NiceGuy (Guru)
Joined: 12 Jun 2006 Posts: 451 Location: Canada
Posted: Mon Apr 07, 2008 6:01 pm Post subject: Gentoo hardened?
Hello,
I noticed in the Gentoo mirror that there is a "Gentoo Hardened Stage-3" available. Has anybody used/installed this? I am thinking about it, but I would like to know how much (if any) of a learning curve is involved if I decide to build my next server with this instead.
I'm not too concerned about the build process learning curve, more the day-to-day operation/maintenance of running such a server.
I currently run a regular 2007 Gentoo server, so this is the extent of my knowledge.
Thanks for your time
_________________
success is the ability to go from one failure to the next without any loss of enthusiasm
fabien29200 (n00b)
Joined: 12 Jun 2006 Posts: 32
Posted: Mon Apr 07, 2008 6:25 pm
Hello!
In fact, to have a Gentoo Hardened you just have to install a regular Gentoo with the hardened USE flag!
Just follow the handbook. Of course, I recommend using the hardened sources.
I think there are several interesting things in hardened Gentoo. Some of them don't need any administration (PIE, SSP, PaX ...). They are just security improvements brought by the "hardened gcc" and the kernel.
There are other options in the kernel if you want to chroot some of your server daemons, but this needs some administration. I didn't try RSBAC because of the lack of documentation (there is documentation about principles on the official website, but nothing about implementation).
I think Hardened Gentoo should be tested.
jcat (Veteran)
Joined: 26 May 2006 Posts: 1337
Posted: Wed Apr 09, 2008 12:39 pm
Just be advised that Gentoo Hardened (stable) is not yet on GCC 4, so if you want to share packages or other Portage resources between servers then you'll have to use the testing version of GCC on Hardened. This is only advisable on production servers if you're a confident Gentoo admin!
Cheers,
jcat
depontius (Advocate)
Joined: 05 May 2004 Posts: 3526
Posted: Wed Apr 09, 2008 4:33 pm
fabien29200 wrote:
> Hello!
> In fact, to have a Gentoo Hardened you just have to install a regular Gentoo with the hardened USE flag!
> Just follow the handbook. Of course, I recommend using the hardened sources.

I believe that there's more to it than just a hardened USE flag. At the very least, you need to switch to the hardened profile, which sets the USE flag, among other things, but that's covered in the handbook. As jcat says, one of those things is that hardened stable masks gcc>=4, and I believe it also masks glibc>=2.4. For those reasons alone, it's probably best to start with a hardened stage rather than try to switch a regular install to the hardened profile. I've heard that downgrading glibc is theoretically possible, but usually installation-destroying.
_________________
.sigs waste space and bandwidth
NiceGuy (Guru)
Joined: 12 Jun 2006 Posts: 451 Location: Canada
Posted: Tue Apr 15, 2008 3:16 pm
Hello,
I decided not to go with Hardened ... I do think it's a great idea ... but I'll be honest ... I'm not that enthusiastic about installing later versions of packages. Perhaps if the hardened-version packages (gcc etc.) were closer to the latest version of packages.
Though I completely understand why there is a skew/difference in the packages available for Hardened Gentoo versus non-Hardened. I guess non-hardened gets released first, then, after some time and modifications, a hardened version follows.
Still, there is quite the package/version difference. Some of the packages available in hardened ... believe it or not ... are the same version I'm already running ... prior to performing the upgrade.
I guess hardened comes at the price of enhancements.
Maybe sometime in the future I'll look back to see how it's doing, but for now I'll continue with the mainstream of Gentoo.
Thanks again
_________________
success is the ability to go from one failure to the next without any loss of enthusiasm
Xake (Guru)
Joined: 11 Feb 2004 Posts: 588 Location: Göteborg, the rainy part of Scandinavia
Posted: Thu Apr 17, 2008 2:51 pm
NiceGuy wrote:
> Hello,
> I decided not to go with Hardened ... I do think it's a great idea ... but I'll be honest ... I'm not that enthusiastic about installing later versions of packages. Perhaps if the hardened-version packages (gcc etc.) were closer to the latest version of packages.
> Though I completely understand why there is a skew/difference in the packages available for Hardened Gentoo versus non-Hardened. I guess non-hardened gets released first, then, after some time and modifications, a hardened version follows.
> Still, there is quite the package/version difference. Some of the packages available in hardened ... believe it or not ... are the same version I'm already running ... prior to performing the upgrade.
> I guess hardened comes at the price of enhancements.
> Maybe sometime in the future I'll look back to see how it's doing, but for now I'll continue with the mainstream of Gentoo.
> Thanks again

The problem here is purely GCC.
Hardened is a patched toolchain allowing you to compile some security functions into your packages.
All other changed packages (apart from hardened-sources and things related to PaX and the like) are ones that need modifications to compile or work (like mesa).
However, most packages in Gentoo do not need changes to work with hardened, and thus are the same version in Hardened as in the default profile.
But there is one big problem currently with Hardened.
With GCC-4, SSP support was pushed into upstream gcc. But there was somewhat of a fallout between the toolchain herd and the hardened herd about how to handle this, and currently no one touches it and/or tries to make it work. Be advised: the ebuilds in Portage have NO SUPPORT AT ALL(!) for "Gentoo Hardened". There is a (nowadays somewhat old) overlay from kevquinn (the last one to touch it, but he left Gentoo before finishing it) with support for SSP and PIE in gcc-4.0 to gcc-4.2.
The packages not available in Hardened stable/unstable/whatever are nearly all related to stuff that is broken with GCC-3 or older.
I myself am running hardened gcc-4 on my desktop. I still have problems understanding people that trust UNSTABLE software enough to run it without some safeguards. Yes, some things break from time to time. But they are most of the time easily fixed.
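An added check, not part of this thread or of Gentoo's own tooling, for confirming what Xake describes: whether a toolchain actually produced PIE (ELF type DYN) and SSP-instrumented binaries (a reference to `__stack_chk_fail`). It parses `readelf` output; `readelf` from GNU binutils is assumed to be installed for the live check, and the two sample outputs below are constructed.

```shell
#!/bin/sh
# Added example: classify an ELF binary's PIE and SSP status from readelf output.
# readelf (GNU binutils) is assumed to be installed for hardening_report.

# Reads `readelf -h` output on stdin; prints DYN (PIE or shared object),
# EXEC (fixed-address executable, i.e. no PIE), or UNKNOWN if no Type line.
elf_type_from_header() {
    awk '/^ *Type:/ { t = $2; exit }
         END { if (t == "DYN" || t == "EXEC") print t; else print "UNKNOWN" }'
}

# Reads `readelf --dyn-syms` output on stdin; prints yes if the binary imports
# __stack_chk_fail (the canary-failure handler SSP emits), otherwise no.
ssp_from_symbols() {
    if grep -q '__stack_chk_fail'; then echo yes; else echo no; fi
}

# Live check of a file on disk: prints "<path> pie=<yes|no> ssp=<yes|no>".
hardening_report() {
    path=$1
    t=$(readelf -h "$path" 2>/dev/null | elf_type_from_header)
    s=$(readelf --dyn-syms "$path" 2>/dev/null | ssp_from_symbols)
    if [ "$t" = DYN ]; then pie=yes; else pie=no; fi
    echo "$path pie=$pie ssp=$s"
}

# Constructed sample of `readelf -h` output for a non-PIE executable.
SAMPLE_HEADER="ELF Header:
  Class:                             ELF64
  Type:                              EXEC (Executable file)"

# Constructed sample of `readelf --dyn-syms` output showing the SSP import.
SAMPLE_SYMS="Symbol table '.dynsym' contains 3 entries:
   Num:    Value          Size Type    Bind   Vis      Ndx Name
     1: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail@GLIBC_2.4 (2)
     2: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND puts@GLIBC_2.2.5 (3)"

demo() {
    printf '%s\n' "$SAMPLE_HEADER" | elf_type_from_header   # EXEC
    printf '%s\n' "$SAMPLE_SYMS" | ssp_from_symbols          # yes
    # Live check of a real binary, only when readelf is available.
    command -v readelf >/dev/null 2>&1 && hardening_report /bin/sh
    return 0
}

demo
```

Run `hardening_report` over the binaries a package installed to see whether the hardened profile's flags took effect; a DYN type alone also matches shared libraries, so judge executables and libraries separately.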