Re: Security Patches to the Linux Kernel

From: Michael J. Cannon (
Date: 08/30/01

Message-ID: <003e01c130ea$f03fad30$7a009418@scooby>
From: "Michael J. Cannon" <>
To: <>, <>
Subject: Re: Security Patches to the Linux Kernel
Date: Wed, 29 Aug 2001 19:30:11 -0500


We've tried both products, and they DO stress different philosophies. The
NSA's distro is certainly not ready for deployment without a lot of work,
and really addresses only a sub-set of what a truly secure environment
should entail, with its emphasis on file systems security and apps and user
permissions. They are really concentrating on 'life and limb' security
procedures and best practices, and, in the meantime, helping to redefine
what a secure OS is. However, it is really alpha, not beta code. More info
on the history, concerns, goals and accomplishments of the product can be
gained by following the "Background" Link on the SELinux home page.

GRSecurity's patches, as well as Brad's other work, take the NSA's another
step and are a welcome addition to the Linux 2.4 project, especially this
week. I would have no problems taking code patched with this product into
production. I might even attempt a move to production with a Mandrake
Server, NSA patched, with Brad's additions. But I don't have to.

I became aware of Astaro Secure Linux yesterday. You can find their web
page at . This is the distro I was looking
for, with commercial support.

For a hardware addition, for more lock-down, try TCS's TCSecure, website at . Expensive,
but worth it for the level of additional safety and assurance it provides.
Certainly worth it in 'life and limb' or severely constrained and regulated
infosec situations, such as financial transactions, HIPAA or M&A/Financial

I've been studying the NSA project since Flask, Brad's work since he began
and have used the TCS products in Linux and NT for some years and still am
looking most kindly on the Astaro product, if it passes our tests, because
of the commercial support and the more complete implementation of security
(as well as the promised ease-of-use and integration with our favored tools).
We may wind up combining Astaro with one or more of the other products
during our research. Get in touch with me off line if you want to be kept

Michael J. Cannon
"Si vis pacem, para bellum."

----- Original Message -----
From: <>
To: <>
Sent: Wednesday, August 29, 2001 10:27 PM
Subject: Security Patches to the Linux Kernel

> Has anyone here experimented with, or put into production any of the
> patches, mods or improvements to Linux's default security architecture?
> Two of the systems that I have been looking at are:
> 1) The NSA's SE Linux at
> 2) GRSecurity from