How does it compare with the NSA Security Linux patch? Anyone have an idea?
Re: How does it compare with security linux
by Solar Designer - Jun 5th 2005 18:20:21
These two are not even similar, so it is hard to compare them. Rather,
I'll describe them briefly:
The Openwall Linux kernel patch - a collection of security
"hardening" features aimed at reducing the likelihood and/or
impact of successful exploitation of certain classes of vulnerabilities in
userspace applications, without requiring modifications to any userspace
applications or libraries; also included are security fixes/enhancements to
issues with the kernel itself (whenever the mainstream kernel is being too
conservative or too slow at fixing security issues).
NSA SELinux - adds support for mandatory access control policies into the
Linux kernel, and provides patches to certain userspace utilities to make
use of said Linux kernel additions, with more userspace patches available
from third parties (the kernel patch is useless without userspace
applications and libraries patches); no security fixes/enhancements to
issues with the kernel itself are being included (as far as I'm aware).
The two kernel patches can co-exist, and it may make sense to use both
approaches on some systems, although there may be some issues with patch
merging (might have to apply some hunks manually). I have not tried that.
You might also want to consider RSBAC as a well-established generic
alternative to SELinux. (Or rather, SELinux is an alternative to RSBAC,
since RSBAC is an older project.) It can co-exist with the Openwall Linux
kernel patch, too, and I know that some people and even Linux distributions
(ALT Linux Castle, other minor ones) have been using these patches
together.