On 14/06/2012 17:04, "Paweł Hajdan, Jr." wrote:
> On 6/14/12 4:51 PM, Anthony G. Basile wrote:
>> 1) We still have the old 10.0 hardened profiles on the tree.  They've
>> been marked deprecated for about two years and I have no idea what state
>> they're in.  I'm going to punt them in a day unless someone gives me a
>> really good reason to keep them.
> Sounds good.
>
> If you have some more time (maybe later) it would be nice to restructure
> the profiles so that hardened bits are in profiles/features, to allow
> e.g. easy creation of hardened-developer profile.
>
> Paweł

+1

I create my own: /usr/local/portage/profiles/myname/xxx

And in there I create my own sub profiles for all my linux-vserver builds.

Actually, there isn't anything I currently need splitting out of the current profiles, so not quite sure what I'm +1-ing, but I guess more to raise awareness that this is quite easy and works extremely nicely.

Oh, as an aside, I have settled on linux-vservers+grsec+pax as my tool of choice for servers (I guess that's roughly a hardened kernel + linux-vserver). I find that vservers are extremely lightweight and easy to maintain and the hardened stuff makes me sleep a little easier (the linux-vserver code already includes all the important restrictions to make it hard to escape from chroots, the grsec/patch parts for that are unnecessary). I would recommend that solution to anyone with a server requirement.

Cheers

Ed W
