>Btw, are there any special flags I can use to increase the security of the system?
>
>
..snip..

>I have been using selinux-sources and I would like to know what hardened sources would you recommend?
>Something with grsec, ssp would be better? And if so, do I need to recompile all the packages?
>
>
There was a thread just a few days ago, where I bothered the good people
here with lots of basic questions about selinux, and hardened. You
should have a read of those.

In a nutshell though, grsecurity adds a lot of hardening to apps, and
also has an ACL system. SELinux is just an ACL system, and personally I
found it a little hard to get my head around. You don't need to rebuild
your whole system to add it, and there is a good section in the docs at
hardened.gentoo.org on how to convert your system to selinux if you want to.

>Do I also need a special gcc with any kind of buffer overflow protections?
>
>

This is a good idea. Seems to be in a state of flux at the moment.
Read the recent threads for more details.

>Also, would be ACCEPT_KEYWORDS="~x86" a good idea on a production server? I figure having the latest packages installed sure pays off regarding the previous versions' bugs and holes, but they may come with new ones.
>
>

Doubt it. Stable is intended to include bug-fixed versions ASAP.
Unstable is for testing and usually ok, but I tend to just unmask or
manually force packages where I need an update.

Ed W

--
gentoo-hardened@g.o mailing list