
Add grsecurity integration

Open · bobsaintcool opened this issue 2 years ago · 1 comment

Hello,

What I'd like:

Have an AMI of Bottlerocket including a grsecurity-patched kernel. As a security guy, I'd love to have grsecurity running below Bottlerocket OS. From what I've understood, it could be achieved by building Bottlerocket OS from source and using such a custom AMI in our AWS VMs.

However, from what I've understood, teams may run ASGs which may require official AWS AMIs to be used in order to benefit from all the features. In such a case the above solution will not work. Thus, I believe it could be nice to have some service on top so that, if we have both a tenant on AWS and a grsec subscription, we could benefit from official Bottlerocket + grsec by AWS.

Is this somehow feasible? How do you imagine making this happen?

Any alternatives you've considered:

I don't, but I'm open to suggestions.

bobsaintcool · May 02 '22 15:05

Hi @bobsaintcool, we will look into supporting this down the road.

ecpullen · May 02 '22 16:05

There are a few key inputs for the Bottlerocket kernel today:

  • upstream LTS kernels (5.10 and 5.15 currently, 6.1 soon)
  • Amazon Linux versions of those LTS kernels
  • Bottlerocket-specific changes

The main benefits of Amazon Linux as an upstream are AWS-backed support for workloads running in EC2, performance testing, and security fixes. Bottlerocket-specific changes are intentionally limited in scope to minor patches and config changes. Where the kernel config changes more dramatically, as it has for the metal-* variants, it complicates the support story quite a bit.

For that reason, it's unlikely that the grsec patches would be added to Bottlerocket kernels - the resulting kernel would just be too hard to align with current support expectations. A more likely path is through the Kernel Self Protection Project, which is dedicated to upstreaming some of the functionality, that then becomes available in future LTS kernels.

One of the larger efforts underway this year is to enable out-of-tree Bottlerocket variants (#2669), which should make it easier to combine the core of Bottlerocket with a custom kernel or kernel config, by reducing the maintenance burden to just the part that differs from the core project. I'd recommend following that issue for updates.

bcressey · Feb 14 '23 00:02

Good enough for me, thanks!

bobsaintcool · Feb 14 '23 00:02