I was curious if Calculate Linux had ever considered using the hardened Gentoo kernel in any of its products. Calculate does not do a specialist firewall version, which would be an obvious target for the hardened kernel.
Is the hardened kernel only typically used in servers, or when IT departments want to use SELinux, AppArmor or Tomoyo as an access control system? Does the hardened kernel create issues with other aspects of the system, such as video drivers or network access?
Of course users can always install the hardened kernel on their own. The only drawback that I have found is that in a generic kernel configuration setup it is always easy to miss small details, and suddenly you have no sound drivers or some other irritating mistake. The Calculate cl-kernel program really makes the process of kernel recompilation much easier and safer, and I do use it if I want to make small changes to the kernel.
At the moment this is not considered.
The person with the nickname <> from the <<#calculate>> IRC channel wants to implement support, but something is holding it up.
Just for fun, I installed Pentoo Linux on my external USB hard drive. It is also Gentoo based and ships with the hardened Gentoo kernel.
The main differences that I have seen are that:
- It is more difficult to get proprietary video drivers to run. I have not been able to get any version of the fglrx driver to run with Pentoo. The PaX security system in the kernel may not be allowing some of its functions. Since it is a binary blob, there is no way to audit the code to see where the problem is coming from.
- The PaX system would not allow clamd from clamav to run until I manually disabled all the PaX functions on the command line for /usr/sbin/clamd. The kernel is very fussy about how much control individual programs are allowed to have.
The PaX system and the hardened kernel in general are much less tolerant of misbehaving programs or programs which are doing something the kernel is not anticipating. The trade-off from this is less usability and user friendliness but more protection from security surprises.
I could see using the hardened kernel on a firewall, gateway server or a server with limited requirements for graphics. I have not experimented with implementing any of the access control systems like AppArmor, SELinux, grsecurity or Tomoyo in Gentoo, although I have used SELinux and AppArmor with RHEL and openSUSE. Standard Linux is very secure, but commercial enterprises and governments have special needs that can benefit from an increased level of security.
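The clamd problem described in the post above is the typical PaX failure mode: the kernel kills the process and logs a "PAX: terminating task:" line, and the fix is a per-binary flag change rather than turning PaX off kernel-wide. The script below is an added example written for this thread, not code from the original poster, Calculate or Pentoo. It parses kernel log text for PaX kills so you can see which executable is affected and how often, then relaxes only MPROTECT (the feature that forbids writable-and-executable mappings and is the most common culprit) with paxctl, falling back to the "disable everything" marking the poster used only as a last resort. The dmesg lines are constructed samples in the format grsecurity's pax_report_fault prints; paxctl is assumed to be installed (on Gentoo, paxctl-ng from sys-apps/elfix also handles the user.pax.flags xattr marking that the hardened profile uses).

```sh
#!/bin/sh
# Added example for the thread above, not part of the original post.
# Finds executables killed by PaX in kernel log text and relaxes their
# PaX markings per binary instead of disabling PaX globally.

# Constructed sample of PaX kill messages (format of grsecurity's
# pax_report_fault; addresses and timestamps are made up).
SAMPLE_DMESG='[  120.133] PAX: terminating task: /usr/sbin/clamd(clamd):1234, uid/euid: 0/0, PC: 00007f1a2b3c4d5e, SP: 00007ffc0a0b0c0d
[  120.134] PAX: bytes at PC: 48 89 e5 41 57 41 56 41 55 41 54 53 48 83 ec 38
[  305.701] PAX: terminating task: /usr/sbin/clamd(clamd):1301, uid/euid: 0/0, PC: 00007f9c1d2e3f40, SP: 00007ffd1a1b1c1d
[  410.220] PAX: terminating task: /usr/bin/X(X):900, uid/euid: 0/0, PC: 00007f0011223344, SP: 00007ffe55667788'

# pax_victims LOGTEXT
# Prints "path count" for every executable PaX terminated, most frequent
# first. Only the "terminating task" lines carry the path; "bytes at PC"
# lines are ignored.
pax_victims() {
    printf '%s\n' "$1" |
        sed -n 's/.*PAX: terminating task: \([^(]*\)(.*/\1/p' |
        sort | uniq -c | sort -rn |
        awk '{print $2, $1}'
}

# pax_kill_count LOGTEXT PATH
# Number of PaX kills recorded for one executable (0 if none).
pax_kill_count() {
    pax_victims "$1" |
        awk -v p="$2" '$1 == p {print $2; found = 1} END {if (!found) print 0}'
}

# pax_relax_mprotect PATH
# First thing to try: clear only MPROTECT on the binary (-m), creating the
# PT_PAX_FLAGS program header if it is missing (-c), then show the result.
pax_relax_mprotect() {
    command -v paxctl >/dev/null 2>&1 || { echo "paxctl not installed" >&2; return 1; }
    paxctl -cm "$1" && paxctl -v "$1"
}

# pax_disable_all PATH
# Last resort, equivalent to what the poster did for /usr/sbin/clamd:
# disable PAGEEXEC, EMUTRAMP, MPROTECT, RANDMMAP, RANDEXEC and SEGMEXEC.
# The binary then runs with none of PaX's protections, so prefer the
# single-flag change above whenever it is enough.
pax_disable_all() {
    command -v paxctl >/dev/null 2>&1 || { echo "paxctl not installed" >&2; return 1; }
    paxctl -cpemrxs "$1" && paxctl -v "$1"
}
```

On a live hardened system, run `pax_victims "$(dmesg)"` to list the offenders, then `pax_relax_mprotect /usr/sbin/clamd` and retry the service; check `dmesg` again before reaching for `pax_disable_all`. Because PT_PAX_FLAGS lives in the ELF header, the marking is lost when the package is reinstalled, so on Gentoo record it in /etc/portage/package.env or let the ebuild's pax-mark handling apply it.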