Re: [gentoo-user] How to harden a system

2017-12-25 Thread Stroller
> On 25 Dec 2017, at 15:33, Frank Steinmetzger wrote: > > On Mon, Dec 25, 2017 at 12:56:44AM -0600, R0b0t1 wrote: >> On Mon, Dec 25, 2017 at 12:55 AM, R0b0t1 wrote: >>> On Sun, Dec 24, 2017 at 1:44 PM, taii...@gmx.com wrote: It is truly

Re: [gentoo-user] How to harden a system

2017-12-25 Thread Frank Steinmetzger
On Mon, Dec 25, 2017 at 12:56:44AM -0600, R0b0t1 wrote: > On Mon, Dec 25, 2017 at 12:55 AM, R0b0t1 wrote: > > On Sun, Dec 24, 2017 at 1:44 PM, taii...@gmx.com wrote: > >> It is truly disturbing to think that someone with an ME exploit could hack > >> 80% of the

Re: [gentoo-user] How to harden a system

2017-12-25 Thread Michael Orlitzky
On 12/23/2017 10:20 PM, Adam Carter wrote: > > So I'm wondering how much difference there is between hardened and > non-hardened profiles these days. > The hardened profiles ensure that PaX works by setting PAX_MARKINGS="XT" and by making sure that you don't disable xattr support in, say,

Re: [gentoo-user] How to harden a system

2017-12-24 Thread taii...@gmx.com
I would also consider purchasing a system with libre firmware and without ME/PSP such as: POWER 9: TALOS 2 (server/workstation, brand new and very high performance - the only brand new hardware that is legitimately libre) x86-64: (older, pre-PSP AMD - the best CPUs for C32/G34 are

Re: [gentoo-user] How to harden a system

2017-12-24 Thread Grant Taylor
On 12/24/2017 02:43 AM, Adam Carter wrote: Oh I just noticed that vtv is now default enabled for gcc, so you could try; CXXFLAGS="${CFLAGS} -fvtable-verify=std" I tried this on earlier gccs, and there was a fair bit of breakage so I didn't pursue it. Maybe I'll re-try with 7.2 to see how

Re: [gentoo-user] How to harden a system

2017-12-24 Thread Adam Carter
> > Lastly, this in /etc/sysctl.conf. SYN cookies is a kernel option. The fin > timeout cut was to clear out tens of thousands of TIME_WAIT sessions. > net.ipv4.tcp_fin_timeout = 20 > net.ipv4.tcp_syncookies = 1 > Oh I just noticed that vtv is now default enabled for gcc, so you could try;
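The two sysctl keys quoted in the message above are the kind of setting that drifts over time: a later line in /etc/sysctl.conf overrides an earlier one, and the file may not match what the running kernel actually has. The following POSIX sh script is an added example and is not code from the thread or from Gentoo. It audits a sysctl.conf-style file against a small baseline. The first two baseline entries are the values from the post; the remaining keys and their values are assumptions chosen to illustrate a typical hardening set, and the sample file it audits is constructed here.

```sh
#!/bin/sh
# Added example, not code from the thread: audit a sysctl.conf-style file
# against a small hardening baseline. tcp_syncookies=1 and
# tcp_fin_timeout=20 are the values quoted in the post; the other
# baseline entries are the editor's assumptions, and the sample file
# written by make_sample_conf is constructed for this demonstration.

# Baseline as "key value" lines. Hypothetical values; tune per host.
BASELINE='net.ipv4.tcp_syncookies 1
net.ipv4.tcp_fin_timeout 20
net.ipv4.conf.all.rp_filter 1
net.ipv4.conf.all.accept_redirects 0
net.ipv4.conf.all.send_redirects 0
net.ipv4.icmp_echo_ignore_broadcasts 1
kernel.kptr_restrict 2
kernel.dmesg_restrict 1'

# conf_value FILE KEY
# Print the value FILE assigns to KEY (the last assignment wins, which
# is how "sysctl -p" applies the file), or nothing if KEY is never set.
# Accepts "a.b.c = 1" and "a/b/c=1" spellings and a leading "-" (the
# sysctl "ignore errors" marker).
conf_value() {
    awk -v want="$2" '
        /^[ \t]*[#;]/ { next }            # comment line
        /^[ \t]*$/    { next }            # blank line
        {
            n = index($0, "=")
            if (n == 0) next
            key = substr($0, 1, n - 1)
            val = substr($0, n + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            sub(/^-/, "", key)
            gsub(/\//, ".", key)
            if (key == want) { last = val; found = 1 }
        }
        END { if (found) print last }
    ' "$1"
}

# live_value KEY
# Print the running kernel's value from /proc/sys, or nothing if the
# key is absent or unreadable (for example inside a container).
live_value() {
    path="/proc/sys/$(printf '%s' "$1" | tr . /)"
    if [ -r "$path" ]; then
        cat "$path"
    fi
}

# audit_sysctl_conf FILE
# Print one line per baseline key that FILE leaves unset (MISSING) or
# sets to a different value (MISMATCH). Prints nothing when FILE
# satisfies the whole baseline.
audit_sysctl_conf() {
    printf '%s\n' "$BASELINE" | while read -r key want; do
        have=$(conf_value "$1" "$key")
        if [ -z "$have" ]; then
            printf 'MISSING %s (want %s)\n' "$key" "$want"
        elif [ "$have" != "$want" ]; then
            printf 'MISMATCH %s (want %s, have %s)\n' "$key" "$want" "$have"
        fi
    done
}

# make_sample_conf
# Write a constructed sysctl.conf to a temp file and print its path.
# It repeats one key (so the last assignment must win), uses the slash
# spelling once, and deliberately omits several baseline keys.
make_sample_conf() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
# constructed sample, not anyone's real /etc/sysctl.conf
net.ipv4.tcp_fin_timeout = 20
net.ipv4.tcp_syncookies = 1
net/ipv4/conf/all/rp_filter = 1
net.ipv4.conf.all.send_redirects=0
kernel.kptr_restrict = 2
kernel.kptr_restrict = 1
EOF
    printf '%s\n' "$f"
}

# Stand-alone run: audit the constructed sample, then show the running
# kernel's SYN-cookie setting where /proc/sys is readable.
f=$(make_sample_conf)
audit_sysctl_conf "$f"
rm -f "$f"
live=$(live_value net.ipv4.tcp_syncookies)
if [ -n "$live" ]; then
    printf 'running net.ipv4.tcp_syncookies=%s\n' "$live"
fi
```

Run as `sh audit-sysctl.sh` (any name works) to see four findings against the constructed sample: two keys never set, one duplicated key whose later value `1` overrides the earlier `2`, and one more missing key; the two settings from the post pass. On a real host, point `audit_sysctl_conf` at `/etc/sysctl.conf` or the files under `/etc/sysctl.d/`, and compare each finding with `live_value` to tell a file that was never applied from a kernel that simply lacks the key.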

Re: [gentoo-user] How to harden a system

2017-12-23 Thread Adam Carter
On Sun, Dec 24, 2017 at 1:09 AM, Peter Humphrey wrote: > Hello list, > > Now that grsecurity is off-limits, I'm left wondering how to go about > hardening a no-multilib box that will be exposed to the Big Bad World. > > To start with, it's not obvious which profile to use:

Re: [gentoo-user] How to harden a system

2017-12-23 Thread Peter Humphrey
On Saturday, 23 December 2017 17:46:20 GMT Michael Orlitzky wrote: > On 12/23/2017 09:09 AM, Peter Humphrey wrote: > > Hello list, > > > > Now that grsecurity is off-limits, I'm left wondering how to go about > > hardening a no-multilib box that will be exposed to the Big Bad World. > > You can

Re: [gentoo-user] How to harden a system

2017-12-23 Thread Michael Orlitzky
On 12/23/2017 09:09 AM, Peter Humphrey wrote: > Hello list, > > Now that grsecurity is off-limits, I'm left wondering how to go about > hardening a no-multilib box that will be exposed to the Big Bad World. You can still use grsec/pax if you're willing to stick with an older (LTS) kernel:

[gentoo-user] How to harden a system

2017-12-23 Thread Peter Humphrey
Hello list, Now that grsecurity is off-limits, I'm left wondering how to go about hardening a no-multilib box that will be exposed to the Big Bad World. To start with, it's not obvious which profile to use: $ eselect profile list | grep no-multi | grep hardened [23]