From: Matthew Finkel <matthew.finkel@gmail.com>
To: gentoo-user@lists.gentoo.org
Date: Sat, 10 Dec 2011 15:07:34 -0500
Subject: Re: [gentoo-user] New Server, considering hardened, need pointers to tfm...
Message-ID: <CAGF8hsvALpjpqAWaUxXLwffdFMrOBo7wE3XG-9X7s1fVwDdwaA@mail.gmail.com>
In-Reply-To: <4EE39AB6.3090108@libertytrek.org>

On Sat, Dec 10, 2011 at 12:45 PM, Tanstaafl <tanstaafl@libertytrek.org> wrote:
> Hello all,
>
> I'm considering rolling out a new server with gentoo, but wanted to base
> it on the hardened profile, but the docs I've read so far all seem to be a
> bit vague about all the details.
>
> I've been using gentoo for a while on my hobby server, but I installed it
> about 8 years ago, and chose the 'server' profile, and I must say it has
> been a real pleasure to maintain, and the only real hiccup I ever
> experienced was the mailman update that moved the directories for the lists
> without telling me what to do about it (the fix was simple, and the devs
> swiftly fixed the lack of post-install docs).
>
> Does anyone know of a good How-To that covers *all* of the bases? I.e.,
> which model is best - grsecurity, PaX, SELinux - and how best to implement
> it?
>
> Thanks...

You may be able to get a better response from the -hardened list, but I
built a hardened server a few months ago without much difficulty. As far as
I know, the correct model to use depends on what you want to do with the
server/what security you are looking to implement. When I went hardened, I
used PaX and grsec [1] because it offered the security I was looking for but
didn't restrict userland usability on a server on which I was the only user.
My understanding is that this restriction would be a consequence of using
SELinux.

[1] http://www.gentoo.org/proj/en/hardened/grsecurity.xml

As for a solid comparison of the different models and tutorials for them, I
don't know of any. I just used [1] as well as the PaX page to install and
configure them and I didn't run into any problems.

Hope that helps a bit (and I hopefully didn't describe anything incorrectly).

- Matt