| 1 |
>Btw, are there any special flags I can use to increase te security of the system? |
| 2 |
> |
| 3 |
> |
| 4 |
..snip.. |
| 5 |
|
| 6 |
>I have been using selinux-sources and I would like to know what hardened sources would you recommend? |
| 7 |
>Something with grsec, ssp would be better? And if so, do I need to recompile all the packages? |
| 8 |
> |
| 9 |
> |
| 10 |
There was a thread just a few days ago, where I bothered the good people |
| 11 |
here with lots of basic questions about selinux, and hardened. You |
| 12 |
should have a read of those. |
| 13 |
|
| 14 |
In a nutshell though, grsecurity adds a lot of hardening to apps, and |
| 15 |
also has an ACL system. SELinux is just an ACL system, and personally I |
| 16 |
found it a little hard to get my head around. You don't need to rebuild |
| 17 |
you whole system to add it, and there is a good section in the docs at |
| 18 |
hardened.gentoo.org on how to convert your system to selinux if you want to. |
| 19 |
|
| 20 |
>Do I also need a special gcc with any kind of buffer overflow protections? |
| 21 |
> |
| 22 |
> |
| 23 |
|
| 24 |
This is a good idea. Seems to be in a state of flux at the moment. |
| 25 |
Read the recent threads for more details |
| 26 |
|
| 27 |
>Also, would be ACCEPT_KEYWORDS="~x86" a good idea on a production server? I figure having the latest packages installed sure pays off regarding the previous versions bugs and holes, but they may come with new ones. |
| 28 |
> |
| 29 |
> |
| 30 |
|
| 31 |
Doubt it. Stable is intended to include bug fixed versions ASAP. |
| 32 |
Unstable is for testing and usually ok, but I tend to just unmask or |
| 33 |
manually force packages where I need an update. |
| 34 |
|
| 35 |
Ed W |
| 36 |
|
| 37 |
-- |
| 38 |
gentoo-hardened@g.o mailing list |
Archives