Grsecurity best practices

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

Grsecurity best practices

Postby bancfc » Tue Apr 26, 2016 12:11 pm

For security reasons does it matter if a default non-hardened distro kernel is left installed on the system? Should it be removed?

Does using ccache interfere with RANDSTRUCT output for subsequent builds - causing it to be the same?
bancfc
 
Posts: 9
Joined: Fri Apr 15, 2016 3:55 pm

Re: Grsecurity best practices

Postby N8Fear » Wed Apr 27, 2016 1:22 am

You have to decide what you need for security. Personally I don't keep a non-grsec kernel around and even don't have an older kernel than one or two releases back (a "known good" one in case there is some kind of regression).
This is mainly done because otherwise an attacker with physical access could downgrade to a vulnerable (or a non-grsec) kernel.
Generally speaking you should ask yourself what kind of threats you want/need to defend against and create your own formal or informal security policy based on that information.
N8Fear
 
Posts: 37
Joined: Thu Jan 17, 2013 5:01 am


Return to grsecurity support