
Gentoo


Grsecurity/The Administration Utility. Gradm, the administration utility for the role-based access control system, is a powerful tool that parses your ACLs (Access Control Lists), performs the enforcement of a secure base policy, optimizes the ACLs, as well as handles parsing of the learning logs, merges them with your ACL set and outputs the final ACLs. Before you install gradm, boot into your patched grsecurity kernel. You can compile gradm in any kernel you wish, but the installation will fail if the kernel does not support grsecurity.

Installation. If your Linux distribution provides ready-made grsecurity kernel packages, they will very likely provide a package for gradm too. If that is the case you should consider using it before compiling gradm yourself. Before compiling and installing gradm, make sure you have the following applications installed in your system: lex or flex and byacc or bison. Change to the directory you downloaded gradm and grsecurity to earlier. . $ make NOTE: Look at the output from make. Hardened Gentoo Adventures by radegand. UPDATED 23/10 - Added info about repos.conf which I've missed previously! Recently I had to set up a new box with the specs above so I decided to share my installation notes in an attempt to spread the Gentoo virus ;] Apologies if they're not always as detailed as they could be but nevertheless should be helpful for anyone setting up a new Gentoo box.

Ok, off we go! I've mostly used as a reference the following links: The Hardened GCC4 Toolchain Overlay Guide LUKS on Gentoo I used this live CD and this stage3 tarball because I wanted to give a go for the weekly hardened ones just out of curiosity :). Follow the Gentoo Installation handbook up to chapter 4.

    Command (m for help): n
    Command action
       e   extended
       p   primary partition (1-4)
    p
    Partition number (1-4): 1
    First cylinder (1-10011, default 1):
    Using default value 1
    Last cylinder, +cylinders or +size{K,M,G} (1-10011, default 10011): +100M

    Command (m for help): p

       Device Boot      Start         End      Blocks   Id  System
    /dev/sda1               1          14      112423+  83  Linux

WARNING! !!!

My weekly Gentoo update process. How often should we update our Gentoo? There is no absolute correct answer for that. Gentoo is just like other distributions (distro), s**t does happen when you do update.

No matter what species of penguins you pet, they all might get sick and updating interval is not really relevant. However, you should never wait for a year or even just a few months, though your version might still be supported. Since I started to use eix, eix-diff told me the changes on Portage tree. Here are the steps I do:

- Running sudo eix-sync to update Portage tree, read the diff.
- See what packages get removed, you might have few removed, see if there are replacements.
- See what packages get added, play with them.
- Running emerge -pvuDt world to see what can be upgraded.

Some packages might require you to update partial or even entire system, meaning all packages.

So, when do you need to do such mass rebuild? Gentoo has some guides about upgrade, e.g. Playing With grsecurity | A Brief Tutorial | jude pereira's blog. This howto is intended for those looking for better means to secure the Linux kernel, and the userland by the means of a powerful and simple role based access control policy. Contents What is grsecurity? Grsecurity is an innovative approach to security utilizing a multi-layered detection, prevention, and containment model. It is a set of patches for the Linux kernel with an emphasis on enhancing security.

Its typical application is in web servers and systems that accept remote connections from untrusted locations, such as systems offering shell access to their users. Extensive information about grsecurity can be found from the following links: This tutorial briefly gives you an introduction on using grsecurity. Setting up grsecurity + gentoo in a VM To test grsecurity’s features, we’ll set up gentoo hardened in a virtual machine using QEMU.

Create a raw image and set it up: Now download the hardened gentoo stage3. Select the profile “hardened/linux/amd64”. For networking, choose the DHCP method. Introduction to Hardened Gentoo. 1. Introduction This guide is meant for anyone unsure about the offerings of the Hardened Gentoo project, how to use them together, and what their respective roles in the project are. The basic security principle that we emphasize is layers of security. Layers are fundamental in ensuring a user's machine is not compromised, and if it is, minimizing the damages done. Hardened Gentoo is not a product or solution in itself, it is merely a project with a group of developers all working toward the same goal of very proactive security. 2. PaX At the heart of the project is PaX.

Because of badly written software you are always at risk of a compromise because of buffer and heap overflows. If the attacker knows of an overrun, however, they will have the opportunity to add shellcode to the input and rather than causing the application to crash it will instead execute the instructions they give. Mandatory Access Control 3. Gentoo Linux -- Gentoo Linux News. S Weblog : The PIE is not exactly a lie… One very interesting misconception related to Gentoo, and especially the hardened sub-profile, is related to the PIE (Position-Independent Executable) support.

This is probably due to the fact that up to now the hardened profile always contained PIE support, and since it relates directly to PIC (Position-Independent Code) and PIC as well is tied back to hardened support, people tend to confuse what technique is used for what scope. Let’s start with remembering that PIC is a compilation option that produces the so-called relocatable code; that is, code that is valid no matter what base address it is loaded at. This is a particularly important feature for shared objects: to be able to be loaded by any executable and still share the code pages in memory, the code needs to be relocatable; if it’s not, a text relocation has to happen. Does any of this mean that you need PIC-compiled executables (which is what PIE is) to make use of PaX/NX? Not at all. Once again, no, it’s not that easy. Index:Tutorials. From Gentoo Linux Wiki Tutorials Index This page is an index page and will link to many articles that fall under this category.

If you are unsure how to name a new article please see the Naming Conventions guide. Desktop Filesystems Installation Chroot from a livecd Grub2 Safe Cflags Hardware CFLAGS Home Server - How to setup a basic server for the home environment Speed Up Boot With Wicd Custom Stage4 - How to make rapid deployment images LightScribe Portable USB Gentoo - How to install Gentoo on an external drive Solaris 10/11 Prefix Install - How to quick install Gentoo Prefix on Solaris system Prefix/Cygwin - How to install Gentoo Prefix on Cygwin Install LiveDVD 11.2 to hard disk drive - How to install Gentoo LiveDVD 11.2 to Hard Disk Drive Install LiveDVD 12.1 to hard disk drive - How to install Gentoo LiveDVD 12.1 to Hard Disk Drive Kernel & Hardware Virtualization Network Configuration File Systems FTP Servers Mail Servers Web Servers.

Gentoo maintenance. From Gentoo Linux Wiki The focus of this tutorial is installing new software and updating existing software, in the most common and basic style. Rough understanding of portage is expected. For complicated tinkering, see other pages in this wiki. Installing new software eix To search packages, the utility "eix" in app-portage/eix is recommended. After you have emerged eix, build the eix cache by running eix-update. "eix" replaces emerge --search functionality (which is slow) and also emerge --sync. Emerge To actually emerge a package, emerge -av <whatever> can be used.

- -a, --ask: portage will list all packages that it is going to emerge and then ask for confirmation
- -v, --verbose: mainly has the effect that you'll see USE flags for all packages
- -t, --tree: shows the dependency tree for the given target by indenting dependencies

Per-package USE flags can be set in the file /etc/portage/package.use by adding a line like this: File: /etc/portage/package.use app-editors/vim cscope app-editors/vim emerge autounmask. Howto: Table of Contents. Apache2 - Configure SSL This document covers generating an SSL certificate key using OpenSSL and setting up apache2. This document follows docs from GoDaddy. Bash/shell - cheat sheet This howto is simply a place for me to keep all the little bash tips and tricks that I need and use. I hope you find them valuable, please let me know if you have changes/fixes/additions. How to set up a brand new Windows computer This document will help you set up your new computer properly from the very beginning, with the hopes that this will not eliminate, but help mitigate security related problems down the line (viruses/popups).

Gentoo encryption with dm-crypt and luks This document is not finished! Gentoo - hardened setup This document is intended to help those unfamiliar with the Hardened Gentoo Project to both understand its purpose, and learn the basics of its implementation. Gentoo - kernel upgrade Gentoo - kernel This document will go through a step by step installation of the linux 2.6.17-gentoo-r7 kernel.

USE Flags. From Gentoo Linux Wiki What is a USE flag? In Gentoo, USE flags are a mechanism for fine-tuning the options and capabilities with which portage installs software. By enabling or disabling these options, users can cut down on dependencies, compile time, and package size to make for a leaner, faster system while retaining important functionality. Flags can be defined on a global or a per-package basis.

For example, mail-client/mutt has twenty USE flags. Some flags such as pop, imap and nntp enable or disable compile-time options. The mutt source file contains all the code for these options; the flag merely determines whether or not that code will be used when building the package. Some flags enable features which require certain commands or libraries; gdbm, berkdb, ssl and sasl all enable features that require additional userspace libraries such as Sleepycat DBM or OpenSSL. Some flags are specific to just fix bugs.

Choosing global USE flags for your system Viewing USE flag descriptions. Pure-ftpd - Gentoo Linux Wiki. From Gentoo Linux Wiki. Introduction Why install an FTP server? FTP is the acronym for "File Transfer Protocol". It is therefore worthwhile to install an FTP server in order to share all types of files with any computer in the world connected to the Internet or to a local network. This protocol was designed specifically for exchanging files, so it should be preferred over an HTTP server, which is designed mainly for displaying web pages, which are admittedly files, but generally small ones. To share files within a local network, a samba share can be used.

Which type of server to choose? When you want to install an FTP server, you should first ask yourself a few questions: In which geographic area are the users located? Why choose Pure-FTPd? Pure-FTPd is a server that can be configured correctly in an acceptable amount of time. For KDE users. Gentoo Linux x86 Handbook.