| 1 |
Wow you guys like to talk alot so I'll just inject my two bits at the |
| 2 |
top of the thread. |
| 3 |
|
| 4 |
Here let me make it simple or confuse you more. |
| 5 |
|
| 6 |
selinux is not hardened.. |
| 7 |
grsecurity is not hardened |
| 8 |
pax is not hardened |
| 9 |
pie is not hardened |
| 10 |
ssp is not hardened |
| 11 |
|
| 12 |
Hardened is no more than a group of people that have come together and |
| 13 |
have agreed that Gentoo security efforts needs to clear paths to walk. |
| 14 |
1) gentoo-security (which is reactive towards security) |
| 15 |
2) gentoo-hardened (which is proactive towards security) |
| 16 |
|
| 17 |
Lets jump back to selinux as this topic comes up a rather lot and tends |
| 18 |
to confuse many. selinux is exactly one subproject that happens to deal |
| 19 |
with access control and it's not the only option for users contrary to |
| 20 |
popular belief. Now the reason why we see it so much of it and it |
| 21 |
appears to be the most supported is due to it being non so user friendly |
| 22 |
or intuitive and requiring a large amount of both documentation and and |
| 23 |
human resources. |
| 24 |
|
| 25 |
Ok the PaX/PIE/SSP thing.. First without PaX PIE is pointless. |
| 26 |
Buffer/Heap overflows needs to be a thing of the past so use PaX. Read |
| 27 |
the docs, learn the concepts etc.. |
| 28 |
|
| 29 |
Next recommended setting for those of you who can't wait till we are |
| 30 |
ready to roll a new set stages should try something like so. |
| 31 |
|
| 32 |
CFLAGS="-fforce-addr -fomit-frame-pointer" |
| 33 |
# this is optional (read man gcc for more info why) |
| 34 |
|
| 35 |
USE=hardened ACCEPT_KEYWORDS="~x86" emerge ">=sys-devel/gcc-3.3.3-r3" |
| 36 |
|
| 37 |
The whole LDFLAGS= has proved to be somewhat problematic and thus should |
| 38 |
be avoided for now. |
| 39 |
|
| 40 |
So the way this man sees things. |
| 41 |
1) Stop the intrusion from happening in the first place (PaX should be |
| 42 |
used) |
| 43 |
2) First line of defense if a intrusion happens (be that grsecurity |
| 44 |
rbac/acl, selinux lsm, rsbac or otherwise) you need something here. |
| 45 |
3) Monitor for intrusions (prelude-ids is my choice) |
| 46 |
|
| 47 |
Anybody seen my margarita? |
| 48 |
|
| 49 |
On Mon, 2004-03-29 at 01:41, Tóth Attila wrote: |
| 50 |
> Hi there, |
| 51 |
> |
| 52 |
> I recently installed gentoo hardened. After emerging system I found, that |
| 53 |
> hardened-gcc was removed. Is there a workaround? Should I take care of it? |
| 54 |
> What flags are advised in make.conf? |
| 55 |
> |
| 56 |
> A quote from Ned Ludd: |
| 57 |
> |
| 58 |
> CFLAGS="-fPIC -fforce-addr -fomit-frame-pointer -fstack-protector-all" |
| 59 |
> LDFLAGS="-pie -W,-z,noexecstack -W,-z,noexecheap" |
| 60 |
> |
| 61 |
> So what are the suggested setting for a new hardened install starting from |
| 62 |
> stage2 or stage3? |
| 63 |
> Thx, |
| 64 |
> Attila Toth |
| 65 |
-- |
| 66 |
Ned Ludd <solar@g.o> |
| 67 |
Gentoo (hardened,security,infrastructure,embedded,toolchain) Developer |
Archives