>It's come to my attention this afternoon that there's some portage
>breakage with the stacked profiles. I plan on building the 2004.1
>stages as soon as this is fixed up.
>

Thanks. Can you explain what this means for me? I presume it means
that there will be a new portage build out that handles the situation?
If it's currently masked can you please let me know what I should be
grabbing (easier than currently having to manually tweak this
stuff perhaps)


>>It's really not clear what needs to be done to get a "hardened" system
>>right now? For example, do we need any other flags adding to
>>make.conf...?
>>
>
>Actually things are in a bit of flux. Hardened-gcc is deprecated, and
>the replacement (gcc-3.3.3-r[23] with USE=hardened) is still in
>testing. The term 'hardened' sometimes gets thrown around a little too
>much. The hardened stages are more precisely pie-ssp stages. You can
>have SELinux with pie-ssp; it just takes a little work. This is a
>common request, so I'll probably be making selinux-pie-ssp stages
>eventually to make this easier.
>

OK, thanks this is helpful. I'm using gcc-3.3.2-r5, i.e. the latest
portage stable. I understood that this was more than enough to support
the hardened stuff? I don't see any -fPIE flags being added for me, and
although I see -fstack-protector being added, this is presumably because
I added it into my CFLAGS.

Can you advise what the best thing is to do right now in order to at
least partially harden the machine. Recompiling bits of stuff later is
an option, but I can't really afford a full rebuild. In any case my
alternative is a normal gentoo build, so I will take whatever hardening
is easy to do right now (on the grounds it is better than nothing). The
main entry route to the machine will likely remain the php apps running
on the web-server, so this is actually where the bulk of my effort needs
to go anyway - hardening is just some icing really. On the other hand I
am not sure yet how selinux is going to help with securing Apache, still
need to try and understand more about this - has anyone written a howto
on chrooting apache2 on gentoo, this might well be the preferred way to
secure it in my case...?

Thanks

Ed W


--
gentoo-hardened@g.o mailing list
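The question above of whether -fPIE and -fstack-protector actually took effect can be answered from the built binaries rather than from the compiler flags. The following is an added example, not code from this thread or from Gentoo: a Python script (assumed name check_pie_ssp.py) that reads the ELF header directly, treats an ET_DYN image with a PT_INTERP program header as a PIE executable, and treats a reference to __stack_chk_fail as evidence the stack protector was compiled in. The make_sample_elf helper builds a constructed, minimal ELF64 image so the checks can be exercised offline.

```python
import struct
import sys

ET_DYN, PT_INTERP = 3, 3

def analyze_elf(data):
    """Classify an ELF image held in memory: returns {'pie': bool, 'ssp': bool}."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    endian = "<" if data[5] == 1 else ">"          # EI_DATA: 1 = little-endian
    e_type = struct.unpack_from(endian + "H", data, 16)[0]
    if data[4] == 2:  # EI_CLASS 2 = ELF64: e_phoff at 32, e_phentsize/e_phnum at 54
        e_phoff = struct.unpack_from(endian + "Q", data, 32)[0]
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 54)
    else:             # ELF32: e_phoff at 28, e_phentsize/e_phnum at 42
        e_phoff = struct.unpack_from(endian + "I", data, 28)[0]
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 42)
    # p_type is the first 32-bit word of every program header in both ELF classes
    has_interp = any(
        struct.unpack_from(endian + "I", data, e_phoff + i * e_phentsize)[0] == PT_INTERP
        for i in range(e_phnum))
    return {
        # ET_DYN plus an interpreter is a PIE executable; ET_DYN without one is a
        # shared library (static-pie binaries are not handled by this simple check).
        "pie": e_type == ET_DYN and has_interp,
        # -fstack-protector makes instrumented functions call __stack_chk_fail, so the
        # name shows up in the dynamic string table of any protected binary.
        "ssp": b"__stack_chk_fail" in data,
    }

def analyze_file(path):
    with open(path, "rb") as f:
        return analyze_elf(f.read())

def make_sample_elf(e_type, with_interp, with_ssp):
    """Constructed minimal ELF64 little-endian image for offline testing (not a real binary)."""
    # One program header: PT_INTERP when simulating a PIE executable, PT_LOAD otherwise.
    phdr = struct.pack("<IIQQQQQQ", PT_INTERP if with_interp else 1, 4, 0, 0, 0, 0, 0, 0)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    # e_machine=62 (x86-64), e_phoff=64 (right after the header), e_phentsize=56, e_phnum=1
    hdr = ident + struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    return hdr + phdr + (b"__stack_chk_fail\x00" if with_ssp else b"")

if __name__ == "__main__":
    for path in sys.argv[1:]:
        r = analyze_file(path)
        print(f"{path}: PIE={'yes' if r['pie'] else 'no'} SSP={'yes' if r['ssp'] else 'no'}")
```

Run it against freshly emerged binaries (for example /usr/sbin/apache2) to confirm that the toolchain, not just CFLAGS, is producing pie-ssp output.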