Re: Security Patches to the Linux Kernel

From: Michael J. Cannon
Date: 08/30/01

Message-ID: <003e01c130ea$f03fad30$7a009418@scooby>
From: "Michael J. Cannon" <>
To: <>, <>
Subject: Re: Security Patches to the Linux Kernel
Date: Wed, 29 Aug 2001 19:30:11 -0500


We've tried both products, and they DO stress different philosophies. The
NSA's distro is certainly not ready for deployment without a lot of work,
and really addresses only a sub-set of what a truly secure environment
should entail, with its emphasis on file systems security and apps and user
permissions. They are really concentrating on 'life and limb' security
procedures and best practices, and, in the meantime, helping to redefine
what a secure OS is. However, it is really alpha, not beta code. More info
on the history, concerns, goals and accomplishments of the product can be
gained by following the "Background" Link on the SELinux home page.

GRSecurity's patches, as well as Brad's other work, take the NSA's another
step and are a welcome addition to the Linux 2.4 project, especially this
week. I would have no problems taking code patched with this product into
production. I might even attempt a move to production with a Mandrake
Server, NSA patched, with Brad's additions. But I don't have to.

I became aware of Astaro Secure Linux yesterday. You can find their web
page at . This is the distro I was looking
for, with commercial support.

For a hardware addition, for more lock-down, try TCS's TCSecure, website
at . Expensive,
but worth it for the level of additional safety and assurance it provides.
Certainly worth it in 'life and limb' or severely constrained and regulated
infosec situations, such as financial transactions, HIPAA or M&A/Financial

I've been studying the NSA project since Flask, Brad's work since he began
and have used the TCS products in Linux and NT for some years and still am
looking most kindly on the Astaro product, if it passes our tests, because
of the commercial support and the more complete implementation of security
(as well as the promised ease-of-use and integration with our favored tools).
We may wind up combining Astaro with one or more of the other products
during our research. Get in touch with me off line if you want to be kept

Michael J. Cannon
"Si vis pacem, para bellum."

----- Original Message -----
From: <>
To: <>
Sent: Wednesday, August 29, 2001 10:27 PM
Subject: Security Patches to the Linux Kernel

> Has anyone here experimented with, or put into production any of the
> patches, mods or improvements to Linux's default security architecture?
> Two of the systems that I have been looking at are:
> 1) The NSA's SE Linux at
> 2) GRSecurity from
