Notes:
NSA SELinux
- based on NSA research into operating system security architectures and the security features they need
- a collection of kernel and utility patches that add mandatory access control, traceability (auditing), Type Enforcement®, Role-Based Access Control and Multi-Level Security to Linux
- it is a research prototype, not an evaluated/trusted operating system
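What Type Enforcement and Role-Based Access Control rules look like in SELinux policy language, as an added illustration (the type, role and user names are assumed for the example and are not taken from the NSA prototype's own policy):

```te
# Illustrative TE/RBAC fragment; all names below are assumptions for the example.
type initrc_t;                # domain of the init scripts that start daemons
type httpd_t;                 # domain the web server process runs in
type httpd_exec_t;            # type of the web server binary
type httpd_sys_content_t;     # type of the files the server is allowed to serve

# Type Enforcement: the server domain may read content; nothing here grants
# write or execute on it, so a compromised server cannot modify what it serves.
allow httpd_t httpd_sys_content_t:dir  { search getattr read open };
allow httpd_t httpd_sys_content_t:file { read getattr open };

# Domain transition: when initrc_t executes a file of type httpd_exec_t the new
# process automatically ends up in httpd_t, with the rules needed for that.
allow initrc_t httpd_exec_t:file { read getattr execute open };
allow initrc_t httpd_t:process transition;
allow httpd_t httpd_exec_t:file entrypoint;
type_transition initrc_t httpd_exec_t:process httpd_t;

# RBAC: only the webadm role may enter the httpd_t domain, and only the
# webadm_u user may take on that role.
role webadm_r types httpd_t;
user webadm_u roles { webadm_r };
```

Everything not explicitly allowed is denied, which is the point of mandatory access control: even if the server runs as root, its permissions are bounded by the httpd_t domain rather than by the UID.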
LIDS (Linux Intrusion Detection System) is a kernel patch plus an administration tool (lidsadm) that hardens the Linux kernel; it provides:
- an implementation of a reference monitor in the kernel
- mandatory access control in the kernel
- protection of files and processes: root cannot override LIDS restrictions, and processes and files can be hidden
- security alerts raised from the kernel
- a port scan detector in the kernel
- LIDS looks like the open source community's counterpart to the functionality of NSA SELinux, although it is a hardening/intrusion-detection patch rather than a policy-driven MAC architecture
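The kind of logic a port scan detector applies, as an added example written for these notes (it is not LIDS's code, and the syslog-like line format and the sample traffic are constructed for the example): one source probing many distinct destination ports inside a short sliding window is flagged; a host that hammers one or two service ports is not, and a slow scanner that spaces probes out past the window is missed, which is the usual trade-off of this detector.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Syslog-like line with an ISO timestamp. The format is an assumption for this
# example, not the real LIDS alert format.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) kernel: SYN src=(?P<src>\d+\.\d+\.\d+\.\d+):\d+ "
    r"dst=(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)$"
)

COMMON_PORTS = [21, 22, 23, 25, 53, 80, 110, 111, 135, 139, 143, 443]


def _syn(sec, src, dport):
    """Build one constructed SYN log line at 12:00:<sec>."""
    return f"2024-05-01T12:00:{sec:02d} kernel: SYN src={src}:40000 dst=192.168.1.10:{dport}"


# Constructed sample log (not captured traffic).
SAMPLE_LOG = (
    # fast scanner: four new ports per second, twelve ports in three seconds
    [_syn(i // 4, "10.0.0.5", p) for i, p in enumerate(COMMON_PORTS)]
    # legitimate client: repeated connections to just two service ports
    + [_syn(s, "10.0.0.7", 80 if s % 2 else 443) for s in range(12)]
    # slow scanner: one new port every two seconds, never 10 ports in 5 s
    + [_syn(10 + 2 * i, "10.0.0.8", p) for i, p in enumerate(COMMON_PORTS)]
    # a line the parser must ignore
    + ["2024-05-01T12:00:05 kernel: ACCEPT src=10.0.0.7 dst=192.168.1.10"]
)


def parse_line(line):
    """Return (timestamp, source IP, destination port) or None for non-SYN lines."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return datetime.fromisoformat(m["ts"]), m["src"], int(m["dport"])


def detect_port_scans(lines, distinct_ports=10, window_seconds=5.0):
    """Flag a source the first time it has probed `distinct_ports` different
    destination ports within a sliding window of `window_seconds`.
    Lines are assumed to be in time order for each source."""
    recent = defaultdict(deque)   # src -> deque of (ts, dport) inside the window
    alerted = set()
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, dport = parsed
        q = recent[src]
        q.append((ts, dport))
        # drop probes that fell out of the window (q is non-empty: we just appended)
        while (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        ports = {p for _, p in q}
        if len(ports) >= distinct_ports and src not in alerted:
            alerted.add(src)
            alerts.append({"src": src,
                           "first_seen": q[0][0].isoformat(),
                           "distinct_ports": len(ports)})
    return alerts


if __name__ == "__main__":
    for a in detect_port_scans(SAMPLE_LOG):
        print(f"port scan from {a['src']} starting {a['first_seen']}: "
              f"{a['distinct_ports']} distinct ports")
```

Lowering the threshold (for example to 3 distinct ports) catches the slow scanner as well, at the price of alerting on hosts that legitimately talk to a handful of services; an in-kernel detector faces exactly the same tuning choice.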
grsecurity is a combined set of security-enhancement patches for the Linux kernel:
- Openwall-style buffer overflow protection: a non-executable stack, so the system refuses to run code placed on the stack
- memory page protection: readable/writable does not imply executable, so pages holding data cannot be executed as code
- address space layout randomization: program mappings land at different addresses on each execution
- /proc, memory and resource limitations (e.g. fork bomb protection)
- fine-grained access control for users, processes, sockets, network connections, consoles etc.
- kernel logging extensions (additional audit logging)
- give examples from web page
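A userland check for the three memory protections listed above (non-executable stack, no page both writable and executable, randomized layout), as an added example written for these notes rather than code from grsecurity; the /proc/<pid>/maps snapshots it parses are constructed for the example, not captured from a real system. WEAK_MAPS models the unprotected case (a non-PIE binary at a fixed base, an anonymous rwx region, an executable stack); HARDENED_RUN1 and HARDENED_RUN2 model two launches of the same program with the protections on.

```python
import re

# One /proc/<pid>/maps line: start-end perms offset dev inode [pathname]
MAPS_RE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+([rwxsp-]{4})\s+[0-9a-f]+\s+\S+\s+\d+\s*(.*)$"
)

# Constructed snapshots (assumed values, not from a real process).
WEAK_MAPS = """\
00400000-00452000 r-xp 00000000 08:01 1234 /usr/bin/demo
00651000-00652000 rw-p 00051000 08:01 1234 /usr/bin/demo
00e03000-00e24000 rw-p 00000000 00:00 0 [heap]
7f1d2c000000-7f1d2c021000 rwxp 00000000 00:00 0
7ffd5a3e0000-7ffd5a401000 rwxp 00000000 00:00 0 [stack]
"""
HARDENED_RUN1 = """\
55d4f2a00000-55d4f2a52000 r-xp 00000000 08:01 1234 /usr/bin/demo
55d4f2c51000-55d4f2c52000 rw-p 00051000 08:01 1234 /usr/bin/demo
55d4f3b1a000-55d4f3b3b000 rw-p 00000000 00:00 0 [heap]
7f9a11c00000-7f9a11c21000 rw-p 00000000 00:00 0
7ffe3c1f0000-7ffe3c211000 rw-p 00000000 00:00 0 [stack]
"""
HARDENED_RUN2 = """\
5639a7e00000-5639a7e52000 r-xp 00000000 08:01 1234 /usr/bin/demo
5639a8051000-5639a8052000 rw-p 00051000 08:01 1234 /usr/bin/demo
5639a9c2f000-5639a9c50000 rw-p 00000000 00:00 0 [heap]
7f02d8400000-7f02d8421000 rw-p 00000000 00:00 0
7ffc8d5a0000-7ffc8d5c1000 rw-p 00000000 00:00 0 [stack]
"""


def parse_maps(text):
    """Yield one dict per mapping: start/end as ints, perms, path ('' if anonymous)."""
    for line in text.splitlines():
        m = MAPS_RE.match(line)
        if m is None:
            continue
        yield {"start": int(m[1], 16), "end": int(m[2], 16),
               "perms": m[3], "path": m[4].strip()}


def audit_maps(text):
    """Return (kind, mapping) findings: an executable stack, or any region that
    is writable and executable at the same time (the 'readable != executable' rule)."""
    findings = []
    for region in parse_maps(text):
        writable = "w" in region["perms"]
        executable = "x" in region["perms"]
        if region["path"] == "[stack]" and executable:
            findings.append(("executable-stack", region))
        elif writable and executable:
            findings.append(("writable-and-executable", region))
    return findings


def randomized_regions(maps_run1, maps_run2):
    """Compare two launches of the same program: True for a named region whose
    base address differs between runs (layout randomized), False if it is fixed."""
    base = {}
    for r in parse_maps(maps_run1):
        if r["path"]:
            base.setdefault(r["path"], r["start"])
    result = {}
    for r in parse_maps(maps_run2):
        if r["path"] in base and r["path"] not in result:
            result[r["path"]] = base[r["path"]] != r["start"]
    return result


if __name__ == "__main__":
    for kind, r in audit_maps(WEAK_MAPS):
        print(f"{kind}: {r['start']:x}-{r['end']:x} {r['perms']} {r['path']}")
    print("ASLR (hardened):", randomized_regions(HARDENED_RUN1, HARDENED_RUN2))
    print("ASLR (weak):    ", randomized_regions(WEAK_MAPS, WEAK_MAPS))
```

To audit a live process, feed it the contents of /proc/<pid>/maps from two runs of the same binary. The check only observes what the kernel granted; grsecurity/PaX enforces these properties inside the kernel, so a finding here means the protection is absent or has been relaxed for that process, not that it can be fixed from userland.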