How to: Have a Hardened Gentoo
This is the hardened howto for the OSL. Some people would probably like much stricter settings, but these are the ones I use for boxes. They seem to allow for flexibility with software while not being too strict on programs. You need to get the current hardened stages from any of the Gentoo mirrors. The install is pretty much like any other Gentoo install. Make sure that you get the right stages: if the name of the stage has 'selinux' in it, then you do not want that one.
The biggest difference between this install and a regular install is the make.conf file. Another difference is that it's a much cleaner install, meaning that the hardened profile sets a lot of special USE flags that strip it down to just the "needed" packages. Below are listed the make.conf and kernel config settings that are used. Note: please read the Gentoo install guide for explanations of CFLAGS and other settings if you do not know what they mean. Do not use these CFLAGS unless you understand what they mean. The only exception to this is the -fforce-addr flag. This is part of the hardened stuff.
(begin make.conf)
CFLAGS="-O2 -march=pentium4 -fomit-frame-pointer -fforce-addr"
CHOST="i686-pc-linux-gnu"
CXXFLAGS="${CFLAGS}"
USE="hardened -X -gtk -gnome -alsa -kde -qt -X -java -arts"
MAKEOPTS="-j7"
SYNC="rsync://raptor.gentoo.org/gentoo-portage"
GENTOO_MIRRORS="http://local.gentoo.osuosl.org"
(end make.conf)
Make sure that you consult the Gentoo install guide if you do not understand USE flags or the MAKEOPTS options. I do not recommend this install for a beginner to Gentoo. A lot of things can be confusing, and it takes a while to learn. Kernel config settings for this can be confusing as well. I always enable PaX and Grsecurity. NOTE: read the grsecurity pages before you use the grsecurity settings. It is very easy to make a mistake and get yourself locked out of your box, and sometimes things can behave strangely if you do not understand what it's doing.
(begin kernel config options)
#
# Security options
#

#
# Grsecurity
#
CONFIG_GRKERNSEC=y
# CONFIG_GRKERNSEC_LOW is not set
# CONFIG_GRKERNSEC_MEDIUM is not set
# CONFIG_GRKERNSEC_HIGH is not set
CONFIG_GRKERNSEC_CUSTOM=y

#
# Address Space Protection
#
# CONFIG_GRKERNSEC_KMEM is not set
# CONFIG_GRKERNSEC_IO is not set
# CONFIG_GRKERNSEC_PROC_MEMMAP is not set
CONFIG_GRKERNSEC_BRUTE=y
# CONFIG_GRKERNSEC_HIDESYM is not set

#
# Role Based Access Control Options
#
# CONFIG_GRKERNSEC_ACL_HIDEKERN is not set
CONFIG_GRKERNSEC_ACL_MAXTRIES=3
CONFIG_GRKERNSEC_ACL_TIMEOUT=30

#
# Filesystem Protections
#
CONFIG_GRKERNSEC_PROC=y
CONFIG_GRKERNSEC_PROC_USER=y
# CONFIG_GRKERNSEC_PROC_ADD is not set
CONFIG_GRKERNSEC_LINK=y
CONFIG_GRKERNSEC_FIFO=y
CONFIG_GRKERNSEC_CHROOT=y
CONFIG_GRKERNSEC_CHROOT_MOUNT=y
CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
CONFIG_GRKERNSEC_CHROOT_PIVOT=y
# CONFIG_GRKERNSEC_CHROOT_CHDIR is not set
# CONFIG_GRKERNSEC_CHROOT_CHMOD is not set
# CONFIG_GRKERNSEC_CHROOT_FCHDIR is not set
# CONFIG_GRKERNSEC_CHROOT_MKNOD is not set
# CONFIG_GRKERNSEC_CHROOT_SHMAT is not set
# CONFIG_GRKERNSEC_CHROOT_UNIX is not set
CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
CONFIG_GRKERNSEC_CHROOT_NICE=y
# CONFIG_GRKERNSEC_CHROOT_SYSCTL is not set
# CONFIG_GRKERNSEC_CHROOT_CAPS is not set

#
# Kernel Auditing
#
# CONFIG_GRKERNSEC_AUDIT_GROUP is not set
CONFIG_GRKERNSEC_EXECLOG=y
CONFIG_GRKERNSEC_RESLOG=y
CONFIG_GRKERNSEC_CHROOT_EXECLOG=y
CONFIG_GRKERNSEC_AUDIT_CHDIR=y
CONFIG_GRKERNSEC_AUDIT_MOUNT=y
CONFIG_GRKERNSEC_AUDIT_IPC=y
CONFIG_GRKERNSEC_SIGNAL=y
CONFIG_GRKERNSEC_FORKFAIL=y
CONFIG_GRKERNSEC_TIME=y
CONFIG_GRKERNSEC_PROC_IPADDR=y

#
# Executable Protections
#
# CONFIG_GRKERNSEC_EXECVE is not set
CONFIG_GRKERNSEC_DMESG=y
CONFIG_GRKERNSEC_RANDPID=y
# CONFIG_GRKERNSEC_TPE is not set

#
# Network Protections
#
CONFIG_GRKERNSEC_RANDNET=y
CONFIG_GRKERNSEC_RANDISN=y
CONFIG_GRKERNSEC_RANDID=y
CONFIG_GRKERNSEC_RANDSRC=y
CONFIG_GRKERNSEC_RANDRPC=y
CONFIG_GRKERNSEC_SOCKET=y
# CONFIG_GRKERNSEC_SOCKET_ALL is not set
# CONFIG_GRKERNSEC_SOCKET_CLIENT is not set
# CONFIG_GRKERNSEC_SOCKET_SERVER is not set

#
# Sysctl support
#
CONFIG_GRKERNSEC_SYSCTL=y

#
# Logging Options
#
CONFIG_GRKERNSEC_FLOODTIME=10
CONFIG_GRKERNSEC_FLOODBURST=4

#
# PaX
#
CONFIG_PAX=y

#
# PaX Control
#
CONFIG_PAX_SOFTMODE=y
CONFIG_PAX_EI_PAX=y
CONFIG_PAX_PT_PAX_FLAGS=y
CONFIG_PAX_NO_ACL_FLAGS=y
# CONFIG_PAX_HAVE_ACL_FLAGS is not set
# CONFIG_PAX_HOOK_ACL_FLAGS is not set

#
# Non-executable pages
#
CONFIG_PAX_NOEXEC=y
# CONFIG_PAX_PAGEEXEC is not set
# CONFIG_PAX_SEGMEXEC is not set

#
# Address Space Layout Randomization
#
CONFIG_PAX_ASLR=y
CONFIG_PAX_RANDKSTACK=y
CONFIG_PAX_RANDUSTACK=y
CONFIG_PAX_RANDMMAP=y
# CONFIG_PAX_NOVSYSCALL is not set
# CONFIG_SECURITY is not set
(end kernel config options)
I seriously recommend using the sysctl options shown above. They allow for a lot of flexibility and make for easier control.
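One way to confirm that a built kernel's .config still matches the grsecurity and PaX settings listed above is to parse it and compare it against a baseline. This is an added example, not part of the original howto; the function names, the chosen subset of options and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a kernel .config against a subset of the settings
# listed on this page. Function names and the sample are constructed here.

# Print the value of OPTION in FILE: the text after "=", "n" for
# "# OPTION is not set", or "absent" if the option never appears.
kconfig_value() {
    awk -v opt="$2" '
        index($0, opt "=") == 1      { print substr($0, length(opt) + 2); found = 1; exit }
        $0 == "# " opt " is not set" { print "n"; found = 1; exit }
        END { if (!found) print "absent" }
    ' "$1"
}

# Expected values, taken from the kernel config options on this page.
BASELINE='CONFIG_GRKERNSEC=y CONFIG_GRKERNSEC_CUSTOM=y CONFIG_GRKERNSEC_BRUTE=y
CONFIG_GRKERNSEC_ACL_MAXTRIES=3 CONFIG_GRKERNSEC_CHROOT=y CONFIG_GRKERNSEC_SYSCTL=y
CONFIG_GRKERNSEC_SOCKET_ALL=n CONFIG_PAX=y CONFIG_PAX_SOFTMODE=y CONFIG_PAX_ASLR=y'

# Print one line per deviation from BASELINE; return status 1 if any exist.
audit_kconfig() {
    status=0
    for pair in $BASELINE; do
        opt=${pair%%=*}
        want=${pair#*=}
        got=$(kconfig_value "$1" "$opt")
        if [ "$got" != "$want" ]; then
            echo "MISMATCH $opt: expected $want, found $got"
            status=1
        fi
    done
    return "$status"
}

# Constructed sample: ACL_MAXTRIES differs, PAX_ASLR is off, SYSCTL is missing.
write_sample() {
    cat > "$1" <<'EOF'
CONFIG_GRKERNSEC=y
CONFIG_GRKERNSEC_CUSTOM=y
CONFIG_GRKERNSEC_BRUTE=y
CONFIG_GRKERNSEC_ACL_MAXTRIES=5
CONFIG_GRKERNSEC_CHROOT=y
# CONFIG_GRKERNSEC_SOCKET_ALL is not set
CONFIG_PAX=y
CONFIG_PAX_SOFTMODE=y
# CONFIG_PAX_ASLR is not set
EOF
}
```

After sourcing the file, run audit_kconfig with the path to the .config of the kernel you built; an option that is missing entirely is reported as "absent" rather than being treated as disabled.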







