Developer(s) | Brad Spengler (Spender) |
---|---|
Stable release | 3.1 for Linux Kernels 3.14.79 and 4.4.45 (26 January 2017) |
Preview release | 3.1 for Linux Kernel 4.8.17 (15 January 2017) |
Repository | www |
Operating system | Linux |
Platform | Linux kernel |
Type | Security |
License | GPL v2 |
Website | grsecurity |
grsecurity is a set of patches for the Linux kernel which emphasize security enhancements. The patches are typically used by computer systems which accept remote connections from untrusted locations, such as web servers and systems offering shell access to their users. Grsecurity provides a collection of security features to the Linux kernel, including address space protection, enhanced auditing and process control. Work on grsecurity began in February 2001 as a port of Openwall Project's security-enhancing patches for version 2.4 of the Linux kernel mainline. The first release of grsecurity was for the Linux kernel 2.4.1.
Since September 9, 2015, the availability of stable grsecurity patches has been limited to the commercial customers of grsecurity. The testing versions of grsecurity patches, as well as the source code and patches for related userspace utilities, remain publicly available. Since May 2017, all the patches are for customers only, and any use of the grsecurity trademarks in any product, fork, or modification, including PaX, is also disallowed.
A major component bundled with grsecurity is PaX. Among other features, the patch flags data memory (the stack, for example) as non-executable and program memory as non-writable. The aim is to prevent memory from being overwritten, which can help to prevent many types of security vulnerabilities, such as buffer overflows. PaX also provides address space layout randomization (ASLR), which randomizes important memory addresses to reduce the probability of attacks that rely on easily predicted memory addresses. PaX is not developed by the grsecurity developers. It is available in other Linux distributions such as Gentoo or IPFire, and directly from grsecurity.
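The memory-permission property described above can be checked from the outside. The following is an added example, not code from grsecurity or PaX: a small C auditor that reads text in `/proc/<pid>/maps` format and counts mappings that are both writable and executable, and reports whether the stack is executable. The names `wx_audit`, `audit_maps` and `SAMPLE_MAPS` are hypothetical, and the sample map is constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Findings for one process: mappings seen, mappings that are both
 * writable and executable, and whether the stack is executable. */
struct wx_audit { int total, wx, exec_stack; };

/* Audit text in /proc/<pid>/maps format:
 * start-end perms offset dev inode [path] */
struct wx_audit audit_maps(const char *maps)
{
    struct wx_audit r = {0, 0, 0};
    while (*maps) {
        size_t full = strcspn(maps, "\n"), len = full;
        char line[512], perms[5] = "", path[256] = "";
        unsigned long start, end;
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, maps, len);          /* work on one line at a time */
        line[len] = '\0';
        if (sscanf(line, "%lx-%lx %4s %*s %*s %*s %255[^\n]",
                   &start, &end, perms, path) >= 3 && strlen(perms) == 4) {
            int w = perms[1] == 'w', x = perms[2] == 'x';
            r.total++;
            if (w && x) r.wx++;           /* violates "writable xor executable" */
            if (x && strcmp(path, "[stack]") == 0) r.exec_stack = 1;
        }
        maps += full;
        if (*maps == '\n') maps++;
    }
    return r;
}

/* Constructed sample, not captured from a real system. */
const char SAMPLE_MAPS[] =
    "00400000-0040c000 r-xp 00000000 08:01 131 /usr/bin/demo\n"
    "0060b000-0060c000 rw-p 0000b000 08:01 131 /usr/bin/demo\n"
    "7f10a0000000-7f10a0021000 rwxp 00000000 00:00 0 \n"
    "7ffc1b2e0000-7ffc1b301000 rwxp 00000000 00:00 0 [stack]\n";

int main(void)
{
    static char buf[1 << 16];
    FILE *f = fopen("/proc/self/maps", "r");   /* Linux only */
    size_t n = f ? fread(buf, 1, sizeof buf - 1, f) : 0;
    if (f) fclose(f);
    buf[n] = '\0';
    struct wx_audit s = audit_maps(SAMPLE_MAPS), live = audit_maps(buf);
    printf("sample: %d maps, %d W+X, exec stack=%d\n", s.total, s.wx, s.exec_stack);
    printf("self:   %d maps, %d W+X, exec stack=%d\n", live.total, live.wx, live.exec_stack);
    return 0;
}
```

On a system that enforces the policy described above, the audit of a running process is expected to report zero writable-and-executable mappings and a non-executable stack.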
Another notable component of grsecurity is that it provides a full role-based access control (RBAC) system. RBAC is intended to restrict access to the system further than what is normally provided by Unix access control lists, with the aim of creating a fully least-privilege system, where users and processes have the absolute minimum privileges to work correctly and nothing more. This way, if the system is compromised, the ability of the attacker to damage or gain sensitive information on the system can be drastically reduced. RBAC works through a collection of roles. Each role can have individual restrictions on what it can or cannot do, and these roles and restrictions form an access policy which can be amended as needed.