Re: Strongest linux - kernel patches

Ugly reply, but here goes...

On Tue, Jul 01, 2003 at 04:27:21PM -0700, Alvin Oga wrote:
> On Tue, 1 Jul 2003, valerian wrote:
> > On Tue, Jul 01, 2003 at 02:36:37PM +0200, Javier Castillo Alcibar wrote:
> > > Hi all,
> > > 
> > > I want to setup a new linux server in internet (apache, php, postfix,
> > > mysql, dns...), and I would like to patch the standard kernel with some
> > > security patches..... but my question is, what patches are the best??

Best? Well, what do you want to do? How much time are you prepared to
spend to secure your system?
Are you looking for a general, basic security model (Openwall works well
and is easy to apply) or do you want to spend time on ACLs (SELinux or
RSBAC or Grsecurity's simple system)?

> > >    - Openwall ??

Good if you just want to apply it and basically forget about it.

> > >    - TrustedDebian ??

Is not a kernel patch. Now called Adamantix (have a look at www.adamantix.org) and is a Debian derivative that uses PaX, builds every package (including the kernel) with IBM's stack smashing protector and lets you choose if you want to use an RSBAC (www.rsbac.org) enabled kernel.

> > >    - LIDS??

Add RSBAC and SELinux to the list if you want to check similar patches out.

> -- at a minimum, you should be using linux-2.4.21
>    and openwall and lids and ..

or wait for .22 which _might_ include some crypto.

> -- than use the latest php, apache, postfix, mysql, dns
> 	- probably want to chroot your dns app

... and don't forget to build the packages with your SSP-patched GCC :)

