| 1 |
On 07/04/17 01:12, Ста Деюс wrote: |
| 2 |
> Hi. |
| 3 |
> |
| 4 |
> I'm new to Gentoo, and before new installation on my PC, keep trying to |
| 5 |
> choose between system profiles. I want to use the PC as desktop, but am |
| 6 |
> concerned on security and minimalism. So, I would like to use the |
| 7 |
> hardened profile and then add the desktop packages, namely openbox w/o |
| 8 |
> any X-session managers -- just logging in w/ text console and then |
| 9 |
> startx. |
| 10 |
> |
| 11 |
> So, is my setup wise, or i miss something because do not know something |
| 12 |
> on the distro. regarding this points of installation? |
| 13 |
> |
| 14 |
> Thank you for your time, |
| 15 |
> Sthu. |
| 16 |
|
| 17 |
Minimalism does reduce attack surfaces, but on a workstation, if later |
| 18 |
on you want some complex and fancy software, often you have to start |
| 19 |
adding codes, flags and recompiling quite a lot. On specific task |
| 20 |
machines, I always go the minimal route, ymmv. I run lxde but it |
| 21 |
is morphing into lxqt (or at least that's what is commonly posted. |
| 22 |
I've run openbox and actually now use a mixture of codes to build up |
| 23 |
one minimized workstation, but it is a pita to get happy. |
| 24 |
|
| 25 |
W. Dnes is the king of minimalist here, so when he gives advise |
| 26 |
realize it has decades of experimentation to get to where he is on |
| 27 |
minimization. I've been hacking on codes for minimized Hi Performance |
| 28 |
Computing (HPC) gentoo style, but not ready to release anything as it is |
| 29 |
a moving target. "Unikernels" are my pathway forward but this path is a |
| 30 |
huge time sink... Caveat Emptor! |
| 31 |
|
| 32 |
|
| 33 |
Hardened is changing, do to the fact that the patches provided to the |
| 34 |
linux kernel team, are not being provided for free anymore. There is |
| 35 |
much angst as to the pathway forward. Much of the work is being carried |
| 36 |
forward in the kernel, compiler projects and some apps but what to do, |
| 37 |
post kernel 4.9.x is not clear for gentoo, atm. This thread by blueness |
| 38 |
on gentoo-dev is a good place to start reading, look in the archives:: |
| 39 |
|
| 40 |
[gentoo-dev] The status of grsecurity upstream and hardened-sources |
| 41 |
downstream |
| 42 |
|
| 43 |
|
| 44 |
Here's the [thread]intro:: |
| 45 |
|
| 46 |
|
| 47 |
"Since late April, grsecurity upstream has stop making their patches |
| 48 |
available publicly. Without going into details, the reason for their |
| 49 |
decision revolves around disputes about how their patches were being |
| 50 |
(ab)used. |
| 51 |
|
| 52 |
Since the grsecurity patch formed the main core of our hardened-sources |
| 53 |
kernel, their decision has serious repercussions for the Hardened Gentoo |
| 54 |
project. I will no longer be able to support hardened-sources and will |
| 55 |
have to eventually mask and remove it from the tree. |
| 56 |
|
| 57 |
Hardened Gentoo has two sides to it, kernel hardening (done via |
| 58 |
hardened-sources) and toolchain/executable hardening. The two are |
| 59 |
interrelated but independent enough that toolchain hardening can |
| 60 |
continue on its own. The hardened kernel, however, provided PaX |
| 61 |
protection for executables and this will be lost. We did a lot of work |
| 62 |
to properly maintain PaX markings in our package management system and |
| 63 |
there was no part of Gentoo that wasn't touched by issues stemming from |
| 64 |
PaX support. |
| 65 |
|
| 66 |
I waited two months before saying anything because the reasons were more |
| 67 |
of a political nature than some technical issue. At this point, I think |
| 68 |
its time to let the community know about the state of affairs with |
| 69 |
hardened-sources. |
| 70 |
|
| 71 |
I can no longer get into the #grsecurity/OFTC channel (nothing personal, |
| 72 |
they kicked everyone), and so I have not spoken to spengler or pipacs. |
| 73 |
I don't know if they will ever release grsecurity patches again. |
| 74 |
|
| 75 |
My plan then is as follows. I'll wait one more month and then send out |
| 76 |
a news item and later mask hardened-sources for removal. I don't |
| 77 |
recommend we remove any of the machinery from Gentoo that deals with PaX |
| 78 |
markings. " |
| 79 |
|
| 80 |
|
| 81 |
Personally, I'd suggest following Anthony (blueness) as to the |
| 82 |
gentoo-hardened pathway forward, but surely others in the extended |
| 83 |
gentoo community are surefooted with gentoo security. (Pentoo) might be |
| 84 |
of interest as a workstation pathway forward.... If you cannot block them, |
| 85 |
join them....? |
| 86 |
|
| 87 |
;-) |
| 88 |
|
| 89 |
|
| 90 |
hth, |
| 91 |
James |
| 92 |
|
| 93 |
|
| 94 |
And more links for your convenience:: |
| 95 |
|
| 96 |
https://www.theregister.co.uk/2015/08/27/grsecurity |
| 97 |
|
| 98 |
https://www.wilderssecurity.com/threads/grsecurity-patches-going-private.393068/ |
| 99 |
|
| 100 |
https://lwn.net/Articles/662219/ |
| 101 |
|
| 102 |
https://lwn.net/Articles/698891/ |
| 103 |
|
| 104 |
https://grsecurity.net/compare.php |
| 105 |
|
| 106 |
https://www.theregister.co.uk/2015/08/27/grsecurity |
Archives