pepsi@directlink.net
2004-May-06 16:55 UTC
New install with Mandrake 10.0 - Use secure kernel?
Hello: I am going to be installing/configuring Shorewall 2.0.1 on a clean install of Mandrake 10.0 distribution (have been testing recently with Cooker versions of 10.0 and Shorewall). My question relates to which version of the kernel would you all recommend for a clean installation? Mandrake currently offers the standard 2.6 kernel (the official 10.0 release includes a kernel-2.6.3.7 RPM, the most recent update is the 2.6.3.9 version) and a secure kernel version. I was searching for some type of listing of the various benefits, configuration changes, kernel (compile) parameters, etc., that highlights the differences between the standard and secure kernel to help me make an intelligent decision as to which kernel I should install on the to-be firewall. Are there any recommendations/guidelines for making this decision, or opinions of those on this list who might have a suggestion? Any input greatly appreciated - thanks again in advance. Regards, Mark Colaluca
pepsi@directlink.net wrote:> > Any input greatly appreciated - thanks again in advance. >Regardless of which version you choose, be sure to check the Shorewall errata; you will need the firewall script found there to make module loading to work. -Tom -- Tom Eastep \ Nothing is foolproof to a sufficiently talented fool Shoreline, \ http://shorewall.net Washington USA \ teastep@shorewall.net
Mason Schmitt
2004-May-06 21:52 UTC
Re: New install with Mandrake 10.0 - Use secure kernel?
On May 6, 2004 09:55 am, pepsi@directlink.net wrote:> Hello: > > I am going to be installing/configuring Shorewall 2.0.1 on a clean install > of Mandrake 10.0 distribution (have been testing recently with Cooker > versions of 10.0 and Shorewall). My question relates to which version of > the kernel would you all recommend for a clean installation? >Depends what you are using your box for and how careful you want to be. I think that in general people trying to create highly secure, repeatable, stable boxes tend to let others brave the trail of new software releases and implement whatever is tried and true, in this case I''d say that the 2.4 series of kernels is *well* tested. On the other hand, if you like keeping up with the latest changes or you need a feature included in recent software then go for the newer software. Having said all of that, I''m using the 2.6 kernel on a recently built firewall and it''s been behaving itself with no issues at all - very stable.> I was searching for some type of > listing of the various benefits, configuration changes, kernel (compile) > parameters, etc., that highlights the differences between the standard and > secure kernel >If you install all the kernels you can see exactly what the differences are by looking in each of the config files in /boot/. Basically the "secure" 2.6 kernel just has the SELinux extensions available. I am not overly familiar with the SELinux extensions to the kernel, but it seems to me that to take advantage of SELinux means really getting into the guts of some pretty complex mandatory access control configuration - without a friendly interface to that underlying system (much like shorewall is to iptables) I don''t think that you are going to get much value from the Mandrake "secure" kernel. I''d really like to see them (Mandrake) move back to using grsecurity for their secure kernel (grsecurity has made changes to accommodate the 2.6 kernel!).> to help me make an intelligent decision as to which kernel I > should install on the to-be firewall. Are there any > recommendations/guidelines for making this decision, or opinions of those > on this list who might have a suggestion? >If Mandrake still uses grsecurity in the 2.4 kernel they offer, I''d stick with that (I''ve had great success with it in the past). -- Mason Schmitt