| 1 |
Ed Wildgoose wrote: |
| 2 |
|
| 3 |
> |
| 4 |
>> It's come to my attention this afternoon that theres some portage |
| 5 |
>> breakage with the stacked profiles. I plan on building the 2004.1 |
| 6 |
>> stages as soon as this is fixed up. |
| 7 |
>> |
| 8 |
>> |
| 9 |
>> |
| 10 |
> |
| 11 |
> Thanks. Can you explain what this means for me? I presume it means |
| 12 |
> that there will be a new portage build out that handles the |
| 13 |
> situation? If it's currently masked can you please let me know what I |
| 14 |
> should be grabbing please (easier than currently having to manually |
| 15 |
> tweak this stuff perhaps) |
| 16 |
> |
| 17 |
> |
| 18 |
>>> It's really not clear what needs to be done to get a "hardened" |
| 19 |
>>> system right now? For example, do we need any other flags adding to |
| 20 |
>>> make.conf...? |
| 21 |
>>> |
| 22 |
>> |
| 23 |
>> |
| 24 |
>> Actually things are in a bit of flux. Hardened-gcc is deprecated, and |
| 25 |
>> the replacement (gcc-3.3.3-r[23] with USE=hardened) is still in |
| 26 |
>> testing. The term 'hardened' sometimes gets thrown around a little too |
| 27 |
>> much. The hardened stages are more precisely pie-ssp stages. You can |
| 28 |
>> have SELinux with pie-ssp; it just takes a little work. This is a |
| 29 |
>> common request, so I'll probably be making selinux-pie-ssp stages |
| 30 |
>> eventually to make this easier. |
| 31 |
>> |
| 32 |
>> |
| 33 |
> |
| 34 |
> OK, thanks this is helpful. I'm using gcc-3.3.2-r5, ie the latest |
| 35 |
> portage stable. I understood that this was more than enough to |
| 36 |
> support the hardened stuff? I don't see any -fPIE flags being added |
| 37 |
> for me, and although I see -fstack-protector being added, this is |
| 38 |
> presumably because I added it into my CFLAGS. |
| 39 |
> |
| 40 |
> Can you advise what the best thing is to do right now in order to at |
| 41 |
> least partially harden the machine. Recompiling bits of stuff later |
| 42 |
> is an option, but I can't really afford a full rebuild. In any case |
| 43 |
> my alternative is a normal gentoo build, so I will take whatever |
| 44 |
> hardening is easy to do right now (on the grounds it is better than |
| 45 |
> nothing). The main entry route to the machine will likely remain the |
| 46 |
> php apps running on the web-server, so this is actually where the bulk |
| 47 |
> of my effort needs to go anyway - hardening is just some icing |
| 48 |
> really. On the other hand I am not sure yet how selinux is going to |
| 49 |
> help with securing Apache, still need to try and understand more about |
| 50 |
> this - has anyone written a howto on chrooting apache2 on gentoo, this |
| 51 |
> might well be the prefered way to secure it in my case...? |
| 52 |
> |
| 53 |
> Thanks |
| 54 |
> |
| 55 |
> Ed W |
| 56 |
> |
| 57 |
> |
| 58 |
> -- |
| 59 |
> gentoo-hardened@g.o mailing list |
| 60 |
> |
| 61 |
> |
| 62 |
sorry for this, new guy in this gentoo business, I just wanted to ask a |
| 63 |
few questions,I joined the mailing list because it said it was about the |
| 64 |
hardened sources, and that's what I installed, but I wanted to know what |
| 65 |
the diference is exactly ( you guys are talking on another level!!) |
| 66 |
|
| 67 |
if this is not the place to ask this ( as it obviouly isn't a simple q & |
| 68 |
a mailing list), then just tell me to take a hike , although i'd still |
| 69 |
like to receive the emails, as a information only.. |
| 70 |
|
| 71 |
thanks |
| 72 |
|
| 73 |
Charles Romestant |
| 74 |
|
| 75 |
-- |
| 76 |
gentoo-hardened@g.o mailing list |
Archives