Gentoo Forums
Workstation security?
schachti
Advocate

Joined: 28 Jul 2003
Posts: 3765
Location: Gifhorn, Germany

Posted: Sun Feb 24, 2008 4:51 pm    Post subject: Workstation security?

What possibilities do I have under gentoo to secure a workstation?



So what else than switching to a distro that takes security issues more seriously can one do?
_________________
Never argue with an idiot. He brings you down to his level, then beats you with experience.

How-To: Storing data encrypted on DVD.
noobstate
n00b

Joined: 07 Oct 2007
Posts: 61

Posted: Sun Feb 24, 2008 5:04 pm    Post subject: Re: Workstation security?

schachti wrote:
What possibilities do I have under gentoo to secure a workstation?



So what else than switching to a distro that takes security issues more seriously can one do?


how is selinux not supported yet on workstations ?!?!?! I'm running it on all machines ... and personally like it better than grsecurity, which hides your filesystem when in use. the selinux gentoo documentation is outdated and old as FUCK. i recommend u simply switch profiles, recompile (make a /selinux dir, assuming your kernel is configured properly aka filesystem has security context and no POSIX) and ur off and going on ppc, x86_64 and x86 (all three i have currently running), and the 2007.0 profile is in sync with 2008 (if there is one) for package versions.

and hardened sources + selinux 2007.0 profile = gcc 4.1.2 :P enjoy
don't do hardened profile. i find they are way behind, and selinux profile supports pic, pie and pax. works GREAT on all machines tested but one (amd - amd64, i don't know why cause it works on my amd64-core duo, it did work at some point though) just not now for some odd reason !??!

gentoo and security = simply how well do u know ur operating system
u can use any kernel and any package u wish (via overlay)

don't diss the gentoo security. just because certain devs got lazy doesn't mean it doesn't support security like other distros, it does, it just doesn't have up-to-date proper documentation, and packages, if missing, are not bleeding edge :P

ps my hardened-sources is at 2.6.23, I'd say that's pretty recent for a kernel
noobstate
n00b

Joined: 07 Oct 2007
Posts: 61

Posted: Sun Feb 24, 2008 5:18 pm    Post subject:

if u wanna get creative, download a recent kernel and patch it with hardened-vserver

i did that and damn, grsecurity and selinux running on one + pax and vservers. stick portage within a vserver and NFS it over. then u'll also have space for a log server too for extra security

if u have an nvidia card like me u can also enjoy beryl and emerald / or compiz-fusion simply by compiling it (nvidia includes XGL in their drivers). just make sure u paxctl Xorg and necessary files or it will be killed by pax. then u can use wine to emulate steam and play counter-strike source all on the same box

i shit u not my friend (selinux targeted also) glibc 2.6 and gcc 4.1.2

that's my development box, it's something so sweet it brings a tear to my eye
schachti
Advocate

Joined: 28 Jul 2003
Posts: 3765
Location: Gifhorn, Germany

Posted: Sun Feb 24, 2008 5:18 pm    Post subject: Re: Workstation security?

noobstate wrote:
how is selinux not supported yet on workstations ?!?!?! I'm running it on all machines ... and personally like it better than grsecurity, which hides your filesystem when in use. the selinux gentoo documentation is outdated and old as FUCK


ok - I only had a short look at the documentation, where a big warning on red background says "SELinux is only supported on servers. Workstation support will happen in the future.". As in general the gentoo documentation is quite good, I took it as the truth...

noobstate wrote:
ps my hardened-sources is at 2.6.23, I'd say that's pretty recent for a kernel


I need 2.6.24 due to a bug in older kernels that made my system freeze - so I'll wait until there is a hardened 2.6.24 kernel and try...
schachti
Advocate

Joined: 28 Jul 2003
Posts: 3765
Location: Gifhorn, Germany

Posted: Sun Feb 24, 2008 5:22 pm    Post subject:

noobstate wrote:
i shit u not my friend (selinux targeted also) glibc 2.6 and gcc 4.1.2


I'm currently running glibc 2.7, but as it is not contained in /usr/portage/profiles/selinux/package.mask, I hope it will work with the selinux profile as well.
noobstate
n00b

Joined: 07 Oct 2007
Posts: 61

Posted: Sun Feb 24, 2008 5:34 pm    Post subject:

schachti wrote:
noobstate wrote:
i shit u not my friend (selinux targeted also) glibc 2.6 and gcc 4.1.2


I'm currently running glibc 2.7, but as it is not contained in /usr/portage/profiles/selinux/package.mask, I hope it will work with the selinux profile as well.


i don't see why not, just don't expect to be able to downgrade, damn have i made that mistake before. twice. - recompile

I'm awaiting gcc 4.2 stable (even though it's stable on other distros, and i don't wanna overlay it) so that core duo conroe cflag arch is added to the support list make.conf

other than that

btw good luck running selinux on a desktop even with targeted, it still drops and complains about unknown apps which are not services, and grsecurity is even worse in my eyes, u have to first run which programs u will allow to run and take a snapshot of what access they have. so it's flawed from the get-go (in case a program is already flawed when u get it and u allow it to run) but not bad if u were to use it for a filesystem checksum type of security measure.

selinux works for me now that i have like 30 policies and am used to having it break the policies every update lol
All times are GMT