To Patch or Not to Patch


When you patch software source code, the kernel's or any other program's, you change the code by adding or removing lines according to a patch file created for that software. The patch may be something as simple as a bug-fix update or as involved as a change to the functionality of the software itself. When a new version of the kernel is released, the kernel maintainers publish both a full version of the kernel and a patch file for those who want to move to the next version simply by patching the one they already have.

When you apply a patch to change software functionality, you are, in effect, altering that software from its base state. This involves a trade-off: from that point forward, to keep the functionality the patch adds, you must also re-apply the patch to every update of the base software. In the context of Grsec, it means that you're moving away from the concept of the vanilla or stock kernel in favor of the added security.
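As an added illustration of that trade-off (example script, not from the book), the script below builds a tiny constructed source tree, generates an out-of-tree feature patch against it with `diff -u`, and then uses `patch --dry-run` to show that the patch still applies after a release that changes unrelated lines but fails after a release that rewrites the lines the hunk is anchored on. The file names, trees and patch contents are all constructed for the example; `diff` and `patch` are assumed to be installed.

```shell
#!/bin/sh
# Added example, not taken from the book: a small simulation of the patch
# trade-off described above. A seven-line sec.c stands in for a kernel tree,
# feature.patch for an out-of-tree patch such as Grsec, and rel_a/rel_b for two
# later kernel releases. All files are constructed; diff and patch are assumed
# to be installed.
set -u
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# mkfile DIR LINE... : write the given lines as $WORK/DIR/sec.c
mkfile() { d="$WORK/$1"; shift; mkdir -p "$d"; printf '%s\n' "$@" > "$d/sec.c"; }

# Base release: the tree the feature patch was written against.
mkfile base    "int check(void)" "{" "    int rc;" "    rc = verify();" \
               "    log_result(rc);" "    return rc;" "}"
# Feature tree: the same file with an audit call inserted after verify().
mkfile feature "int check(void)" "{" "    int rc;" "    rc = verify();" \
               "    audit(rc);" "    log_result(rc);" "    return rc;" "}"
# Release A changes only line 1, outside the context of the feature hunk.
mkfile rel_a   "static int check(void)" "{" "    int rc;" "    rc = verify();" \
               "    log_result(rc);" "    return rc;" "}"
# Release B rewrites the two lines the feature hunk is anchored between.
mkfile rel_b   "int check(void)" "{" "    int rc;" "    rc = verify_strict();" \
               "    log_result(rc, LOG_INFO);" "    return rc;" "}"

# gen_patch OLD NEW OUT : unified diff between two trees (diff exits 1 on change)
gen_patch() { (cd "$WORK" && diff -u "$1/sec.c" "$2/sec.c" > "$3") || true; }

# try_patch TREE PATCH : dry-run the patch against TREE; prints "clean" when
# every hunk applies and "conflict" otherwise. A real run would leave the
# failing hunks in sec.c.rej for manual merging.
try_patch() {
    if (cd "$WORK/$1" && patch -p1 --dry-run < "$WORK/$2") >/dev/null 2>&1
    then echo clean; else echo conflict; fi
}

gen_patch base feature feature.patch
for tree in base rel_a rel_b; do
    printf '%-8s %s\n' "$tree:" "$(try_patch "$tree" feature.patch)"
done
# prints: base: clean, rel_a: clean, rel_b: conflict
```

Checking every out-of-tree patch this way against each new release, before building, is what keeping a patched kernel current amounts to in practice.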

Enhanced Security Without Grsec

Beginning with the 2.6 stream of kernels, some functionality that was previously available only as a kernel patch was introduced into the main kernel. This functionality comes in the form of the SELinux area of the kernel covered earlier.

The advantage of using SELinux is that it's included in the stock kernel and therefore doesn't require re-patching for every kernel update. However, the additional functionality included with Grsec makes the patch trade-off well worth it for enhancing security.

Other software such as Exec-Shield offers some of the same protections as Grsec. However, the information available on Grsec and Exec-Shield suggests that Grsec is the more robust implementation and provides some functionality that Exec-Shield does not. Exec-Shield does have the advantage of being included in some major vendors' Linux distributions.

Linux Firewalls
Linux Firewalls: Attack Detection and Response with iptables, psad, and fwsnort
ISBN: 1593271417
Year: 2005
Pages: 163
Authors: Michael Rash