From: Tanstaafl <tanstaafl@libertytrek.org>
To: gentoo-user@lists.gentoo.org
Date: Sat, 10 Dec 2011 15:14:35 -0500
Subject: Re: [gentoo-user] New Server, considering hardened, need pointers to tfm...
Message-ID: <4EE3BDAB.6010907@libertytrek.org>
In-Reply-To: <CAGF8hsvALpjpqAWaUxXLwffdFMrOBo7wE3XG-9X7s1fVwDdwaA@mail.gmail.com>
References: <4EE39AB6.3090108@libertytrek.org> <CAGF8hsvALpjpqAWaUxXLwffdFMrOBo7wE3XG-9X7s1fVwDdwaA@mail.gmail.com>

On 2011-12-10 3:07 PM, Matthew Finkel <matthew.finkel@gmail.com> wrote:
>
> You may be able to get a better response from the -hardened list,

Dang, I had forgotten Gentoo has a bunch of other lists... thanks, just subscribed...

> but I built a hardened server a few months ago without much
> difficulty. As far as I know, the correct model to use depends on
> what you want to do with the server/what security you are looking to
> implement. When I went hardened, I used PaX and grsec [1] because it
> offered the security I was looking for but didn't restrict userland
> usability on a server on which I was the only user. My understanding
> is that this restriction would be a consequence of using SELinux.

Yeah, I was leaning toward avoiding SELinux already from what I've been reading, thanks...

> [1] http://www.gentoo.org/proj/en/hardened/grsecurity.xml
>
> As for a solid comparison of the different models and tutorials for
> them, I don't know of any. I just used [1] as well as the PaX page to
> install and configure them and I didn't run into any problems.

Good to know, and thanks again...