| 1 |
On Tuesday 04 Jul 2017 05:20:41 Ian Bloss wrote: |
| 2 |
> You should use the hardened profile with the harden sources. On terms with |
| 3 |
> security you could compile a hardened kernel but you sacrifice ease of |
| 4 |
> use by having to manage pax and if you choose an RBAC system like SElinux |
| 5 |
> or grsecuritys adds more burden. |
| 6 |
> |
| 7 |
> Security isn't a product, so I would recommend sticking with regular |
| 8 |
> profile with stable packages, and be mindful of what you have opened up to |
| 9 |
> the internet. I would also recommend just reading up on linux security in |
| 10 |
> general to understand what you're trying to make yourself more secure to. |
| 11 |
|
| 12 |
I second that last point. I looked into hardened Gentoo some years ago and |
| 13 |
came to the conclusion that it wasn't worth all the extra trouble. My |
| 14 |
impression (though I could easily be wrong) is that hardening is intended |
| 15 |
more for protection against local threats, like someone else sitting in your |
| 16 |
seat, than anything coming in over the wires. |
| 17 |
|
| 18 |
In the end I just used the stable sources with a decent firewall: shorewall, |
| 19 |
in fact. If your network setup isn't too unusual, you can use one of their |
| 20 |
standard sets of configuration files. |
| 21 |
|
| 22 |
That's my two-penn'orth, anyway. |
| 23 |
|
| 24 |
-- |
| 25 |
Regards |
| 26 |
Peter |
Archives