• The Linux kernel may not be quite as secure as it should be

    From TechnologyDaily@1337:1/100 to All on Fri Jun 25 15:00:03 2021
    The Linux kernel may not be quite as secure as it should be

    Date:
    Fri, 25 Jun 2021 13:48:01 +0000

    Description:
    Study commissioned by Linux Foundation looks to boost efforts to enhance security of the Linux kernel.

    FULL STORY ======================================================================

    A policy and process overview of the Linux kernel has identified some potential pain points in the handling and signing process of the security
    keys for the Linux kernel.

    The review of the kernel team's processes for signing releases, and of the policies and procedures for handling the signing keys, was sought by
    the Linux Foundation and conducted by cybersecurity experts at the Open
    Source Technology Improvement Fund (OSTIF) and Trail of Bits.

    This review resulted in seven recommendations that can help improve the robustness of the security and use of the signing keys for the Linux kernel, notes OSTIF in its report.

    In addition to the recommendations, the report notes that Trail of Bits suggested that kernel developers should flesh out and update the
    documentation on the procedures and policies in order to help organizations wrap their heads around the current practices.

    Key issues

    In addition to highlighting the shortcomings, the report included a series of recommended mitigations.

    Notably, the Linux Foundation kernel team members more or less agreed to
    most of the suggestions, except for one that goes against the principles of the wider open source community.

    The report pointed out that, for individuals with commit rights on key Linux kernel repositories, the kernel doesn't enforce the use of a separate smart card device to store the private key material used for GPG or SSH.

    Furthermore, the Linux Foundation's recommended smart card, the Nitrokey, doesn't support touch activation, which the report argues is much better than the Nitrokey's passphrase-only protection.

    The report notes that the Linux Foundation kernel team members responded to these suggestions by expressing their inability to switch to a YubiKey with touch activation, since it is not open source and can't be trusted for
    securing critical infrastructure.

    However, the developers said they might update their policies to recommend that the current Nitrokeys be physically removed from the administrator's computer when not in use.



    ======================================================================
    Link to news story: https://www.techradar.com/news/the-linux-kernel-may-not-be-quite-as-secure-as-it-should-be/


    --- Mystic BBS v1.12 A47 (Linux/64)
    * Origin: tqwNet Technology News (1337:1/100)