
Openwall Linux kernel patch

The Openwall Linux kernel patch is a collection of security "hardening" features for the Linux kernel. In addition to the new features, some versions of the patch contain various security fixes. The "hardening" features of the patch, while not a complete method of protection, provide an extra layer of security against the easier ways to exploit certain classes of vulnerabilities and/or reduce the impact of those vulnerabilities. The patch can also add a little bit more privacy to the system by restricting access to parts of /proc so that users may not see what others are doing.

Tags: Security, Operating System Kernels, Linux, Systems Administration
Licenses: GPL, LGPL, Public Domain
Operating Systems: POSIX, Linux
Implementation: Assembly, C


Recent releases

07 Jul 2009 20:50

Changes: This release was updated to Linux 2.4.37.2.

25 May 2009 11:53

Changes: This release was updated to Linux 2.4.37.1. Functionality of the CONFIG_HARDEN_PAGE0 feature has been revised to apply on top of the vm.mmap_min_addr sysctl introduced in mainstream 2.4 kernels, and the documentation has been revised accordingly.

Changes: This revision adds a fix for the "parent process death signal" vulnerability in the Linux kernel. It also adds two security hardening features, both enabled by default: restricted access to VM86 mode (specific to 32-bit x86) and restricted zero page mappings (generic).

Changes: This release was updated to Linux 2.4.35.

Changes: This release was updated to Linux 2.4.34. Minor documentation updates have been made.

Recent comments

05 Jun 2005 18:20, solardiz

Re: How does it compare with security linux

These two are not even similar, so it is hard to compare them. Rather, I'll describe them briefly:

The Openwall Linux kernel patch - a collection of security "hardening" features aimed at reducing the likelihood and/or impact of successful exploitation of certain classes of vulnerabilities in userspace applications, without requiring modifications to any userspace applications or libraries; also included are security fixes/enhancements to issues with the kernel itself (whenever the mainstream kernel is being too conservative or too slow at fixing security issues).

NSA SELinux - adds support for mandatory access control policies into the Linux kernel, and provides patches to certain userspace utilities to make use of said Linux kernel additions, with more userspace patches available from third parties (the kernel patch is useless without userspace applications and libraries patches); no security fixes/enhancements to issues with the kernel itself are being included (as far as I'm aware).

The two kernel patches can co-exist, and it may make sense to use both approaches on some systems, although there may be some issues with patch merging (might have to apply some hunks manually). I have not tried that.

You may also want to consider RSBAC as a well-established generic alternative to SELinux. (Or rather, SELinux is an alternative to RSBAC, since RSBAC is an older project.) It can co-exist with the Openwall Linux kernel patch, too, and I know that some people and even Linux distributions (ALT Linux Castle, other minor ones) have been using these patches together.

04 Jun 2005 20:06, contusion

How does it compare with security linux
How does it compare with the NSA Security Linux patch? Anyone have an idea?
