Wow, you guys like to talk a lot, so I'll just inject my two bits at the
top of the thread.

Here, let me make it simple or confuse you more.

selinux is not hardened..
grsecurity is not hardened
pax is not hardened
pie is not hardened
ssp is not hardened

Hardened is no more than a group of people that have come together and
have agreed that Gentoo security efforts need two clear paths to walk.
1) gentoo-security (which is reactive towards security)
2) gentoo-hardened (which is proactive towards security)

Let's jump back to selinux, as this topic comes up rather a lot and tends
to confuse many. selinux is exactly one subproject that happens to deal
with access control, and it's not the only option for users, contrary to
popular belief. Now the reason we see so much of it, and why it
appears to be the most supported, is that it is not so user-friendly
or intuitive and requires a large amount of both documentation and
human resources.

Ok, the PaX/PIE/SSP thing.. First, without PaX, PIE is pointless.
Buffer/heap overflows need to be a thing of the past, so use PaX. Read
the docs, learn the concepts, etc..

Next, the recommended setting for those of you who can't wait till we are
ready to roll a new set of stages: try something like so.

CFLAGS="-fforce-addr -fomit-frame-pointer"
# this is optional (read man gcc for more info why)

USE=hardened ACCEPT_KEYWORDS="~x86" emerge ">=sys-devel/gcc-3.3.3-r3"

The whole LDFLAGS= has proved to be somewhat problematic and thus should
be avoided for now.

So, the way this man sees things:
1) Stop the intrusion from happening in the first place (PaX should be
used)
2) First line of defense if an intrusion happens (be that grsecurity
rbac/acl, selinux lsm, rsbac or otherwise); you need something here.
3) Monitor for intrusions (prelude-ids is my choice)

Anybody seen my margarita?

On Mon, 2004-03-29 at 01:41, Tóth Attila wrote:
> Hi there,
>
> I recently installed gentoo hardened. After emerging system I found that
> hardened-gcc was removed. Is there a workaround? Should I take care of it?
> What flags are advised in make.conf?
>
> A quote from Ned Ludd:
>
> CFLAGS="-fPIC -fforce-addr -fomit-frame-pointer -fstack-protector-all"
> LDFLAGS="-pie -W,-z,noexecstack -W,-z,noexecheap"
>
> So what are the suggested settings for a new hardened install starting from
> stage2 or stage3?
> Thx,
> Attila Toth
--
Ned Ludd <solar@g.o>
Gentoo (hardened,security,infrastructure,embedded,toolchain) Developer
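An added check to go with the PIE/SSP discussion above (this is not code from the post or from the Gentoo hardened project): after rebuilding with the hardened gcc, you want to confirm that the resulting binaries are actually PIE (ELF type ET_DYN rather than ET_EXEC) and were instrumented by the stack protector (they reference __stack_chk_fail). The script parses the ELF header itself and runs on a constructed sample header, so it needs no readelf; the fake_elf helper is an assumption for the demo.

```python
"""Inspect an ELF image for two hardening signals: PIE and SSP instrumentation.

Constructed example; the ELF header layout (e_type at offset 16) is per the
ELF specification, and the sample input is built inline rather than read
from a real system binary.
"""
import struct

ET_EXEC, ET_DYN = 2, 3  # e_type values: fixed-address executable vs. PIE/shared object


def elf_type(data: bytes) -> str:
    """Classify the ELF e_type field; PIE executables show up as ET_DYN."""
    if len(data) < 18 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    endian = "<" if data[5] == 1 else ">"  # EI_DATA: 1 = little-endian, 2 = big-endian
    e_type = struct.unpack(endian + "H", data[16:18])[0]
    return {ET_EXEC: "EXEC", ET_DYN: "PIE/shared"}.get(e_type, "other")


def uses_ssp(data: bytes) -> bool:
    """True if the image references the canary-failure handler that
    -fstack-protector inserts; a plain substring scan, so it also matches
    __stack_chk_fail_local and is only an indicator, not a proof."""
    return b"__stack_chk_fail" in data


def hardening_report(data: bytes) -> dict:
    """Summarise both signals for one ELF image."""
    return {"pie": elf_type(data) == "PIE/shared", "ssp": uses_ssp(data)}


def report_file(path: str) -> dict:
    """Same report for a binary on disk, e.g. report_file('/bin/ls')."""
    with open(path, "rb") as fh:
        return hardening_report(fh.read())


def fake_elf(e_type: int, extra: bytes = b"") -> bytes:
    """Constructed minimal 32-bit little-endian ELF header (assumption: sample only).
    e_ident: magic, ELFCLASS32, ELFDATA2LSB, EV_CURRENT, 9 bytes padding;
    then e_type and e_machine (3 = EM_386) followed by zeroed header fields."""
    ident = b"\x7fELF" + bytes([1, 1, 1]) + b"\x00" * 9
    return ident + struct.pack("<HH", e_type, 3) + b"\x00" * 32 + extra


if __name__ == "__main__":
    print(hardening_report(fake_elf(ET_EXEC)))
    print(hardening_report(fake_elf(ET_DYN, b"\x00__stack_chk_fail\x00")))
```

A binary built with the hardened toolchain should report both flags True; an EXEC result after an emerge with USE=hardened means the PIE default did not take effect for that package.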