I'm coming back to Linux after working a pile of Sun Solaris based tasks. Last major encounter with Linux was RH 7.2. Now I've got a task which will take me into the AES3.0/AES 4.0, and FC3/FC4 realms. Most of my tasks relate system security engineering, of which hardening the OS is one of the "defense-in-depth" measures. I've loaded FC3 onto a small machine to begin to update my knowledge/skills. I also got a book on "Hardening Linux" by James Turnbull. The book discusses the openwall, grsecurity, PAX, and LIDS projects, but it was published just as the 2.6 kernel was being developed, so the guidance was aimed at the earlier kernel. I did find a RedHat white paper on ExecShield, and it appears to include some of the concepts from PAX. I've also worked with Bastille before, and have discovered that it has been updated for FC3. I could use Bastille in conjunction with the embedded ExecShield for some of my tasks, but for some tasks where the risk is great, additional hardening beyond ExecShield and Bastille would be highly desireable. Question, since FC3 should be the latest integrated offering of the kernel and apps, how much of the openwall, grsecurity, PAX, and LIDS components were added to the 2.6 kernel by the open source community, or by Red Hat later? Guess I'm really asking is: What's left for me to add from from these projects that wasn't already added? Dave McGuffey Principal Information Assurance Engineer SAIC
