Kernel Security Patches
Source: Dave Wreski - Posted by Dave Wreski   
Several independent kernel patches exist to increase the security of your kernel.

A number of kernel patches and programs are developed independently of the standard Linux kernel and improve upon its level of security. Many of these programs require advanced knowledge of compiling programs and patching source code, but with a bit of effort and practice on a test system, they can potentially greatly enhance your level of protection.

Work is being done to add these features into the default Linux kernel. Currently, however, they must be incorporated manually. Implementing these changes assumes you realize that there is no panacea for computer security; it can only be done in layers. Cryptography export regulations also affect the distribution of some of these modifications.

The Openwall Project

Solar Designer of the Openwall Project has created a kernel patch that provides additional protection against a number of common security vulnerabilities. While not a panacea, of course, it helps to prevent buffer overflows, adds access control for the /proc directory, limits the number of processes a user can have, and makes other improvements. While it may be incompatible with some programs, it is generally a great addition, and the most popular kernel security patch.

Linux Intrusion Detection System

Huagang Xie and others have developed LIDS to add quite a number of security improvements to the kernel. It provides protection from root exploits by disabling some functions that can be used to gain unauthorized access to root. Features include disabling the loading of modules, locking routing tables, protecting daemons from signals, read-only and append-only flags to protect programs or log files from a root intruder, implementation of 'capabilities', and much more. The LIDS HOWTO provides an excellent description and help with installation. An article was also submitted to that describes its usage.

The International Kernel Patch

The International Kernel Patch provides several cryptographic additions to the standard kernel, including RC6, MARS, and Serpent, candidates for becoming Advanced Encryption Standard algorithms to replace DES. Support for ENskip, the replacement for Sun's key management IP crypto efforts, is also included. The kernel patch is available for the 2.2 kernels. Information on applying the patch is available in Brian Caswell's Linux Secure Operations Guide.

Rule Set Based Access Control

RSBAC provides the capability to create access control lists and mandatory access control. RSBAC offers the ability to create a "Security Officer" which has specific privileges otherwise only available to the root user. It contains kernel patches which add enforcement to any system call which either has a security context or may affect security, and administration tools to manage the new security modules and properties of files, devices, and users. The RSBAC homepage contains a full description of its capabilities, a mailing list, and source code. Paul Robertson discussed its usage and interviewed the author in a recent article.

Linux Trustees Project

The Linux Trustees Project creates an advanced permission management system for Linux. This patch and accompanying programs add access control lists to the Linux kernel, enabling a finer-grained level of control over file access. Whereas previously it was not possible to permit read and write access to a file to one group and only read access to another group, the system administrator now has the capability to do so.
