public inbox for gentoo-user@lists.gentoo.org
* [gentoo-user]  Re: Simplified apache2
  2006-09-12 15:08 ` Michael Crute
@ 2006-09-12 15:36   ` James
  2006-09-12 23:27   ` [gentoo-user] " Ryan Tandy
  2006-09-13 18:17   ` [gentoo-user] " Brian Davis
  2 siblings, 0 replies; 13+ messages in thread
From: James @ 2006-09-12 15:36 UTC
  To: gentoo-user

Michael Crute <mcrute <at> gmail.com> writes:

> Those look a bit excessive for a "minimalist" machine. I would start over 
> You probably want to set your machine up with a similar
> USE= string in make.conf
>
> USE="-* hardened pic ncurses ssl crypt berkdb tcpd pam perl python readline"
>
> net-www/apache mpm-prefork threads

Hello Mike,

I'll give this approach a whirl.
I use hardened on my firewalls and it works well.

thx

James



-- 
gentoo-user@gentoo.org mailing list

* [gentoo-user]  Re: Simplified apache2
  2006-09-12 23:27   ` [gentoo-user] " Ryan Tandy
@ 2006-09-13 12:36     ` James
  2006-09-13 13:20       ` Rumen Yotov
                         ` (2 more replies)
  0 siblings, 3 replies; 13+ messages in thread
From: James @ 2006-09-13 12:36 UTC
  To: gentoo-user

Ryan Tandy <tarpman <at> gmail.com> writes:


> Michael Crute wrote:
> > USE="-* hardened pic ncurses ssl crypt berkdb tcpd pam perl python 
> > readline"

Hello Ryan,

glibc croaked during an upgrade/recompile and told me to add:
'nptl nptlonly' to make.conf. I did and the system completed a deep recompile
late last night.

> Even this is a bit more bloated than it needs to be.  I have never used 
> 'tcpd' or 'berkdb' on any system I run, and 'perl' and 'python' are 
> *much* more useful (IMO) as local flags (in package.use) than as global 
> ones.  Even 'ssl' doesn't *have* to be there, especially in the global 
> scope - 'www-client/links ssl' in package.use should be more than 
> sufficient.  One flag missing from that line that I like to have is 
> 'bzip2' - tar just isn't quite the same without bz2 support. ;)


Ok,
So I'll test your suggestions. 
The more minimized the global flags are, the more secure the server.

> Also, be careful using the hardened flag without running the hardened 
> profile.  The hardened profile masks out a couple of packages and flags 
> that don't work so well on a hardened system.

Hmmmm,

Not sure I fully grasp what you mean by a 'hardened system'. If you mean
running a hardened kernel with only necessary software installed, then
yes, I run hardened kernels on most servers {dns, web, mail, firewalls....}

If running a hardened system means more than that, please explain,
or point me to some docs.


> BTW, the flags with underscores in them (kernel_linux, userland_GNU, 
> elibc_glibc, video_cards_radeon and such) are known as USE_EXPAND or 
> expanded USE flags.  

This is nice to know. 
I did not get the memo on this.
Any docs for further reading you can point me to?

thanks for all of the information,
thanks to everyone for help on this,



James

* Re: [gentoo-user]  Re: Simplified apache2
  2006-09-13 12:36     ` [gentoo-user] " James
@ 2006-09-13 13:20       ` Rumen Yotov
  2006-09-14 17:05         ` Brian Davis
  2006-09-13 13:50       ` Michael Crute
  2006-09-13 17:01       ` Bo Ørsted Andresen
  2 siblings, 1 reply; 13+ messages in thread
From: Rumen Yotov @ 2006-09-13 13:20 UTC
  To: gentoo-user

Hi,
On Wed, 13 Sep 2006 12:36:45 +0000 (UTC)
James <wireless@tampabay.rr.com> wrote:
> Ryan Tandy <tarpman <at> gmail.com> writes:
> 
> 
> > Michael Crute wrote:
> > > USE="-* hardened pic ncurses ssl crypt berkdb tcpd pam perl
> > > python readline"
> 
You could omit "pic" here IIRC (on a hardened profile) "hardened"
includes -fpic -fpie CFLAGS, plus SSP in GCC-4.1.1 (a default).
If using a vanilla (desktop & server) profile you'll need 'pie' as well.
Maybe (if not using a hardened profile) you'll also need some LDFLAGS.
> Ok,
> So I'll test your suggestions. 
> The more minimized the global flags are, the more secure the server.
> 
+1
Could also check the flags in "hardened" profile.
> > Also, be careful using the hardened flag without running the
> > hardened profile.  The hardened profile masks out a couple of
> > packages and flags that don't work so well on a hardened system.
+1
> Hmmmm,
> 
> Not sure I fully grasp what you mean by a 'hardened system'. If you
> mean running a hardened kernel with only necessary software
> installed, then yes, I run hardened kernels on most servers {dns,
> web, mail, firewalls....}
> 
> If running a hardened system means more than that, please explain,
> or point me to some docs.
Check hardened docs page on w.g.o, in short hardened means a kernel
with PaX (+ -fpie for packages), some sort of RBAC system - grsec, RSBAC
or SELinux - and all user-land built with SSP, pic, pie (IMHO).
> > BTW, the flags with underscores in them (kernel_linux,
> > userland_GNU, elibc_glibc, video_cards_radeon and such) are known
> > as USE_EXPAND or expanded USE flags.  
> 
> This is nice to know. 
> I did not get the memo on this.
> Any docs for further reading you can point me to?
> 
...SKIP...
> James
HTH. Rumen

* Re: [gentoo-user] Re: Simplified apache2
  2006-09-13 12:36     ` [gentoo-user] " James
  2006-09-13 13:20       ` Rumen Yotov
@ 2006-09-13 13:50       ` Michael Crute
  2006-09-13 17:01       ` Bo Ørsted Andresen
  2 siblings, 0 replies; 13+ messages in thread
From: Michael Crute @ 2006-09-13 13:50 UTC
  To: gentoo-user

On 9/13/06, James <wireless@tampabay.rr.com> wrote:
>
> Not sure I fully grasp what you mean by a 'hardened system'. If you mean
> running a hardened kernel with only necessary software installed, then
> yes, I run hardened kernels on most servers {dns, web, mail, firewalls....}
>
> If running a hardened system means more than that, please explain,
> or point me to some docs.

I guess I should have clarified when I made my initial suggestion. A
hardened system is one that is running the hardened profile. All my
server systems are built from the hardened stage 1 tarball. So
basically, you should not use the hardened useflag if your system was
not built with the hardened profile.

Note that there is more to "hardening" a system than just using a
certain profile or a combination of useflags but it's a good start.

-Mike


-- 
________________________________
Michael E. Crute
http://mike.crute.org

I may not have gone where I intended to go, but I think I have ended
up where I intended to be. --Douglas Adams

* Re: [gentoo-user]  Re: Simplified apache2
  2006-09-13 12:36     ` [gentoo-user] " James
  2006-09-13 13:20       ` Rumen Yotov
  2006-09-13 13:50       ` Michael Crute
@ 2006-09-13 17:01       ` Bo Ørsted Andresen
  2006-09-13 17:52         ` Stefan G. Weichinger
                           ` (2 more replies)
  2 siblings, 3 replies; 13+ messages in thread
From: Bo Ørsted Andresen @ 2006-09-13 17:01 UTC
  To: gentoo-user


On Wednesday 13 September 2006 14:36, James wrote:
> The more minimized the global flags are, the more secure the server.

Was I the only one who wasn't quite convinced by that statement?

-- 
Bo Andresen


* Re: [gentoo-user]  Re: Simplified apache2
  2006-09-13 17:01       ` Bo Ørsted Andresen
@ 2006-09-13 17:52         ` Stefan G. Weichinger
  2006-09-13 18:08         ` Neil Bothwick
  2006-09-13 19:13         ` Daniel da Veiga
  2 siblings, 0 replies; 13+ messages in thread
From: Stefan G. Weichinger @ 2006-09-13 17:52 UTC
  To: gentoo-user

Bo Ørsted Andresen wrote:
> On Wednesday 13 September 2006 14:36, James wrote:
>> The more minimized the global flags are, the more secure the server.
> 
> Was I the only one who wasn't quite convinced by that statement?

No.

Stefan


* Re: [gentoo-user]  Re: Simplified apache2
  2006-09-13 17:01       ` Bo Ørsted Andresen
  2006-09-13 17:52         ` Stefan G. Weichinger
@ 2006-09-13 18:08         ` Neil Bothwick
  2006-09-13 19:13         ` Daniel da Veiga
  2 siblings, 0 replies; 13+ messages in thread
From: Neil Bothwick @ 2006-09-13 18:08 UTC
  To: gentoo-user


On Wed, 13 Sep 2006 19:01:18 +0200, Bo Ørsted Andresen wrote:

> > The more minimized the global flags are, the more secure the server.  
> 
> Was I the only one who wasn't quite convinced by that statement?

If that means leaving GAPING_SECURITY_HOLE out of USE, then it holds some
truth ;-)


-- 
Neil Bothwick

New Intel opcode #007 PUKE: Put unmeaningful keywords everywhere


* Re: [gentoo-user] Re: Simplified apache2
  2006-09-13 17:01       ` Bo Ørsted Andresen
  2006-09-13 17:52         ` Stefan G. Weichinger
  2006-09-13 18:08         ` Neil Bothwick
@ 2006-09-13 19:13         ` Daniel da Veiga
  2006-09-13 21:11           ` Harm Geerts
  2 siblings, 1 reply; 13+ messages in thread
From: Daniel da Veiga @ 2006-09-13 19:13 UTC
  To: gentoo-user

On 9/13/06, Bo Ørsted Andresen <bo.andresen@zlin.dk> wrote:
> On Wednesday 13 September 2006 14:36, James wrote:
> > The more minimized the global flags are, the more secure the server.
>
> Was I the only one who wasn't quite convinced by that statement?
>

No... I think it is a little "rush" to state something like that...

-- 
Daniel da Veiga
Computer Operator - RS - Brazil
-----BEGIN GEEK CODE BLOCK-----
Version: 3.1
GCM/IT/P/O d-? s:- a? C++$ UBLA++ P+ L++ E--- W+++$ N o+ K- w O M- V-
PS PE Y PGP- t+ 5 X+++ R+* tv b+ DI+++ D+ G+ e h+ r+ y++
------END GEEK CODE BLOCK------


* [gentoo-user] Re: Simplified apache2
  2006-09-13 19:13         ` Daniel da Veiga
@ 2006-09-13 21:11           ` Harm Geerts
  0 siblings, 0 replies; 13+ messages in thread
From: Harm Geerts @ 2006-09-13 21:11 UTC
  To: gentoo-user

On Wednesday 13 September 2006 21:13, Daniel da Veiga wrote:
> On 9/13/06, Bo Ørsted Andresen <bo.andresen@zlin.dk> wrote:
> > On Wednesday 13 September 2006 14:36, James wrote:
> > > The more minimized the global flags are, the more secure the server.
> >
> > Was I the only one who wasn't quite convinced by that statement?
>
> No... I think it is a little "rush" to state something like that...

There is a little truth in it.
If you decrease the amount of packages installed, you also decrease the amount 
of packages installed that contain a security hole.


* [gentoo-user]  Re: Simplified apache2
  2006-09-13 18:17   ` [gentoo-user] " Brian Davis
@ 2006-09-14  2:41     ` James
  0 siblings, 0 replies; 13+ messages in thread
From: James @ 2006-09-14  2:41 UTC
  To: gentoo-user

Brian Davis <bridavis <at> comcast.net> writes:


> Can one convert a non-hardened machine to use the hardened profile, or 
> do you have to start from scratch?


Hello Brian,

The short answer is YES. The correct answer is you have to 
read quite a lot (I'm in the middle of that) and decide
which 'path/technology' you want to follow. Here are the docs
you should start looking at:

http://www.gentoo.org/proj/en/hardened/primer.xml
http://www.gentoo.org/proj/en/hardened/

I chose 'SELinux' as the path to follow; for me
that makes most sense. Since the NSA was the prime
motivator, it's an easy path to convince my clients
to follow. Although SELinux is not a complete
solution, other complementary software combined with 
SELinux does provide for a complete (security) solution,
almost..... 


http://www.gentoo.org/proj/en/hardened/selinux/
http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml
http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml?part=2

hth,
James

* Re: [gentoo-user]  Re: Simplified apache2
@ 2006-09-14  2:51 bridavis
  0 siblings, 0 replies; 13+ messages in thread
From: bridavis @ 2006-09-14  2:51 UTC
  To: gentoo-user


Thanks James!

* Re: [gentoo-user]  Re: Simplified apache2
  2006-09-13 13:20       ` Rumen Yotov
@ 2006-09-14 17:05         ` Brian Davis
  2006-09-14 21:49           ` Brian Davis
  0 siblings, 1 reply; 13+ messages in thread
From: Brian Davis @ 2006-09-14 17:05 UTC
  To: gentoo-user



Rumen Yotov wrote:
> Hi,
> On Wed, 13 Sep 2006 12:36:45 +0000 (UTC)
> James <wireless@tampabay.rr.com> wrote:
>   
>> Ryan Tandy <tarpman <at> gmail.com> writes:
>>
>>
>>     
>>> Michael Crute wrote:
>>>       
>>>> USE="-* hardened pic ncurses ssl crypt berkdb tcpd pam perl
>>>> python readline"
>>>>         
> You could omit "pic" here IIRC (on a hardened profile) "hardened"
> includes -fpic -fpie CFLAGS, plus SSP in GCC-4.1.1 (a default).
> If using a vanilla (desktop & server) profile you'll need 'pie' as well.
> Maybe (if not using a hardened profile) you'll also need some LDFLAGS.
>   
I have a question on this, why would a package have to use a pic USE 
flag if all that was needed was to compile with -fpic?


* Re: [gentoo-user]  Re: Simplified apache2
  2006-09-14 17:05         ` Brian Davis
@ 2006-09-14 21:49           ` Brian Davis
  0 siblings, 0 replies; 13+ messages in thread
From: Brian Davis @ 2006-09-14 21:49 UTC
  To: Brian Davis; +Cc: gentoo-user

I think I've answered my own question:

On my system, gzip is the only package that contains the pic USE flag. 
Looking at the ebuild, the pic USE flag is used to tell the system not 
to use the assembler code optimizations.

Presumably, assembler code can't be relocated.

Thanks,
Brian

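Brian's reading of the gzip ebuild (the pic flag switches off hand-written assembler that cannot be built position-independent) and Rumen's note that a non-hardened profile needs 'pie' as well both come down to properties you can read off the finished binary. The script below is an added example, not code from this thread, from Gentoo or from pax-utils: it parses an ELF object's program headers, walks the PT_DYNAMIC segment and reports DT_TEXTREL / DF_TEXTREL (text relocations are what non-PIC code inside a shared object or PIE produces, and what a PaX kernel refuses to honour), and reports ET_EXEC versus ET_DYN. The function names (has_textrel, dynamic_entries, elf_type, build_elf64) are mine; the numeric constants are the standard ELF values. build_elf64 constructs a minimal, non-loadable ELF blob purely so the checks can be exercised offline; the sample objects it produces are constructed, not real libraries.

```python
"""Report text relocations and PIE-ness of an ELF object.

Added example for this thread, not Gentoo or pax-utils code.  A shared object
or PIE built without -fPIC/-fpie (typically from hand-written assembler) needs
the dynamic linker to patch its code pages at load time; the linker records
that as DT_TEXTREL or DF_TEXTREL in the dynamic section, and a PaX kernel will
refuse to make those pages writable+executable.  The ELF program headers are
parsed directly, so no readelf/scanelf is needed.
"""
import struct
import sys

PT_DYNAMIC = 2
DT_NULL = 0
DT_TEXTREL = 16
DT_FLAGS = 30
DF_TEXTREL = 0x4
ET_EXEC, ET_DYN = 2, 3


def _layout(data):
    """Decode the ELF header: (class, phoff, phentsize, phnum, phdr_fmt, dyn_fmt).

    Only the fields needed to locate PT_DYNAMIC are read; both ELF classes
    and both byte orders are handled.
    """
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    cls, end = data[4], {1: "<", 2: ">"}[data[5]]
    if cls == 2:  # ELFCLASS64: e_phoff at 32, e_phentsize/e_phnum at 54
        (phoff,) = struct.unpack_from(end + "Q", data, 32)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 54)
        # Elf64_Phdr: p_type p_flags p_offset p_vaddr p_paddr p_filesz p_memsz p_align
        return cls, phoff, phentsize, phnum, end + "IIQQQQQQ", end + "qQ"
    if cls == 1:  # ELFCLASS32: e_phoff at 28, e_phentsize/e_phnum at 42
        (phoff,) = struct.unpack_from(end + "I", data, 28)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 42)
        # Elf32_Phdr: p_type p_offset p_vaddr p_paddr p_filesz p_memsz p_flags p_align
        return cls, phoff, phentsize, phnum, end + "IIIIIIII", end + "iI"
    raise ValueError("unknown ELF class %d" % cls)


def elf_type(data):
    """e_type of the object: ET_EXEC (fixed address) or ET_DYN (PIE / shared object)."""
    end = {1: "<", 2: ">"}[data[5]]
    (e_type,) = struct.unpack_from(end + "H", data, 16)
    return e_type


def dynamic_entries(data):
    """Yield (d_tag, d_val) pairs from the PT_DYNAMIC segment up to DT_NULL."""
    cls, phoff, phentsize, phnum, phdr_fmt, dyn_fmt = _layout(data)
    off_idx, size_idx = (2, 5) if cls == 2 else (1, 4)  # field order differs per class
    entry_size = struct.calcsize(dyn_fmt)
    for i in range(phnum):
        ph = struct.unpack_from(phdr_fmt, data, phoff + i * phentsize)
        if ph[0] != PT_DYNAMIC:
            continue
        pos, stop = ph[off_idx], ph[off_idx] + ph[size_idx]
        while pos + entry_size <= stop:
            tag, val = struct.unpack_from(dyn_fmt, data, pos)
            if tag == DT_NULL:
                return
            yield tag, val
            pos += entry_size


def has_textrel(data):
    """True if the object needs text relocations (non-PIC code in a PIC object)."""
    return any(tag == DT_TEXTREL or (tag == DT_FLAGS and val & DF_TEXTREL)
               for tag, val in dynamic_entries(data))


def build_elf64(dyn):
    """Constructed sample: a minimal little-endian ET_DYN ELF64 whose only
    segment is a PT_DYNAMIC holding the given (tag, value) entries.  It is not
    loadable; it exists so the checks above can run without a real library."""
    entries = list(dyn) + [(DT_NULL, 0)]
    dyn_blob = b"".join(struct.pack("<qQ", t, v) for t, v in entries)
    ehsize, phentsize = 64, 56
    dyn_off = ehsize + phentsize
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # class64, LSB, version 1
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", ET_DYN, 62, 1, 0, ehsize, 0, 0,
                               ehsize, phentsize, 1, 64, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, dyn_off, dyn_off, dyn_off,
                       len(dyn_blob), len(dyn_blob), 8)
    return ehdr + phdr + dyn_blob


if __name__ == "__main__":
    # Usage: python3 textrel.py /path/to/lib.so [...]
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            blob = f.read()
        kind = "ET_DYN" if elf_type(blob) == ET_DYN else "ET_EXEC/other"
        print("%s: %s TEXTREL=%s" % (path, kind, has_textrel(blob)))
```

Point it at the libraries a package installs and TEXTREL=True is the sign that the package still contains code built without -fPIC, which is exactly the case the gzip ebuild's pic flag avoids by dropping its assembler; an ET_EXEC main program on a non-hardened profile is likewise the sign that 'pie' was not in effect.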

Thread overview: 13+ messages
2006-09-14  2:51 [gentoo-user] Re: Simplified apache2 bridavis
  -- strict thread matches above, loose matches on Subject: below --
2006-09-12 13:40 [gentoo-user] " James
2006-09-12 15:08 ` Michael Crute
2006-09-12 15:36   ` [gentoo-user] " James
2006-09-12 23:27   ` [gentoo-user] " Ryan Tandy
2006-09-13 12:36     ` [gentoo-user] " James
2006-09-13 13:20       ` Rumen Yotov
2006-09-14 17:05         ` Brian Davis
2006-09-14 21:49           ` Brian Davis
2006-09-13 13:50       ` Michael Crute
2006-09-13 17:01       ` Bo Ørsted Andresen
2006-09-13 17:52         ` Stefan G. Weichinger
2006-09-13 18:08         ` Neil Bothwick
2006-09-13 19:13         ` Daniel da Veiga
2006-09-13 21:11           ` Harm Geerts
2006-09-13 18:17   ` [gentoo-user] " Brian Davis
2006-09-14  2:41     ` [gentoo-user] " James
