Switching from RHEL to a clone

There are problems associated with upgrading a RHEL/CentOS 5 system so that it can properly build a recent Linux kernel, due to it requiring a somewhat current build chain (binutils, gcc, etc). Rather than continue to back-port these RPM packages from Fedora to my CentOS 5 machines, which is what I’ve done in the past, I have opted to just upgrade and use a new operating system.

Applying (part of) the grsecurity patch with Ksplice

As a proof of concept, I pulled 4 features from the grsecurity patch and back-ported them to the CentOS 5.6 kernel. I built the resulting patch with ksplice and inserted the resulting tarball into the kernel. The features work brilliantly. It’s been running on my server the past few days with no issues so far.

The features I did it with are: Trusted Path Execution (TPE), dmesg restrictions, TCP/UDP blackhole, and disabled privileged IO.

Trusted Path Execution (TPE) Linux Kernel Module

A side-project I’ve been working on for enhanced security in distribution kernels. Trusted Path Execution (TPE) is a feature that basically denies users the ability to execute programs that are not owned by the root user, or that they can write to. This prevents all kinds of exploits that would have otherwise rooted your system.

You can find the source code for this work-in-progress here:

Starting from scratch

In an attempt to keep myself motivated to blog on a semi-regular basis, I’m re-inventing my blog and starting completely from scratch.

I will be blogging about the book I am currently writing, the grsecurity kernel build system I am building, and the rogue-beret repo I will have online shortly.

Well, time for bed. Been sitting at this computer all evening. Have a good night!