wah Guru
Joined: 25 Feb 2005 Posts: 453 Location: Raleigh, NC, USA
|
Posted: Fri Mar 24, 2006 8:35 pm Post subject: hardened-sources vs. grsecurity/pax/etc |
|
|
Hi all,
I've spent this afternoon browsing, and while I think I know the answer to my questions, I'd like some 2nd/3rd/100th opinions if you will. I believe, however, I may be misunderstanding some of these concepts...and also, this is FMI as well:
1. Hardened-sources -> how I understand them is that the kernel is patched with more stringent security patches than, say, the regular gentoo-sources
2. Grsecurity2/pax -> security implementation on the kernel level that is available in both gentoo-sources and hardened-sources
So, you could implement grsecurity/pax on a plain gentoo-sources kernel or a hardened-sources kernel. Got that.
However, if you are using hardened-sources (which has security patches), should you use the grsec and pax items as well? I assume this would FURTHER secure your system, but I am definitely unclear if you should use both or just one of the two.
I've done a personal web server in the past that was running gentoo-sources, and I'm going to redo it in the future - and I'm trying to get a feel for how I should secure it further. I've always read about the above implementations, but I've never really messed with either of them. The guides in the doc section are wonderful - but where they're not clear to me is whether you should use one or both.
The other project I'm thinking of using this info for is a home router/gateway - but from what I've read, a lot of grsec and pax deal with users accessing items on the "server" and chrooting, etc...which would not apply to my gateway (I think). So that would tell me to just use hardened-sources.
I appreciate anyone's time for even looking at this, and I apologize in advance if I missed an explanation somewhere.
Cheers,
Wah
_________________
- AMD64 3000+, MSI K8N-SLI, Nvidia Geforce 6600 PCIE, 2GB OCZ Dual-Channel PC3200, 2x160GB SATA
- Registered Linux User #418541 |
|
daveteusink n00b
Joined: 07 Jan 2004 Posts: 41
|
Posted: Fri Mar 24, 2006 9:13 pm Post subject: From a n00b |
|
|
I undertook that very task last week. If you go to the Gentoo Hardened documentation, it explains what PaX is. Basically it protects from buffer overflows, so it's an extra added layer of security. I'd recommend using both the hardened sources and also learning PaX. That's what I'm doing and it is going well. |
|
wah Guru
Joined: 25 Feb 2005 Posts: 453 Location: Raleigh, NC, USA
|
Posted: Fri Mar 24, 2006 9:33 pm Post subject: Re: From a n00b |
|
|
daveteusink wrote: | I undertook that very task last week. If you go to the Gentoo Hardened documentation, it explains what PaX is. Basically it protects from buffer overflows, so it's an extra added layer of security. I'd recommend using both the hardened sources and also learning PaX. That's what I'm doing and it is going well. |
Cool - so you took the "all of the above" approach? Awesome. I really appreciate the comment - I'm pretty sure that's what I'll do as well...just wanted to see if I was overdoing it or if the two would cancel each other out, etc...
Cheers,
W.
_________________
- AMD64 3000+, MSI K8N-SLI, Nvidia Geforce 6600 PCIE, 2GB OCZ Dual-Channel PC3200, 2x160GB SATA
- Registered Linux User #418541 |
|