On 12/23/2017 09:09 AM, Peter Humphrey wrote:
> Hello list,
>
> Now that grsecurity is off-limits, I'm left wondering how to go about
> hardening a no-multilib box that will be exposed to the Big Bad World.

You can still use grsec/pax if you're willing to stick with an older
(LTS) kernel:

https://github.com/minipli/linux-unofficial_grsec/tree/linux-4.9.x-unofficial_grsec

> To start with, it's not obvious which profile to use:
>
> $ eselect profile list | grep no-multi | grep hardened
> [23] default/linux/amd64/17.0/no-multilib/hardened
> [24] default/linux/amd64/17.0/no-multilib/hardened/selinux

One of those two, depending on whether or not you use SELinux.