Gentoo Forums
Hardened Gentoo Questions
f474a
n00b
Joined: 05 Jul 2017
Posts: 6

PostPosted: Fri Jul 14, 2017 4:17 am    Post subject: Hardened Gentoo Questions

I've recently migrated to the hardened Gentoo profile; there were a few rough edges, but with time I was able to fix all my issues.

I had heard that Grsecurity is going private, yet still decided to go ahead with the installation. I've also read somewhere on the Gentoo wiki or forum (not sure) that the hardened Gentoo project might be discontinued, etc.

So I need some advice on what to do: was it a waste of time to have switched to a hardened install? Is there any possible future or turnaround for the hardened project, or will it just be discontinued?

What else can I do if I'm security conscious and want to get some adequate level of protection for my Gentoo Linux install? Without the Grsecurity patches in the long term, I think Linux is kind of in a vulnerable position, but then again I barely have enough experience with Linux security or the hardened profile to comment on that.
R0b0t1
Apprentice
Joined: 05 Jun 2008
Posts: 264

PostPosted: Fri Jul 14, 2017 5:20 am    Post subject:

It's not a waste of time. The hardened profile sets quite a few toolchain settings and gives you better infrastructure for using other security additions. Mainly, you'll be using gentoo-sources instead of hardened-sources.

I would recommend installing an RBAC system like SELinux.
Ant P.
Watchman
Joined: 18 Apr 2009
Posts: 6920

PostPosted: Fri Jul 14, 2017 5:22 am    Post subject:

Hardened does much more than just installing some fly-by-night patchset; if it were, we'd have an `eselect profile` list a mile long to encompass all the others.
mv
Watchman
Joined: 20 Apr 2005
Posts: 6747

PostPosted: Fri Jul 14, 2017 5:37 am    Post subject:

I would say that it is a waste of time and - more importantly - resources:
You get essentially the same toolchain hardening with >=gcc-7.1.0[pie,ssp], which is already default/forced in the current 2017 profile.
And nobody prevents you from using USE=hardened (though for gcc, I wouldn't prefer it over the above setting and using safe CFLAGS/LDFLAGS).
Most other measures of the hardened profile (like forcing installation of paxctl and elfix, masking several other packages, or forcing USE=pax_kernel) only have a purpose with pax/grsecurity.
toralf
Developer
Joined: 01 Feb 2004
Posts: 3922
Location: Hamburg

PostPosted: Fri Jul 14, 2017 9:41 am    Post subject:

I do use the hardened profile for a stable Gentoo Linux + the latest vanilla kernel (released weekly by Greg Kroah-Hartman) - both on a KDE desktop and on a server.
The hardened profile has the advantage of using the stable Gentoo packages, whereas the 17.0 profile depends on unstable packages, or?
NeddySeagoon
Administrator
Joined: 05 Jul 2003
Posts: 54237
Location: 56N 3W

PostPosted: Fri Jul 14, 2017 10:32 am    Post subject:

f474a,

A hardened Gentoo is in several pieces. hardened-sources may be discontinued, but not the hardened project itself.
There are moves to make some features of hardened mainstream, but right now it's early days in the fallout from grsecurity going closed.

All we can say today is that there will be changes but we don't know what those changes are yet.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
nativemad
Developer
Joined: 30 Aug 2004
Posts: 918
Location: Switzerland

PostPosted: Fri Jul 14, 2017 11:21 am    Post subject:

toralf wrote:
The hardened profile has the advantage of using the stable Gentoo packages, whereas the 17.0 profile depends on unstable packages, or?

Nope, that would be a bug!
The stabilization keywords within the ebuilds have nothing to do with hardened or not.
Only package.mask and some USE forces are done in the profile... See https://gitweb.gentoo.org/repo/gentoo.git/tree/profiles/hardened/linux.
See also https://devmanual.gentoo.org/keywording/ and specifically https://wiki.gentoo.org/wiki/GLEP:40.

Cheers
_________________
Power to the people!
NeddySeagoon
Administrator
Joined: 05 Jul 2003
Posts: 54237
Location: 56N 3W

PostPosted: Fri Jul 14, 2017 11:46 am    Post subject:

nativemad,

The /17.0/ profiles depend on gcc-6, which is in testing. It's a feature, not a bug.
The /17.0/ profiles do not appear in eselect profile to ensure that they are not selected accidentally.

/17.0/ profiles require gcc-6 to go stable before they can be released and the /13.0/ profiles deprecated.
_________________
Regards,

NeddySeagoon
nativemad
Developer
Joined: 30 Aug 2004
Posts: 918
Location: Switzerland

PostPosted: Fri Jul 14, 2017 2:06 pm    Post subject:

Ah, lol, I hadn't recognized the 17! I guess it's time for the weekend... :lol:
But AFAICS "ssp" doesn't get enabled by 17.0!? This would still be a difference from the hardened profile (besides xattr enabling in hardened and the required icu version on 17.0)...!?

Cheers
_________________
Power to the people!
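Whether a given binary actually carries the toolchain hardening the thread argues about (PIE and SSP from gcc[pie,ssp], plus the RELRO and non-executable-stack link flags) can be read straight from its ELF headers. The following is an added example, not code from the thread or from Gentoo: a small ELF64 reader in Python. It assumes a little- or big-endian ELF64 input, the SSP check is only a heuristic on the `__stack_chk_fail` symbol name, and `build_sample_elf` is a constructed, non-loadable image used only to exercise the checker.

```python
import struct

# Standard ELF constants (Elf64 header / program header / dynamic-tag values).
ET_DYN, PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO, PF_X = 3, 2, 0x6474E551, 0x6474E552, 1
DT_NULL, DT_BIND_NOW, DT_FLAGS, DF_BIND_NOW, DT_FLAGS_1, DF_1_NOW = 0, 24, 30, 8, 0x6FFFFFFB, 1

def check_elf_hardening(data: bytes) -> dict:
    """Report PIE, NX stack, RELRO level and an SSP hint for an ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2:
        raise ValueError("expected an ELF64 image")
    en = "<" if data[5] == 1 else ">"          # EI_DATA selects byte order
    (e_type,) = struct.unpack_from(en + "H", data, 16)
    (e_phoff,) = struct.unpack_from(en + "Q", data, 32)
    phentsize, phnum = struct.unpack_from(en + "HH", data, 54)
    # PIE binaries are linked as ET_DYN; a missing PT_GNU_STACK means an executable stack on x86.
    res = {"pie": e_type == ET_DYN, "nx": False, "relro": "none", "ssp": False}
    dyn_off = None
    for i in range(phnum):
        p_type, p_flags, p_off = struct.unpack_from(en + "IIQ", data, e_phoff + i * phentsize)
        if p_type == PT_GNU_STACK:
            res["nx"] = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            res["relro"] = "partial"
        elif p_type == PT_DYNAMIC:
            dyn_off = p_off
    # Full RELRO additionally needs BIND_NOW so the GOT is resolved before it is made read-only.
    while dyn_off is not None:
        tag, val = struct.unpack_from(en + "qQ", data, dyn_off)
        if tag == DT_NULL:
            break
        if tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW) or (tag == DT_FLAGS_1 and val & DF_1_NOW):
            res["relro"] = "full" if res["relro"] == "partial" else res["relro"]
        dyn_off += 16
    res["ssp"] = b"__stack_chk_fail" in data   # heuristic: symbol name present => stack protector in use
    return res

def build_sample_elf(pie=True, nx=True, relro=True, bind_now=True, ssp=True) -> bytes:
    """Constructed, non-loadable ELF64 image with just enough headers to exercise the checker."""
    phdrs = [(PT_GNU_STACK, 6 | (0 if nx else PF_X), 0)] + ([(PT_GNU_RELRO, 4, 0)] if relro else [])
    phdrs.append((PT_DYNAMIC, 6, 64 + 56 * (len(phdrs) + 1)))   # dynamic table follows the phdrs
    hdr = b"\x7fELF\x02\x01\x01" + bytes(9)
    hdr += struct.pack("<HHIQQQIHHHHHH", ET_DYN if pie else 2, 62, 1, 0, 64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, off, 0, 0, 0, 0, 0) for t, f, off in phdrs)
    dyn = struct.pack("<qQ", DT_FLAGS, DF_BIND_NOW if bind_now else 0) + struct.pack("<qQ", DT_NULL, 0)
    return hdr + body + dyn + (b"__stack_chk_fail\0" if ssp else b"")

if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as fh:   # e.g. python3 elfcheck.py /bin/ls
        print(check_elf_hardening(fh.read()))
```

Running it over /usr/bin after a profile switch is a quick way to see which packages were actually rebuilt with the new defaults, since the flags are baked into each binary at link time.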