-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Darknight wrote:
> [...]
> I've "dropped" hardened source due to lack of time to learn and properly
> activate their features... It's on todo list... :)
>

Hi Darknight,

thank you for your interest in the Gentoo Hardened project.

To learn more about the features like rulesets for access restriction,
memory protection, randomization for executables and stack overwrite
protection, you can get a first read at the docs at

http://hardened.gentoo.org

But if this is not enough, the documentation of grsec at
www.grsecurity.net, pax.grsecurity.net and the SELinux documentation at
the respective pages will give you further insights into how the
technology works.

To answer some of the questions from your correspondence, the only thing
that would let you benefit from the hardened toolchain without a PaX
enabled kernel is the SSP protection, which means code is automatically
inserted into hardened compiled executables and libraries to guard
against stack smashing attacks.

Without a PaX kernel you will not benefit from PIE randomization, nor
will you have advanced security from MPROTECT features and stack
non-executability.

Moving from a non-hardened to a hardened setup involves some steps like
switching profile and kernel, configuring applications with paxctl,
recompiling and testing applications and rolling out an access policy,
which is best done by someone who

a) understands the technology behind it
b) can assess the impact on the applications she or he is using
c) has a plan for restoring back to a vanilla system if problems affect
productive systems and thus loss of availability or performance

Frankly speaking, security is not the profile you are switching to or
the hardened compiler specs you are using, it's the knowledge in your
head about the technology you are employing to reach a certain state for
your operating system and applications.

Of course it can also be done in "crash and burn" style, which I myself
prefer sometimes too... ;)

But for learning about the big picture and getting a deeper grip on the
technology, I recommend you spend some time learning about the technical
changes we did and why we did these.

If you are willing to hit the learning curve, I recommend you join us at
the IRC channel or ask for more hints about further readings and
technical implications of our provided security solutions.

One of my personal goals is that people like you should have fun and
enjoy tackling the task of making their system more secure while having
full understanding and knowledge of why they are doing it and what they
are doing there.

Because then, the "how" they are doing it becomes clear to them too.

Thanks again and hope I could help you a bit,


Alex
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFFJTxDlpSgoWRXlxURAjCgAJ49XoeSARmKbXds4qNeGrhKserqzwCggaQk
Jlq8eJoLhHc7nRSPPif0jlA=
=s771
-----END PGP SIGNATURE-----
-- 
gentoo-hardened@g.o mailing list
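The message above makes three checkable claims about what a hardened toolchain puts into a binary: SSP inserts canary-check code (visible as a reference to `__stack_chk_fail`), PIE builds the executable as a relocatable `ET_DYN` object so a kernel with address-space randomization can move it, and the stack is marked non-executable through the `PT_GNU_STACK` program header. The script below is an added example, not code from the Gentoo Hardened project or from the mail's author; it reads those three properties straight from the ELF64 headers so you can verify that a rebuilt binary actually received them before rolling it out. The `__stack_chk_fail` substring search and the `build_sample_elf` helper (which constructs a minimal, non-runnable ELF image as test input) are assumptions of this example; ELF32 files are deliberately rejected rather than misreported.

```python
"""Report PIE / NX-stack / SSP status of an ELF64 binary (added example)."""
import struct
import sys

# Constants from the ELF specification and the GNU ABI extensions.
ELF_MAGIC = b"\x7fELF"
ELFCLASS64 = 2
ET_EXEC = 2          # fixed-address executable: cannot be randomized
ET_DYN = 3           # shared object / PIE executable: relocatable
PT_GNU_STACK = 0x6474E551
PF_X = 0x1           # program-header flag: segment is executable

EHDR_FMT = "HHIQQQIHHHHHH"   # Elf64_Ehdr after the 16-byte e_ident
PHDR_FMT = "IIQQQQQQ"        # Elf64_Phdr


def parse_elf64(data: bytes) -> dict:
    """Return e_type and the (type, flags) of every program header."""
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    if data[4] != ELFCLASS64:
        raise ValueError("only ELF64 is handled by this example")
    endian = "<" if data[5] == 1 else ">"
    (e_type, _machine, _version, _entry, e_phoff, _shoff, _flags,
     _ehsize, e_phentsize, e_phnum, _shentsize, _shnum, _shstrndx) = \
        struct.unpack_from(endian + EHDR_FMT, data, 16)
    phdrs = []
    for i in range(e_phnum):
        p_type, p_flags, *_rest = struct.unpack_from(
            endian + PHDR_FMT, data, e_phoff + i * e_phentsize)
        phdrs.append({"type": p_type, "flags": p_flags})
    return {"e_type": e_type, "phdrs": phdrs}


def hardening_report(data: bytes) -> dict:
    """Derive the three properties the message talks about."""
    elf = parse_elf64(data)
    gnu_stack = [p for p in elf["phdrs"] if p["type"] == PT_GNU_STACK]
    # No PT_GNU_STACK header means the loader falls back to an executable
    # stack on most architectures, so "absent" is reported as not NX.
    nx_stack = bool(gnu_stack) and not (gnu_stack[0]["flags"] & PF_X)
    return {
        # ET_DYN for an executable means PIE; note that randomization of a
        # PIE still depends on the kernel (PaX in the mail's setting).
        "pie": elf["e_type"] == ET_DYN,
        "nx_stack": nx_stack,
        # Assumption/heuristic: SSP-instrumented code imports
        # __stack_chk_fail, whose name lands in .dynstr, so a substring
        # search finds it without walking the section headers.
        "ssp": b"__stack_chk_fail" in data,
    }


def build_sample_elf(e_type: int, stack_flags: int, with_ssp: bool) -> bytes:
    """Constructed test input: a minimal ELF64 image with one PT_GNU_STACK
    header. It is not loadable; it only exercises the parser offline."""
    e_ident = ELF_MAGIC + bytes([ELFCLASS64, 1, 1, 0]) + b"\x00" * 8
    header = e_ident + struct.pack(
        "<" + EHDR_FMT,
        e_type, 62, 1, 0, 64, 0, 0, 64, 56, 1, 64, 0, 0)   # 62 = EM_X86_64
    phdr = struct.pack("<" + PHDR_FMT,
                       PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    tail = b"__stack_chk_fail\x00" if with_ssp else b"main\x00"
    return header + phdr + tail


if __name__ == "__main__":
    # Usage: python elfcheck.py /path/to/binary
    with open(sys.argv[1], "rb") as f:
        print(hardening_report(f.read()))
```

Run it against a binary built under the hardened profile and against the same program built with the vanilla toolchain: the hardened build should report all three as true, while the vanilla one typically shows `pie` false and `ssp` false. A true `pie` result is necessary but not sufficient for randomization, which is the kernel-side point the message makes about PaX.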