| 1 |
Awesome information, Alex! |
| 2 |
|
| 3 |
Alex Efros wrote: |
| 4 |
> Hi! |
| 5 |
> |
| 6 |
> On Thu, Oct 05, 2006 at 05:49:40PM +0200, Darknight wrote: |
| 7 |
> |
| 8 |
>> I should have mentioned this important bit: I'm still with old glibc and gcc |
| 9 |
>> so I can switch, I need to understand if it's a bad gamble or completely |
| 10 |
>> safe. |
| 11 |
>> |
| 12 |
> |
| 13 |
> I think it's safe. I've converted all my servers to hardened some time ago |
| 14 |
> without any problems. Here is versions I've now: |
| 15 |
> sys-devel/binutils-2.16.1-r3 |
| 16 |
> sys-devel/gcc-3.4.6-r1 |
| 17 |
> sys-kernel/hardened-sources-2.6.16-r11 |
| 18 |
> sys-kernel/linux-headers-2.6.11-r5 |
| 19 |
> sys-libs/glibc-2.3.6-r4 |
| 20 |
> If you've newer versions - this may be a problem. |
| 21 |
> If you've older versions - it may be good idea to upgrade to these |
| 22 |
> versions first (with upgrading/recompiling all other packages), and after |
| 23 |
> you'll be sure everything is working you can convert to hardened |
| 24 |
> (i.e. recompiling everything once again to get SAME versions of all packages |
| 25 |
> but with hardened now). |
| 26 |
> |
| 27 |
> Here is list of commands I've used to convert my servers to hardened: |
| 28 |
> |
| 29 |
> emerge hardened-sources |
| 30 |
> |
| 31 |
> # Now configure this kernel (without hardened features yet), |
| 32 |
> # then compile/boot this kernel. |
| 33 |
> |
| 34 |
> ln -snf ../usr/portage/profiles/hardened/x86/2.6/ /etc/make.profile |
| 35 |
> |
| 36 |
> # Remove all extra optimization from CFLAGS in /etc/make.conf and |
| 37 |
> # set -O2. |
| 38 |
> |
| 39 |
> # Clean up your $PKGDIR (usually /usr/portage/packages/) to optimize |
| 40 |
> # compile time using emerge -b and emerge -k later. |
| 41 |
> |
| 42 |
> emerge -C linux-headers |
| 43 |
> emerge linux-headers glibc binutils gcc-config gcc |
| 44 |
> |
| 45 |
> # Here do all operations needed for upgrading gcc, if needed. |
| 46 |
> |
| 47 |
> emerge -b glibc binutils gcc portage |
| 48 |
> emerge -bke system |
| 49 |
> emerge -ke world |
| 50 |
> |
| 51 |
> glsa-check -l | grep '\[N\]' |
| 52 |
> |
| 53 |
> # Manually upgrade packages shown by glsa-check, if needed. |
| 54 |
> |
| 55 |
> emerge -a --depclean |
| 56 |
> emerge -uDNa world |
| 57 |
> |
| 58 |
> emerge paxtest paxctl gradm |
| 59 |
> |
| 60 |
> revdep-rebuild |
| 61 |
> |
| 62 |
> dispatch-conf |
| 63 |
> |
| 64 |
> # Now reconfigure kernel with switched on hardened features, |
| 65 |
> # then compile/boot this kernel. |
| 66 |
> |
| 67 |
> |
| 68 |
-- |
| 69 |
gentoo-hardened@g.o mailing list |
Archives