f474a n00b
Joined: 05 Jul 2017 Posts: 6
Posted: Fri Jul 14, 2017 4:17 am Post subject: Hardened Gentoo Questions
I've recently migrated to the hardened Gentoo profile; there were a few rough edges, but with time I was able to fix all my issues.
I have heard about the fact that Grsecurity is going private, yet still decided to go ahead with the installation. I've also read somewhere on the Gentoo wiki or forum (not sure) that the hardened Gentoo project might be discontinued, etc.
So I need some advice on what to do: was it a waste of time to have switched to a hardened install? Is there any possible future or turnaround for the hardened project, or will it just be discontinued?
What else can I do if I'm security conscious and want to get some adequate level of protection for my Gentoo Linux install? Without the Grsecurity patches in the long term, I think Linux is kind of in a vulnerable position, but then again I barely have enough experience with Linux security or the hardened profile to comment on that.
R0b0t1 Apprentice
Joined: 05 Jun 2008 Posts: 264
Posted: Fri Jul 14, 2017 5:20 am Post subject:
It's not a waste of time. The hardened profile sets quite a few toolchain settings and gives you better infrastructure for using other security additions. Mainly, you'll be using gentoo-sources instead of hardened-sources.
I would recommend installing an RBAC system like SELinux.
Ant P. Watchman
Joined: 18 Apr 2009 Posts: 6920
Posted: Fri Jul 14, 2017 5:22 am Post subject:
Hardened does much more than just installing some fly-by-night patchset; if it were, we'd have an `eselect profile` list a mile long to encompass all the others.
mv Watchman
Joined: 20 Apr 2005 Posts: 6747
Posted: Fri Jul 14, 2017 5:37 am Post subject:
I would say that it is a waste of time and - more importantly - resources:
You get essentially the same toolchain hardening with >=gcc-7.1.0[pie,ssp], which is already default/forced in the current 2017 profile.
And nobody prevents you from using USE=hardened (though for gcc, I wouldn't prefer it over the above setting and using safe CFLAGS/LDFLAGS).
Most other measures of the hardened profile (like forcing installation of paxctl and elfix, masking several other packages, or forcing USE=pax_kernel) only have a purpose with pax/grsecurity.
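Whichever profile you pick, the claim that gcc[pie,ssp] (or USE=hardened plus safe CFLAGS/LDFLAGS) gives you the toolchain hardening is something you can verify on the resulting binaries rather than take on trust. The script below is an added example for this thread, not code from the Gentoo project or any poster: it parses a little-endian ELF64 image with the standard library only and reports PIE (ET_DYN), non-executable stack (PT_GNU_STACK without PF_X), RELRO (PT_GNU_RELRO) and, as a heuristic, stack-protector use (a reference to `__stack_chk_fail`). `build_sample_elf` is a constructed, non-runnable ELF used only as offline test input; on a real system you would point `check_file` at something like `/usr/bin/ls`. Gentoo's own `scanelf` from app-misc/pax-utils does this kind of inspection far more thoroughly.

```python
"""ELF hardening checker: does a binary actually carry the PIE / SSP / NX / RELRO
properties that a hardened toolchain is supposed to give it?

Added example for this thread, not code from the Gentoo project. Standard
library only; parses little-endian ELF64 headers directly.
"""
import struct
import sys

ELF_MAGIC = b"\x7fELF"
ELFCLASS64 = 2
ELFDATA2LSB = 1
ET_EXEC = 2
ET_DYN = 3                 # shared object or PIE executable
PT_GNU_STACK = 0x6474E551  # stack permission marker
PT_GNU_RELRO = 0x6474E552  # region made read-only after relocation
PF_X = 0x1
PF_W = 0x2
PF_R = 0x4


def check_hardening(data: bytes) -> dict:
    """Return {'pie', 'nx', 'relro', 'ssp'} booleans for an ELF64 LE image.

    pie   : e_type is ET_DYN (what gcc -pie / USE=pie produces for executables)
    nx    : a PT_GNU_STACK header exists and lacks PF_X; with no such header the
            kernel falls back to an executable stack on most architectures, so False
    relro : a PT_GNU_RELRO segment is present (-Wl,-z,relro)
    ssp   : heuristic: the file references __stack_chk_fail, which
            -fstack-protector* emits once at least one function got a canary
    """
    if len(data) < 64 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF image")
    if data[4] != ELFCLASS64 or data[5] != ELFDATA2LSB:
        raise ValueError("only little-endian ELF64 is handled here")
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)

    result = {
        "pie": e_type == ET_DYN,
        "nx": False,
        "relro": False,
        "ssp": b"__stack_chk_fail" in data,
    }
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, p_flags = struct.unpack_from("<II", data, off)
        if p_type == PT_GNU_STACK:
            result["nx"] = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            result["relro"] = True
    return result


def check_file(path: str) -> dict:
    """Run check_hardening over a file on disk."""
    with open(path, "rb") as fh:
        return check_hardening(fh.read())


def build_sample_elf(pie=True, nx=True, relro=True, ssp=True) -> bytes:
    """Constructed test input: a minimal, non-runnable ELF64 image (headers plus
    a trailing string) exhibiting exactly the requested properties."""
    phdrs = [(PT_GNU_STACK, PF_R | PF_W | (0 if nx else PF_X))]
    if relro:
        phdrs.append((PT_GNU_RELRO, PF_R))
    e_ident = ELF_MAGIC + bytes([ELFCLASS64, ELFDATA2LSB, 1]) + b"\0" * 9
    # e_type, e_machine (x86-64), e_version, e_entry, e_phoff, e_shoff, e_flags,
    # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    ehdr = e_ident + struct.pack("<HHIQQQIHHHHHH", ET_DYN if pie else ET_EXEC,
                                 62, 1, 0, 64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    phdr_table = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0)
                          for t, f in phdrs)
    tail = b"\0__stack_chk_fail\0" if ssp else b"\0"
    return ehdr + phdr_table + tail


if __name__ == "__main__":
    # usage: python elfcheck.py /usr/bin/ls /usr/bin/ssh ...
    for path in sys.argv[1:]:
        flags = check_file(path)
        print(path, " ".join(f"{k}={'yes' if v else 'NO'}" for k, v in flags.items()))
```

Note the limits of the `ssp` heuristic: a binary whose functions have no arrays or address-taken locals may legitimately get no canary under plain `-fstack-protector`, so a missing `__stack_chk_fail` proves only that no function was instrumented, not that the flag was absent; for the toolchain-level question, building a small test program with a local buffer and checking that is the more reliable probe.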
toralf Developer
Joined: 01 Feb 2004 Posts: 3922 Location: Hamburg
Posted: Fri Jul 14, 2017 9:41 am Post subject:
I do use the hardened profile for a stable Gentoo Linux + latest vanilla kernel (released weekly by Greg Kroah-Hartman), both on a KDE desktop and on a server.
The hardened profile has the advantage of using the stable Gentoo packages, whereas the 17.0 profile depends on unstable packages, or?
NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54237 Location: 56N 3W
Posted: Fri Jul 14, 2017 10:32 am Post subject:
f474a,
A hardened Gentoo is in several pieces. hardened-sources may be discontinued, but not the hardened project itself.
There are moves to make some features of hardened mainstream, but right now it's early days in the fallout from grsecurity going closed.
All we can say today is that there will be changes, but we don't know what those changes are yet.

_________________
Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
nativemad Developer
Joined: 30 Aug 2004 Posts: 918 Location: Switzerland
NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54237 Location: 56N 3W
Posted: Fri Jul 14, 2017 11:46 am Post subject:
nativemad,
The /17.0/ profiles depend on gcc-6, which is in testing. It's a feature, not a bug.
The /17.0/ profiles do not appear in eselect profile to ensure that they are not selected accidentally.
/17.0/ profiles require gcc-6 to go stable before they can be released and the /13.0/ profiles deprecated.

_________________
Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
nativemad Developer
Joined: 30 Aug 2004 Posts: 918 Location: Switzerland
Posted: Fri Jul 14, 2017 2:06 pm Post subject:
Ah, lol, I hadn't recognized the 17! I guess it's time for the weekend...
But AFAICS "ssp" doesn't get enabled by 17.0!? This would still be a difference from the hardened profile (besides xattr enabling in hardened and the required icu version on 17.0)...!?
Cheers

_________________
Power to the people!