mattg889 n00b
Joined: 07 Nov 2012 Posts: 21
Posted: Thu Feb 28, 2013 2:14 am Post subject: No "server" profile...
Hi, I am trying to install Gentoo on my HP DL360 G5 server. I am doing the installation with "systemrescuecd" because the Gentoo 64bit minimal disk does not work with my network cards.
I am following the "Gentoo Linux x86 Quick Install Guide" just with the amd64 stage 3.
I can get to the point of selecting my profile with no problems at all. But now when I enter the command "eselect profile list" this is the output:
[1] default/linux/amd64/13.0
[2] default/linux/amd64/13.0/selinux
[3] default/linux/amd64/13.0/desktop
[4] default/linux/amd64/13.0/desktop/gnome
[5] default/linux/amd64/13.0/desktop/kde
[6] default/linux/amd64/13.0/developer
[7] default/linux/amd64/13.0/no-multilib
[8] default/linux/amd64/13.0/x32
[9] hardened/linux/amd64
[10] hardened/linux/amd64/selinux
[11] hardened/linux/amd64/no-multilib
[12] hardened/linux/amd64/no-multilib/selinux
[13] hardened/linux/uclibc/amd64
I want to set this up as a server but I don't see any server option. I was expecting to see "default/linux/amd64/13.0/server" in the list.
Did I miss something?

Jaglover Watchman
Joined: 29 May 2005 Posts: 8291 Location: Saint Amant, Acadiana
mattg889 n00b
Joined: 07 Nov 2012 Posts: 21
Posted: Thu Feb 28, 2013 3:14 am
Sorry to be a pain, but I would like to see if I can figure out why the server profile isn't showing up. If I understand it right, the profiles pre-set all the use flags and a bunch of other settings. Using the "starting point" profile would require me to find out what settings are missing and/or wrong. And I must admit, I am not exactly a Linux expert...
Any other ideas?

cach0rr0 Bodhisattva
Joined: 13 Nov 2008 Posts: 4123 Location: Houston, Republic of Texas
Posted: Thu Feb 28, 2013 10:07 am
server profile is gone/deprecated/dead i believe
if you're going to roll a server, go with
Code: |
[9] hardened/linux/amd64 *
|
that doesn't mean you're going to be rolling with a hardened kernel, or anything of the sort. unless you want to be.
_________________
Lost configuring your system?
dump lspci -n here | see Pappy's guide | Link Stash

jody l33t
Joined: 16 Oct 2007 Posts: 668 Location: Switzerland
Posted: Thu Feb 28, 2013 2:40 pm Post subject: kernel configuration for PaX?
Hi
I also need to install gentoo for a server. I used the profile
Code: |
[9] hardened/linux/amd64 *
|
I tried to follow the Hardened Gentoo PaX Quickstart http://www.gentoo.org/proj/en/hardened/pax-quickstart.xml which i reached from "Introduction to Hardened Gentoo" http://www.gentoo.org/proj/en/hardened/primer.xml but i got stuck here:
Quote: |
As stated, the PaX patches are bundled with Grsecurity, so the PaX configuration options are found under that menu in Security Options -> Grsecurity -> Customize Configuration -> PaX. You also have the option of selecting one of Grsecurity's preconfigured profiles at Security Options -> Grsecurity -> Configuration Method. These will give you a meaningful starting point configuration for PaX.
|
But in menuconfig the "Security options" does not have a sub item "Grsecurity".
Can anybody tell me what kernel options i have to choose for PaX (and PIE?)?
Thank You
Jody

mvaterlaus Apprentice
Joined: 01 Oct 2010 Posts: 234 Location: Switzerland
Posted: Thu Feb 28, 2013 2:46 pm
jody wrote: |
Can anybody tell me what kernel options i have to choose for PaX (and PIE?)?
|
I think you are using a gentoo-sources kernel and not a hardened-sources kernel. You need to have a hardened-sources kernel, because the hardened-sources are already patched with GRsecurity and PaX. If you want to use a gentoo-sources kernel or a vanilla kernel, you need to patch the kernel yourself.

jody l33t
Joined: 16 Oct 2007 Posts: 668 Location: Switzerland
Posted: Thu Feb 28, 2013 3:18 pm
this is possible:
i just did 'emerge gentoo-sources'...
Now that you pointed that out:
i assume i have to emerge 'sys-kernel/hardened-sources', right?
Thanks
Jody

mvaterlaus Apprentice
Joined: 01 Oct 2010 Posts: 234 Location: Switzerland
Posted: Thu Feb 28, 2013 3:41 pm
yeah, sys-kernel/hardened-sources is the right package to go. there are also pappy kernel seeds to start with a minimal default config.
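The difference discussed in the exchange above is visible in the kernel .config itself, so it can be checked without opening menuconfig. The script below is an added example, not part of the original posts; the function names, the list of PaX options it looks for and the sample configs are this example's own assumptions and constructions.

```shell
#!/bin/sh
# Added example (not from the thread): classify a kernel .config read on stdin.
# The sample configs further down are constructed excerpts, not real output.

# PaX features this example looks for; the selection is the example's own.
PAX_WANTED="NOEXEC PAGEEXEC MPROTECT ASLR RANDMMAP"

pax_status() {
    cfg=$(cat)
    # An unpatched tree (gentoo-sources, vanilla) has no such symbols at all,
    # not even as "# CONFIG_... is not set" lines.
    if ! printf '%s\n' "$cfg" | grep -Eq '^(# )?CONFIG_(GRKERNSEC|PAX)[ =]'; then
        echo "unpatched"; return 0
    fi
    if ! printf '%s\n' "$cfg" | grep -q '^CONFIG_PAX=y'; then
        echo "patched, PaX off"; return 0
    fi
    missing=""
    for opt in $PAX_WANTED; do
        printf '%s\n' "$cfg" | grep -q "^CONFIG_PAX_${opt}=y" || missing="$missing $opt"
    done
    if [ -n "$missing" ]; then
        echo "PaX on, missing:$missing"
    else
        echo "PaX on"
    fi
}

sample_gentoo_sources() {    # constructed: no grsecurity symbols present
    printf '%s\n' 'CONFIG_SECURITY=y' 'CONFIG_SECURITYFS=y' \
        '# CONFIG_SECURITY_SELINUX is not set'
}
sample_hardened_default() {  # constructed: patched tree, option left off
    printf '%s\n' 'CONFIG_SECURITY=y' '# CONFIG_GRKERNSEC is not set'
}
sample_hardened_partial() {  # constructed: PaX on, ASLR options not selected
    printf '%s\n' 'CONFIG_GRKERNSEC=y' 'CONFIG_PAX=y' 'CONFIG_PAX_NOEXEC=y' \
        'CONFIG_PAX_PAGEEXEC=y' 'CONFIG_PAX_MPROTECT=y' \
        '# CONFIG_PAX_ASLR is not set'
}

for s in sample_gentoo_sources sample_hardened_default sample_hardened_partial; do
    printf '%-26s %s\n' "$s:" "$($s | pax_status)"
done
```

On an installed system, feed it the real file instead of a sample, for example `pax_status < /usr/src/linux/.config`.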
mattg889 n00b
Joined: 07 Nov 2012 Posts: 21
Posted: Thu Feb 28, 2013 4:53 pm Post subject: Oh I forgot...
I forgot to mention that I am trying to install my server as a headless server. No GUI. And I was planning on installing VirtualBox in headless mode. Is the "hardened/linux/amd64" profile still the best option?

krinn Watchman
Joined: 02 May 2003 Posts: 7470
Posted: Thu Feb 28, 2013 5:26 pm
IMO the best profile is just [1] default/linux/amd64/13.0 (without looking into profiles to see the diff), but i expect hardened profile to enable some hardened use flags and install must have tools for hardened usage that you don't need/want for a server that will not run with hardened kernel anyway, so you end with garbage.
So, yep for me, cach0rr0's advice wasn't a good one.

cach0rr0 Bodhisattva
Joined: 13 Nov 2008 Posts: 4123 Location: Houston, Republic of Texas
Posted: Thu Feb 28, 2013 10:45 pm
krinn wrote: |
IMO the best profile is just [1] default/linux/amd64/13.0 (without looking into profiles to see the diff), but i expect hardened profile to enable some hardened use flags and install must have tools for hardened usage that you don't need/want for a server that will not run with hardened kernel anyway, so you end with garbage.
So, yep for me, cach0rr0's advice wasn't a good one.
|
only thing i can think of that it might enable that might have an impact - hardened GCC (upon rebuild)
looking at my entire system for things that use either the 'hardened' or 'pax_kernel' USE flag, all I see are:
Code: |
vunnable amd64 # equery hasuse hardened
* Searching for USE flag hardened ...
[IP-] [ ] app-admin/syslog-ng-3.3.5-r1:0
[IP-] [ ] dev-util/pkgconfig-0.28:0
[IP-] [ ] media-gfx/splashutils-1.5.4.4-r2:0
[IP-] [ ] sys-devel/gcc-4.6.3:4.6
[IP-] [ ] sys-libs/glibc-2.16.0:2.2
[IP-] [ ] x11-libs/gnome-pty-helper-0.34.2:0
vunnable amd64 # equery hasuse pax_kernel
* Searching for USE flag pax_kernel ...
[IP-] [ ] dev-java/oracle-jre-bin-1.7.0.13:1.7
[IP-] [ ] dev-libs/libffi-3.0.12:0
[I--] [??] media-libs/mesa-9.1_rc1:0
[IP-] [ ] net-im/skype-4.1.0.20:0
|
only ones of these he would have on a headless server are gcc, glibc, pkgconfig, and syslog-ng - and the syslog-ng changes are very nice, even for a non-server setup, since it has filters that put things into different organized logs, rather than dumping everything into /var/log/messages. The above packages are from my laptop, which has a load of crap on it - so, yeah, he will not have these things on a server, and really the only thing changed is that my programs were built with "hardened" GCC.
that's not going to be a big broad sweeping change, but, you get SSP as an added bonus upon rebuilding GCC, and rebuilding subsequent packages should you so choose - SSP is not a bad thing on a server...
in other words, it is very unlikely to make any problematic changes, AND, "hardened GCC" has a small handful of benefits.
win/win IMHO
with hardened-sources you *do* get prompted to install gradm, but this is not installed by default, and, that's only if you use hardened-sources do you need that.
_________________
Lost configuring your system?
dump lspci -n here | see Pappy's guide | Link Stash |
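The two posts above disagree about what the hardened profile switches on compared with the default one; the profile directories can be compared directly instead. The script below is an added example, not part of the original posts: the function names are hypothetical, the sample tree is constructed and does not reproduce the real Gentoo profiles, and only `USE=` in `make.defaults` is considered.

```shell
#!/bin/sh
# Added example, not from the thread: diff the USE flags two Portage profiles
# set through their parent chains. Simplified: only USE= in make.defaults is
# read; use.mask, use.force and package.use are ignored.

# stacked_use DIR: USE tokens in stacking order, parents first (subshell body).
stacked_use() (
    dir=$(cd "$1" && pwd) || exit 1
    if [ -f "$dir/parent" ]; then
        while read -r p || [ -n "$p" ]; do
            case $p in ''|'#'*) continue ;; esac
            stacked_use "$dir/$p"
        done < "$dir/parent"
    fi
    [ -f "$dir/make.defaults" ] || exit 0
    # Shell-style assignments; the profile tree is treated as trusted input.
    set -f; USE=""; . "$dir/make.defaults"; printf '%s\n' $USE
)

# effective_use DIR: apply the incremental rules (-flag removes, -* clears).
effective_use() {
    stacked_use "$1" | awk '
        $0 == ""   { next }
        $0 == "-*" { split("", on); next }
        /^-/       { delete on[substr($0, 2)]; next }
                   { on[$0] = 1 }
        END        { for (f in on) print f }' | LC_ALL=C sort
}

# use_diff A B: "+flag" is set only by B, "-flag" only by A.
use_diff() {
    { effective_use "$1" | sed 's/^/A /'; effective_use "$2" | sed 's/^/B /'; } |
    awk '$1 == "A" { a[$2] = 1 }
         $1 == "B" { b[$2] = 1 }
         END { for (f in a) if (!(f in b)) print "-" f
               for (f in b) if (!(f in a)) print "+" f }' | LC_ALL=C sort
}
# Constructed sample tree, NOT the contents of the real Gentoo profiles.
make_sample_tree() {
    mkdir -p "$1/base" "$1/default" "$1/hardened"
    echo 'USE="acl ipv6 nls"'      > "$1/base/make.defaults"
    echo '../base'                 > "$1/default/parent"
    echo 'USE="cups"'              > "$1/default/make.defaults"
    echo '../base'                 > "$1/hardened/parent"
    echo 'USE="hardened pic -nls"' > "$1/hardened/make.defaults"
}

tree=$(mktemp -d) && make_sample_tree "$tree" && use_diff "$tree/default" "$tree/hardened"
rm -rf "$tree"
```

Against a real tree, pass the two profile directories from the `eselect profile list` output, assuming the Portage tree lives under `/usr/portage/profiles`.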
Hu Moderator
Joined: 06 Mar 2007 Posts: 21631
Posted: Fri Mar 01, 2013 3:15 am
You are not required to use sys-kernel/hardened-sources to use the hardened profile. You are welcome to use a plain sys-kernel/gentoo-sources with the hardened profile. However, if you want to see the GRsecurity options, then using sys-kernel/hardened-sources is the easiest way to get them. In my opinion, a server is the place where you want to use hardened if you use it at all, since by definition it is offering service to external entities, some of which may be malicious.