From: Sven Vermeulen
To: gentoo-hardened@lists.gentoo.org
Date: Sun, 11 Dec 2011 10:18:51 +0000
Subject: Re: [gentoo-hardened] New Server, considering hardened, need pointers to tfm...
Message-ID: <20111211101851.GA1810@gentoo.org>
In-Reply-To: <20111210145204.39ec9cba@khorne.mthode.org>

On Sat, Dec 10, 2011 at 02:52:04PM -0600, Matthew Thode wrote:
> As with most things gentoo, 'best' is a matter of opinion. I personally
> use grsec (includes pax) for hardening and selinux for policies. To
> convert you generally do the following.
>
> profile-config set 12 (this sets to nomultilib selinux)
> emerge system
> emerge world
>
> Since I'm paranoid, revdep-rebuild too.
If you're considering SELinux, please follow the instructions at
http://hardened.gentoo.org/selinux/selinux-handbook.xml?part=2&chap=1

There's a little more to it than emerge system/world:

- Your /tmp might need a specific mount option (in /etc/fstab)
- If you use LVM or XFS, you need to take specific measures if you want
  your system to boot up properly
- You need to build a SELinux-aware kernel as well
- You need to install SELinux utilities
- You need to relabel the system

etc.

That said, my opinion on a server is the same as Matthew's: use hardened
with the options given (grsec, selinux) and perhaps even TPE (trusted path
execution).

Also consider hardening your system settings-wise. I would appreciate it if
you took a look at
http://dev.gentoo.org/~swift/docs/previews/oval/gentoo-xccdf-guide.html.
With the instructions given, you can even have your system validated (as far
as possible) automatically.

Wkr,
  Sven Vermeulen
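The prerequisites Sven lists (the /tmp mount option, a SELinux-aware kernel, the userland utilities, a relabelled filesystem) as a read-only pre-flight script. This is an added example, not code from the thread or from the Gentoo handbook; it assumes a tmpfs /tmp is labelled through a context=/rootcontext= mount option, that kernel support shows up as selinuxfs in /proc/filesystems, that the utilities provide getenforce, and that an unlabelled root reports "?" or unlabeled_t from GNU stat.

```shell
#!/bin/sh
# Added example, not from the thread: read-only pre-flight checks for the
# SELinux prerequisites listed in the reply. Assumptions (not on the page):
# a tmpfs /tmp gets its label from a rootcontext=/context= mount option,
# kernel support shows up as "selinuxfs" in /proc/filesystems, the utilities
# provide getenforce, and an unlabelled root shows "?" or unlabeled_t in stat.

# 0 if the fstab in $1 mounts /tmp with a context= or rootcontext= option.
fstab_tmp_has_context() {
    awk '$1 !~ /^#/ && $2 == "/tmp" { opts = $4 }
         END { exit !(opts ~ /(^|,)(root)?context=/) }' "$1"
}

# 0 if the kernel advertises selinuxfs ($1 defaults to /proc/filesystems).
kernel_has_selinux() {
    grep -q 'selinuxfs' "${1:-/proc/filesystems}" 2>/dev/null
}

# 0 if the SELinux userland command in $1 (default getenforce) is installed.
have_selinux_tools() {
    command -v "${1:-getenforce}" >/dev/null 2>&1
}

# 0 if the security context string in $1 looks like a real label, i.e. the
# filesystem has been relabelled; "?" (no context) or unlabeled_t means not.
root_is_labelled() {
    case "$1" in
        ''|'?'|*unlabeled_t*) return 1 ;;
        *) return 0 ;;
    esac
}

# Run every check, print one line per failure, return the failure count.
preflight() {
    fails=0
    fstab_tmp_has_context "${1:-/etc/fstab}" ||
        { echo "FAIL: /tmp in fstab carries no context= option"; fails=$((fails + 1)); }
    kernel_has_selinux ||
        { echo "FAIL: running kernel has no SELinux support"; fails=$((fails + 1)); }
    have_selinux_tools ||
        { echo "FAIL: getenforce not found; SELinux utilities missing"; fails=$((fails + 1)); }
    root_is_labelled "$(stat -c %C / 2>/dev/null)" ||
        { echo "FAIL: / is not labelled; relabel the filesystem"; fails=$((fails + 1)); }
    return "$fails"
}

# Stand-alone use: sh preflight.sh --run   (exit status = number of failures)
case "${1:-}" in --run) preflight; exit $? ;; esac
```

Run it before the first reboot into the new profile; a non-zero exit status names the step from the list that is still missing.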