On Sat, Dec 10, 2011 at 12:45 PM, Tanstaafl <tanstaafl@×××××××××××.org> wrote:

> Hello all,
>
> I'm considering rolling out a new server with Gentoo, but wanted to base
> it on the hardened profile, but the docs I've read so far all seem to be a
> bit vague about all the details.
>
> I've been using Gentoo for a while on my hobby server, but I installed it
> about 8 years ago, and chose the 'server' profile, and I must say it has
> been a real pleasure to maintain, and the only real hiccup I ever
> experienced was the mailman update that moved the directories for the lists
> without telling me what to do about it (the fix was simple, and the devs
> swiftly fixed the lack of post-install docs).
>
> Does anyone know of a good How-To that covers *all* of the bases? I.e.,
> which model is best - grsecurity, PaX, SELinux - and how best to implement
> it?
>
> Thanks...
>
You may be able to get a better response from the -hardened list, but I
built a hardened server a few months ago without much difficulty. As far as
I know, the correct model to use depends on what you want to do with the
server/what security you are looking to implement. When I went hardened, I
used PaX and grsec [1] because it offered the security I was looking for
but didn't restrict userland usability on a server on which I was the only
user. My understanding is that this restriction would be a consequence of
using SELinux.

[1] http://www.gentoo.org/proj/en/hardened/grsecurity.xml

As for a solid comparison of the different models and tutorials for them, I
don't know of any. I just used [1] as well as the PaX page to install and
configure them and I didn't run into any problems.

Hope that helps a bit (and I hopefully didn't describe anything
incorrectly).

- Matt