Date: Sat, 10 Dec 2011 14:52:04 -0600
From: Matthew Thode (prometheanfire)
To: gentoo-hardened@lists.gentoo.org
Cc: tanstaafl@libertytrek.org
Subject: Re: [gentoo-hardened] New Server, considering hardened, need pointers to tfm...
Message-ID: <20111210145204.39ec9cba@khorne.mthode.org>
In-Reply-To: <4EE3BE6B.6050507@libertytrek.org>

On Sat, 10 Dec 2011 15:17:47 -0500 Tanstaafl wrote:
> Hello all,
>
> I'm considering rolling out a new server with gentoo, but wanted to
> base it on the hardened profile, but the gentoo docs I've read so far
> all seem to be a bit vague about all the details.
>
> I've been using gentoo for a while on my hobby server, but I
> installed it about 8 years ago, and chose the 'server' profile, and I
> must say it has been a real pleasure to maintain, with the only real
> hiccup I ever experienced being the mailman update that moved the
> directories for the lists without telling me what to do about it (the
> fix was simple, and the devs swiftly fixed the lack of post-install
> docs).
>
> Does anyone know of a good How-To that covers *all* of the bases? Ie,
> which model is best - grsecurity, PAX, SeLinux - and how best to
> implement it?
>
> The purpose of this server will be as a mail server (dovecot,
> postfix, amavisd-new/spamassassin, mailman), and hosting a few small
> websites.
>
> Thanks...
>

As with most things gentoo, 'best' is a matter of opinion. I personally
use grsec (includes pax) for hardening and selinux for policies. To
convert you generally do the following.
profile-config set 12 (this sets to nomultilib selinux)
emerge system
emerge world

Since I'm paranoid, revdep-rebuild too.

--
Matthew Thode (prometheanfire)
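An added example of the conversion the reply describes; this is not code from the post or from Gentoo. It keeps the reply's order of operations (switch profile, rebuild system, rebuild world, revdep-rebuild) but resolves the hardened SELinux profile by name, because the "12" in the post is only meaningful for the profile list on that particular box and a different number would silently select a different profile. Assumptions, not taken from the post: the `eselect profile` tool is used instead of `profile-config`, the target profile is named `hardened/linux/amd64/no-multilib/selinux`, the rebuilds use `emerge -e @system` and `emerge -e @world` so every package is rebuilt against the new profile, and the sample `eselect profile list` output is constructed for offline testing.

```shell
#!/bin/sh
# Added example, not code from the list post. It follows the reply's steps
# (switch profile, emerge system, emerge world, revdep-rebuild) but resolves
# the profile by name, because the "12" in the post is only valid for the
# profile list on that box. Assumptions: the eselect profile tool (not
# profile-config), the profile name below, and "emerge -e" for full rebuilds.

# Profile to switch to (assumed name; confirm with `eselect profile list`).
TARGET_PROFILE="${TARGET_PROFILE:-hardened/linux/amd64/no-multilib/selinux}"

# Constructed sample of `eselect profile list` output, for offline testing.
SAMPLE_LISTING='Available profile symlink targets:
  [1]   default/linux/amd64/10.0
  [2]   default/linux/amd64/10.0/desktop
  [12]  hardened/linux/amd64/no-multilib/selinux
  [13]  hardened/linux/amd64/selinux *'

# profile_index NAME LISTING
# Print the numeric index of profile NAME in LISTING (the text of
# `eselect profile list`); exit 1 if it is absent. The match is on the whole
# name, so ".../selinux" is not taken for ".../no-multilib/selinux".
profile_index() {
    printf '%s\n' "$2" | awk -v want="$1" '
        /^[[:space:]]*\[[0-9]+\]/ {
            idx = $1
            gsub(/[^0-9]/, "", idx)          # "[12]" -> "12"
            if ($2 == want) { print idx; found = 1; exit }
        }
        END { exit found ? 0 : 1 }'
}

# profile_is_hardened_selinux NAME
# Sanity check before the rebuild: the post pairs grsec/PaX (the hardened
# profile) with SELinux policy, so the chosen profile must be hardened/...
# and end in /selinux.
profile_is_hardened_selinux() {
    case "$1" in
        hardened/*/selinux) return 0 ;;
        *) return 1 ;;
    esac
}

# convert_profile
# The post's procedure with the profile resolved by name. It rebuilds the
# whole system, so it only runs when HARDENED_CONVERT_RUN=1 is set.
convert_profile() {
    profile_is_hardened_selinux "$TARGET_PROFILE" || {
        echo "refusing: $TARGET_PROFILE is not a hardened SELinux profile" >&2
        return 1
    }
    listing="$(eselect profile list)" || return 1
    idx="$(profile_index "$TARGET_PROFILE" "$listing")" || {
        echo "profile $TARGET_PROFILE not in 'eselect profile list'" >&2
        return 1
    }
    eselect profile set "$idx" || return 1   # the post's "profile-config set 12"
    emerge -e @system || return 1            # the post's "emerge system"
    emerge -e @world || return 1             # the post's "emerge world"
    revdep-rebuild                           # the post's paranoid last pass
}

if [ "${HARDENED_CONVERT_RUN:-0}" = "1" ]; then
    convert_profile
fi
```

Run it as `HARDENED_CONVERT_RUN=1 sh convert.sh` on the target box; without that variable it only defines the helpers, so the lookup can be checked against the sample listing first. The whole-name match matters because the hardened profile tree has several `.../selinux` entries that differ only by a path component.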