Gentoo Forums
Jaded Alternative Installation Guide v3

Author: dbasetrinity (Apprentice)
Joined: 25 Jun 2005
Posts: 167

Posted: Sun Jun 18, 2006 11:59 pm    Post subject: Jaded Alternative Installation Guide v3

To perform a 2006.0 Stage 3 Hardened Installation with GCC 4.0.3, follow these steps:

With a hardened Stage 3 tarball, grsecurity and PaX.

If you are in search of added security, look no further: this guide will take you step by step through the process. This guide should be considered EXPERIMENTAL. While creating it we did a lot of testing on this setup and found it very reliable, but there is always the possibility that a bug will show up. If you do run into any issues, please report them so we can try to resolve them.

Guide Features
1. Hardened stage3 tarball
2. NPTL
3. GCC 4.0.3
4. hardened-sources


1. Download and burn the Minimal Installation CD. The .iso image used for the hardware in this example is:

Code:
wget http://gentoo.osuosl.org/releases/x86/2006.0/installcd/install-x86-minimal-2006.0.iso


Some might find using the minimal CD a little boring, since it is non-GUI with only links to play with. I like something that has Mozilla Firefox, Gaim and XChat; these tend to help if you run into problems with the installation. So here are a few I like to use.

http://kanotix.com/
http://www.lxnaydesign.net/

Kanotix is a Debian-based LiveCD and RR4 is a Gentoo-based LiveCD.

2. Boot using the Minimal Installation CD. At the "boot:" prompt, press <Enter> to select the default gentoo kernel.

3. Configure the LAN card. We assume that your LAN card has been recognized and that you can obtain a LAN connection via DHCP.

Code:
# dhcpcd eth0



4. Configure Your Hard Disk

4.1 View the Hard Drive's Operational Parameters. In this example we will assume that only one hard disk will be installed on the system. It will be recognized by Gentoo as /dev/hda. We will start off by viewing the default disk parameters at boot:

Code:
# hdparm /dev/hda
/dev/hda:
multcount    = 16 (on)
IO_support   = 0 (default 16-bit)
unmaskirq    = 0 (off)
using_dma    = 1 (on)
keepsettings = 0 (off)
readonly     = 0 (off)
readahead    = 256 (on)
geometry     = 16383/255/63, sectors = 120034123776, start = 0

# hdparm -i /dev/hda

/dev/hda:

Model=WDC WD1200JB-00GVA0, FwRev=08.02D08, SerialNo=WD-WMAL92634373
Config={ HardSect NotMFM HdSw>15uSec SpinMotCtl Fixed DTR>5Mbs FmtGapReq}
RawCHS=16383/16/63, TrkSize=57600, SectSize=600, ECCbytes=74
BuffType=DualPortCache, BuffSize=8192kB, MaxMultSect=16, MultSect=16
CurCHS=16383/16/63, CurSects=16514064, LBA=yes, LBAsects=234441648
IORDY=on/off, tPIO={min:120,w/IORDY:120}, tDMA={min:120,rec:120}
PIO modes:  pio0 pio1 pio2 pio3 pio4
DMA modes:  mdma0 mdma1 mdma2
UDMA modes: udma0 udma1 udma2 udma3 udma4 *udma5
AdvancedPM=no, WriteCache=enabled
Drive conforms to: device does not report version:

* signifies the current active mode


4.2 In this step we set hdparm parameters to increase hard drive performance. In this example we're using a WD1200JB. It is possible to get a little better performance out of this drive by issuing a few parameters with hdparm; the following parameters work well with it. Here are a few guides on hdparm that might help you decide whether they are right for your drive:

http://gentoo-wiki.com/HOWTO_Use_hdparm_to_improve_IDE_device_performance
http://gentoo-wiki.com/MAN_hdparm

Code:
# hdparm -a256A1c1d1m16u1 /dev/hda

/dev/hda:
setting fs readahead to 256
setting 32-bit IO_support flag to 1
setting multcount to 16
setting unmaskirq to 1 (on)
setting using_dma to 1 (on)
setting drive read-lookahead to 1 (on)
multcount    = 16 (on)
IO_support   =  1 (32-bit)
unmaskirq    =  1 (on)
using_dma    =  1 (on)
readahead    = 256 (on)


4.3 Test the Hard Drive's Performance.

Typical results for an Athlon XP:

Code:
# hdparm -tT /dev/hda
/dev/hda:
Timing cached reads:   2365 MB in  2.00 seconds =  1177.93 MB/sec
Timing buffered disk reads:   174 MB in   3.01 seconds =  57.46  MB/sec


4.4 Partition the Hard Drive

4.4.1 Display the Partition Information

Technically, this command is used to change the partition information, but on an unpartitioned drive it will display whatever partition information is available:

Code:
# fdisk /dev/hda
The number of cylinders for this disk is set to 24321.
There is nothing wrong with that, but this is larger than 1024,
and in certain setups could cause problems with:
1) software that runs at boot time (e.g., old versions of LILO)
2) booting and partitioning software from other OSs
 (e.g., DOS FDISK, OS/2 FDISK)

Command (m for help): p

Disk /dev/hda: 200.0 GB, 200049647616 bytes
255 heads, 63 sectors/track, 24321 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

Device Boot Start End Blocks Id System

Command (m for help):


4.4.2 Plan Our Partition Scheme

My recommendation is that you plan out your partitions well. For debugging purposes I would suggest creating a separate /usr, /opt, /var and possibly a /home; I also like to create a /www partition, which I then use to house all my web pages for my LAMP setup.

For clarity I'm going to keep it simple: we're going to use the following partition scheme. I'll leave out the details, assuming that you know how to partition your hard disk.

Code:
Partition File System    ID  Size      Description
/dev/hda1 ext3           83  100 MB    Boot partition
/dev/hda2 (swap)         82  512 MB    Swap partition
/dev/hda3 ReiserFS 3.6   83  Remainder Root partition


4.5 Partition the Hard Disk

4.5.1 Verify the partition configuration

Code:
Disk /dev/hda: 200.0 GB, 200049647616 bytes
255 heads, 63 sectors/track, 24321 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

Device     Boot   Start    End     Blocks    Id  System
/dev/hda1    *        1     13     104391    83  Linux
/dev/hda2            14     76     506047+   82  Linux swap
/dev/hda3            77  14593  116607802+   83  Linux


4.5.2 Exit fdisk and save the partition layout. Press "w" to write the partition table to disk and exit fdisk.

Code:
Command (m for help): w
The partition table has been altered!
Calling ioctl() to re-read partition table.
Syncing disks


4.6 Time to create the filesystems. This example covers ext3 on the /boot partition, ReiserFS 3.6 on the root partition, and swap on the swap partition.

4.6.1 Install ext3 on /dev/hda1 and ReiserFS on /dev/hda3:

Code:
# mke2fs -j /dev/hda1
# mkreiserfs /dev/hda3


You will need to answer "Y" when asked if you want to continue installing Reiser FS on the hard disk.

4.6.2 Install the swap partition on /dev/hda2:

Code:
# mkswap /dev/hda2 && swapon /dev/hda2


4.7 Mounting the File Systems. Mount the partitions using the "mount" command.

Code:
# mount /dev/hda3 /mnt/gentoo
# mkdir /mnt/gentoo/boot
# mount -t ext3 /dev/hda1 /mnt/gentoo/boot


5. Installing the Gentoo Installation Files.

5.1 Download the Hardened Stage 3 Tarball from the Internet.

Go to the gentoo mount point on your hard disk:

Code:

# cd /mnt/gentoo


We will need to download 2 files from the mirrors: The Stage 3 Hardened tarball and its checksum file. We will download the following two files using the "wget" command at the bash prompt. The entire command must be typed on one line:

Code:
wget http://gentoo.osuosl.org/releases/x86/2006.0/stages/x86/hardened/stage3-x86-hardened-2.6-2006.0.tar.bz2
wget http://gentoo.osuosl.org/releases/x86/2006.0/stages/x86/hardened/stage3-x86-hardened-2.6-2006.0.tar.bz2.DIGESTS


If you need to check the list of Gentoo mirrors, consult the Gentoo mirror list.

5.2 Check the MD5 sum of the tarball. This step should never be skipped: bad things can happen while downloading, a bit here, a byte there! :)

Code:
# md5sum -c stage3-x86-hardened-2.6-2006.0.tar.bz2.DIGESTS
stage3-x86-hardened-2.6-2006.0.tar.bz2: OK




5.3 Extract the Hardened Stage 3 tarball using the following command.

Code:
# tar -xjpvf stage3-x86-hardened-2.6-2006.0.tar.bz2


Now is a good time to take a break; this can take a while depending on your system...

5.4 Installing Portage

5.4.1 Download a fresh portage snapshot using the wget command.

Code:
# wget http://gentoo.osuosl.org/snapshots/portage-latest.tar.bz2


5.4.2 Extract the Portage Snapshot

Code:
# tar -xjvf /mnt/gentoo/portage-latest.tar.bz2 -C /mnt/gentoo/usr


This one might give you a few free moments to refill that coffee cup, as this will again take a while.

6. Installing the Gentoo Base System

6.1 Copy the DNS information in /etc/resolv.conf to ensure that networking works in our new Gentoo environment.

Code:
# cp -L /etc/resolv.conf /mnt/gentoo/etc/resolv.conf


6.2 We mount the /proc file system and bind-mount /dev so that our Gentoo installation can use kernel-provided information within the chrooted environment.

Code:
# mount -t proc none /mnt/gentoo/proc
# mount -o bind /dev /mnt/gentoo/dev
# cp /proc/mounts /mnt/gentoo/etc/mtab


6.3 Chroot into the New Environment

Code:
# chroot /mnt/gentoo /bin/bash
# env-update
# source /etc/profile


6.4 Set the Date and Time

6.4.1 Set the Correct Date and Time.

The date command uses the syntax MMDDHHMMYYYY, where MM is the month, DD is the day, HHMM is the time, and YYYY is the year. As I type this, it is Tuesday December 05, 2005 at 19:30:

Code:
# date 120519302005
Tuesday Dec 05 91:30:00 Local time zone must be set--see zic manual page 2005


6.4.2 Set the Time Zone Symlink.

This example displays the available time zone selections for the Western Hemisphere:

Code:
# ls /usr/share/zoneinfo/America


I set the local time zone to Pacific Time because I live in Los Angeles. To do this, I first remove the symlink to the default time zone, and then replace it with a symlink to my local time zone:

Code:
# rm /etc/localtime
# ln -s /usr/share/zoneinfo/America/Los_Angeles /etc/localtime
Sunday June 18 16:32:50  2006


6.5 Setting up make.conf
In this example, we're compiling for an Athlon XP-class box on the x86 architecture. Our CHOST setting will be i686-pc-linux-gnu. Since all of the 686-class boxes use the same CHOST, it really doesn't matter which tarball we start off with. More accurately, you can start off with the i686 tarball and properly complete the install for any of the 686-class boxes. The advantage of doing this is that the i686 tarball is not affected by the permissions problems that plague some of the other 686-class tarballs. All that you need to worry about is changing the architecture specification for your processor.

This guide uses a minimal setting of the USE variable. You are free to add USE flags as needed for your specific system requirements, but it is highly recommended that you do not add them to /etc/make.conf until after you have finished emerge -e system; adding USE flags before then can make compiling the system a challenge. Also, since this is a HARDENED install, there are no default USE flags needed for the install itself; the USE flags you need are listed at the end of the install and should be added either to /etc/make.conf or via ufed, which we use in this guide.

Code:
# nano -w /etc/make.conf

CHOST="i686-pc-linux-gnu"
CFLAGS="-O2 -march=athlon-xp -fomit-frame-pointer -pipe"
CXXFLAGS=${CFLAGS}
ACCEPT_KEYWORDS="x86"
PORTAGE_TMPDIR=/var/tmp
PORTDIR=/usr/portage
DISTDIR=${PORTDIR}/distfiles
PKGDIR=${PORTDIR}/packages
PORT_LOGDIR=/var/log/portage
PORTDIR_OVERLAY=/usr/local/portage
GENTOO_MIRRORS="<your mirror goes here> http://gentoo.osuosl.org http://www.ibiblio.org/pub/Linux/distributions/gentoo"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
RSYNC_RETRIES="3"
RSYNC_TIMEOUT=180
MAKEOPTS="-j2"
PORTAGE_NICENESS=3
AUTOCLEAN="yes"
FEATURES="distlocks sandbox userpriv usersandbox"
CCACHE_SIZE="2G"
USE="nptl"


6.6 Additional Portage Configuration

6.6.1 Create Portage Directories

The sample /etc/make.conf listed above specifies directories for Portage log files and overlays that are not included as part of a standard Gentoo installation. If you are going to use the logging and overlay functions listed in the sample make.conf file, then you will need to create two additional directories on your system.

Code:
# mkdir /var/log/portage
# mkdir /usr/local/portage


6.6.2 Package Keywords - Enabling GCC 4.0.3 in the Stable Branch

GCC 4.0.3 is part of the unstable or "testing" branch in Portage. If you will be using the "x86" stable branch of the software, then we need to configure Portage to enable the use of GCC 4.0.3 and some other toolkit components, even though they are currently classified in the testing branch.

To configure a stable branch system to utilize a testing branch ebuild, We need to let Portage know that we have approved this subset of the testing branch for use on our system. This is accomplished by specifying the name of the package and the applicable keyword in the /etc/portage/package.keywords file. We will enable support for four testing branch ebuilds in our system.

Code:
# nano -w /etc/portage/package.keywords
=sys-devel/gcc-4.0* -* ~x86
sys-devel/gcc-config ~x86
sys-libs/libstdc++-v3 ~x86
=sys-libs/glibc-2.3.6-r1 -* ~x86
=sys-devel/binutils-2.16.9* -* ~x86
sys-libs/timezone-data ~x86
app-admin/eselect-compiler ~x86


6.6.3 We also need to unmask GCC 4.0.3, glibc 2.3.6 and binutils 2.16.9

Code:
# nano -w /etc/portage/package.unmask
=sys-devel/binutils-2.16.9*
=sys-libs/glibc-2.3.6
=sys-devel/gcc-4.0*


6.6.4 Update the Portage Tree

Code:
# emerge --sync


6.7 Activate User Locales

Gentoo's default behavior is to compile a full set of all of the available user locales. We will activate the userlocales local USE flag to limit the compilation of user locales to those that we specify. Limiting the scope of userlocales will save us a tremendous amount of time while compiling glibc. (While we're editing this file, we'll also add "ithreads" as a package-specific USE flag for perl and libperl to allow interpreter-level threading.)

6.7.1 Activate the userlocales USE flag for glibc

Code:
# nano -w /etc/portage/package.use
sys-libs/glibc userlocales
sys-devel/libperl ithreads
dev-lang/perl ithreads


6.7.2 Specify the user locales to build.

Create the /etc/locales.build file with your favorite editor. I'm located in the USA, so I'll use the following values.

Code:
# nano -w /etc/locales.build
en_US/ISO-8859-1
en_US.UTF-8/UTF-8


7. Building the Toolkit

7.1 Building the Toolkit with GCC 3.4.4

To enable NPTL support we are required to use a 2.6 kernel and linux26-headers. linux26-headers is now contained in the 2006.0 Stage 3 tarball.

Code:
# env-update && source /etc/profile
# emerge gcc-config glibc binutils libstdc++-v3 gcc


This step will surely make you think WOW, because it takes a while to complete. It's a good time for a nice afternoon nap. Time to compile that toolchain!

7.2 Re-Building the Toolkit: GCC 4.0.3

After emerging a new version of GCC, we need to pause for a moment and think about what we've done. We've just used GCC 3.4.4 and a toolchain built with GCC 3.4.4 to compile GCC 4.0.3. Before we spend any more time building our Gentoo system we should rebuild the entire toolchain, re-compiling it so that we have GCC 4.0.3 that was built with GCC 4.0.3.

Before we do this we need to examine /etc/make.conf and make changes to the CFLAGS statements in order to take advantage of the new performance-enhancing features of GCC 4.0.3. After making the necessary updates to /etc/make.conf we need to rebuild the toolkit using the new GCC 4.0.3 compiler. The result will be a 4.0.3 toolkit, compiled by a 4.0.3 toolkit that was built with a 3.4.4 toolkit.


7.2.1 Updating make.conf

Here are some settings for /etc/make.conf that may be worth considering. They include extreme levels of code optimization and some very safe and stable performance-enhancing CFLAGS. Depending upon your individual hardware, you may have to simplify some of the CFLAGS settings.

These CFLAGS should be looked at as examples only. Please refer to:
http://gentoo-wiki.com/CFLAGS
http://gcc.gnu.org/onlinedocs/gcc-3.3/gcc/Optimize-Options.htm
http://gentoo-wiki.com/Safe_Cflags

Code:
CFLAGS="-O2 -march=athlon-xp -fforce-addr -fomit-frame-pointer -ftracer -pipe"
CXXFLAGS="${CFLAGS} -fvisibility-inlines-hidden"


The default may be a better approach for those who don't want to be on the bleeding edge or don't want to spend time troubleshooting.

7.2.2 Configuring the Default C Compiler

Although we have emerged GCC 4.0.3, it has not been automatically installed as our default compiler. If you have any doubts about this, take a quick peek at the output of "emerge info" or "gcc-config -l". Although GCC 4.0.3 has already been emerged, GCC 3.4.4 is still installed as out

Code:
# gcc-config -l
[1] i386-pc-linux-gnu-3.4.4-20050130
[2] i386-pc-linux-gnu-3.4.4-20050130-hardenednopie
[3] i386-pc-linux-gnu-3.4.4-20050130-hardenednopiessp
[4] i386-pc-linux-gnu-3.4.4-20050130-hardenednossp
[5] i386-pc-linux-gnu-3.4.4-20050130-vanilla
[6] i686-pc-linux-gnu-4.0.3 *
[7] i686-pc-linux-gnu-4.0.3-hardenednopie
[8] i686-pc-linux-gnu-4.0.3-hardenednopiessp
[9] i686-pc-linux-gnu-4.0.3-hardenednossp
[10] i686-pc-linux-gnu-4.0.3-vanilla


Change the default compiler to GCC 4.0.3 by issuing the following command. Warning: make sure that the correct compiler profile is selected; the numbers may differ on your system.

Code:
# gcc-config 6


7.2.3 Updating the System Environment

An additional command updates our system environment:

Code:
# env-update && source /etc/profile


7.2.4 Rebuilding the System Toolkit

Now it's time to rebuild the toolkit. We'll start off by recompiling glibc, binutils, gcc, and by updating portage. This will rebuild our GCC 4.0.3 compiling toolkit (which had previously been compiled with GCC 3.4.4) with the GCC 4.0.3 compiler, taking advantage of our new USE flags and CFLAGS compiler settings.

Code:
# emerge glibc binutils libstdc++-v3 gcc portage


Upon completion of the rebuild of the compiling toolkit, we will recompile the entire system to assure that our entire toolkit has been compiled using GCC 4.0.3 and our hardware-specific settings.

The result will be a 4.0.3 toolkit and an entire system that is built with a 4.0.3 toolkit.

Code:
# emerge -e system && emerge -e system


7.2.5 Prune the GCC Compiler

Now that GCC 4.0.3 has been installed as the default compiler and our system has been rebuilt, we can prune GCC 3.4.4 from our system by issuing the following commands. First, verify that GCC 4.0.3 has indeed been installed as the default compiler using the "l" parameter with gcc-config. (Just to avoid any confusion, the parameter used is a lower case "L", not the number "one".) Then, after confirming that GCC 4.0.3 has been installed as the default compiler, prune GCC 3.4.4 from your system.

Code:
# gcc-config -l
# emerge -P gcc


8.0 Building the World

8.1 Emerge Ccache (Optional)

Now that our toolkit has been built, we'll emerge the ccache program. ccache is a compiler cache that helps reduce compile times when previously compiled programs are recompiled. It does not affect the time required to compile programs on the first pass, so this is an optional step. (Note: CCACHE_SIZE was set to 2G in the sample make.conf. If you have sufficient disk space and you're planning on emerging a bloated window manager like GNOME or KDE, or if you are performing an emerge -e system or an emerge -e world, then you may want to keep this setting at CCACHE_SIZE="2G".) If you don't need or want this, you can comment out CCACHE_SIZE="2G" or just reduce it to CCACHE_SIZE="512M" in /etc/make.conf. Portage only uses ccache when "ccache" is listed in FEATURES in /etc/make.conf.

Code:
# emerge ccache


8.2 Emerging Programs

Now it's time to add a few useful packages to our world profile:

Code:
# emerge syslog-ng xinetd grub vixie-cron reiserfsprogs sysfsutils dhcpcd hotplug coldplug gentoolkit esearch udev hdparm

# emerge --nodeps acpid ntp

# emerge chpax paxctl paxtest ufed


8.3 Updating the Environment

Now we'll add these services to the default runlevel.

Code:
# rc-update add syslog-ng default
# rc-update add net.eth0 default
# rc-update add vixie-cron default
# rc-update add xinetd default
# rc-update add sshd default
# rc-update add hotplug default
# rc-update add coldplug default
# rc-update add acpid default
# rc-update add ntp-client default
# rc-update add chpax default


8.4 Configuring the NTP Client

In the previous steps we emerged a Network Time Protocol client to allow us to use NTP time servers to synchronize our system clock. In this step we'll configure the ntp-client to eliminate clock skew:

Code:
# ntpdate -b -u pool.ntp.org


9. Kernel

9.1 Downloading the Kernel

The decision to enable NPTL support requires that we use a 2.6 kernel. You are free to choose any flavor of 2.6 kernel that you like. In this example, we'll be using the HARDENED-Sources kernel. Note that a 2.4 kernel will not work properly with this Installation Guide.


9.3 Now we are going to emerge our kernel source. Whatever stable 2.6 kernel you decide to go with, just make sure to use hardened-sources:

Code:
# emerge hardened-sources


9.4 Building the Kernel Symlink

This is only needed if you already have a previous kernel installed and you want to point the symlink to the new kernel.

Code:
# rm /usr/src/linux
# cd /usr/src
# ln -s linux-2.6.16-hardened-r9 linux



9.5 Configuration

9.5.1 Enable udev Support

Edit your /etc/conf.d/rc file so that it contains the following statements:

Code:
# nano -w /etc/conf.d/rc

RC_NET_STRICT_CHECKING="no"
RC_DEVICES="udev"
RC_DEVICE_TARBALL="no"


9.5.2 Configure Kernel Options

If you're following this Installation Guide, we're going to assume that you want the best performance from your system, and that you'll be using a custom-compiled kernel instead of genkernel. When configuring your kernel, be sure to include support for hotplug firmware loading. Also be sure to remove devfs filesystem support, as we are designing udev support into our system.

Configure the kernel:

Code:
# cd /usr/src/linux
# make menuconfig


9.5.3 Now you can configure your kernel as normal and add a few entries to it. To be able to select the various grsecurity/PaX kernel options, you must enable grsecurity/PaX in your kernel:

Code:

1. Go into Security Options  --->
   A. Go into PaX
         [*] Enable various PaX features
      a. Go into PaX Control  --->
         [ ] Support soft mode
         [*] Use legacy ELF header marking
         [*] Use ELF program header marking
             MAC system integration (none)  --->
      b. Go into Non-executable pages  --->
         [*] Enforce non-executable pages
         [*]   Paging based non-executable pages
         [*]   Segmentation based non-executable pages
               Default non-executable page method (SEGMEXEC)  --->
         [ ] Emulate trampolines
         [*] Restrict mprotect()
         [ ] Disallow ELF text relocations
         [ ] Enforce non-executable kernel pages
      c. Go into Address Space Layout Randomization  --->
         [*] Address Space Layout Randomization
         [*] Randomize kernel stack base
         [*] Randomize user stack base
         [*] Randomize mmap() base
         --- Disable the vsyscall page
2. Go into Grsecurity  --->
   A. [*] Grsecurity
      a. Security Level (Custom)  --->
      b. Go into Address Space Protection  --->
         [*] Deny writing to /dev/kmem, /dev/mem, and /dev/port
         [ ] Disable privileged I/O
         [*] Remove addresses from /proc/<pid>/[smaps|maps|stat]
         [ ] Deter exploit bruteforcing
         [ ] Hide kernel symbols
      c. Go into Role Based Access Control Options  --->
         [*] Hide kernel processes
         (3)  Maximum tries before password lockout
         (30) Time to wait after max password tries, in seconds
      d. Go into Filesystem Protections  --->
         [*] Proc restrictions
         [ ]   Restrict /proc to user only
         [*]   Allow special group
               (1001) GID for special group
         [*] Additional restrictions
         [*] Linking restrictions
         [*] FIFO restrictions
         [*] Chroot jail restrictions
         [*]   Deny mounts
         [*]   Deny double-chroots
         [*]   Deny pivot_root in chroot
         [*]   Enforce chdir("/") on all chroots
         [*]   Deny (f)chmod +s
         [*]   Deny fchdir out of chroot
         [*]   Deny mknod
         [*]   Deny shmat() out of chroot
         [*]   Deny access to abstract AF_UNIX sockets out of chroot
         [*]   Protect outside processes
         [*]   Restrict priority changes
         [*]   Deny sysctl writes
         [*]   Capability restrictions
      e. Go into Kernel Auditing  --->
         [ ] Single group for auditing
         [ ] Exec logging
         [*] Resource logging
         [ ] Log execs within chroot
         [ ] Chdir logging
         [*] (Un)Mount logging
         [ ] IPC logging
         [*] Signal logging
         [*] Fork failure logging
         [*] Time change logging
         [ ] /proc/<pid>/ipaddr support
         [ ] ELF text relocations logging (READ HELP)
      f. Go into Executable Protections  --->
         [*] Enforce RLIMIT_NPROC on execs
         [ ] Destroy unused shared memory
         [*] Dmesg(8) restriction
         [*] Randomized PIDs
         [ ] Trusted Path Execution (TPE)
      g. Go into Network Protections  --->
         [*] Larger entropy pools
         [*]   Randomized TCP source ports
         [ ]   Socket restrictions
      h. Sysctl support  --->
         i. Go into Logging Options  --->
            (10) Seconds in between log messages (minimum)
            (4)  Number of messages in a burst (maximum)



Those are all the grsecurity & PaX selections that I have enabled in my kernel...
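
An added example, not from the guide: a script that audits a kernel .config against the PaX and grsecurity choices above before you build, so a dependency that silently dropped an option is caught before the kernel boots. The CONFIG_ symbol names are my assumption of the Kconfig names behind those menu entries in hardened-sources of that era, and the .config it checks is a constructed sample.

```shell
#!/bin/sh
# Added example, not from the original guide: audit a kernel .config against
# the PaX / grsecurity choices of step 9.5.3 before running make.
# Assumption: the CONFIG_ symbols are the Kconfig names behind those menu
# labels in hardened-sources of that era; if one reports as off although you
# selected it, grep the Kconfig files under /usr/src/linux for the label.
# The .config written further down is a constructed sample, not a real file.

# Entries the guide sets to [*]: "SYMBOL menu label", one per line
WANT_ON='
CONFIG_PAX Enable various PaX features
CONFIG_PAX_NOEXEC Enforce non-executable pages
CONFIG_PAX_PAGEEXEC Paging based non-executable pages
CONFIG_PAX_SEGMEXEC Segmentation based non-executable pages
CONFIG_PAX_MPROTECT Restrict mprotect()
CONFIG_PAX_ASLR Address Space Layout Randomization
CONFIG_PAX_RANDKSTACK Randomize kernel stack base
CONFIG_PAX_RANDUSTACK Randomize user stack base
CONFIG_PAX_RANDMMAP Randomize mmap() base
CONFIG_GRKERNSEC Grsecurity
CONFIG_GRKERNSEC_KMEM Deny writing to /dev/kmem, /dev/mem, and /dev/port
CONFIG_GRKERNSEC_PROC Proc restrictions
CONFIG_GRKERNSEC_CHROOT Chroot jail restrictions
CONFIG_GRKERNSEC_CHROOT_MOUNT Deny mounts
CONFIG_GRKERNSEC_DMESG Dmesg(8) restriction
CONFIG_GRKERNSEC_RANDPID Randomized PIDs
'
# Entries the guide leaves [ ]: soft mode would make PaX an opt-in, per-binary
# feature instead of the default for every process
WANT_OFF='
CONFIG_PAX_SOFTMODE Support soft mode
CONFIG_PAX_EMUTRAMP Emulate trampolines
'

# config_state FILE SYMBOL -> prints y, m or n.  A .config holds "SYMBOL=y",
# "SYMBOL=m", "# SYMBOL is not set", or nothing at all when the symbol's
# dependencies are unmet; the last two both mean the feature is off.
config_state() {
    state=$(sed -n "s/^$2=\([ym]\)\$/\1/p" "$1")
    echo "${state:-n}"
}

# check_options FILE EXPECTED LIST -> prints one line per entry and returns
# the number of entries whose state differs from EXPECTED
check_options() {
    cfg=$1; want=$2; bad=0
    while read -r sym label; do
        [ -n "$sym" ] || continue
        state=$(config_state "$cfg" "$sym")
        if [ "$state" = "$want" ]; then
            printf '  ok    %-30s %s\n' "$sym" "$label"
        else
            printf '  WRONG %-30s %s (is %s, want %s)\n' "$sym" "$label" "$state" "$want"
            bad=$((bad + 1))
        fi
    done <<EOF
$3
EOF
    return $bad
}

# audit_kernel_config FILE -> returns how many entries differ from the guide's
# selection; 0 means the .config matches it
audit_kernel_config() {
    on=0; off=0
    echo "Must be built in (=y):"
    check_options "$1" y "$WANT_ON" || on=$?
    echo "Must stay off:"
    check_options "$1" n "$WANT_OFF" || off=$?
    return $((on + off))
}

# --- constructed sample .config: soft mode left on, randomized PIDs left off ---
WORK=$(mktemp -d)
SAMPLE_CONFIG="$WORK/config-sample"
cat > "$SAMPLE_CONFIG" <<'EOF'
CONFIG_PAX=y
CONFIG_PAX_SOFTMODE=y
# CONFIG_PAX_EMUTRAMP is not set
CONFIG_PAX_NOEXEC=y
CONFIG_PAX_PAGEEXEC=y
CONFIG_PAX_SEGMEXEC=y
CONFIG_PAX_MPROTECT=y
CONFIG_PAX_ASLR=y
CONFIG_PAX_RANDKSTACK=y
CONFIG_PAX_RANDUSTACK=y
CONFIG_PAX_RANDMMAP=y
CONFIG_GRKERNSEC=y
CONFIG_GRKERNSEC_KMEM=y
CONFIG_GRKERNSEC_PROC=y
CONFIG_GRKERNSEC_CHROOT=y
CONFIG_GRKERNSEC_CHROOT_MOUNT=y
CONFIG_GRKERNSEC_DMESG=y
# CONFIG_GRKERNSEC_RANDPID is not set
EOF

# Reports the two deviations; on a real box point it at /usr/src/linux/.config
audit_kernel_config "$SAMPLE_CONFIG" || echo "deviations from the guide: $?"
```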

9.5.4 Compiling the Kernel

To compile your kernel and install the kernel and selected modules, issue the following command. I find that this one works a bit better than some of the other one-liner kernel compilation commands. If you should run into a problem where kernel compilation fails, it's easy to determine where the problem was. In addition, this command will also install the kernel for you:

Code:
# make && make modules && make modules_install && make install


10. Configuring the System

10.1 Configure Network Adapters

Configure your network adapters as recommended in the Gentoo Installation Handbook. In our case, we'll use DHCP:

Code:
# nano -w /etc/conf.d/net
iface_eth0="dhcp"
dhcpcd_eth0="-t 10"


10.2 Set Hostnames and Domainnames

The hostname and domainname locations referenced in the Gentoo Installation Handbook and some of the other HowTos appear to have been deprecated. The first example in each of the following two sections uses the old configuration method, which has been deprecated, but this is not yet reflected in many of the installation guides. The second option in each of the following two examples is more current:

10.2.1 Set Your Hostname

The following examples provide instructions for setting the hostname on your Gentoo box. We'll use "gentooville" as the hostname in this example.

Code:
# nano -w /etc/conf.d/hostname
HOSTNAME="gentooville"


10.2.2 Set Your Domainname

Code:
# nano -w /etc/conf.d/domainname
OVERRIDE=1
DNSDOMAIN="mydomain.com"
NISDOMAIN="nis.mydomain.com"



10.2.3 Update /etc/hosts

If nameservers on your network handle all name resolution, then you can skip this step.

If your PC is a standalone system, or if your PC has a static IP address and you don't have DNS entries for your machine in a nameserver somewhere on your network, then you should specify the following information in the /etc/hosts file.


Code:
# nano -w /etc/hosts
127.0.0.1        localhost.localdomain       localhost
192.168.0.5      gentooville.mydomain.com     gentooville


10.2.4 Add domainname to the Default Runlevel

Code:
# rc-update add domainname default


10.4 Grub Bootloader

10.4.1 Grub.conf

To boot our installation of Gentoo Linux we'll need to configure a boot menu for the GRUB bootloader. Use your favorite text editor to create the /boot/grub/grub.conf file. In this case we'll use nano.

If you can't remember what kernel image you have, this is what I do a lot, since I tend to forget by the time I get to grub.conf.

Code:
# ls /boot


And I look for this: vmlinuz-2.6.16-hardened-r9 or similar. This is what you would add to your grub.conf:

Code:
System.map                     boot    config-2.6.16-hardened-r9  lost+found  vmlinuz-2.6.16-hardened-r9
System.map-2.6.16-hardened-r9  config  grub                       vmlinuz


Code:
# cd /boot/grub
# nano -w grub.conf


Code:
# Which listing to boot as default. 0 is the first, 1 the second etc.
default 0
# How many seconds to wait before the default listing is booted.
timeout 30
# Nice, fat splash-image to spice things up :)
# Comment out if you don't have a graphics card installed

splashimage=(hd0,0)/boot/grub/splash.xpm.gz

title=Gentoo Linux 2.6.16-hardened-r9
# Partition where the kernel image (or operating system) is located
root (hd0,0)
kernel /boot/vmlinuz-2.6.16-hardened-r9 root=/dev/hda3

# The next four lines are only if you dualboot with a Windows system.
# In this case, Windows is hosted on /dev/hda6.
title=Windows XP
rootnoverify (hd0,5)
makeactive
chainloader +1


10.4.2 Installing Grub onto the Hard Disk

Start Grub from the command prompt and use the following commands to embed grub into the hard disk. Remember, when counting hard disks we like to start at 1, but Grub likes to start at 0, so /dev/hda1 corresponds to hard disk 0, partition 0 in Grub.


Code:
# grub
grub> root (hd0,0)
grub> setup (hd0)
grub> quit


10.5 Filesystem - Configuring fstab


This is a sample /etc/fstab file that reflects the disk partition scheme used earlier in this Installation Guide. Make changes as appropriate if your partition scheme is different.

Code:
# nano -w /etc/fstab


Code:
# <fs>               <mountpoint>  <type>       <opts>               <dump/pass>
/dev/hda1            /boot         reiserfs     noauto,notail        1 2
/dev/hda3            /             reiserfs     notail               0 1
/dev/hda2            none          swap         sw                   0 0
/dev/cdroms/cdrom0   /mnt/cdrom    iso9660      user,noauto,ro,exec  0 0
/dev/fd0             /mnt/floppy   auto         noauto,users         0 0

# NOTE: The next line is critical for boot!
none                 /proc         proc         defaults             0 0

# glibc 2.2 and above expects tmpfs to be mounted at /dev/shm for
# POSIX shared memory (shm_open, shm_unlink).
# (tmpfs is a dynamically expandable/shrinkable ramdisk, and will
# use almost no memory if not populated with files)
# Adding the following line to /etc/fstab should take care of this:

none                 /dev/shm      tmpfs        nodev,nosuid         0 0
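As an added check (example script, not part of the guide), the following audits an fstab for the two entries this section calls out: the /proc line and the tmpfs on /dev/shm with its nodev,nosuid options, which stop that world-writable mount from being used to stage device nodes or setuid binaries. The fstab it reads is a constructed sample written to a temp file, so it never touches the live system.

```shell
#!/bin/sh
# Added example, not part of the guide: audit an fstab for the /proc entry and
# for a tmpfs on /dev/shm carrying nodev,nosuid, as the guide's sample does.

# has_opt OPTS NAME: succeed if the comma-separated OPTS contains NAME exactly
has_opt() {
    case ",$1," in *",$2,"*) return 0 ;; esac
    return 1
}

# fstab_findings FILE: print one finding per line (prints nothing if clean)
fstab_findings() {
    seen_proc=0
    seen_shm=0
    while read -r fs mnt type opts dump pass; do
        case "$fs" in ''|'#'*) continue ;; esac   # skip blank and comment lines
        case "$mnt" in
            /proc) seen_proc=1 ;;
            /dev/shm)
                seen_shm=1
                [ "$type" = tmpfs ] || echo "/dev/shm is type $type, expected tmpfs"
                for o in nodev nosuid; do
                    has_opt "$opts" "$o" || echo "/dev/shm missing $o"
                done ;;
        esac
    done < "$1"
    [ "$seen_proc" -eq 1 ] || echo "no /proc entry (the guide marks it critical for boot)"
    [ "$seen_shm" -eq 1 ] || echo "no tmpfs entry for /dev/shm"
}

# fstab_finding_count FILE: number of findings, 0 when the file is clean
fstab_finding_count() {
    fstab_findings "$1" | awk 'END { print NR }'
}

# Constructed sample in the guide's layout, with nosuid dropped from /dev/shm
sample=$(mktemp)
cat > "$sample" <<'EOF'
# <fs>      <mountpoint>  <type>    <opts>         <dump/pass>
/dev/hda1   /boot         reiserfs  noauto,notail  1 2
/dev/hda3   /             reiserfs  notail         0 1
/dev/hda2   none          swap      sw             0 0
none        /proc         proc      defaults       0 0
none        /dev/shm      tmpfs     nodev          0 0
EOF
fstab_findings "$sample"        # reports: /dev/shm missing nosuid
rm -f "$sample"
```

Note that the `user` option on the removable-media lines implies nodev,nosuid,noexec unless a later option such as the guide's `exec` re-enables it, and many installs also add noexec to /dev/shm.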


10.6 Setting HD Parameters

Back in Section 4 we developed optimized operating parameters for our hard disk. Now that we're in the chrooted environment of our newly designed Gentoo system, we need to make these configuration changes permanent. To do this, we'll write the HD parameters to the /etc/conf.d/hdparm file:

Code:
# nano -w /etc/conf.d/hdparm

disc0_args="-a256A1c1d1m16u1"
cdrom0_args="-d1c1u1"


After editing the contents of /etc/conf.d/hdparm type the following command to add hdparm to the boot runlevel.

Code:
# rc-update add hdparm boot


10.7 Set Up User Accounts


We must change the password of the root user in our newly installed system. Then we will add non-root users to the system.

First, change the root password:

Code:
# passwd root
New password: (Enter your new password)
Re-enter password: (Re-enter your password)


Now add the users who will be allowed to "su" their way to temporary root status. These users must be added to the "wheel" group.

The groups a user belongs to define what that user can do. The following table lists a number of important groups you might wish to use:

Code:

Group Description
audio = be able to access the audio devices
cdrom = be able to directly access optical devices
floppy = be able to directly access floppy devices
games = be able to play games
portage = be able to use emerge --pretend as a normal user
usb = be able to access USB devices
video = be able to access video capturing hardware and use hardware acceleration
wheel = be able to use su


For instance, to create a user called gentooian who is a member of the wheel, users and audio groups (plus the device groups above), log in as root first (only root can create users) and run useradd:

Code:
# useradd -m -G users,wheel,audio,cdrom,floppy,usb,video -s /bin/bash gentooian
# passwd gentooian
Password: (Enter the password for gentooian)
Re-enter password: (Re-enter the password to verify)
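Since wheel membership is what grants "su" rights here, an added audit (example script, not part of the guide) lists the wheel members from a file in /etc/group format and flags anyone not on an allowlist. It reads a constructed group excerpt rather than the live /etc/group; the account name "tmpadmin" is made up for the sample.

```shell
#!/bin/sh
# Added example, not part of the guide: audit who can "su" to root by listing
# the wheel group's members and flagging those not on an allowlist.

# group_members GROUPFILE GROUP: print the supplementary members of GROUP, one per line
group_members() {
    awk -F: -v g="$2" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }
    ' "$1"
}

# unexpected_members GROUPFILE GROUP ALLOWED...: print members of GROUP that
# are not in the ALLOWED list, i.e. accounts that should not have su rights
unexpected_members() {
    file=$1
    grp=$2
    shift 2
    allowed=" $* "
    group_members "$file" "$grp" | while read -r u; do
        case "$allowed" in *" $u "*) ;; *) echo "$u" ;; esac
    done
}

# Constructed /etc/group excerpt: gentooian was added as in the guide;
# "tmpadmin" is a hypothetical leftover account that should no longer be in wheel.
groupfile=$(mktemp)
cat > "$groupfile" <<'EOF'
root:x:0:root
wheel:x:10:root,gentooian,tmpadmin
audio:x:18:gentooian
users:x:100:
EOF
echo "wheel members:"
group_members "$groupfile" wheel
echo "wheel members not on the allowlist:"
unexpected_members "$groupfile" wheel root gentooian   # reports: tmpadmin
rm -f "$groupfile"
```

A user whose primary group in /etc/passwd is wheel does not appear in the /etc/group member list, so check that file as well.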


This is where we need to define the default Gentoo USE flags. This needs to be done because in the hardened stage these are not activated by default.

Code:
# ufed


A nice GUI pops up and you're off and running. You will notice that with the HARDENED profile some selections have already been made for you. DO NOT REMOVE these. Beyond that you can enter the flags you normally would. A few seem to be needed for xorg, or your fonts will look a little funny and you may spend an hour or two rebuilding xorg if they are not set. Those are:

Code:
"alsa apm arts avi bitmap-fonts cups eds emboss encode fortran foomaticdb gdbm gif gnome gpm gstreamer gtk gtk2 imlib jpeg kde libg++ libwww mad mikmod motif mp3 mpeg ogg oggvorbis opengl oss pdflib png qt quicktime sdl spell truetype truetype-fonts type1-fonts vorbis X xml2 xmms xv"


Then, after all that is said and done, I move on to finishing my install with:

Code:
# emerge kdebase mozilla-firefox gyach


After those packages have emerged, you can set up xorg:

Code:
# xorgconfig


Of course, some might prefer to boot into their installation before emerging fun stuff like that. Either way, once the emerges are done, continue with the next step.

10.10 Exiting Chroot and Unmounting Partitions

We will now exit the chrooted environment and unmount all of the mounted partitions.

Code:
# exit
# cd ~/
# umount /mnt/gentoo/proc /mnt/gentoo/boot /mnt/gentoo
# swapoff /dev/hda2



11. REBOOT!

And now, the moment you've been waiting for!

Code:
# shutdown -r now


Congratulations! You have completed the installation. We are in the process of creating other guides that go along with this setup and will increase the security level of this install. Links to these guides will be added as they are completed.
JADED Guides
Jaded Guide Ver 1.0
Jaded Guide ver 2.0
Jaded Guide ver 4

For further information on Hardened, grsecurity or PaX, here are a few links that you might find very helpful:

https://forums.gentoo.org/viewtopic-t-345229.html
http://www.gentoo.org/doc/en/handbook/index.xml
http://www.gentoo.org/proj/en/hardened/
http://www.grsecurity.net/
_________________
Jaded Team Leader
Dbasetrinity
Mem Id #1002
Jaded Guide V2.0
mudrii
l33t

Joined: 26 Jun 2003
Posts: 789
Location: Singapore

PostPosted: Tue Jun 20, 2006 2:14 pm    Post subject:

Nice how-to, very useful.
BTW, how about installing on AMD64 with the hardened profile and gcc 4.1.1?

Thank you
_________________
www.gentoo.ro
dbasetrinity
Apprentice

Joined: 25 Jun 2005
Posts: 167

PostPosted: Thu Jun 22, 2006 12:12 am    Post subject:

Well, I'm not sure if amd64 is going to be something I'm going to do. But I'm sure it would be pretty easy to use what I have in the guide as a starting point for installing it.

That, and GCC 4.1.1 is probably still a pain. You might as well, and are probably better off, just running ~x86 or ~x86_amd64,
since running stable you'll otherwise just end up keywording packages all day long to get them to compile.

mudrii
l33t

Joined: 26 Jun 2003
Posts: 789
Location: Singapore

PostPosted: Thu Jun 22, 2006 4:09 pm    Post subject:

On AMD64 I have GCC 4.1.1 and I cannot see any hardened profile.
And why do you not use gcc with the hardened profile to compile the system?

dbasetrinity
Apprentice

Joined: 25 Jun 2005
Posts: 167

PostPosted: Thu Jun 22, 2006 7:59 pm    Post subject:

Because I used a hardened stage to build the system, so I don't need to use a hardened profile.

However, you can if you wish to do so; the end result is the same either way.