Re: [gentoo-hardened] can i help with anything?

2011-05-09 Thread Francisco Blas Izquierdo Riera (klondike)
On 13/04/11 12:34, Anthony G. Basile wrote: On 04/13/2011 01:54 AM, peter harmsen wrote: Hello, Hi, I'm sorry for taking so long to answer. I have installed gentoo with hardened profile and toolset. I'm willing to help with testing or whatever non dev related stuff. kind regards, peter

Re: [gentoo-hardened] Hardened stage3 tarballs

2011-06-07 Thread Francisco Blas Izquierdo Riera (klondike)
On 07/06/11 17:08, Michael Orlitzky wrote: On 06/06/11 17:05, Matthew Thode wrote: On Mon, 06 Jun 2011 16:38:06 -0400 Michael Orlitzky mich...@orlitzky.com wrote: On 06/06/2011 03:54 PM, Sven Vermeulen wrote: The last one now is of 20110602, which is fairly recent. The autobuilds are

Re: [gentoo-hardened] SELinux policy for nginx, or include in apache?

2011-06-15 Thread Francisco Blas Izquierdo Riera (klondike)
On 15/06/11 19:45, Sven Vermeulen wrote: Or do we see if we can deviate from upstream here and start our own path (in my opinion, we can't as long as we do not have a critical developer mass - in numbers, not in kilogram). Hey, I'm not that fat :P

Re: [gentoo-hardened]

2011-08-05 Thread Francisco Blas Izquierdo Riera (klondike)
On 05/08/11 14:37, Javier Juan Martínez Cabezón wrote: Don't click on the link, it's a fucking spammer and maybe he could be trying to exploit browser vulnerabilities to get remote access. Please ban the mail sender IP, it's the second time he did this.. Not the same IP but the same From: I'm

Re: [gentoo-hardened]

2011-08-05 Thread Francisco Blas Izquierdo Riera (klondike)
On 05/08/11 16:35, Javier Juan Martínez Cabezón wrote: Maybe they are looking for a headline like this: gentoo hardened freaks owned by L00$3R :-) Indeed the account belonged to someone doing a contribution in 2004, that's what worries me the most, there must be many phantom users in here since

Re: [gentoo-hardened] Bringing back RSBAC sources

2011-09-04 Thread Francisco Blas Izquierdo Riera (klondike)
On 05/09/11 01:07, Anthony G. Basile wrote: I tested but hit a compile time error, but I didn't test very hard. If you're interested in RSBAC, please test and we'll start to bug report and send patches upstream to help them out. blueness didn't state it but I will, RSBAC docs may be also

Re: [gentoo-hardened] Newbee alarm....

2011-11-02 Thread Francisco Blas Izquierdo Riera (klondike)
Hi Nico, First of all don't get me wrong, read this assuming I have a big smile on my face: I also have been a newbie and above all, it's not every day you find somebody wanting to give a hand on the project. First regarding your e-mails, strange as it may seem it would be more helpful if you could

Re: [gentoo-hardened] Grsec X11 Rbac Selinux Priviledged/Raw I/O Mprotect Firefox

2011-11-08 Thread Francisco Blas Izquierdo Riera (klondike)
On 07/11/11 18:45, Javier Juan Martínez Cabezón wrote: At least now (AFAIK) with KMS ioperm/iopl is not required, only proprietary drivers need them (and having them running is per se a security bug). I think this doesn't hold for radeon based on my empirical experience, should try again

Re: [gentoo-hardened] udev-171-r2 and 3.0.9-hardened

2011-11-17 Thread Francisco Blas Izquierdo Riera (klondike)
On 18/11/11 03:18, Stan Sander wrote: I did a sync and a world update earlier today and among the updates was the 3.0.9 hardened sources. I built the new kernel with the same settings as the previous one (3.0.8-hardened), using make oldconfig, however when I try to boot the 3.0.9 kernel

Re: [gentoo-hardened] udev-171-r2 and 3.0.9-hardened

2011-11-17 Thread Francisco Blas Izquierdo Riera (klondike)
On 18/11/11 05:02, Stan Sander wrote: I actually have the grsecurity turned off in the kernel right now, though PaX is enabled. I'm still trying to transition to running SELinux, then I'll turn on the grsecurity stuff. I have gradm because I intend to eventually use it and I re-emerged it

Re: [gentoo-hardened] Gentoo reintroduction of rsbac-sources

2012-01-07 Thread Francisco Blas Izquierdo Riera (klondike)
On 07/01/12 22:08, Anthony G. Basile wrote: Hi everyone, A long time ago, Gentoo used to provide RSBAC sources. For those of you unfamiliar with RSBAC = rule set based access control, it provides hardening similar to grsec. See their web page at: https://www.rsbac.org These

Re: [gentoo-hardened] Interesting: CVE-2012-0056

2012-01-24 Thread Francisco Blas Izquierdo Riera (klondike)
On 24/01/12 12:52, Kevin Chadwick wrote: On Tue, 24 Jan 2012 09:33:36 +0100 Tóth Attila wrote: My only concern against bruteforce protection is the possibility of a DoS. But it's always better to get DoSed than to get bruteforced... Is ptrace disabled on hardened gentoo too? No, but it

Re: [gentoo-hardened] Security Level: high/server/workstation/virtualization

2012-01-27 Thread Francisco Blas Izquierdo Riera (klondike)
On 27/01/12 22:20, Alex Efros wrote: Hi! On Fri, Jan 27, 2012 at 03:14:12PM -0600, Matthew Thode wrote: You should be using the virt profile. Why? As far as I understand, virt profile is for guest OS, not host OS. Virt profile is for both of them, that's why it is called virt. Anyway and

Re: [gentoo-hardened] gcc 4.5.3 doesn't build on x86 hardened profile

2012-02-06 Thread Francisco Blas Izquierdo Riera (klondike)
On 06/02/12 08:59, Joseph C. Lininger wrote: /var/tmp/portage/sys-devel/gcc-4.5.3-r1/work/gcc-4.5.3/gcc/config/i386/i386.md: In function 'internal_dfa_insn_code': /var/tmp/portage/sys-devel/gcc-4.5.3-r1/work/gcc-4.5.3/gcc/config/i386/i386.md:360:1: internal compiler error: Bus error Hi,

[gentoo-hardened] Please make our new dev lejonet suffer.

2012-02-21 Thread Francisco Blas Izquierdo Riera (klondike)
Hi guys, I suppose some of you may know but a new developer has joined our ranks. His name is Daniel though all of you that usually roam the #gentoo-hardened channel may know him as lejonet. I'd appreciate if you guys give him a warm welcome, you know filling his address with bugs with requests

Re: [gentoo-hardened] RFC: Removing -unicode from all hardened profiles

2012-04-21 Thread Francisco Blas Izquierdo Riera (klondike)
On 21/04/12 16:55, Vinícius Ferrão wrote: Anthony, All my hardened boxes have Unicode enabled by hand. Everything is fine. I can't understand why it is disabled too. Same here blueness, for me it can go and nobody will notice :D

[gentoo-hardened] Gentoo Hardened Meeting 2012-05-16 20:00UTC

2012-05-13 Thread Francisco Blas Izquierdo Riera (klondike)
floor Also, attached to the e-mail you will find an event invitation, should you want to add the meeting time to your calendar so you don't forget about it. We look forward to seeing you in the meeting. Best regards, Francisco Blas Izquierdo Riera (klondike) Gentoo Hardened Project Staffer

Re: [gentoo-hardened] hardened profile for desktops?

2012-06-10 Thread Francisco Blas Izquierdo Riera (klondike)
On 08/06/12 09:44, Grant wrote: I started a discussion on gentoo-user about the fact that the hardened profile appears to only be for servers and not desktops. I thought I'd check with you guys on this. Is that the case? I have been using Gentoo on Desktop systems for some time, mainly

Re: [gentoo-hardened] ipv6 on by default for hardened profile

2012-06-26 Thread Francisco Blas Izquierdo Riera (klondike)
On 26/06/12 07:43, Michael Orlitzky wrote: It's easy enough to set USE=-ipv6 manually of course, but the same argument works for USE=ipv6. So, I think the default should be what most people want; i.e. what the fewest people will have to override. Do most hardened machines use ipv6? These

Re: [gentoo-hardened] ipv6 on by default for hardened profile

2012-06-26 Thread Francisco Blas Izquierdo Riera (klondike)
On 26/06/12 08:26, Jonny Kent wrote: On Jun 25, 2012, at 10:43 PM, Michael Orlitzky mich...@orlitzky.com wrote: On 06/25/12 23:03, Alex Efros wrote: Correct me if I'm wrong, but enabling IPv6 means needing to support two different routing tables and two different firewalls. Also, I

Re: [gentoo-hardened] ipv6 on by default for hardened profile

2012-06-26 Thread Francisco Blas Izquierdo Riera (klondike)
On 26/06/12 09:38, Darknight wrote: Enable ipv6 use flag and disable ipv6 in /etc/sysctl.conf? - no scary (j/k) ipv6 enabled by default - ipv6 enabled in a matter of seconds without need for an internet connection The news item and a word about the sysctl thing in the docs would be good.

Re: [gentoo-hardened] ipv6 on by default for hardened profile

2012-06-27 Thread Francisco Blas Izquierdo Riera (klondike)
On 27/06/12 09:19, Alex Efros wrote: Safe, but not working. Do you enable the ipv6 USE flag just to force people to either disable unintentionally enabled IPv6 in the kernel and/or add this ip6tables configuration? No, we do it because otherwise the stage3 is unusable on ipv6 only environments and

Re: [gentoo-hardened] Re: Required Priorities (Security) = slow server

2012-08-17 Thread Francisco Blas Izquierdo Riera (klondike)
On 17/08/12 19:06, Grant wrote: Interesting, I would have thought Gentoo would keep hardened-sources in sync with upstream's recommendation/support. There are a few reasons for that not being the case but of them I'd go for the fact that in order to get stabilized a package must have been on

Re: [gentoo-hardened] Meeting 2012-08-22 20:00UTC

2012-08-20 Thread Francisco Blas Izquierdo Riera (klondike)
[iCalendar attachment: Gentoo Hardened Meeting, status confirmed, organizer Francisco Blas Izquierdo Riera (klondike) <klond...@gentoo.org>]

Re: [gentoo-hardened] Meeting 2012-08-22 20:00UTC

2012-08-22 Thread Francisco Blas Izquierdo Riera (klondike)
On 22/08/12 20:19, Sven Vermeulen wrote: On Tue, Aug 21, 2012 at 03:06:38AM +0200, Francisco Blas Izquierdo Riera (klondike) wrote: Hi Time for meeting. Agenda 1.0 Project leads 2.0 Toolchain 3.0 Kernel 4.0 Selinux 5.0 Grsec/PaX 6.0 Profile 7.0 System integrity 8.0 Doc 9.0 Media

[gentoo-hardened] What should we talk about at FOSDEM?

2012-11-14 Thread Francisco Blas Izquierdo Riera (klondike)
Hi folks! As you may know last year we gave a talk at FOSDEM about the security features of our project, which you can check at http://video.fosdem.org/2012/crossdistro/Introduction_to_hardening,_the_Gentoo_Hardened_approach.webm In general FOSDEM requires us to speak about development related

Re: [gentoo-hardened] hardened-sources shrinks Processor Family list

2012-12-21 Thread Francisco Blas Izquierdo Riera (klondike)
On 21/12/12 22:05, Grant wrote: It turns out the extra choices are due to this patch: https://github.com/init6/init_6/blob/master/sys-kernel/geek-sources/files/3.7.1/fix/kernel-37-gcc47-1.patch I'm sorry to have bothered the hardened list with this. - Grant Actually looks like a quite

Re: [gentoo-hardened] Clarification on Cleaning up the hardened profiles

2013-01-28 Thread Francisco Blas Izquierdo Riera (klondike)
On 28/01/13 22:59, Tóth Attila wrote: hardened/linux/amd64/x32/ ? http://lwn.net/Articles/500482/ says gcc-4.7 is a requirement. Anybody using hardened x32? How mature is it? Does it cope well with PaX? Just don't, IIRC 4.7.1 is still not supported.

Re: [gentoo-hardened] First step to move Gentoo hardened project to wiki: accounts!

2013-08-23 Thread Francisco Blas Izquierdo Riera (klondike)
On 23/08/13 22:05, Matthew Thode wrote: On 08/23/2013 12:57 PM, Sven Vermeulen wrote: Hi guys The Gentoo Wiki is almost ready to host project pages. All documents on our location are ready (converted in my home space into wiki format) and should be easy to transfer within a few hours to

Re: [gentoo-hardened] Re: Meeting 2013-08-29 20:00UTC

2013-08-28 Thread Francisco Blas Izquierdo Riera (klondike)
On 28/08/13 20:44, klondike wrote: For those of you who prefer google calendar stuff: https://www.google.com/calendar/event?action=TEMPLATEtmeid=NTdjaHZoZTc3NWJ2dnBmNmY2aDg5MmY3cjAgZnJhbnhpc2NvMTk4OEBttmsrc=franxisco1988%40gmail.com Attached is also a standard ical invitation. Idiot me set

Re: [gentoo-hardened] The state of grsecurity in gentoo

2015-09-02 Thread Francisco Blas Izquierdo Riera (klondike)
On 02/09/15 at 18:13, Anthony G. Basile wrote: > Hi everyone, > > So by now most people have heard the news that the Grsecurity/PaX team > are no longer going to be making their stable patches available. The > reason is that they are in dispute with a certain embedded systems > vendor and

Re: [gentoo-hardened] hardened sources 4.1.7 vs 4.3.3

2016-02-20 Thread Francisco Blas Izquierdo Riera (klondike)
On 19/02/16 at 21:30, Alexander Tsoy wrote: > On Fri, 19 Feb 2016 21:19:37 +0100 > Gandalf wrote: > >> Doing an update on my server today marked an update of the >> hardened-sources. However, it was labelled 4.1.7 vs my installed version >> 4.3.3. What is up? Is it

[gentoo-hardened] Fwd: [gentoo-dev] News item for sys-kernel/hardened-sources removal

2017-08-15 Thread Francisco Blas Izquierdo Riera (klondike)
For those of you wondering about the future of hardened-sources. They will be removed in a bit more than a month. Input regarding the news item is more than welcome. Title: sys-kernel/hardened-sources removal Author: Francisco Blas Izquierdo Riera (klondike) <klond...@gentoo.org> Posted: 2

[gentoo-hardened] Re: [gentoo-dev] New item for sys-kernel/hardened-sources removal

2017-08-15 Thread Francisco Blas Izquierdo Riera (klondike)
On 15/08/17 at 17:01, Francisco Blas Izquierdo Riera (klondike) wrote: > Hi! > > I'd like to get this one up by Saturday so that we can proceed with > masking and removing of the hardened-sources after upstream stopped > releasing new patches. > > This is my first time

[gentoo-hardened] Re: [gentoo-dev] New item for sys-kernel/hardened-sources removal

2017-08-16 Thread Francisco Blas Izquierdo Riera (klondike)
On 16/08/17 at 09:40, Marek Szuba wrote: > Two tiny bits of formal nitpicking from my side: > - it's "grsecurity" (not a typo, they do use a lowercase g except when > the name appears at the beginning of a sentence), not "grsec"; > - the patches were not *distributed by* grsecurity, they

Re: [gentoo-hardened] Re: [gentoo-dev] New item for sys-kernel/hardened-sources removal

2017-08-16 Thread Francisco Blas Izquierdo Riera (klondike)
On 16/08/17 at 15:36, Robert Sharp wrote: > On 16/08/17 11:09, Francisco Blas Izquierdo Riera (klondike) wrote: >> On 16/08/17 at 09:40, Marek Szuba wrote: >>> Two tiny bits of formal nitpicking from my side: >>> - it's "grsecurity" (not a typo,

[gentoo-hardened] About sys-kernel/hardened-sources removal

2017-08-19 Thread Francisco Blas Izquierdo Riera (klondike)
to gentoo-hardened which is the project's mailing list. On 18/08/17 at 02:59, R0b0t1 wrote: > On Tue, Aug 15, 2017 at 3:03 PM, Francisco Blas Izquierdo Riera > (klondike) <klond...@gentoo.org> wrote: >> On 15/08/17 at 17:50, R0b0t1 wrote: >>> Where was this d

Re: [gentoo-hardened] stack-clash implications

2017-06-20 Thread Francisco Blas Izquierdo Riera (klondike)
On 21/06/17 at 01:02, "Tóth Attila" wrote: > https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt > The advisory suggests: > 1. Increase the size of the stack guard-page to at least 1MB > - I skip this point > 2. Recompile all userland code with GCC's "-fstack-check" option > - I

[gentoo-hardened] Gentoo Hardened and Stack Clash

2017-06-21 Thread Francisco Blas Izquierdo Riera (klondike)
Executive summary: With Gentoo Hardened no ebuilds compiled with a hardened toolchain with version 4.8 or higher should be affected by this issue as -fstack-check=specific is enabled by default. The only known exceptions are media-video/vlc and (on HPPA) dev-lang/tcl which disable this feature.
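What the two Stack Clash messages above turn on, as an added toy model that is not code from the list or from Gentoo: a stack frame larger than the guard region below the stack moves the stack pointer past the guard without ever touching it, so the first real access lands in whatever mapping sits below (that is the clash), whereas the page-by-page probes that GCC emits under -fstack-check touch the guard page first and fault. The address layout, the single guard page (assumed here to stand for the pre-fix Linux default) and the `layout_t`/`classify` helpers are assumptions made for the model; the real probes are emitted in the function prologue and the first real access of an unprobed frame is not necessarily at the new stack pointer.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SIZE 4096UL

/* Where an access lands in the toy address space. */
enum region { REGION_STACK, REGION_GUARD, REGION_OTHER };

/* Assumed layout: a mapped stack [stack_bottom, stack_top), a guard region
 * of guard_pages pages directly below it, and some other mapping (heap, a
 * shared library) below that. guard_pages = 1 models a single guard page. */
typedef struct {
    uintptr_t stack_top;     /* exclusive upper bound of the stack mapping */
    uintptr_t stack_bottom;  /* inclusive lower bound of the stack mapping */
    size_t    guard_pages;   /* pages in the guard region below the stack */
} layout_t;

enum region classify(const layout_t *l, uintptr_t addr)
{
    uintptr_t guard_low = l->stack_bottom - l->guard_pages * PAGE_SIZE;
    if (addr >= l->stack_bottom && addr < l->stack_top)
        return REGION_STACK;
    if (addr >= guard_low && addr < l->stack_bottom)
        return REGION_GUARD;   /* access here faults: the clash is caught */
    return REGION_OTHER;       /* access here silently hits another mapping */
}

/* No probing: the prologue subtracts the whole frame from sp in one step
 * and the first access is at the new sp. A frame larger than the guard
 * region jumps straight over it into the mapping below. */
enum region first_touch_unprobed(const layout_t *l, uintptr_t sp, size_t frame)
{
    return classify(l, sp - frame);
}

/* -fstack-check style: before the frame is used, touch one word on every
 * page between the old and the new sp, top down. The first touch that
 * leaves the stack mapping lands in the guard region and faults before any
 * write can reach the mapping below. Returns the first non-stack region
 * hit, or REGION_STACK if the whole frame stays on the stack. */
enum region first_touch_probed(const layout_t *l, uintptr_t sp, size_t frame)
{
    for (size_t off = PAGE_SIZE; off < frame; off += PAGE_SIZE) {
        enum region r = classify(l, sp - off);
        if (r != REGION_STACK)
            return r;
    }
    return classify(l, sp - frame);
}

int main(void)
{
    /* Constructed layout: 256 bytes of stack left, then one guard page. */
    layout_t l = { .stack_top = 0x7ffff000UL, .stack_bottom = 0x7ffe0000UL,
                   .guard_pages = 1 };
    uintptr_t sp = l.stack_bottom + 0x100;
    size_t big = 3 * PAGE_SIZE;          /* e.g. char buf[3 * 4096] */

    printf("unprobed frame: %s\n",
           first_touch_unprobed(&l, sp, big) == REGION_OTHER
               ? "skips the guard page" : "caught");
    printf("probed frame:   %s\n",
           first_touch_probed(&l, sp, big) == REGION_GUARD
               ? "caught by the guard page" : "not caught");
    return 0;
}
```

Raising guard_pages to 256 (the 1 MB guard the advisory asks for) makes the unprobed 12 KiB frame land in the guard too, which is the kernel-side half of the fix; probing is what covers frames larger than any guard.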

Re: [gentoo-hardened] The status of grsecurity upstream and hardened-sources downstream

2017-06-24 Thread Francisco Blas Izquierdo Riera (klondike)
On 23/06/17 at 18:28, Anthony G. Basile wrote: > Hi everyone, > > Since late April, grsecurity upstream has stopped making their patches > available publicly. Without going into details, the reason for their > decision revolves around disputes about how their patches were being > (ab)used. > >