From: Grant <emailgrant@gmail.com>
To: gentoo-hardened@lists.gentoo.org
Subject: Re: [gentoo-hardened] Profile switch: hardened to non-hardened?
Date: Tue, 30 Dec 2008 12:31:09 -0800
Message-ID: <49bf44f10812301231v4b1223d2le83703473a04b98f@mail.gmail.com>
In-Reply-To: <1230616337.5528.9.camel@localhost>

>> >> What else would you recommend for me?
>> >
>> > I'd suggest to completely ignore the grsec (low/med/high) options and
>> > use the Hardened Gentoo level in the hardened-sources all the time.
>> >
>> > Xorg should not cause problems unless you are stuck using 3rd party
>> > binary drivers. Most of us are using a hardened X setup.
>>
>> Excellent, thank you. You think the "Hardened Gentoo (workstation)"
>> and "Hardened Gentoo (server)" grsecurity setups are adequate
>> low-maintenance solutions?
>
>
> Re: "low maintenance"
> I'm not sure we can dumb down the hardening efforts anymore than we
> already have. It's all pretty transparent and seems mostly like a normal
> install of anything else. The ELF's are just smarter.

Low maintenance definitely. Is the security OK?

>> What does a hardened profile do for my server?
>
> Enables things to match the kernel options/blocks things that conflict.

Is the grsecurity "Hardened Gentoo (workstation)" setting useful
without the hardened profile?

- Grant