[gentoo-hardened] Towards better profiles for hardened.

[gentoo-hardened] Towards better profiles for hardened.

[basile]

[-- Attachment #1: Type: text/plain, Size: 1192 bytes --]

Hi guys,

I'm emailing because the profile issue came up again in IRC.  I'd like
to continue the discussion here.  Let me try to get it started.

Here's some general issues with the current profile stucture:

1) It is horribly complex and difficult to read the inheritance
strucutre.  Its not clear the inheritance even works.  As a result, the
user is not sure what is  going on.  This ambiguity makes it difficult
to even start a coherent criticism!

2) There doesn't appear to be a good structure for seperation of various
features.  In OO language, I can't choose what to inherit.   I wind up
getting stuff from other profiles which I don't want and can't control
this, so I'm tempted to just USE="-*" and start from scratch, which is
not a good thing.

3) There is a clear bias towards the desktop.  If you go that route, you
get what you need/want.  When you deviate, you start to get more things
that you don't want/need and have to struggle against points 1 and 2.

This effects hardened and hardened+server most.  Comments?

-- 

Anthony G. Basile, Ph.D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201
USA

(716) 829-8197




[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 260 bytes --]

Re: [gentoo-hardened] Towards better profiles for hardened.

[Shinkan]

[-- Attachment #1: Type: text/plain, Size: 1393 bytes --]

2010/1/13 basile <basile@opensource.dyc.edu>

> Hi guys,
>
> I'm emailing because the profile issue came up again in IRC.  I'd like
> to continue the discussion here.  Let me try to get it started.
>
> Here's some general issues with the current profile stucture:
>
> 1) It is horribly complex and difficult to read the inheritance
> strucutre.  Its not clear the inheritance even works.  As a result, the
> user is not sure what is  going on.  This ambiguity makes it difficult
> to even start a coherent criticism!
>
> 2) There doesn't appear to be a good structure for seperation of various
> features.  In OO language, I can't choose what to inherit.   I wind up
> getting stuff from other profiles which I don't want and can't control
> this, so I'm tempted to just USE="-*" and start from scratch, which is
> not a good thing.
>
> 3) There is a clear bias towards the desktop.  If you go that route, you
> get what you need/want.  When you deviate, you start to get more things
> that you don't want/need and have to struggle against points 1 and 2.
>
> This effects hardened and hardened+server most.  Comments?
>

I don't really get the productive side of this message, but I do agree with
all that points.


-- 
Pierre.
"Sometimes when I'm talking, my words can't keep up with my thoughts. I
wonder why we think faster than we speak. Probably so we can think twice." -
Bill Watterson

[-- Attachment #2: Type: text/html, Size: 1858 bytes --]

Re: [gentoo-hardened] Towards better profiles for hardened.

[Ed W]

[-- Attachment #1: Type: text/plain, Size: 2064 bytes --]

On 14/01/2010 12:16, Shinkan wrote:
>
>
> 2010/1/13 basile <basile@opensource.dyc.edu 
> <mailto:basile@opensource.dyc.edu>>
>
>     Hi guys,
>
>     I'm emailing because the profile issue came up again in IRC.  I'd like
>     to continue the discussion here.  Let me try to get it started.
>
>     Here's some general issues with the current profile stucture:
>
>     1) It is horribly complex and difficult to read the inheritance
>     strucutre.  Its not clear the inheritance even works.  As a
>     result, the
>     user is not sure what is  going on.  This ambiguity makes it difficult
>     to even start a coherent criticism!
>
>     2) There doesn't appear to be a good structure for seperation of
>     various
>     features.  In OO language, I can't choose what to inherit.   I wind up
>     getting stuff from other profiles which I don't want and can't control
>     this, so I'm tempted to just USE="-*" and start from scratch, which is
>     not a good thing.
>
>     3) There is a clear bias towards the desktop.  If you go that
>     route, you
>     get what you need/want.  When you deviate, you start to get more
>     things
>     that you don't want/need and have to struggle against points 1 and 2.
>
>     This effects hardened and hardened+server most.  Comments?
>
>
> I don't really get the productive side of this message, but I do agree 
> with all that points.
>

I think to some extent this may need to get pushed further up to whoever 
manages the main gentoo profiles?  The problem seems a bit deeper 
routed, but things seem to be either getting worse or better depending 
on whether you like the current direction of progress?

A follow on point is that getting some public docs/howtos on building 
your own profiles would be really useful.  I figured out the major 
details and use it here on a bunch of linux-vservers and it's absolutely 
fantastic for getting all servers largely the same and baselining the 
software install.  However, it wasn't that intuitive to start with

Anyway, sounds good - what do we do next?

Ed

[-- Attachment #2: Type: text/html, Size: 2749 bytes --]