Free pax software for linux

PaX is a kernel patch implementing additional security feature - non-executable memory pages. Forward port from 2.4 with some extra features, but only i386 is known to work, other architectures may not even compile - feedback is welcome. Much like 2.6 itself, PaX for 2.6 is experimental and anything can break sometime.
NOTE: all versions for 2.6 before 2005.03.05 have a privilege elevation bug, you must update as soon as possible.
NOTE: all versions for 2.6 before 2004.05.01 have a local kernel denial of service bug, thanks to ChrisR for bringing it to our attention.

Adamantix project aims to become a highly secure but usable Linux distribution. A standard Linux distribution is not very secure, despite the fact that it may be more secure than other operating systems.
The underlying problem is that most of Linux as we know it today was designed for speed and features, but not for security. Adding security to a system which is not designed to be secure will not solve most of the current and future problems.
This means that the whole system needs to be redesigned from the ground up to make it really secure. And that is what the Adamantix project is going to accomplish.
Adamantix v1.0 (known as Trusted Debian v1.0 back then) was the first Linux distribution to integrate support for PaX and SSP (Stack Smashing Protector, aka. Propolice). PaX is a kernel patch which protects against a number of buffer overflows and other memory corruption attacks. SSP is a GCC patch which provides protection of the stack, which makes stack overflows harder to exploit.
Currently work is going on to integrate RSBAC support in Adamantix. RSBAC is a kernel patch which provides a flexible and extensible security framework. This framework is very powerful and can be used to implement almost any security feature. A number of modules which use this framework have been implemented on top of it, such as:
- An improved chroot (jail) module
- On-access virus scanning module
- Linux capabilities management module
- Linux resource management module
- User ID changing management module
- Role based access module
- Access Control Lists (ACLs) module
- And others.
All these modules can be combined to form a whole which is greater than the sum of the individual modules. In the future the number of modules is likely to grow, including modules for gr-security RBAC and SELinux, to provide backwards compatibility for legacy systems. RSBAC is a toolkit, in the same spirit as Linux is a toolkit.
It takes quite some time to learn and understand RSBAC, just like learning Linux takes quite some time. But this time is well invested and will give similar rewards as learning Linux.

Devil-Linux is a distribution which boots and runs completely from CDROM. The configuration can be saved to a floppy diskette or a USB pen drive.
Devil Linux was originally intended to be a dedicated firewall/router but now Devil-Linux can also be used as a server for many applications. Attaching an optional hard drive is easy, and many network services are included in the distribution.
The system is designed to install without the use of a hard drive. It requires the use of a CDROM and a write-protected floppy.
The CDROM provides the operating system, and the floppy provides the configuration information, via a tarball that is unpacked into the /etc directory. In this way, the system is fully configurable, yet the running system has no writeable device.
Main features:
- Boots from CD
- Traditionally Devil Linux boots from a CD-ROM which is read-only by nature. This means an intruder will not be able to install i.e. an "ordinary" root kit.
- Boots from USB pendrive
- As all movable parts in your computer, the CD-ROM is prone to failure. This is the reason why we provide a script to install the entire system on an USB pendrive. Note: You need a computer which is able to boot from USB harddisks, in order to use this feature.
- Configuration is saved on a floppy disc or on a USB Flash Media
- Due to the read-only nature of CD-ROMs, you need a place to save your configuration files. This can either traditionally be on a floppy disc or on a USB flash media (like a pendrive), to increase the reliability.
- Configuration can be burned on CD
- There are cases when you have to ensure that the configuration cant be modified. This is the reason why we provide the feature for loading the configuration archive from the (read-only) CD-ROM.
- No need for a harddisk although it can optionally be used for data storage
- Most distributions need a harddisk for data storage, with DL this is completely optional. Reasons for adding harddisk data storage would be, i.e. when you use DL as your mail server or for file sharing. DL uses dynamic disc configuration via the Logical Volume Manager, which makes adding and maintaining the harddisk storage easy (regardless if you have only 1 GB or 1 TB of data).
- Support for Intel 486 and higher
- Got some old boxes in your bone yard? For most internet connection an old computer is enough to play the role of your Firewall, this is the reason why we still support 486 CPUs. But were not stuck with old technologies, we also provide you a version vor 686 CPUs with SMP support.
- IPTables/Netfilter Support
- State of-the-art firewall functionality is provided by IPTables/Netfilter, which includes features like connection tracking. Devil-Linux adds many more Netfilter modules then you find in your standard Linux Kernel.
- Create your own, customized version with our Build System
- Since everybody has different requirements, Devil-Linux provides you with an easy-to-use build system, which enables you to create your own customized version. You can i.e. only add the packages you need on your machine or even add features which are currently missing in the mainstream version.
- Directly supported by Firewall Builder
- Dont like writing your Firewall rules by hand? Get Firewall Builder and use a great GUI tool to create your ruleset. Firewall Builder supports writing the rules directly onto your configuration floppy.
- No graphical desktop
- Devil-Linux has not support for i.e. X-Server. This greatly reduces the requirements to run DL and also greatly increases security by reducing the number of running programs. (Try this on Windows...)
- Almost all binaries are compiled with the GCC Stack Smashing Protector
- Except of a very few exceptions, all binaries are compiled with the GCC Stack Smashing Protector. Applications written in C will be protected by the method that automatically inserts protection code into an application at compilation time. The protection is realized by buffer overflow detection and the variable reordering feature to avoid the corruption of pointers.
- Improved Kernel Security through GRSecurity
- GRSecurity adds several new features and protection mechanisms to the Linux Kernel itself. This includes Chroot restrictions (did you know that it is easy to break out of a non-protected chroot jail?), Address space modification protection (like PAX), Auditing features, Randomization features and much more.
- Easy to use chroot
- Devil-Linux has support for chroot jails which is easy to use. Just define what you need in a configuration file and our jail script will take care of the rest. Some pre-defined configurations are already available.

Swbis provides a POSIX packaging implementation with useful extensions.
Swbis aims to implement the POSIX packaging standard with useful extensions. Working utilities include swpackage(8), swverify(8), swcopy(8), and swinstall(8).
GPG/PGP signing and verification of tar archives is supported as well as an installed software catalog form that allows direct use of gpg(1) for verification of the GPG signature in the package database. s
wcopy and swinstall are network transparent by direct use of SSH and support multiple SSH hops for easy access to hosts behind a firewall. Neither has to be installed on the remote target host.
Enhancements:
- swcopy - Distribution copying utility.
- Supports multiple ssh-hops to remote target or source.
- Uses ssh, sh, dd, and choice of pax, tar, star, or gtar.
- Does not have to be installed on the target host.
- target or source host may be any POSIX.2 conforming host.
- Supports remote-source to remote-target copies.
- swpackage - Packages files according to a PSF file.
- Complete implementation of Extended Definitions.
- Stand-alone operation, no use of temporary files.
- Output format is bit-for-bit identical to GNU tar.
- Supports creation of GPG embedded signature, and sha1, md5sum digests of the package payload section.
- swverify - Authenticates a signed package.
- Authenticates packages signed by swpackage.
- Verifies installed software (partially implemented).
- Authenticates the GPG signature in the installed software.
- swinstall - Install a posix package. (alpha as of 2004-02-15)
- swinstall does not have to be installed on the target host.
- The target or source host may be any POSIX.2 conforming host.
- creates an installed software catalog where the GPG signature can be verified using gpg
- Uses ssh for remote connections.
- Supports multiple ssh-hops to remote target or source.
- Uses tar (or pax) to install the files.
- Supports full error monitoring during control script execution and records exit status and installation states.
Enhancements:
- This release adds features to swpackage for using gpg-agent when signing packages.
- Also features were added to enable use of swign in an Automake rule.
- Enhancements to swverify were made to allow verification of a signed directory exported from a SCM repository such as CVS.
- The distribution package is now a self-hosting example of using the swign utility along with automake to create tar archive distributions with an embedded GPG signature.
- An unsafe use of gpgs exit status by swverify was fixed.