grsecurity forums

[Specter]

I am using OpenSuse v10.1 and I want to harden my OS, a least for the servers.
I do not want to use AppArmor, missing important features (protection for /dev/[k]mem, proc-FS, ASLR,...).

SELinux is too complex for my requirements, recompilation is required for all apps/libs, problem if closed-source.
It further mandates filesystem, bec. of required capabilities and labelling of each file.
Once up and running Grsecurity should be relatively trouble-free.

In this forum I found some postings referring to the SuSE-Linux pre-9.1-versions.

With 9.0 the 'Suse-Distro' could be run with Vanilla-Kernel patched with grsecurity.
In the threads found, there was no clear solution and no indication whether somebody succeeded meanwhile.

I believe many OpenSuse-users were 'auto-migrated' when AppArmor was enabled by default and sticked with it.

Is there some experience available about current versions of OpenSuse, whether there are conflicting portions
of Kernel-code-changes, not possible to merge with e.g. the current Suse-Patches?

I do not want to dig into Kernel-Hacking, besides manually resolving some trivial patch-conflicts.
Or can I run a recent 10.x version of OpenSuse with Vanilla-Kernel patched with grsecurity?

Do you know of / can you recommend other Linux-distributions supporting grsecurity?

[ralphy]

Gentoo's hardened project offers grsecurity. Works quite well.

[Specter]

Hello ralphy,

thank you for this direction!

I am currently reading some of 'http://www.gentoo.org/proj/en/hardened/' and other sources.

It sounds/looks very promising ...
When I have a clearer picture of Hardened Gentoo, I will write more.

[ralphy]

Have fun and goodluck! :)