hjkl Apprentice
Joined: 22 Apr 2021 Posts: 198 Location: Somewhere in Europe
Posted: Tue Jun 22, 2021 4:33 pm Post subject: Is it worth it to switch to a hardened Gentoo profile?
Hi,
I'm very paranoid about security and practically harden my system to the extent I can without losing most of the convenience I want (which is luckily not much).
I recently learned about Gentoo "Hardened" and I was wondering if it's worth it for me to switch to it.
https://wiki.gentoo.org/wiki/Hardened_Gentoo Also it seems that this is kind of outdated (switching to the hardened profile) as hardened-sources no longer exist.
Will it cause any headaches, and will SELinux be mandatory to use or just optional, as I don't want to bother setting it up?
Cheers!
_________________
Having problems compiling since 2021
alamahant Advocate
Joined: 23 Mar 2019 Posts: 3948
Posted: Tue Jun 22, 2021 5:17 pm
Hi, if you select
Code:
    default/linux/amd64/17.1/hardened (stable)
then there is no need to bother with SELinux.
In fact, if you want a DE, stay away from SELinux.
The only distros with a functional SELinux DE are CentOS and Fedora...
Why hide it?
Arch Linux maintains a hardened kernel.
https://archlinux.org/packages/extra/x86_64/linux-hardened/
You can use the sources and build the kernel locally, I suppose.
Here are the sources:
https://github.com/anthraxx/linux-hardened/releases
_________________
Last edited by alamahant on Tue Jun 22, 2021 7:15 pm; edited 7 times in total
eccerr0r Watchman
Joined: 01 Jul 2004 Posts: 9874 Location: almost Mile High in the USA
Posted: Tue Jun 22, 2021 5:20 pm
It indeed is a security vs. convenience issue. Sometimes you will run into things that don't "work" because it's trying to protect you. Whether or not you want to deal with it is the question.
For a computer that "does just one thing" (like a backend database or file server) it might make sense.
For a computer that "does everything" (including workstations) you'll likely run into things that will annoy you from time to time, and possibly more often than not.
Totally up to you. The idea, however, is that the software you run should be kept secure and free from bugs, such that hardened kernels should not be necessary and are simply overhead - until a hacker finds an undiscovered or zero day and exploits it...
_________________
Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching?
Goverp Advocate
Joined: 07 Mar 2007 Posts: 2199
Posted: Tue Jun 22, 2021 5:41 pm
I run ~amd64 gentoo-sources, and noticed that the last update brought a new Gentoo meta-configuration item CONFIG_GENTOO_KERNEL_SELF_PROTECTION which looks to turn on several security enhancements (which I currently run without).
The relevant non-Gentoo documentation appears to be here, and a Gentoo-related note here.
_________________
Greybeard
pietinger Moderator
Joined: 17 Oct 2006 Posts: 5334 Location: Bavaria
Posted: Tue Jun 22, 2021 7:18 pm Post subject: Re: Is it worth it to switch to a hardened Gentoo profile?
fullbyte wrote:
> I'm very paranoid about security and practically harden my system to the extent I can without losing most of the convenience I want (which is luckily not much).
> I recently learned about Gentoo "Hardened" and I was wondering if it's worth it for me to switch to it.

Hi,
I am also paranoid about security and hardened my kernel with KSPP, but I don't use hardened sources because I do it myself (with AppArmor). If you are interested in my solution you may read my (German) installation guide (just translate it with Google Translator):
https://forums.gentoo.org/viewtopic-t-1112798.html
pietinger Moderator
Joined: 17 Oct 2006 Posts: 5334 Location: Bavaria
Posted: Tue Jun 22, 2021 7:20 pm
Goverp wrote:
> [...] the last update brought a new Gentoo meta-configuration item CONFIG_GENTOO_KERNEL_SELF_PROTECTION [...]

... which is faulty! Here is my corrected version (in German):
https://forums.gentoo.org/viewtopic-p-8625312.html#8625312
(maybe read the first post of this thread first)
alamahant Advocate
Joined: 23 Mar 2019 Posts: 3948
Posted: Tue Jun 22, 2021 7:32 pm
Thanks pietinger
for the detailed list of what these options entail.
I went through your to-the-point post.
I am uncertain about this though.
If one uses a FULL .config like, I don't know, Arch or Fedora, all these Gentoo-specific expansions will have already been included, no?
I am not sure about the hardened feature, but the rest I suppose so...
Do you have any clarity maybe on this?
Also is it possible to compile a hardened kernel source with a normal gcc?
Thanks....
hjkl Apprentice
Joined: 22 Apr 2021 Posts: 198 Location: Somewhere in Europe
Posted: Tue Jun 22, 2021 7:41 pm Post subject: Re: Is it worth it to switch to a hardened Gentoo profile?
pietinger wrote:
> fullbyte wrote:
> > I'm very paranoid about security and practically harden my system to the extent I can without losing most of the convenience I want (which is luckily not much).
> > I recently learned about Gentoo "Hardened" and I was wondering if it's worth it for me to switch to it.
>
> Hi,
> I am also paranoid about security and hardened my kernel with KSPP, but I don't use hardened sources because I do it myself (with AppArmor). If you are interested in my solution you may read my (German) installation guide (just translate it with Google Translator):
> https://forums.gentoo.org/viewtopic-t-1112798.html

I'll make sure to read it!
Thanks everyone! I appreciate it.
_________________
Having problems compiling since 2021
pjp Administrator
Joined: 16 Apr 2002 Posts: 20581
Posted: Tue Jun 22, 2021 8:00 pm
Goverp wrote:
> a Gentoo-related note here.

I overlooked "related" and was expecting something from the Gentoo kernel project. The info doesn't seem obviously wrong, but it is Random Internet.
_________________
Quis separabit? Quo animo?
pietinger Moderator
Joined: 17 Oct 2006 Posts: 5334 Location: Bavaria
Posted: Tue Jun 22, 2021 8:09 pm
Hi, alamahant
alamahant wrote:
> If one uses a FULL .config like, I don't know, Arch or Fedora, all these Gentoo-specific expansions will have already been included, no?

I don't think so; I believe (= I don't know) it is only included in gentoo-sources.
alamahant wrote:
> I went through your to-the-point post.
> I am uncertain about this though.
> [...]
> Do you have any clarity maybe on this?

I try to explain it (with my poor school English):
The recommendations of KSPP contain options which should be DISABLED and options which should be ENABLED. The extended /usr/src/linux/distro/Kconfig checks if some of the options which should be disabled are disabled (before that, you don't see this extension).
Then if you enable it, you automatically enable most of the KSPP options which should be ENABLED.
1. But in the actual Kconfig the help text is in the wrong position, so it does NOTHING ... you will only see all the selects (when you go into the help). So I had to move this help text to the correct position.
2. I had to delete two lines, because I disabled /dev/mem completely (like KSPP says), and then you get warnings when you compile (because there is no /dev/mem which can be protected).
alamahant wrote:
> Also is it possible to compile a hardened kernel source with a normal gcc?

It should, but I don't know.
alamahant wrote:
> Thanks pietinger

My pleasure
Greetings,
Peter
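A small script to check a kernel .config against the two kinds of KSPP recommendations pietinger describes (options that should be ENABLED and options that should be DISABLED), added here as an example; it is not part of pietinger's post, not Gentoo's distro/Kconfig extension, and not the complete KSPP list. The option names are a short excerpt of the public KSPP recommendations, the sample .config is constructed for the demonstration, and the special case for CONFIG_STRICT_DEVMEM mirrors the /dev/mem caveat above: when CONFIG_DEVMEM is off there is nothing left to restrict, so the check is skipped instead of reported.

```shell
#!/bin/sh
# Compare a kernel .config against an excerpt of the KSPP recommendations.
# Added example for this thread: the lists below are an excerpt of the
# public KSPP list, not Gentoo's distro/Kconfig and not the full set.

# Options KSPP recommends as =y
WANT_Y="RANDOMIZE_BASE STACKPROTECTOR_STRONG HARDENED_USERCOPY FORTIFY_SOURCE SLAB_FREELIST_RANDOM INIT_ON_ALLOC_DEFAULT_ON STRICT_DEVMEM"
# Options KSPP recommends to disable
WANT_N="DEVMEM LEGACY_PTYS COMPAT_BRK PROC_KCORE ACPI_CUSTOM_METHOD"

# config_value FILE OPTION: print the option's value (y, m, a number or a
# string), or "n" when it is "# CONFIG_X is not set" or absent entirely.
config_value() {
  line=$(grep -E "^CONFIG_$2=" "$1" | head -n 1)
  if [ -n "$line" ]; then
    printf '%s\n' "${line#CONFIG_$2=}"
  else
    printf 'n\n'
  fi
}

# check_config FILE: print one line per mismatch, then the mismatch count
# as the last line. STRICT_DEVMEM is skipped when DEVMEM is disabled,
# because there is then no /dev/mem to protect (the warning case the post
# describes when the Kconfig still tries to select it).
check_config() {
  findings=0
  for opt in $WANT_Y; do
    if [ "$opt" = STRICT_DEVMEM ] && [ "$(config_value "$1" DEVMEM)" = n ]; then
      echo "skip CONFIG_STRICT_DEVMEM (CONFIG_DEVMEM is off, nothing to protect)"
      continue
    fi
    if [ "$(config_value "$1" "$opt")" != y ]; then
      echo "MISSING  CONFIG_$opt=y"
      findings=$((findings + 1))
    fi
  done
  for opt in $WANT_N; do
    if [ "$(config_value "$1" "$opt")" != n ]; then
      echo "UNWANTED CONFIG_$opt is enabled"
      findings=$((findings + 1))
    fi
  done
  echo "$findings"
}

# count_findings FILE: only the number of mismatches, for scripting.
count_findings() {
  check_config "$1" | tail -n 1
}

# Constructed sample .config for the demonstration (not from a real build):
# three mismatches (INIT_ON_ALLOC off, LEGACY_PTYS on, PROC_KCORE on) and
# DEVMEM disabled so the STRICT_DEVMEM check is skipped.
write_sample_config() {
  cat > "$1" <<'EOF'
CONFIG_RANDOMIZE_BASE=y
CONFIG_STACKPROTECTOR_STRONG=y
CONFIG_HARDENED_USERCOPY=y
CONFIG_FORTIFY_SOURCE=y
CONFIG_SLAB_FREELIST_RANDOM=y
# CONFIG_INIT_ON_ALLOC_DEFAULT_ON is not set
# CONFIG_DEVMEM is not set
CONFIG_LEGACY_PTYS=y
# CONFIG_COMPAT_BRK is not set
CONFIG_PROC_KCORE=y
EOF
}

# Usage: ./check_kspp.sh /usr/src/linux/.config
# With no argument the constructed sample above is checked instead.
if [ -n "$1" ]; then
  check_config "$1"
else
  tmp=$(mktemp)
  write_sample_config "$tmp"
  check_config "$tmp"
  rm -f "$tmp"
fi
```

Run against the sample it reports the three mismatches and a final count of 3; run against a real /usr/src/linux/.config it tells you which of the excerpted options your own configuration (or a distro config copied from elsewhere) still leaves at the non-KSPP setting, which is the quickest way to answer whether a "full" .config already covers what the Gentoo meta-option would select.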
pietinger Moderator
Joined: 17 Oct 2006 Posts: 5334 Location: Bavaria
Posted: Tue Jun 22, 2021 8:14 pm Post subject: Re: Is it worth it to switch to a hardened Gentoo profile?
fullbyte wrote:
> Thanks everyone! I appreciate it.

My pleasure
Greetings,
Peter