| 1 |
>It's come to my attention this afternoon that theres some portage |
| 2 |
>breakage with the stacked profiles. I plan on building the 2004.1 |
| 3 |
>stages as soon as this is fixed up. |
| 4 |
> |
| 5 |
> |
| 6 |
> |
| 7 |
|
| 8 |
Thanks. Can you explain what this means for me? I presume it means |
| 9 |
that there will be a new portage build out that handles the situation? |
| 10 |
If it's currently masked can you please let me know what I should be |
| 11 |
grabbing please (easier than currently having to manually tweak this |
| 12 |
stuff perhaps) |
| 13 |
|
| 14 |
|
| 15 |
>>It's really not clear what needs to be done to get a "hardened" system |
| 16 |
>>right now? For example, do we need any other flags adding to |
| 17 |
>>make.conf...? |
| 18 |
>> |
| 19 |
>> |
| 20 |
> |
| 21 |
>Actually things are in a bit of flux. Hardened-gcc is deprecated, and |
| 22 |
>the replacement (gcc-3.3.3-r[23] with USE=hardened) is still in |
| 23 |
>testing. The term 'hardened' sometimes gets thrown around a little too |
| 24 |
>much. The hardened stages are more precisely pie-ssp stages. You can |
| 25 |
>have SELinux with pie-ssp; it just takes a little work. This is a |
| 26 |
>common request, so I'll probably be making selinux-pie-ssp stages |
| 27 |
>eventually to make this easier. |
| 28 |
> |
| 29 |
> |
| 30 |
|
| 31 |
OK, thanks this is helpful. I'm using gcc-3.3.2-r5, ie the latest |
| 32 |
portage stable. I understood that this was more than enough to support |
| 33 |
the hardened stuff? I don't see any -fPIE flags being added for me, and |
| 34 |
although I see -fstack-protector being added, this is presumably because |
| 35 |
I added it into my CFLAGS. |
| 36 |
|
| 37 |
Can you advise what the best thing is to do right now in order to at |
| 38 |
least partially harden the machine. Recompiling bits of stuff later is |
| 39 |
an option, but I can't really afford a full rebuild. In any case my |
| 40 |
alternative is a normal gentoo build, so I will take whatever hardening |
| 41 |
is easy to do right now (on the grounds it is better than nothing). The |
| 42 |
main entry route to the machine will likely remain the php apps running |
| 43 |
on the web-server, so this is actually where the bulk of my effort needs |
| 44 |
to go anyway - hardening is just some icing really. On the other hand I |
| 45 |
am not sure yet how selinux is going to help with securing Apache, still |
| 46 |
need to try and understand more about this - has anyone written a howto |
| 47 |
on chrooting apache2 on gentoo, this might well be the prefered way to |
| 48 |
secure it in my case...? |
| 49 |
|
| 50 |
Thanks |
| 51 |
|
| 52 |
Ed W |
| 53 |
|
| 54 |
|
| 55 |
-- |
| 56 |
gentoo-hardened@g.o mailing list |
Archives