Several independent kernel patches exist to increase the security of your kernel.

A number of kernel patches and programs are developed independently of the standard Linux kernel to improve upon its level of security. Many of these programs require advanced knowledge of compiling programs and patching source code, but with a bit of effort and practice on a test system, they can potentially greatly enhance your level of protection.

Work is being done to add these features into the default Linux kernel. Currently, however, they must be incorporated manually. Implementing these changes assumes you realize that there is no panacea for computer security; it can only be done in layers. Cryptography export regulations also affect the distribution of some of these modifications.

The Openwall Project

Solar Designer of the Openwall Project has created a kernel patch that provides additional protection against a number of common security vulnerabilities. While not a panacea, of course, it helps to prevent buffer overflows, adds access control for the /proc directory, limits the number of processes a user can have, and makes other improvements. While it may be incompatible with some programs, it is generally a great addition, and the most popular kernel security patch.

Linux Intrusion Detection System

Huagang Xie and others have developed LIDS to add quite a number of security improvements to the kernel. It provides protection from root exploits by disabling some functions that can be used to gain unauthorized root access, with features such as disabling the loading of modules, locking routing tables, protecting daemons from signals, read-only and append-only flags to protect programs or log files from a root intruder, an implementation of 'capabilities', and much more. The LIDS HOWTO provides an excellent description and help with installation. An article was also submitted to LinuxSecurity.com that describes its usage.

The International Kernel Patch

The International Kernel Patch provides several cryptographic additions to the standard kernel, including RC6, MARS, and Serpent, candidates for becoming Advanced Encryption Standard algorithms to replace DES. Support for ENskip, the replacement for Sun's key-management IP crypto effort, is also included. The kernel patch is available for the 2.2 kernels. Information on applying the patch is available in Brian Caswell's Linux Secure Operations Guide.

Rule Set Based Access Control

RSBAC provides the capability to create access control lists and mandatory access control. RSBAC offers the ability to create a "Security Officer" which has specific privileges otherwise only available to the root user. It contains kernel patches which add enforcement to any system call that either has a security context or may affect security, along with administration tools to manage the new security modules and the properties of files, devices, and users. The RSBAC homepage contains a full description of its capabilities, a mailing list, and source code. Paul Robertson discussed its usage and interviewed the author in a recent LinuxSecurity.com article.

Linux Trustees Project

The Linux Trustees Project creates an advanced permission management system for Linux. This patch and accompanying programs add access control lists to the Linux kernel, enabling a finer-grained level of control over file access. Whereas previously it was not possible to give one group read and write access to a file while giving another group read access only, the system administrator now has the capability to do so.