From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from pigeon.gentoo.org ([69.77.167.62] helo=lists.gentoo.org)
	by finch.gentoo.org with esmtp (Exim 4.60)
	(envelope-from <gentoo-hardened+bounces-2343-garchives=archives.gentoo.org@lists.gentoo.org>)
	id 1LHlF9-0007n3-SU
	for garchives@archives.gentoo.org; Tue, 30 Dec 2008 20:31:12 +0000
Received: from pigeon.gentoo.org (localhost [127.0.0.1])
	by pigeon.gentoo.org (Postfix) with SMTP id 8BD06E0660;
	Tue, 30 Dec 2008 20:31:10 +0000 (UTC)
Received: from mail-ew0-f21.google.com (mail-ew0-f21.google.com [209.85.219.21])
	by pigeon.gentoo.org (Postfix) with ESMTP id 2C4D0E0660
	for <gentoo-hardened@lists.gentoo.org>; Tue, 30 Dec 2008 20:31:10 +0000 (UTC)
Received: by ewy14 with SMTP id 14so6063177ewy.10
        for <gentoo-hardened@lists.gentoo.org>; Tue, 30 Dec 2008 12:31:09 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=gamma;
        h=domainkey-signature:received:received:message-id:date:from:to
         :subject:in-reply-to:mime-version:content-type
         :content-transfer-encoding:content-disposition:references;
        bh=tmmc1PyhESB1/xL0/NgQFwaQC4Zw0KSf52zMXxKUXUk=;
        b=AjV1xEyrCla2qic5n1LrfEXvAxRY1It+iheAEK1pdyFMSRD47j19S9Yt1I0Py3stku
         CJZwyBIqZI80EZWWvfUVC2KRVtgG3pscWd8EU/6AYv5vHfStyF/ZJueDkpkDGkWP6HmL
         M+fnkR35s2PsYhcNg/HUFUC7vAZTigkwdDpwQ=
DomainKey-Signature: a=rsa-sha1; c=nofws;
        d=gmail.com; s=gamma;
        h=message-id:date:from:to:subject:in-reply-to:mime-version
         :content-type:content-transfer-encoding:content-disposition
         :references;
        b=m+rHVvJ0A+zcba2/SbqDtK2e1FA/bK8/qLgMVKC4BzlsEz588dqJtcgRE3nFw+wcSM
         NCcaXNY2Y8Vd+Xxf8ePJPhaI25bvPJmvKqMMdkJyztsNSeatdsd/XTy9TPzxzMkboxce
         ZOeJRRS5t0NOzMZnhQvYNoFYoNdWxA7RjUl+w=
Received: by 10.210.126.18 with SMTP id y18mr10458492ebc.17.1230669069578;
        Tue, 30 Dec 2008 12:31:09 -0800 (PST)
Received: by 10.210.88.6 with HTTP; Tue, 30 Dec 2008 12:31:09 -0800 (PST)
Message-ID: <49bf44f10812301231v4b1223d2le83703473a04b98f@mail.gmail.com>
Date: Tue, 30 Dec 2008 12:31:09 -0800
From: Grant <emailgrant@gmail.com>
To: gentoo-hardened@lists.gentoo.org
Subject: Re: [gentoo-hardened] Profile switch: hardened to non-hardened?
In-Reply-To: <1230616337.5528.9.camel@localhost>
Precedence: bulk
List-Post: <mailto:gentoo-hardened@lists.gentoo.org>
List-Help: <mailto:gentoo-hardened+help@lists.gentoo.org>
List-Unsubscribe: <mailto:gentoo-hardened+unsubscribe@lists.gentoo.org>
List-Subscribe: <mailto:gentoo-hardened+subscribe@lists.gentoo.org>
List-Id: Gentoo Linux mail <gentoo-hardened.gentoo.org>
X-BeenThere: gentoo-hardened@lists.gentoo.org
Reply-to: gentoo-hardened@lists.gentoo.org
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
References: <49bf44f10812231323t7b5371eaj6a082f56f17b01e0@mail.gmail.com>
	 <897813410812261117t40f2fecdu8b42f530788f47ec@mail.gmail.com>
	 <49bf44f10812261247l2997a51axe9a3b5a581994f0b@mail.gmail.com>
	 <897813410812270049x661a7a3el7913d39fe4fbd108@mail.gmail.com>
	 <49bf44f10812270747y9f5bee3jb192efa6e911b999@mail.gmail.com>
	 <897813410812270818u49459nd83e9f628e946e07@mail.gmail.com>
	 <49bf44f10812271230p7558e8fbt819e595e1cbc960b@mail.gmail.com>
	 <1230417351.8383.17.camel@localhost>
	 <49bf44f10812291705r12a6ac9akb4360eac91d8995e@mail.gmail.com>
	 <1230616337.5528.9.camel@localhost>
X-Archives-Salt: 980f295e-a7d9-403f-9cf9-c6b6b1f7188b
X-Archives-Hash: faa0982f3bffe27821e9c975ef5da798

>> >> What else would you recommend for me?
>> >
>> > I'd suggest to completely ignore the grsec (low/med/high) options and
>> > use the Hardened Gentoo level in the hardened-sources all the time.
>> >
>> > Xorg should not cause problems unless you are stuck using 3rd party
>> > binary drivers. Most of us are using a hardened X setup.
>>
>> Excellent, thank you.  You think the "Hardened Gentoo (workstation)"
>> and "Hardened Gentoo (server)" grsecurity setups are adequate
>> low-maintenance solutions?
>
>
> Re: "low maintenance"
> I'm not sure we can dumb down the hardening efforts anymore than we
> already have. It's all pretty transparent and seems mostly like a normal
> install of anything else. The ELF's are just smarter.

Low maintenance definitely.  Is the security OK?

>> What does a hardened profile do for my server?
>
> Enables things to match the kernel options/blocks things that conflict.

Is the grsecurity "Hardened Gentoo (workstation)" setting useful
without the hardened profile?

- Grant