| 1 |
Hi hardened users, |
| 2 |
|
| 3 |
Currently, when configuring the hardened kernel, the user is presented |
| 4 |
with some predefined Security Levels. (Security options -> Grsecuirty |
| 5 |
-> Security Level). Four of these are set by Gentoo |
| 6 |
|
| 7 |
Hardened Gentoo [server] |
| 8 |
Hardened Gentoo [server no rbac] |
| 9 |
Hardened Gentoo [workstation] |
| 10 |
Hardened Gentoo [workstation no rbac] |
| 11 |
|
| 12 |
These are defined so as to maximize security while minimizing breakage |
| 13 |
with Gentoo software. I'm proposing to change this to |
| 14 |
|
| 15 |
Hardened Gentoo [server] |
| 16 |
Hardened Gentoo [workstation or virtualization host] |
| 17 |
|
| 18 |
One change will be to remove the "no rbac" option which is easily turned |
| 19 |
on/off at Security options -> Grsecuirty -> Role Based Access Control |
| 20 |
Options -> Disable RBAC system. The default will be on (ie do not |
| 21 |
disable rbac). Even if the users doesn't want to use RBAC and still |
| 22 |
enables it, there is no harm done since RBAC simply be available but not |
| 23 |
used unless turned on by gradm. |
| 24 |
|
| 25 |
The other change will be to add a "virtualization host" option. |
| 26 |
Currently these settings are identical to the workstation and so are |
| 27 |
coalesced, but may change. I am trying to make the hardened kernel |
| 28 |
compatible with VirtualBox and kvm, but there are some security settings |
| 29 |
which will most likely *always* break virtualization and will need to be |
| 30 |
turned off. |
| 31 |
|
| 32 |
This is work in progress and testing is appreciated. The ebuilds are on |
| 33 |
my overlay. |
| 34 |
|
| 35 |
|
| 36 |
-- |
| 37 |
Anthony G. Basile, Ph.D. |
| 38 |
Gentoo Developer |
Archives