[ubuntu-hardened] LTS Enablement Stacks; newer kernel (with new security features) and system security.

John Johansen john.johansen at canonical.com
Wed Feb 22 23:54:08 UTC 2017


On 02/22/2017 01:23 PM, daniel curtis wrote:
> 
> Hi
> 
> My question is rather theoretical. I would like to ask about something like the Ubuntu LTS Enablement Stacks, which "(...) provide newer kernel and X support for existing Ubuntu LTS releases" etc. If, for example, I would like to take advantage of this mechanism, what are the benefits from a security point of view?
> 
> I'm seeing it this way: newer kernel - more new security mechanisms, but on the other side, newer kernel - potentially more holes and so on. (It was discussed, for example, in this thread: 1., 2.) Mr Tyler Hicks noticed that: "It would be wrong to think that a software project only becomes more secure over time (...)"
> 
Newer kernels will have both new features and bug fixes. New features may introduce bugs but may also introduce new security features (eg better kaslr), while the bug fixes may address issues that have not yet been identified as security issues. So from a security pov it's a bit of a mixed bag, and it's hard to say anything definitive from a generic pov. The question could be better answered when comparing specific versions, as you could better sum up the features and bug fixes to get a better idea of where the balance lies.

Nor would I say software only gets more secure over time; I have definitely seen the reverse happen. As for the kernel, the more severe security issues are backported, so older kernels with updates do tend to get more secure, but they also can miss out on new features that have security impact: kaslr, copy to/from user restrictions, ...
Which is best from a security pov is really not a question that can be answered generically.

> Of course it's not the only conclusion, but it's definitely right. Anyway, as I mentioned, my question is rather theoretical. But I would like to ask if it makes any sense to install a newer Linux kernel via the Ubuntu LTS Enablement Stacks in a situation where the user doesn't need a newer version of the kernel and X for better device support etc.
> 
> I mean security considerations. What are your opinions? Is it worth making such an operation? I recall: everything works for the current kernel, but the newer one brings the newest security features etc. But maybe I'm totally wrong and I don't understand the whole LTS Enablement Stacks mechanism?
> 
It can be; again, you might get new security features (again better kaslr, copy protections, ...), and you will get fixes for bugs that haven't been identified as security issues yet. However there are also risks of regressions, and that development has introduced new security bugs.

Again, I don't think this is something that can be addressed generically, you need to evaluate risk/reward at an individual kernel/feature level.
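The reply above leaves the reader with a per-kernel, per-feature comparison to do. The script below is an added example, not code from the original thread or from Canonical: it reads two kernel config files and reports which of a small list of hardening options (kaslr via CONFIG_RANDOMIZE_BASE and CONFIG_RANDOMIZE_MEMORY, copy to/from user restrictions via CONFIG_HARDENED_USERCOPY, and CONFIG_SLAB_FREELIST_RANDOM) the newer kernel enables that the older one does not. The option list is an assumed starting point, and the two config files it writes are constructed samples in the style of a 4.4 GA kernel and a 4.8 HWE kernel, not real Ubuntu files. On a real system you would point it at /boot/config-$(uname -r) for the running kernel and at the /boot/config-<version> installed by the HWE meta-package (for example linux-generic-hwe-16.04 on 16.04).

```shell
#!/bin/sh
# Added example (not part of the original thread): compare two kernel
# config files for a handful of hardening options so the "risk/reward at
# an individual kernel/feature level" comparison can be done concretely.
# Real inputs: /boot/config-$(uname -r) and /boot/config-<hwe-version>.

# Assumed option list; extend as needed.
#   CONFIG_RANDOMIZE_BASE        kaslr for the kernel image
#   CONFIG_RANDOMIZE_MEMORY      kaslr for the direct/vmalloc mappings (4.8+)
#   CONFIG_HARDENED_USERCOPY     copy to/from user restrictions (4.8+)
#   CONFIG_SLAB_FREELIST_RANDOM  randomised slab freelist order (4.7+)
HARDENING_OPTS="CONFIG_RANDOMIZE_BASE CONFIG_RANDOMIZE_MEMORY CONFIG_HARDENED_USERCOPY CONFIG_SLAB_FREELIST_RANDOM"

# kconfig_state FILE OPTION -> y | m | n | absent
# "absent" usually means the option did not exist in that kernel version,
# which is the "missed out on new features" case from the reply.
kconfig_state() {
    if grep -q "^$2=y\$" "$1"; then echo y
    elif grep -q "^$2=m\$" "$1"; then echo m
    elif grep -q "^# $2 is not set\$" "$1"; then echo n
    else echo absent
    fi
}

# gained_opts OLD NEW -> names of options built in (=y) in NEW but not in OLD
gained_opts() {
    for opt in $HARDENING_OPTS; do
        if [ "$(kconfig_state "$2" "$opt")" = y ] && \
           [ "$(kconfig_state "$1" "$opt")" != y ]; then
            echo "$opt"
        fi
    done
}

# count_gained OLD NEW -> number of such options
count_gained() {
    gained_opts "$1" "$2" | wc -l | tr -d ' '
}

# report OLD NEW -> one line per option showing both states
report() {
    for opt in $HARDENING_OPTS; do
        printf '%-28s old=%-7s new=%s\n' "$opt" \
            "$(kconfig_state "$1" "$opt")" "$(kconfig_state "$2" "$opt")"
    done
}

# Constructed sample configs (not real Ubuntu files): a 4.4-style GA config
# that already has kaslr but predates the other options, and a 4.8-style
# HWE config that has them, with the slab randomisation explicitly off.
WORK=$(mktemp -d)
OLD_CONFIG="$WORK/config-4.4-ga"
NEW_CONFIG="$WORK/config-4.8-hwe"
cat > "$OLD_CONFIG" <<'EOF'
CONFIG_SMP=y
CONFIG_RANDOMIZE_BASE=y
EOF
cat > "$NEW_CONFIG" <<'EOF'
CONFIG_SMP=y
CONFIG_RANDOMIZE_BASE=y
CONFIG_RANDOMIZE_MEMORY=y
CONFIG_HARDENED_USERCOPY=y
# CONFIG_SLAB_FREELIST_RANDOM is not set
EOF

report "$OLD_CONFIG" "$NEW_CONFIG"
echo "hardening options gained by the newer kernel: $(count_gained "$OLD_CONFIG" "$NEW_CONFIG")"
```

The "absent" state is the interesting one: an option that is not mentioned at all in the older config usually means the feature had not been written yet, so no amount of backported fixes will supply it. This only covers the feature side of the trade-off; the regression and new-bug risk the reply mentions still has to be weighed separately, for instance against the changelog of the specific HWE kernel.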
