| 1 |
On 06/29/2011 05:39 PM, Tom Hendrikx wrote: |
| 2 |
> On 29/06/11 16:47, 7v5w7go9ub0o wrote: |
| 3 |
>> On 06/29/11 07:19, Anthony G. Basile wrote: |
| 4 |
>> |
| 5 |
>> [snip] |
| 6 |
>> |
| 7 |
>>> |
| 8 |
>>> The safest approach in either switching or recompiling everything |
| 9 |
>>> is: |
| 10 |
>>> |
| 11 |
>>> 1. Make the profile is set "eselect profile list" and pick your |
| 12 |
>>> hardened box. Careful on amd64 about changing multilib/nomultilib. |
| 13 |
>>> Stick with your mutilib-edness (if such a word exists :) |
| 14 |
>>> |
| 15 |
>>> 2. Rebuild the tool chain: emerge binutils glibc gcc |
| 16 |
>>> |
| 17 |
>>> 3. Rebuild system: emerge --keep-going -eq system (note anything |
| 18 |
>>> that fails you might want to file a bug) |
| 19 |
>>> |
| 20 |
>>> 4. Rebuild world: emerge --keep-going -eq world (again not any |
| 21 |
>>> failures, shouldn't happen else we're not doing our job) |
| 22 |
>>> |
| 23 |
>>> system vs world = system is just the bare minimum packages that any |
| 24 |
>>> box running that profile needs. world = system + what you've added. |
| 25 |
>>> You can skip step 3, but there might be a chance of mixing |
| 26 |
>>> unhardened/hardened stuff if you do, but I'm not 100% sure. |
| 27 |
>>> |
| 28 |
>> |
| 29 |
>> Thank You! |
| 30 |
>> |
| 31 |
>> 1. Is there some way this clear, succinct list could get into the |
| 32 |
>> hardened documentation? |
| 33 |
>> |
| 34 |
>> 2. At this point, the 'clearest' way to build a hardened box from scratch |
| 35 |
>> seems to go a few steps into the Gentoo handbook, then migrate using the |
| 36 |
>> steps above. Not ideal, but until the documentation can be refined, how |
| 37 |
>> about either putting these steps into the handbook, or alternatively a |
| 38 |
>> reference *in the handbook* to wherever you find a home for these steps |
| 39 |
>> (e.g. QandA). |
| 40 |
> |
| 41 |
> I built a hardened box last week by grabbing a hardened autobuild, then |
| 42 |
> following the regular handbook for my arch. Above steps are only needed |
| 43 |
> when you start from a regular stage, or when you are converting a |
| 44 |
> regular install. |
| 45 |
> |
| 46 |
> Usage of autobuilds is missing in the handbook now, but iirc there are |
| 47 |
> some open bugs on getting this changed. |
| 48 |
> |
| 49 |
> -- |
| 50 |
> Regards, |
| 51 |
> Tom |
| 52 |
|
| 53 |
That's correct, these are instructions for switching from vanilla or if |
| 54 |
you want to *very* safely recompile everything making sure you get |
| 55 |
hardened. It is the most conservative path but also very time consuming. |
| 56 |
|
| 57 |
If you're starting from scratch, just grab the latest stage3 *hardened* |
| 58 |
tarball, start building your system from there and save yourself the |
| 59 |
time. You will gain nothing but recompiling the tool chain and |
| 60 |
system/world. |
| 61 |
|
| 62 |
-- |
| 63 |
Anthony G. Basile, Ph.D. |
| 64 |
Gentoo Linux Developer [Hardened] |
| 65 |
E-Mail : blueness@g.o |
| 66 |
GnuPG FP : 8040 5A4D 8709 21B1 1A88 33CE 979C AF40 D045 5535 |
| 67 |
GnuPG ID : D0455535 |
Archives