| 1 |
-----BEGIN PGP SIGNED MESSAGE----- |
| 2 |
Hash: SHA1 |
| 3 |
|
| 4 |
Darknight wrote: |
| 5 |
> [...] |
| 6 |
> I've "dropped" hardened source due to lack of time to learn and properly |
| 7 |
> activate their features... It's on todo list... :) |
| 8 |
> |
| 9 |
|
| 10 |
Hi Darknight, |
| 11 |
|
| 12 |
thank you for your interest in the Gentoo Hardened project. |
| 13 |
|
| 14 |
To learn more about the features like rulesets for access restriction, |
| 15 |
memory protection, randomization for executables and stack overwrite |
| 16 |
protection, you can get a first read at the docs at |
| 17 |
|
| 18 |
http://hardened.gentoo.org |
| 19 |
|
| 20 |
But if this is not enough, the documentation of grsec at |
| 21 |
www.grsecurity.net, pax.grsecurity.net and the SELinux documentation at |
| 22 |
the respective pages will give you further insights how the technology |
| 23 |
works. |
| 24 |
|
| 25 |
To answer some of the questions from your correspondence, the only thing |
| 26 |
that would let you benefit from the hardened toolchain without a PaX |
| 27 |
enabled kernel is the SSP protection which means code is automatically |
| 28 |
inserted into hardened compiled executables and libraries to guard |
| 29 |
against stack smashing attacks. |
| 30 |
|
| 31 |
Without a PaX kernel you will not benefit from PIE randomization nor |
| 32 |
will you have advanced security from MPROTECT features and Stack |
| 33 |
non-executability. |
| 34 |
|
| 35 |
Moving from a nonhardened to a hardened setup involves some steps like |
| 36 |
switching profile and kernel, configuring applications with paxctl, |
| 37 |
recompiling and testing applications and rolling out an access policy |
| 38 |
which is best done by someone who |
| 39 |
|
| 40 |
a) understands the technology behind it |
| 41 |
b) can assess the impact on the applications she or he is using |
| 42 |
c) has a plan for restoring back to a vanilla system if problems affect |
| 43 |
productive systems and thus loss of availability or performance |
| 44 |
|
| 45 |
Frankly speaking, security is not the profile you are switching to or |
| 46 |
the hardened compiler specs you are using, it's the knowledge in your |
| 47 |
head about the technology you are employing to reach a certain state for |
| 48 |
your operating system and applications. |
| 49 |
|
| 50 |
Of course it can also be done in "crash and burn" style which i myself |
| 51 |
prefer sometimes too... ;) |
| 52 |
|
| 53 |
But for learning about the big picture and getting a deeper grip on the |
| 54 |
technology, i recommend you spend some time learning about the technical |
| 55 |
changes we did and why we did these. |
| 56 |
|
| 57 |
If you are willing to hit the learning curve, i recommend you join us at |
| 58 |
the irc channel or ask for more hints about further readings and |
| 59 |
technical implications of our provided security solutions. |
| 60 |
|
| 61 |
One of my personal goals is that people like you should have fun and |
| 62 |
enjoy tackling the task of making their system more secure while having |
| 63 |
full understanding and knowledge why they are doing it and what they are |
| 64 |
doing there. |
| 65 |
|
| 66 |
Because then, the "how" they are doing it becomes clear to them too. |
| 67 |
|
| 68 |
Thanks again and hope i could help you a bit, |
| 69 |
|
| 70 |
|
| 71 |
Alex |
| 72 |
-----BEGIN PGP SIGNATURE----- |
| 73 |
Version: GnuPG v1.4.5 (GNU/Linux) |
| 74 |
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org |
| 75 |
|
| 76 |
iD8DBQFFJTxDlpSgoWRXlxURAjCgAJ49XoeSARmKbXds4qNeGrhKserqzwCggaQk |
| 77 |
Jlq8eJoLhHc7nRSPPif0jlA= |
| 78 |
=s771 |
| 79 |
-----END PGP SIGNATURE----- |
| 80 |
-- |
| 81 |
gentoo-hardened@g.o mailing list |
Archives