There are problems assosiated with upgrading a RHEL/CentOS 5 system so that it can properly build a recent linux kernel, due to it requiring a somewhat current build chain (binutils, gcc, etc). Rather than continue to back-port these RPM packages from fedora to my CentOS 5 machines, which is what I’ve done in the past, I have opted to just upgrade and use a new operating system.
As a proof of concept, I pulled 4 features from the grsecurity patch and back-ported them to the CentOS 5.6 kernel. I built the resulting patch with ksplice and inserted the resulting tarball into the kernel. The features work brilliantly. It’s been running on my server the past few days with no issues so far.
The features I did it with are: Trusted Path Execution (TPE), dmesg restrictions, TCP/UDP blackhole, and disabled privileged IO.
In light of me working on tpe-lkm, I’ve downloaded the source for the RHEL6 kernel. I noticed right away that there were no patches, that the entire kernel was already pre-patched. I did some googling, and found some others chattering about this, like this one:
A side-project I’ve been working on for enhanced security in distribution kernels. Trusted Path Execution (TPE) is a feature that basically denies users the ability to execute programs that are not owned by the root user, or that they can write to. This prevents all kinds of exploits that would have otherwise rooted your system.
You can find the source code for this work-in-progress here:
In an attempt to keep myself motivated to blog on a semi-regular basis, I’m re-inventing my blog and starting completly from scratch.
I will be blogging about the book I am currently writing, the grsecurity kernel build system I am building, and the rogue-beret repo I will have online shortly.
Well, time for bed. Been sitting at this computer all evening. Have a good night!