> Cool, puppet is great. Hardened Version? What have you changed?
Not much actually. Most of the work is with the toolchain settings so that
software is built with hardened flags by default.
binutils - grsecurity patch
glibc - libs built PIC/binaries PIE
gcc - patched to build hardened PIE binaries by default/use specs file to build vanilla packages
kernel26-lts - patched with grsecurity to take advantage of PIE/stack-protector-all etc built binaries and grsec hardening features
I've also enabled tests in the PKGBUILDS to run during the build process on
the toolchain packages to make sure there are no compilation or run errors.
Very few packages these days don't work well with hardened flags. The
following I've had to build vanilla because of text relocations:
grub
mailx
libarchive
imap
enchant
Everything else in core and extra compiles and runs fine. Below is my
process list:
* System-wide ASLR: PaX ASLR enabled
* Does the CPU support NX: No (using an older P4 without NX for development)
COMMAND         PID    RELRO        STACK CANARY    PIE
init            1      Full RELRO   Canary found    PIE enabled
udevd           1178   Full RELRO   Canary found    PIE enabled
udevd           1219   Full RELRO   Canary found    PIE enabled
rsyslogd        1300   Full RELRO   Canary found    PIE enabled
dhcpcd          1335   Full RELRO   Canary found    PIE enabled
crond           1352   Full RELRO   Canary found    PIE enabled
sshd            1363   Full RELRO   Canary found    PIE enabled
mysqld_safe     1375   Full RELRO   Canary found    PIE enabled
mysqld          1473   Full RELRO   Canary found    PIE enabled
agetty          1497   Full RELRO   Canary found    PIE enabled
agetty          1498   Full RELRO   Canary found    PIE enabled
agetty          1499   Full RELRO   Canary found    PIE enabled
agetty          1500   Full RELRO   Canary found    PIE enabled
agetty          1501   Full RELRO   Canary found    PIE enabled
agetty          1502   Full RELRO   Canary found    PIE enabled
sshd            1503   Full RELRO   Canary found    PIE enabled
bash            1506   Full RELRO   Canary found    PIE enabled
sftp-server     1527   Full RELRO   Canary found    PIE enabled
httpd           2553   Full RELRO   Canary found    PIE enabled
httpd           2555   Full RELRO   Canary found    PIE enabled
httpd           2556   Full RELRO   Canary found    PIE enabled
sshd            5186   Full RELRO   Canary found    PIE enabled
bash            5190   Full RELRO   Canary found    PIE enabled
puppetmasterd   6150   Full RELRO   Canary found    PIE enabled
puppetd         6177   Full RELRO   Canary found    PIE enabled
udevd           912    Full RELRO   Canary found    PIE enabled
> Hm, the FHS states, that "the opt-directory is intended for the
installation of software other than that packaged with the operating
system". IMHO ruby-enterprise is not packaged by us, right? We are just
calling the installer. Therefore /opt is the correct location IMHO.
Most application packages I would agree. Although I would consider ruby more
a scripting language for the operating system on the order of bash, perl &
python etc.. instead of an outside application like vmware which I always
install in /opt if I have that option.
On Sat, Sep 25, 2010 at 4:25 AM, Markus M. May <[email protected]> wrote:
>
> Am 25.09.2010 um 01:47 schrieb Andre Rhone <[email protected]>:
>
> > Hi Archserver,
>
> Hi Andre,
>
> >
> > I've created PKGBUILDS for puppet and facter (dependency for puppet)
> > that I use for my hardened version of Archserver and I would like to
> > make them available to the project. I'm also working on a puppet
> > provider for pacman (not finished as yet unfortunately)
>
> Cool, puppet is great. Hardened Version? What have you changed?
> >
> > However, I've had to adjust the PKGBUILD installation of
> > ruby-enterprise to /usr instead of /opt/ruby-enterprise to avoid
> > having to:
> >
> > 1. add the path /opt/ruby-enterprise/bin to the shell PATH as
> > instructed by the current archserver ruby-enterprise package
> > post-install.
> >
> > 2. write a script in the puppet.install file to add
> > /opt/ruby-enterprise/bin as a default shell path for the puppet and
> > puppetmaster users.
> >
> > Adjusting the install directory to /usr from /opt will remove a step
> > for the administrator having to edit the default path so ruby is
> > available to other users by default. For puppet, it would allow puppet
> > to start running immediately once installed without editing.
> >
> > Would you consider adjusting the install directory to /usr from
> > /opt/ruby-enterprise?
>
> Hm, the FHS states, that "the opt-directory is intended for the
> installation of software other than that packaged with the operating
> system". IMHO ruby-enterprise is not packaged by us, right? We are just
> calling the installer. Therefore /opt is the correct location IMHO.
>
> R,
>
> Markus
> >
> > The puppet PKGBUILD creates two packages called 'puppet-master' and
> > 'puppet-agent' for server and client respectively.
> > http://docs.puppetlabs.com/guides/tools.html
> > _______________________________________________
> > ArchServer Project General Mail List
> > Post messages to: [email protected]
> > Administer your subscription:
> http://lists.archserver.org/listinfo/general
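The process table in Andre's reply is checksec-style output: for each running process, whether its executable has RELRO, a stack canary and PIE. The script below is an added example, not code from this thread or from the ArchServer project. It shows where those three answers actually come from in the ELF file, using only the Python standard library: PIE is the ELF type ET_DYN, partial RELRO is a PT_GNU_RELRO program header, full RELRO additionally needs BIND_NOW in the dynamic section (DT_BIND_NOW, DT_FLAGS/DF_BIND_NOW or DT_FLAGS_1/DF_1_NOW), and a stack canary shows up as the `__stack_chk_fail` symbol name in a string table. `scan_processes` then walks /proc/<pid>/exe to build the same kind of table for the running system. The names `inspect_elf` and `scan_processes` are this example's own.

```python
"""Minimal checksec-style inspector (example code, not from the thread):
RELRO, stack canary and PIE for ELF files and for running processes."""
import os
import struct

PT_DYNAMIC, PT_GNU_RELRO = 2, 0x6474E552
SHT_STRTAB, ET_DYN = 3, 3
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1


def inspect_elf(path):
    """Return {'relro': none|partial|full, 'canary': bool, 'pie': bool} for one ELF."""
    with open(path, "rb") as f:
        data = f.read()
    if data[:4] != b"\x7fELF":
        raise ValueError(f"{path}: not an ELF file")
    is64 = data[4] == 2
    e = "<" if data[5] == 1 else ">"  # byte order from e_ident[EI_DATA]
    (e_type,) = struct.unpack_from(e + "H", data, 16)
    if is64:
        e_phoff, e_shoff = struct.unpack_from(e + "QQ", data, 32)
        e_phentsize, e_phnum, e_shentsize, e_shnum = struct.unpack_from(e + "HHHH", data, 54)
    else:
        e_phoff, e_shoff = struct.unpack_from(e + "II", data, 28)
        e_phentsize, e_phnum, e_shentsize, e_shnum = struct.unpack_from(e + "HHHH", data, 42)

    # Program headers: PT_GNU_RELRO marks the region made read-only after
    # relocation; PT_DYNAMIC locates the dynamic section with the BIND_NOW flags.
    has_relro, dyn_off, dyn_size = False, None, 0
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if is64:
            p_type, _fl, p_offset, _va, _pa, p_filesz = struct.unpack_from(e + "IIQQQQ", data, off)
        else:
            p_type, p_offset, _va, _pa, p_filesz = struct.unpack_from(e + "IIIII", data, off)
        if p_type == PT_GNU_RELRO:
            has_relro = True
        elif p_type == PT_DYNAMIC:
            dyn_off, dyn_size = p_offset, p_filesz

    # Full RELRO = PT_GNU_RELRO plus immediate binding, so the GOT is resolved
    # and write-protected before main() runs instead of lazily on first call.
    bind_now = False
    if dyn_off is not None:
        fmt, size = (e + "qQ", 16) if is64 else (e + "iI", 8)
        for off in range(dyn_off, dyn_off + dyn_size - size + 1, size):
            tag, val = struct.unpack_from(fmt, data, off)
            if tag == DT_NULL:
                break
            if tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW) \
                    or (tag == DT_FLAGS_1 and val & DF_1_NOW):
                bind_now = True

    # Stack protector: the binary references __stack_chk_fail, so the name is
    # in a symbol string table (.dynstr / .strtab). Fully stripped static
    # binaries have no such table and are reported as "no canary".
    canary = False
    for i in range(e_shnum):
        off = e_shoff + i * e_shentsize
        fmt = e + ("IIQQQQ" if is64 else "IIIIII")
        _name, sh_type, _fl, _addr, sh_offset, sh_size = struct.unpack_from(fmt, data, off)
        if sh_type == SHT_STRTAB and b"__stack_chk_fail\x00" in data[sh_offset:sh_offset + sh_size]:
            canary = True
            break

    return {
        "relro": "full" if has_relro and bind_now else "partial" if has_relro else "none",
        "canary": canary,
        "pie": e_type == ET_DYN,  # ET_DYN: PIE (or a shared object, if given a .so)
    }


def scan_processes(proc="/proc"):
    """One row per inspectable process, like the listing in the mail.
    Processes whose exe we may not read (other users, kernel threads) are skipped."""
    rows = []
    if not os.path.isdir(proc):
        return rows
    for pid in sorted((p for p in os.listdir(proc) if p.isdigit()), key=int):
        try:
            exe = os.readlink(f"{proc}/{pid}/exe")
            with open(f"{proc}/{pid}/comm") as f:
                comm = f.read().strip()
            info = inspect_elf(exe)
        except (OSError, ValueError, struct.error):
            continue
        rows.append({"command": comm, "pid": int(pid), **info})
    return rows


if __name__ == "__main__":
    import sys
    if sys.argv[1:]:  # explicit binaries on the command line
        rows = [{"command": os.path.basename(p), "pid": "-", **inspect_elf(p)} for p in sys.argv[1:]]
    else:             # otherwise the running system, as in the mail
        rows = scan_processes()
    print(f"{'COMMAND':<16}{'PID':>6}  {'RELRO':<9}{'CANARY':<8}PIE")
    for r in rows:
        print(f"{r['command']:<16}{r['pid']:>6}  {r['relro']:<9}"
              f"{'yes' if r['canary'] else 'no':<8}{'yes' if r['pie'] else 'no'}")
```

Run it with no arguments for the process table, or with paths (`python3 elfcheck.py /usr/bin/sshd`) to audit a package's binaries before deployment; a "partial" RELRO or missing canary on a network-facing daemon is the kind of regression the toolchain defaults described above are meant to prevent.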