Hi, I am using ARCH (what else?! :twisted: )
and I have downloaded this nice test program http://pax.grsecurity.net/paxtest-0.9.7-pre4.tar.gz from [pax.grsecurity.net]
and it seems that I have many security flaws in my system. How can I fix it up?
Offline
Weeeeeeeeeeeeeeeeeeeeeeeeee....
Offline
Chat?
Offline
By using a PaX kernel... Don't ask me, I've never used one, but I definitely would like to see one in the Arch repos. That, and more secure default settings, like for example limiting the number of processes to 10000 or so in /etc/security/limits.conf.
(Guys, perhaps it would be polite to provide real answers?)
Offline
By using a PaX kernel... Don't ask me, I've never used one, but I definitely would like to see one in the Arch repos. That, and more secure default settings, like for example limiting the number of processes to 10000 or so in /etc/security/limits.conf.
(Guys, perhaps it would be polite to provide real answers?)
I'm with you, man :!:
Why doesn't ARCH provide a better secure kernel?
Offline
Well, I've heard strange things about Xorg with PaX kernels... Also, remember who maintains the kernels. The devs might feel that, as of now, Arch is secure enough for what it's generally used for.
Offline
Why doesn't ARCH provide a better secure kernel?
I may be wrong on this one, but I always thought that Arch tried to stay as vanilla as possible, so the devs don't have to worry about always customizing and updating things for each release of the kernel (or any software for that matter). Sure it could always be an option like the archck kernel has become, but I doubt it would ever be the default.
Offline
EAD wrote: Why doesn't ARCH provide a better secure kernel?
I may be wrong on this one, but I always thought that Arch tried to stay as vanilla as possible, so the devs don't have to worry about always customizing and updating things for each release of the kernel (or any software for that matter). Sure it could always be an option like the archck kernel has become, but I doubt it would ever be the default.
That's what I've already heard as well. Maybe EAD could maintain 2.6.16-pax in AUR?
Offline
I bet he'll want SE- next
Edit:
So the question is, how secure is enough? You know there are about 432 trigazimillion patches available for the Linux kernel that do all sorts of things from boosting performance to security, PLUS combinations of various patches. So what is a "more secure" kernel? Assuming "more secure than vanilla," there is a lot of variation and level of security you can build up on top of that. So the question is, at which point is it acceptable? You know once someone says "okay, it'll have patchA, patchB and patchC," someone will say "but how about patchD?" while someone else might say patchE is essential.
You have the tools and opportunity to take the initiative already. If you are wondering why Arch doesn't provide a more secure kernel, you can. Arch package maintainers can't provide every variation of different kernels to suit everyone's likes and dislikes. For that, I think the stock kernel (and archck) provides a good compromise of stability, functionality and ease of use, while ABS helps by letting individuals really fine-tune their kernel the way they like it. So what I'm saying is it's up to you.
Offline
Amm, so why not provide a good PAX for ARCH?
And SELinux?
I mean PAX is only for kernel 2.4 and all the old 2.6 like 2.6.13 and not 2.6.16, and it's not very stable.
I don't mind making a makepackage for it, but the source is old and not stable, and I'd rather have stable Linux than secure.
Anyway, why not improve ARCH security?
Offline
Have you tried working on SE-? The last time I was interested in SE-, what stopped me and made me realize it's not practical was the hair-ripping amount of work to get the ruleset and all that right. It's dreadful. It's not a slap-on patch that'll turn out a good-to-go kernel just by patching it. I don't know a whole lot about PaX other than what it is, so I wouldn't comment on that. But I think you answered your own question in your post. If PaX and SELinux are as outdated and unstable as you say they are, and even you are saying you'd rather have a stable kernel than an unstable secure one, then what is the point of arguing to get a -pax kernel out?
If you do a search on SELinux, there are quite a few discussions about PaX/SELinux that already answer what you are asking time after time. I think discussion is good as long as you present your idea on why you think it is important, what it addresses, what the implications might be and so on, but simply going "why? why? why?" doesn't get anywhere. Like I said, that's already been answered previously, maybe not by dev(s) or maintainer(s), but they do talk about the difficulty of implementation and lots of other interesting stuff. Seriously, make a PKGBUILD, chuck it in AUR, wait and see if people show interest in it. Or post a request and see if anyone is willing.
Offline
Ah, so that's part of the problem... Eck. Really, a *lot* more security stuff needs to be done for kernel 2.6 systems, buffer overflows being the most common vulnerability and all...
Offline
Ah, so that's part of the problem... Eck. Really, a *lot* more security stuff needs to be done for kernel 2.6 systems, buffer overflows being the most common vulnerability and all...
It shouldn't be up to the kernel developers to fix the userspace developers' poor programming.
Offline