-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Darknight wrote:
> [...]
> I've "dropped" hardened source due to lack of time to learn and properly
> activate their features... It's on todo list... :)
>

Hi Darknight,

thank you for your interest in the Gentoo Hardened project.

To learn more about the features like rulesets for access restriction, memory protection, randomization for executables and stack overwrite protection, you can get a first read at the docs at http://hardened.gentoo.org

But if this is not enough, the documentation of grsec at www.grsecurity.net, pax.grsecurity.net and the SELinux documentation at the respective pages will give you further insights into how the technology works.

To answer some of the questions from your correspondence: the only thing that would let you benefit from the hardened toolchain without a PaX enabled kernel is the SSP protection, which means code is automatically inserted into hardened compiled executables and libraries to guard against stack smashing attacks. Without a PaX kernel you will not benefit from PIE randomization, nor will you have advanced security from MPROTECT features and stack non-executability.

Moving from a non-hardened to a hardened setup involves some steps like switching profile and kernel, configuring applications with paxctl, recompiling and testing applications and rolling out an access policy, which is best done by someone who

a) understands the technology behind it
b) can assess the impact on the applications she or he is using
c) has a plan for restoring back to a vanilla system if problems affect productive systems and thus cause loss of availability or performance

Frankly speaking, security is not the profile you are switching to or the hardened compiler specs you are using, it's the knowledge in your head about the technology you are employing to reach a certain state for your operating system and applications. Of course it can also be done in "crash and burn" style, which I myself prefer sometimes too... ;) But for learning about the big picture and getting a deeper grip on the technology, I recommend you spend some time learning about the technical changes we made and why we made them.

If you are willing to hit the learning curve, I recommend you join us at the irc channel or ask for more hints about further readings and technical implications of our provided security solutions.

One of my personal goals is that people like you should have fun and enjoy tackling the task of making their system more secure while having full understanding and knowledge of why they are doing it and what they are doing there. Because then, the "how" they are doing it becomes clear to them too.

Thanks again and hope I could help you a bit,

Alex
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFFJTxDlpSgoWRXlxURAjCgAJ49XoeSARmKbXds4qNeGrhKserqzwCggaQk
Jlq8eJoLhHc7nRSPPif0jlA=
=s771
-----END PGP SIGNATURE-----
--
[email protected] mailing list
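Alex's message distinguishes protections the toolchain bakes into a binary (SSP, PIE-compiled code) from protections the PaX kernel has to enforce at run time (address randomization, MPROTECT, a non-executable stack). The toolchain side can be verified on the ELF file itself. The following is an added example and not code from the mailing list, from Alex, or from the Gentoo Hardened project: it parses the ELF header and program headers to report whether a file is position-independent (`e_type == ET_DYN`), whether it references the stack-protector failure symbol `__stack_chk_fail` (a heuristic for SSP instrumentation, since a GCC-compiled binary with active canaries needs that symbol), and whether its `PT_GNU_STACK` header requests a non-executable stack. `build_sample_elf` is a constructed minimal ELF image used as an offline fixture; it is not a loadable program. Whether the running kernel honours the PIE or NX markers is exactly the PaX/paxctl question the message raises, and nothing in a static file check can answer it.

```python
import struct
import sys

# ELF constants (from the ELF specification and the GNU ABI extensions).
ET_EXEC, ET_DYN = 2, 3
PT_GNU_STACK = 0x6474E551
PF_X = 0x1
SSP_SYMBOL = b"__stack_chk_fail"


def parse_elf_header(data):
    """Return (is64, endian_prefix, e_type, e_phoff, e_phentsize, e_phnum)."""
    if len(data) < 52 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = data[4] == 2                      # EI_CLASS: 1 = ELFCLASS32, 2 = ELFCLASS64
    endian = "<" if data[5] == 1 else ">"    # EI_DATA: 1 = little endian, 2 = big endian
    e_type, = struct.unpack_from(endian + "H", data, 16)
    if is64:
        e_phoff, = struct.unpack_from(endian + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 54)
    else:
        e_phoff, = struct.unpack_from(endian + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 42)
    return is64, endian, e_type, e_phoff, e_phentsize, e_phnum


def gnu_stack_flags(data, is64, endian, e_phoff, e_phentsize, e_phnum):
    """Return p_flags of the PT_GNU_STACK program header, or None if absent."""
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, = struct.unpack_from(endian + "I", data, off)
        if p_type != PT_GNU_STACK:
            continue
        # p_flags sits right after p_type in Elf64_Phdr, but after the
        # address/size fields (offset 24) in Elf32_Phdr.
        flags_off = off + 4 if is64 else off + 24
        p_flags, = struct.unpack_from(endian + "I", data, flags_off)
        return p_flags
    return None


def hardening_report(data):
    """Report toolchain-side hardening markers present in an ELF image."""
    is64, endian, e_type, e_phoff, e_phentsize, e_phnum = parse_elf_header(data)
    flags = gnu_stack_flags(data, is64, endian, e_phoff, e_phentsize, e_phnum)
    return {
        # ET_DYN also matches shared libraries; for executables it means PIE.
        "pie": e_type == ET_DYN,
        # Heuristic: SSP-instrumented code must reference the canary-failure handler.
        "ssp": SSP_SYMBOL in data,
        # Missing PT_GNU_STACK is treated as "not requested"; loaders differ there.
        "nx_stack": flags is not None and not (flags & PF_X),
    }


def build_sample_elf(pie=True, ssp=True, nx_stack=True):
    """Constructed fixture: a minimal 64-bit LE ELF header plus one PT_GNU_STACK
    program header and an optional trailing symbol name. Not a runnable program."""
    e_type = ET_DYN if pie else ET_EXEC
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    header = ident + struct.pack(
        "<HHIQQQIHHHHHH",
        e_type, 0x3E, 1,        # e_type, e_machine (x86-64), e_version
        0, 64, 0, 0,            # e_entry, e_phoff (right after header), e_shoff, e_flags
        64, 56, 1,              # e_ehsize, e_phentsize, e_phnum
        64, 0, 0,               # e_shentsize, e_shnum, e_shstrndx
    )
    p_flags = 0x6 if nx_stack else 0x7   # RW versus RWX stack request
    phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, p_flags, 0, 0, 0, 0, 0, 0x10)
    tail = SSP_SYMBOL + b"\x00" if ssp else b""
    return header + phdr + tail


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(sys.argv[1], hardening_report(fh.read()))
    else:
        print("hardened fixture:", hardening_report(build_sample_elf()))
        print("plain fixture:   ", hardening_report(build_sample_elf(False, False, False)))
```

Run it against a freshly emerged binary (`python3 elfcheck.py /path/to/binary`) after switching to the hardened profile to confirm the toolchain actually emitted PIE and SSP; a `pie: False` on a supposedly hardened rebuild usually means the package's build system overrode the hardened specs. The symbol search is deliberately a substring scan rather than a symbol-table walk, which keeps the check independent of section headers that stripped binaries may lack.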
