
Openwall Linux kernel patch

The Openwall Linux kernel patch is a collection of security "hardening" features for the Linux kernel. In addition to the new features, some versions of the patch contain various security fixes. The "hardening" features of the patch, while not a complete method of protection, provide an extra layer of security against the easier ways to exploit certain classes of vulnerabilities and/or reduce the impact of those vulnerabilities. The patch can also add a little bit more privacy to the system by restricting access to parts of /proc so that users may not see what others are doing.
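The /proc restriction mentioned above hides other users' process information from unprivileged users. The following shell script is an added example (not code from the Openwall project or this page) that checks whether such a restriction is in effect on the running kernel: it walks /proc/<pid>, separates the caller's own processes from everyone else's, and counts how many of the others' status files are still readable. It assumes a Linux /proc mount and a `stat` that accepts `-c %u` (GNU coreutils or BusyBox); run it as an unprivileged user, since root sees every entry regardless of the patch.

```bash
#!/bin/sh
# Added example, not part of the Openwall Linux kernel patch: test whether
# /proc/<pid> entries belonging to other users are hidden from this user.
# Assumptions: Linux /proc is mounted; `stat -c %u` is available.

# can_read_proc_pid PID
# Returns 0 if /proc/PID/status can actually be opened and read by the caller
# (a permission bit alone is not enough on restricted /proc), 1 otherwise.
can_read_proc_pid() {
    pid=$1
    [ -r "/proc/$pid/status" ] && head -n 1 "/proc/$pid/status" >/dev/null 2>&1
}

# proc_visibility_report
# Prints three numbers: "total other readable_other", where
#   total          = process directories found under /proc
#   other          = those owned by a different UID than the caller
#   readable_other = those of the others whose status file is readable
# Returns 0 if no other user's process is readable (restriction effective),
# 1 otherwise. As root, everything is readable, so expect a return of 1.
proc_visibility_report() {
    me=$(id -u)
    total=0; other=0; visible=0
    for d in /proc/[0-9]*; do
        pid=${d#/proc/}
        # the owner of /proc/<pid> is the task's UID; skip entries that vanished
        owner=$(stat -c %u "$d" 2>/dev/null) || continue
        total=$((total + 1))
        [ "$owner" = "$me" ] && continue
        other=$((other + 1))
        if can_read_proc_pid "$pid"; then
            visible=$((visible + 1))
        fi
    done
    echo "$total $other $visible"
    [ "$visible" -eq 0 ]
}

# Usage: report and interpret the result for a human reader.
if proc_visibility_report >/dev/null; then
    echo "restricted: no other user's /proc/<pid>/status is readable"
else
    echo "unrestricted: other users' /proc/<pid>/status is readable"
fi
```

A kernel without the restriction (and a modern one mounted without `hidepid`) will report every other user's process as readable; a restricted /proc either hides the directories entirely, so `other` is 0, or leaves them present but unreadable, so `readable_other` is 0 while `other` is not.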


Recent releases

  •  18 Feb 2010 14:50

    Release Notes: The patch has been updated to Linux 2.4.37.9. A post-2.4.37.9 upstream fix for FAT filesystems has been added. The FAQ has been updated.

  •  15 Nov 2009 20:30

    Release Notes: The patch has been updated to Linux 2.4.37.7.

  •  25 Oct 2009 08:29

    Release Notes: The patch has been updated to Linux 2.4.37.6. A fix for a typographical error in one of the information leak fixes included in 2.4.37.6 has been added.

  •  23 Aug 2009 12:47

    Release Notes: Besides being an update to the 2.4.37.5 kernel release, this revision of the patch adds a fix for the sigaltstack local information leak affecting 64-bit kernel builds (CVE-2009-2847).

  •  03 Aug 2009 19:04

    Release Notes: The patch has been updated to Linux 2.4.37.4, which integrates a replacement for the "personality" hardening measure introduced in 2.4.37.3-ow1.

Recent comments

05 Jun 2005 18:20 solardiz

Re: How does it compare with security linux

These two are not even similar, so it is hard to compare them. Rather, I'll describe them briefly:

The Openwall Linux kernel patch - a collection of security "hardening" features aimed at reducing the likelihood and/or impact of successful exploitation of certain classes of vulnerabilities in userspace applications, without requiring modifications to any userspace applications or libraries; also included are security fixes/enhancements to issues with the kernel itself (whenever the mainstream kernel is being too conservative or too slow at fixing security issues).

NSA SELinux - adds support for mandatory access control policies into the Linux kernel, and provides patches to certain userspace utilities to make use of said Linux kernel additions, with more userspace patches available from third parties (the kernel patch is useless without userspace application and library patches); no security fixes/enhancements to issues with the kernel itself are being included (as far as I'm aware).

The two kernel patches can co-exist, and it may make sense to use both approaches on some systems, although there may be some issues with patch merging (you might have to apply some hunks manually). I have not tried that.

You might also want to consider RSBAC as a well-established generic alternative to SELinux. (Or rather, SELinux is an alternative to RSBAC, since RSBAC is an older project.) It can co-exist with the Openwall Linux kernel patch, too, and I know that some people and even Linux distributions (ALT Linux Castle, other minor ones) have been using these patches together.

04 Jun 2005 20:06 contusion

How does it compare with security linux

How does it compare with the NSA Security Linux patch? Does anyone have an idea?
