(discontinued) Hardening the openSUSE distro.
Hardening the openSUSE distro

NOTE: this project is in an undefined state, the following information is inaccurate.

Based on openSUSE kernel, patched with grsecurity and built with hardened toolchain, openSUSE-gardened aims to enable alternative, more secure option for its users. It provides kernel for desktop or server flavor and includes userspace tools that should enable easier use. This is currently unofficial project and in beta state.

The desktop flavor has been on openSUSE desktop and is considered stable enough for daily use. Despite that, there could be issues pertaining to graphics drivers from nVidia and AMD. Testers are needed for server flavor and other desktop environments and your feedback is welcome. You can post your findings/bugs/issues here on project's issue tracker or have a chat with us at irc.freenode.net #opensuse-gardened. For more information on PaX/grsecurity see Grsecurity wikibook.

Feature highlights:

  • Kernel built using GCC toolchain and plugins from grsecurity.
  • PaX flags are stored as extended attributes at the filesystem level, so ELF header modification is not needed and is intentionally disabled in the kernel.
  • If applicable, the installer (zypper) automatically refreshes PaX flags of newly installed binaries.

Why -gardened? According to Wikipedia, gardening is "a practice of growing and cultivating, an activity that brings relaxation", pun intended.

Quick links: NEWS (updated almost weekly), TODO

Status

  • ☑ alpha - experimental stage
    • ☑ make it work
    • ☑ test in various environments
    • ☑ tune the build
    • ☐ document build process, polish and publish scripts
  • ☐ beta
    • ☑ create an official devel project in openSUSE
    • ☐ review configs for provided kernel flavors
    • ☐ automate updates to new grsec patch version
    • ☐ automate basic testing (boot, update, ltp, stress)
    • ☐ PaX exception suggestions based on system log messages
    • ☐ make it easier to do custom builds (due to randomization features), also custom configs or extra patches
  • ☐ 1st class integration
    • ☐ merge grsecurity/PaX to linux kernel

Quick start

Repository packages are compatible with a base openSUSE installation. To install, follow one of the procedures below. Please note that the randomization features cannot be fully utilized with the pre-built packages (the secret random seed can be obtained from the rpm). Use them for testing and do a full package rebuild in other cases.

YaST One-click installation pattern for the desktop kernel flavor:

This will permanently add the repo and download following packages:

  • kernel-grsec-desktop — the kernel (built with gcc 4.8 on 13.1, 13.2 and 42.1; gcc 6 on Tumbleweed)
  • gradm — management utility for the RBAC policies
  • linux-pax-flags — list of PaX exceptions and a tool to turn them on/off
  • paxctl — provides paxctl utility to modify the PaX exceptions
  • paxtest — set of tests to show the success of various protection mechanisms

Manual installation after adding the repo like this:

```sh
zypper ar --refresh \
 http://download.opensuse.org/repositories/home:/dsterba:/grsecurity/openSUSE_Leap_42.2/ \
 openSUSE-gardened
```

Other related packages:

  • zypp-plugin-pax-flags - package manager plugin that refreshes all PaX flags after installation
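As an added example (not code from the openSUSE-gardened project), the script below does in outline what the exception list and the zypp plugin described above do: it parses a list of binary-to-flag mappings, validates the PaX flag letters, and writes them into the user.pax.flags extended attribute that a PaX kernel built with xattr support reads instead of the ELF header. The list format and sample paths are constructed for this example; the run is a dry run unless dry_run=False is passed, and actually writing the xattr needs write access to the file.

```python
import os
import sys

# Extended attribute consulted by PaX kernels that read flags from xattrs.
XATTR_NAME = b"user.pax.flags"
# One letter per feature (PAGEEXEC, EMUTRAMP, MPROTECT, RANDMMAP, SEGMEXEC):
# uppercase forces the feature on for that binary, lowercase forces it off.
FLAG_LETTERS = "pemrs"

def validate_flags(flags):
    """Only known letters, each feature at most once ('mM' is contradictory)."""
    lowered = [c.lower() for c in flags]
    return bool(flags) and set(lowered) <= set(FLAG_LETTERS) \
        and len(set(lowered)) == len(lowered)

def parse_exception_list(text):
    """Parse 'path flags' lines; '#' starts a comment. The line format is
    constructed for this example, not the linux-pax-flags file format."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        parts = raw.split("#", 1)[0].split()
        if not parts:
            continue
        if len(parts) != 2 or not validate_flags(parts[1]):
            raise ValueError(f"line {lineno}: malformed entry {raw!r}")
        entries[parts[0]] = parts[1]
    return entries

def apply_exceptions(entries, dry_run=True):
    """Set the xattr on each listed binary; returns {path: status}."""
    result = {}
    for path, flags in entries.items():
        if not os.path.isfile(path):
            result[path] = "missing"
        elif dry_run:
            result[path] = f"would set {flags}"
        else:
            try:
                os.setxattr(path, XATTR_NAME, flags.encode())
                result[path] = "set"
            except OSError as e:
                result[path] = f"error: {e.strerror}"
    return result

# Constructed sample: this interpreter (a real ELF file) and an absent path.
SAMPLE_LIST = f"""
{sys.executable}   mr   # MPROTECT and RANDMMAP off, as a JIT would need
/no/such/binary    em
"""
```

Freshly installed files carry no xattr at all, which is exactly why the plugin re-applies the whole list after every installation.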

Note: take into consideration that changing the repository to a higher priority than openSUSE Updates will pull in a modified compiler package along with the appropriate plugins. We haven't observed any problems in such a scenario, but if you do not want this, do not change the repo priority. This applies to 13.x and 42.x.

Note that the kernel for the Leap build target does not follow the official Leap kernels!

More information about the tools can be found at the tools page.

There is a list of known issues; you may encounter some of them.

More about the kernel flavors.

Update cycle

The testing version of grsecurity patches is released quite often. The OBS packages are updated within a day or less. The patching process has been automated but some manual review is always done before the packages are sent to build service.

Due to the fast pace of updates, please look at the git repository or OBS project for the latest version.

The non-kernel packages are released infrequently; they are considered stable.

OBS repositories

The repository obs://security:grsecurity contains packages that pass build and base boot tests, but may be delayed behind the latest testing patches. This is the recommended repository for most users.

The home project obs://~:grsecurity has become a staging repository: the latest patches are applied there, but the builds may be broken for a certain time.

Testing or build support repos:

  • ~:grsecurity:scratch -- whatever needs testing without breaking the rest
  • ~:grsecurity:ports -- all packages for ARM (armv6 and armv7)
  • ~:grsecurity:gcc48 -- version of gcc 4.8 with enabled plugins, all arches (x86, arm)

Plans

Whenever possible, merge back changes to openSUSE. The kernel is likely to stay out of official openSUSE tree since grsecurity is not a part of mainline linux kernel. The efforts to apply grsec patches on top of the stable-based openSUSE kernels are minimal and make long-term maintenance doable.

See TODO for things in progress or to work on.

Downloads

Related repositories:

Stalled and not updated anymore:

References and further reading