On Sat, 10 Dec 2011 15:17:47 -0500
Tanstaafl <tanstaafl@×××××××××××.org> wrote:

> Hello all,
>
> I'm considering rolling out a new server with gentoo, but wanted to
> base it on the hardened profile, but the gentoo docs I've read so far
> all seem to be a bit vague about all the details.
>
> I've been using gentoo for a while on my hobby server, but I
> installed it about 8 years ago, and chose the 'server' profile, and I
> must say it has been a real pleasure to maintain, with the only real
> hiccup I ever experienced being the mailman update that moved the
> directories for the lists without telling me what to do about it (the
> fix was simple, and the devs swiftly fixed the lack of post-install
> docs).
>
> Does anyone know of a good How-To that covers *all* of the bases? Ie,
> which model is best - grsecurity, PAX, SeLinux - and how best to
> implement it?
>
> The purpose of this server will be as a mail server (dovecot,
> postfix, amavisd-new/spamassassin, mailman), and hosting a few small
> websites.
>
> Thanks...
>

As with most things gentoo, 'best' is a matter of opinion. I personally
use grsec (includes pax) for hardening and selinux for policies. To
convert you generally do the following.

profile-config set 12 (this sets to nomultilib selinux)
emerge system
emerge world

Since I'm paranoid, revdep-rebuild too.

--
Matthew Thode (prometheanfire)