From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from pigeon.gentoo.org ([69.77.167.62] helo=lists.gentoo.org)
	by finch.gentoo.org with esmtp (Exim 4.60)
	(envelope-from <gentoo-hardened+bounces-2346-garchives=archives.gentoo.org@lists.gentoo.org>)
	id 1LIQJs-0000xt-OF
	for garchives@archives.gentoo.org; Thu, 01 Jan 2009 16:22:48 +0000
Received: from pigeon.gentoo.org (localhost [127.0.0.1])
	by pigeon.gentoo.org (Postfix) with SMTP id 8D6DAE0589;
	Thu,  1 Jan 2009 16:22:47 +0000 (UTC)
Received: from mail-bw0-f12.google.com (mail-bw0-f12.google.com [209.85.218.12])
	by pigeon.gentoo.org (Postfix) with ESMTP id 27408E0589
	for <gentoo-hardened@lists.gentoo.org>; Thu,  1 Jan 2009 16:22:47 +0000 (UTC)
Received: by bwz5 with SMTP id 5so9734622bwz.10
        for <gentoo-hardened@lists.gentoo.org>; Thu, 01 Jan 2009 08:22:46 -0800 (PST)
Received: by 10.181.209.5 with SMTP id l5mr6511396bkq.86.1230826966266;
        Thu, 01 Jan 2009 08:22:46 -0800 (PST)
Received: by 10.181.16.3 with HTTP; Thu, 1 Jan 2009 08:22:46 -0800 (PST)
Message-ID: <49bf44f10901010822h19ee27a4reb482bb9ddd8d329@mail.gmail.com>
Date: Thu, 1 Jan 2009 08:22:46 -0800
From: Grant <emailgrant@gmail.com>
To: gentoo-hardened@lists.gentoo.org
Subject: Re: [gentoo-hardened] Profile switch: hardened to non-hardened?
In-Reply-To: <1230673455.5778.11.camel@localhost>
Precedence: bulk
List-Post: <mailto:gentoo-hardened@lists.gentoo.org>
List-Help: <mailto:gentoo-hardened+help@lists.gentoo.org>
List-Unsubscribe: <mailto:gentoo-hardened+unsubscribe@lists.gentoo.org>
List-Subscribe: <mailto:gentoo-hardened+subscribe@lists.gentoo.org>
List-Id: Gentoo Linux mail <gentoo-hardened.gentoo.org>
X-BeenThere: gentoo-hardened@lists.gentoo.org
Reply-to: gentoo-hardened@lists.gentoo.org
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
References: <49bf44f10812231323t7b5371eaj6a082f56f17b01e0@mail.gmail.com>
	 <897813410812270049x661a7a3el7913d39fe4fbd108@mail.gmail.com>
	 <49bf44f10812270747y9f5bee3jb192efa6e911b999@mail.gmail.com>
	 <897813410812270818u49459nd83e9f628e946e07@mail.gmail.com>
	 <49bf44f10812271230p7558e8fbt819e595e1cbc960b@mail.gmail.com>
	 <1230417351.8383.17.camel@localhost>
	 <49bf44f10812291705r12a6ac9akb4360eac91d8995e@mail.gmail.com>
	 <1230616337.5528.9.camel@localhost>
	 <49bf44f10812301231v4b1223d2le83703473a04b98f@mail.gmail.com>
	 <1230673455.5778.11.camel@localhost>
X-Archives-Salt: bbd17d83-bbfa-4dac-9277-2417121a8678
X-Archives-Hash: 300838eab9e6bca1e58a458a0dc2018d

>> >> >> What else would you recommend for me?
>> >> >
>> >> > I'd suggest to completely ignore the grsec (low/med/high) options and
>> >> > use the Hardened Gentoo level in the hardened-sources all the time.
>> >> >
>> >> > Xorg should not cause problems unless you are stuck using 3rd party
>> >> > binary drivers. Most of us are using a hardened X setup.
>> >>
>> >> Excellent, thank you.  You think the "Hardened Gentoo (workstation)"
>> >> and "Hardened Gentoo (server)" grsecurity setups are adequate
>> >> low-maintenance solutions?
>> >
>> >
>> > Re: "low maintenance"
>> > I'm not sure we can dumb down the hardening efforts any more than we
>> > already have. It's all pretty transparent and seems mostly like a normal
>> > install of anything else. The ELFs are just smarter.
>>
>> Low maintenance definitely.  Is the security OK?
>
> Please think before you type and hit send.
>
> Pretend you have 0 extra security now. Then you take an entire project
> that devotes itself to proactive security measures. It enables features
> that are security based. So 0 vs 1...
>
>> >> What does a hardened profile do for my server?
>> >
>> > Enables things to match the kernel options/blocks things that conflict.
>>
>> Is the grsecurity "Hardened Gentoo (workstation)" setting useful
>> without the hardened profile?
>
> Of course it is. Is your make menuconfig (read help) broken?
>
> We are also getting way off topic here and this thread is going on for a
> week. The orig question was answered with a simple "yes". If you have
> lots of interactive new questions, jump on irc where you can learn more
> in an hour than you can in two months of playing ping/pong on the list.

Fair enough, thanks to everyone for their help.

- Grant