Gentoo Forums
Is it worth it to switch to a hardened Gentoo profile?
hjkl
Apprentice
Joined: 22 Apr 2021
Posts: 198
Location: Somewhere in Europe

PostPosted: Tue Jun 22, 2021 4:33 pm    Post subject: Is it worth it to switch to a hardened Gentoo profile?

Hi,

I'm very paranoid about security and practically harden my system to the extent I can without losing most of the convenience I want (which is luckily not much).

I recently learned about Gentoo "Hardened" and I was wondering if it's worth it for me to switch to it.


https://wiki.gentoo.org/wiki/Hardened_Gentoo Also it seems that this is kind of outdated (switching to the hardened profile) as hardened-sources no longer exist.


Will it cause any headaches, and will SELinux be mandatory or just optional? I don't want to bother setting it up.

Cheers!
_________________
Having problems compiling since 2021 :(
alamahant
Advocate
Joined: 23 Mar 2019
Posts: 3875

PostPosted: Tue Jun 22, 2021 5:17 pm    Post subject:

Hi if you select
Code:

 default/linux/amd64/17.1/hardened (stable)

then there is no need to bother with SELinux.
In fact, if you want a DE, stay away from SELinux.
The only distros with a functional SELinux DE are CentOS and Fedora...
Why hide it?
Archlinux maintains a hardened-kernel.
https://archlinux.org/packages/extra/x86_64/linux-hardened/
You can use the sources and build the kernel locally, I suppose.
Here are the sources
https://github.com/anthraxx/linux-hardened/releases
_________________
:)


Last edited by alamahant on Tue Jun 22, 2021 7:15 pm; edited 7 times in total
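Selecting the hardened profile above changes what the toolchain emits for every package you rebuild, so the practical check afterwards is to inspect the binaries it produced. What follows is an added example, not code from this thread or from Gentoo: a small Python ELF64 parser that reports the user-space mitigations a hardened toolchain is expected to produce (PIE, non-executable stack, RELRO with BIND_NOW, and the stack-protector symbol). The two sample images it falls back to are constructed inside the script with only the headers the checks read; they are not compiler output. Invoking it as `python3 elfcheck.py /usr/bin/ls` is an assumed usage, the script name being mine.

```python
"""Report the user-space mitigations present in an ELF64 binary.

Added illustration (not Gentoo's code): a minimal ELF program-header and
dynamic-section parser covering PIE, NX stack, RELRO/BIND_NOW and the
stack-protector symbol, i.e. what a hardened toolchain is expected to emit.
"""
import struct
import sys

ET_EXEC, ET_DYN, EM_X86_64 = 2, 3, 62
PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474E551, 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW, DF_1_PIE = 0x8, 0x1, 0x08000000

EHDR = "<16sHHIQQQIHHHHHH"  # Elf64_Ehdr, little-endian
PHDR = "<IIQQQQQQ"          # Elf64_Phdr
DYN = "<qQ"                 # Elf64_Dyn


def check_elf(data):
    """Return a dict of mitigation findings for one little-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("expected a little-endian ELF64 image")
    hdr = struct.unpack_from(EHDR, data, 0)
    e_type, e_phoff, e_phentsize, e_phnum = hdr[1], hdr[5], hdr[9], hdr[10]
    phdrs = [struct.unpack_from(PHDR, data, e_phoff + i * e_phentsize)
             for i in range(e_phnum)]
    # p_type -> (type, flags, offset, vaddr, paddr, filesz, memsz, align)
    by_type = {p[0]: p for p in phdrs}

    # Walk the dynamic section (PT_DYNAMIC gives its file offset) up to DT_NULL.
    dyn = {}
    if PT_DYNAMIC in by_type:
        off, size = by_type[PT_DYNAMIC][2], by_type[PT_DYNAMIC][5]
        for pos in range(off, off + size, struct.calcsize(DYN)):
            tag, val = struct.unpack_from(DYN, data, pos)
            if tag == DT_NULL:
                break
            dyn[tag] = val

    bind_now = (DT_BIND_NOW in dyn
                or bool(dyn.get(DT_FLAGS, 0) & DF_BIND_NOW)
                or bool(dyn.get(DT_FLAGS_1, 0) & DF_1_NOW))
    relro = PT_GNU_RELRO in by_type
    stack = by_type.get(PT_GNU_STACK)
    return {
        # ET_DYN with a dynamic section is a PIE (or a shared object); newer
        # linkers also set DF_1_PIE, which settles the question when present.
        "pie": e_type == ET_DYN and PT_DYNAMIC in by_type,
        # No PT_GNU_STACK at all means the loader falls back to an executable stack.
        "nx_stack": stack is not None and not (stack[1] & PF_X),
        "relro": "full" if relro and bind_now else ("partial" if relro else "none"),
        "bind_now": bind_now,
        # Heuristic used by checksec-style tools: -fstack-protector* pulls in this symbol.
        "stack_canary": b"__stack_chk_fail" in data,
    }


def build_sample_elf(hardened):
    """Constructed ELF64 image, not compiler output: only the headers the checks read."""
    phnum = 3 if hardened else 2
    dyn_off = 64 + 56 * phnum
    dyn = b""
    if hardened:
        dyn += struct.pack(DYN, DT_FLAGS, DF_BIND_NOW)
        dyn += struct.pack(DYN, DT_FLAGS_1, DF_1_NOW | DF_1_PIE)
    dyn += struct.pack(DYN, DT_NULL, 0)
    names = b"\0__stack_chk_fail\0" if hardened else b"\0puts\0"
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
    ehdr = struct.pack(EHDR, ident, ET_DYN if hardened else ET_EXEC, EM_X86_64, 1,
                       0x1000, 64, 0, 0, 64, 56, phnum, 64, 0, 0)
    phdrs = struct.pack(PHDR, PT_DYNAMIC, PF_R | PF_W, dyn_off, dyn_off, dyn_off,
                        len(dyn), len(dyn), 8)
    stack_flags = PF_R | PF_W if hardened else PF_R | PF_W | PF_X
    phdrs += struct.pack(PHDR, PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    if hardened:
        phdrs += struct.pack(PHDR, PT_GNU_RELRO, PF_R, dyn_off, dyn_off, dyn_off,
                             len(dyn), len(dyn), 1)
    return ehdr + phdrs + dyn + names


if __name__ == "__main__":
    targets = [(p, open(p, "rb").read()) for p in sys.argv[1:]] or [
        ("sample-hardened", build_sample_elf(True)),
        ("sample-unhardened", build_sample_elf(False)),
    ]
    for name, blob in targets:
        print(name, check_elf(blob))
```

On a real binary built under a hardened profile you want to see `pie`, `nx_stack`, `relro: full` and `stack_canary` all positive. Two caveats: a missing PT_GNU_STACK is reported as an executable stack because that is how the loader treats it, and the canary check is only a symbol-name scan, so it can be fooled by a binary that references `__stack_chk_fail` for another reason and says nothing about how many functions were actually instrumented.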
eccerr0r
Watchman
Joined: 01 Jul 2004
Posts: 9645
Location: almost Mile High in the USA

PostPosted: Tue Jun 22, 2021 5:20 pm    Post subject:

It indeed is a security vs convenience issue. Sometimes you will run into things that don't "work" because it's trying to protect you. Whether or not you want to deal with it is the question.

For a computer that "does just one thing" (like a backend database or file server) it might make sense.

For a computer that "does everything" (including workstations) likely you'll run into things that will annoy you from time to time and possibly more often than not.

Totally up to you. The idea, however, is that the software you run should be kept secure and free from bugs, so that hardened kernels should not be necessary and are simply overhead - until a hacker finds an undiscovered or zero-day bug and exploits it...
_________________
Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching?
Goverp
Veteran
Joined: 07 Mar 2007
Posts: 1971

PostPosted: Tue Jun 22, 2021 5:41 pm    Post subject:

I run ~amd64 gentoo-sources, and noticed that the last update brought a new Gentoo meta-configuration item CONFIG_GENTOO_KERNEL_SELF_PROTECTION which looks to turn on several security enhancements (which I currently run without).
The relevant non-Gentoo documentation appears to be here, and a Gentoo-related note here.
_________________
Greybeard
pietinger
Moderator
Joined: 17 Oct 2006
Posts: 3996
Location: Bavaria

PostPosted: Tue Jun 22, 2021 7:18 pm    Post subject: Re: Is it worth it to switch to a hardened Gentoo profile?

fullbyte wrote:
I'm very paranoid about security and practically harden my system to the extent I can without losing most of the convenience I want (which is luckily not much).

I recently learned about Gentoo "Hardened" and I was wondering if it's worth it for me to switch to it.


Hi,

I am also paranoid about security and hardened my kernel with KSPP, but I don't use hardened sources because I do it myself (with AppArmor). If you are interested in my solution you may read my (German) installation guide (just translate it with Google Translate):
https://forums.gentoo.org/viewtopic-t-1112798.html
pietinger
Moderator
Joined: 17 Oct 2006
Posts: 3996
Location: Bavaria

PostPosted: Tue Jun 22, 2021 7:20 pm    Post subject:

Goverp wrote:
[...] the last update brought a new Gentoo meta-configuration item CONFIG_GENTOO_KERNEL_SELF_PROTECTION [...]


... which is faulty! Here is my corrected version (in German):

https://forums.gentoo.org/viewtopic-p-8625312.html#8625312

(maybe read the first post of this thread first)
alamahant
Advocate
Joined: 23 Mar 2019
Posts: 3875

PostPosted: Tue Jun 22, 2021 7:32 pm    Post subject:

Thanks pietinger
for the detailed list of what these options entail.
I went through your to-the-point post.
I am uncertain about this though.
If one uses a FULL .config like, I don't know, Arch or Fedora, all these Gentoo-specific expansions will have already been included, no?
I am not sure about the hardened feature, but the rest, I suppose so...
Do you have any clarity maybe on this?
Also, is it possible to compile a hardened kernel source with a normal gcc?

Thanks....
_________________
:)
hjkl
Apprentice
Joined: 22 Apr 2021
Posts: 198
Location: Somewhere in Europe

PostPosted: Tue Jun 22, 2021 7:41 pm    Post subject: Re: Is it worth it to switch to a hardened Gentoo profile?

pietinger wrote:
fullbyte wrote:
I'm very paranoid about security and practically harden my system to the extent I can without losing most of the convenience I want (which is luckily not much).

I recently learned about Gentoo "Hardened" and I was wondering if it's worth it for me to switch to it.


Hi,

I am also paranoid about security and hardened my kernel with KSPP, but I don't use hardened sources because I do it myself (with AppArmor). If you are interested in my solution you may read my (German) installation guide (just translate it with Google Translate):
https://forums.gentoo.org/viewtopic-t-1112798.html


I'll make sure to read it!

Thanks everyone! I appreciate it.
_________________
Having problems compiling since 2021 :(
pjp
Administrator
Joined: 16 Apr 2002
Posts: 20053

PostPosted: Tue Jun 22, 2021 8:00 pm    Post subject:

Goverp wrote:
a Gentoo-related note here.
I overlooked "related" and was expecting something from the Gentoo kernel project. The info doesn't seem obviously wrong, but it is Random Internet.
_________________
Quis separabit? Quo animo?
pietinger
Moderator
Joined: 17 Oct 2006
Posts: 3996
Location: Bavaria

PostPosted: Tue Jun 22, 2021 8:09 pm    Post subject:

Hi, alamahant

alamahant wrote:
If one uses a FULL .config like i dont know arch or fedora all these gentoo-specific expansions will have already been included no?

I don't think so; I believe (= I don't know) it is only included in gentoo-sources.

alamahant wrote:
I went through your to-the-point post.
I am uncertain about this though.
[...]
Do you have any clarity maybe on this?


I will try to explain it (with my poor school English):

The recommendations of KSPP contain options which should be DISABLED and options which should be ENABLED. The extended /usr/src/linux/distro/Kconfig checks if some of the options which should be disabled are disabled (before that you don't see this extension).

Then if you enable it, you automatically enable most of the options of KSPP which should be ENABLED.

1. But in the actual Kconfig the help text is in the wrong position, so it does NOTHING ... you will only see the whole list of selects (when you go into the help). So I had to put this help text in the correct position.

2. I had to delete two lines, because I disabled /dev/mem completely (like KSPP says) and then you will get warnings when you compile (because there is no /dev/mem which can be protected).

alamahant wrote:
Also is it possible to compile a hardened kernel source with a normal gcc?

It should - but I don't know.

alamahant wrote:
Thanks pietinger

My pleasure :-)

Greetings,
Peter
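To make the split between "options that should be DISABLED" and "options that should be ENABLED" concrete, here is an added example of my own, not pietinger's corrected Kconfig and not Gentoo's /usr/src/linux/distro/Kconfig: a Python audit of a kernel .config against a subset of the KSPP recommended settings that I picked for illustration. It also models the /dev/mem point from item 2: STRICT_DEVMEM and IO_STRICT_DEVMEM are only demanded while DEVMEM is still enabled, and a guard that is still set after DEVMEM has been removed is reported as dead config rather than as a pass. The .config text embedded in the script is constructed, not taken from any real build.

```python
"""Audit a kernel .config against a subset of the KSPP recommended settings.

Added illustration: the option lists below are a hand-picked subset of the
KSPP "Recommended settings" page, not the contents of Gentoo's distro/Kconfig.
"""
import re
import sys

# Options KSPP says to ENABLE (subset).
MUST_ENABLE = [
    "CONFIG_STACKPROTECTOR_STRONG", "CONFIG_STRICT_KERNEL_RWX",
    "CONFIG_STRICT_MODULE_RWX", "CONFIG_RANDOMIZE_BASE",
    "CONFIG_HARDENED_USERCOPY", "CONFIG_FORTIFY_SOURCE", "CONFIG_VMAP_STACK",
    "CONFIG_DEBUG_LIST", "CONFIG_BUG_ON_DATA_CORRUPTION",
    "CONFIG_SLAB_FREELIST_RANDOM", "CONFIG_SLAB_FREELIST_HARDENED",
    "CONFIG_INIT_ON_ALLOC_DEFAULT_ON", "CONFIG_SHUFFLE_PAGE_ALLOCATOR",
]
# Options KSPP says to DISABLE (subset).
MUST_DISABLE = [
    "CONFIG_DEVKMEM", "CONFIG_PROC_KCORE", "CONFIG_LEGACY_PTYS",
    "CONFIG_COMPAT_BRK", "CONFIG_HIBERNATION", "CONFIG_MODIFY_LDT_SYSCALL",
    "CONFIG_ACPI_CUSTOM_METHOD",
]
# /dev/mem: KSPP wants DEVMEM off; only if it must stay do these guards matter.
DEVMEM_GUARDS = ["CONFIG_STRICT_DEVMEM", "CONFIG_IO_STRICT_DEVMEM"]

SET_RE = re.compile(r"^(CONFIG_[A-Z0-9_]+)=(.+)$")
UNSET_RE = re.compile(r"^# (CONFIG_[A-Z0-9_]+) is not set$")

# Constructed sample .config (not from a real build), with deliberate gaps.
SAMPLE_CONFIG = """\
CONFIG_STACKPROTECTOR_STRONG=y
CONFIG_STRICT_KERNEL_RWX=y
CONFIG_STRICT_MODULE_RWX=y
CONFIG_RANDOMIZE_BASE=y
CONFIG_HARDENED_USERCOPY=y
CONFIG_FORTIFY_SOURCE=y
CONFIG_VMAP_STACK=y
CONFIG_DEBUG_LIST=y
CONFIG_BUG_ON_DATA_CORRUPTION=y
CONFIG_SLAB_FREELIST_RANDOM=y
# CONFIG_SLAB_FREELIST_HARDENED is not set
CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y
CONFIG_SHUFFLE_PAGE_ALLOCATOR=y
# CONFIG_DEVMEM is not set
CONFIG_STRICT_DEVMEM=y
CONFIG_DEVKMEM=y
# CONFIG_PROC_KCORE is not set
CONFIG_LEGACY_PTYS=y
# CONFIG_COMPAT_BRK is not set
# CONFIG_HIBERNATION is not set
CONFIG_MODIFY_LDT_SYSCALL=y
"""


def parse_config(text):
    """Map CONFIG_* -> value; '# X is not set' becomes 'n'. Absent is 'n' to callers."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = SET_RE.match(line)
        if m:
            conf[m.group(1)] = m.group(2).strip('"')
            continue
        m = UNSET_RE.match(line)
        if m:
            conf[m.group(1)] = "n"
    return conf


def audit(text):
    """Return {option: 'ok' | 'fail' | 'redundant'} for every option we know about."""
    conf = parse_config(text)
    value = lambda opt: conf.get(opt, "n")
    results = {}
    for opt in MUST_ENABLE:
        results[opt] = "ok" if value(opt) == "y" else "fail"
    for opt in MUST_DISABLE:
        results[opt] = "ok" if value(opt) == "n" else "fail"
    if value("CONFIG_DEVMEM") == "y":
        # /dev/mem kept: a finding in itself, and both guards become mandatory.
        results["CONFIG_DEVMEM"] = "fail"
        for opt in DEVMEM_GUARDS:
            results[opt] = "ok" if value(opt) == "y" else "fail"
    else:
        # /dev/mem removed: a guard still =y protects nothing; this is the case
        # where a Kconfig 'select' of it only produces build warnings.
        results["CONFIG_DEVMEM"] = "ok"
        for opt in DEVMEM_GUARDS:
            if value(opt) == "y":
                results[opt] = "redundant"
    return results


def failures(results):
    """Sorted list of options that deviate from the recommendation."""
    return sorted(opt for opt, status in results.items() if status == "fail")


def report(results):
    width = max(len(opt) for opt in results)
    return [f"{opt.ljust(width)}  {status}" for opt, status in sorted(results.items())]


if __name__ == "__main__":
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    res = audit(source)
    print("\n".join(report(res)))
    print(f"{len(failures(res))} KSPP deviation(s)")
```

Run it against a real tree with `python3 kspp_audit.py /usr/src/linux/.config` (file name assumed). The parser treats an option that never appears as disabled, which is how Kconfig behaves, so a freshly generated .config and a hand-written fragment are judged the same way.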
pietinger
Moderator
Joined: 17 Oct 2006
Posts: 3996
Location: Bavaria

PostPosted: Tue Jun 22, 2021 8:14 pm    Post subject: Re: Is it worth it to switch to a hardened Gentoo profile?

fullbyte wrote:
Thanks everyone! I appreciate it.


My pleasure :-)

Greetings,
Peter