| 1 |
On Sat, 10 Dec 2011 15:17:47 -0500 |
| 2 |
Tanstaafl <tanstaafl@×××××××××××.org> wrote: |
| 3 |
|
| 4 |
> Hello all, |
| 5 |
> |
| 6 |
> I'm considering rolling out a new server with gentoo, but wanted to |
| 7 |
> base it on the hardened profile, but the gentoo docs I've read so far |
| 8 |
> all seem to be a bit vague about all the details. |
| 9 |
> |
| 10 |
> I've been using gentoo for a while on my hobby server, but I |
| 11 |
> installed it about 8 years ago, and chose the 'server' profile, and I |
| 12 |
> must say it has been a real pleasure to maintain, with the only real |
| 13 |
> hiccup I ever experienced being the mailman update that moved the |
| 14 |
> directories for the lists without telling me what to do about it (the |
| 15 |
> fix was simple, and the devs swiftly fixed the lack of post-install |
| 16 |
> docs). |
| 17 |
> |
| 18 |
> Does anyone know of a good How-To that covers *all* of the bases? Ie, |
| 19 |
> which model is best - grsecurity, PAX, SeLinux - and how best to |
| 20 |
> implement it? |
| 21 |
> |
| 22 |
> The purpose of this server will be as a mail server (dovecot, |
| 23 |
> postfix, amavisd-new/spamassassin, mailman), and hosting a few small |
| 24 |
> websites. |
| 25 |
> |
| 26 |
> Thanks... |
| 27 |
> |
| 28 |
|
| 29 |
As with most things gentoo, 'best' is a mater of opinion. I personally |
| 30 |
use grsec (includes pax) for hardening and selinux for policies. To |
| 31 |
convert you generally do the following. |
| 32 |
|
| 33 |
profile-config set 12 (this sets to nomultilib selinux) |
| 34 |
emerge system |
| 35 |
emerge world |
| 36 |
|
| 37 |
Since I'm paranoid revdep-rebuild too. |
| 38 |
|
| 39 |
-- |
| 40 |
Matthew Thode (prometheanfire) |
Archives