at the beginning we plan:

* to use only the pax options of the grsec kernel, no rbac enabled
* to work on vanilla sources or gentoo hardened sources
* no debian patches, no exotic patches
* shipping the kernel with warnings that, as a default, java won't work with a secure kernel, and possibly any other graphical applications doing dirty stuff with memory (buffer overflow, relocations and much more)

as soon as we have a devuan beta version we feel confident enough to install on at least one dedicated server (something like dell r210) and on a laptop (something like a thinkpad), we'll start packaging a grsec patched kernel.

speaking of installing on a dedicated server, do we have plans to provide some kind of easy install system to install on a server from a rescue mode? (not everyone has full kvm access to install graphically, many datacenters provide only the rescue mode)

On Fri, Mar 6, 2015 at 6:27 PM, Adam Borowski <kilob...@angband.pl> wrote:
> On Fri, Mar 06, 2015 at 03:19:29PM -0300, hellekin wrote:
>> *** I'm so happy to see this group. I've been using this kernel lately,
>> running on Parabola:
>>
>> 3.14.34-gnu-201502271838-1-lts-grsec-knock
>>
>> GRSecurity, and Knock support. Knock is a kernel patch that enables
>> single packet port knocking [0], thwarting common scanning attacks. I
>> would love to see this running on Devuan. Parabola GNU/Linux was the
>> first distro to deploy it, and I've been using it happily with SSH.
>
> It looks like Knock breaks everything TCP SQN is used for, including even
> such basics as packet retransmission/duplication detection. I've read the
> LKML discussion to see if I'm missing something, but apparently, I don't.
>
> As such, I'd say Knock has no place on a distribution kernel.
>
> --
> // If you believe in so-called "intellectual property", please immediately
> // cease using counterfeit alphabets. Instead, contact the nearest temple
> // of Amon, whose priests will provide you with scribal services for all
> // your writing needs, for Reasonable and Non-Discriminatory prices.
> _______________________________________________
> Dng mailing list
> Dng@lists.dyne.org
> https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng