From: Ned Ludd
To: gentoo-hardened@lists.gentoo.org
Subject: Re: [gentoo-hardened] Profile switch: hardened to non-hardened?
Date: Tue, 30 Dec 2008 13:44:15 -0800
Message-Id: <1230673455.5778.11.camel@localhost>

On Tue, 2008-12-30 at 12:31 -0800, Grant wrote:
> >> >> What else would you recommend for me?
> >> >
> >> > I'd suggest to completely ignore the grsec (low/med/high) options and
> >> > use the Hardened Gentoo level in the hardened-sources all the time.
> >> >
> >> > Xorg should not cause problems unless you are stuck using 3rd party
> >> > binary drivers. Most of us are using a hardened X setup.
> >>
> >> Excellent, thank you. You think the "Hardened Gentoo (workstation)"
> >> and "Hardened Gentoo (server)" grsecurity setups are adequate
> >> low-maintenance solutions?
> >
> >
> > Re: "low maintenance"
> > I'm not sure we can dumb down the hardening efforts any more than we
> > already have. It's all pretty transparent and seems mostly like a normal
> > install of anything else. The ELFs are just smarter.
>
> Low maintenance definitely. Is the security OK?

Please think before you type and hit send. Pretend you have 0 extra
security now. Then you take an entire project that devotes itself to
proactive security measures. It enables features that are security
based. So 0 vs 1...

> >> What does a hardened profile do for my server?
> >
> > Enables things to match the kernel options/blocks things that conflict.
>
> Is the grsecurity "Hardened Gentoo (workstation)" setting useful
> without the hardened profile?

Of course it is. Is your make menuconfig (read help) broken?

We are also getting way off topic here and this thread has been going on
for a week. The original question was answered with a simple "yes". If
you have lots of interactive new questions, jump on IRC where you can
learn more in an hour than you can in two months of playing ping/pong
on the list.