[gentoo-hardened] kernel 3.7 -> internal 'udev'; signed lkms; file hash validation

2012-12-19 Thread 7v5w7go9ub0o
Found this interesting: Are there Gentoo guidelines on using these new kernel features? TIA

[gentoo-hardened] Re: Please test hardened-sources 2.6.32-r88 and 3.2.2

2012-01-29 Thread 7v5w7go9ub0o
On 01/29/12 05:38, Alex Efros wrote: > Hi! > > On Sat, Jan 28, 2012 at 03:16:28PM -0500, 7v5w7go9ub0o wrote: >> gcc. (I'm using vanilla because I'm also using nvidia drivers, which >> apparently need to be both compiled with a vanilla compiler, and need to > >

[gentoo-hardened] Re: Please test hardened-sources 2.6.32-r88 and 3.2.2

2012-01-28 Thread 7v5w7go9ub0o
On 01/28/12 15:16, 7v5w7go9ub0o wrote: > So I'm recompiling with [5] x86_64-pc-linux-gnu-4.4.6-vanilla * and > will see if that helps. Well, that didn't help - at this point I'm guessing I screwed up a Loop-AES setting or component; time to dig in. Thanks for your quick replies!

[gentoo-hardened] Re: Please test hardened-sources 2.6.32-r88 and 3.2.2

2012-01-28 Thread 7v5w7go9ub0o
On 01/28/12 13:26, pageexec-y8qezhmunlyt9ig0jae...@public.gmane.org wrote: > On 28 Jan 2012 at 20:24, 7v5w7go9ub0o wrote: > >> No joy. hardened-sources-3.2.2-r1.ebuild still fails for me. > > what's dmesg say? and what's 'readelf -eW'' say on the modu

[gentoo-hardened] Re: Please test hardened-sources 2.6.32-r88 and 3.2.2

2012-01-28 Thread 7v5w7go9ub0o
On 01/28/12 00:41, Anthony G. Basile wrote: > > I believe pipacs has fixed this. Please everyone, retest > > hardened-sources-2.6.32-r89.ebuild > hardened-sources-3.2.2-r1.ebuild > > I just added them to the tree. I'll rapid stabilize these in about 24 > hours if no one has any issues. > No joy.

[gentoo-hardened] Re: Please test hardened-sources 2.6.32-r88 and 3.2.2

2012-01-27 Thread 7v5w7go9ub0o
On 01/27/12 08:37, Anthony G. Basile wrote: > Hi everyone, > > I just added hardened-sources 2.6.32-r88 and 3.2.2 to the tree. They > address CVE-2012-0056. I've tested and they do indeed resist the > exploit. I will be stabilizing them within 24 hours. However, I feel > very uncomfortable doing

[gentoo-hardened] Re: hardened-sources & tp_smapi, firefox-9.0 install stucks

2011-12-31 Thread 7v5w7go9ub0o
On 12/31/11 08:43, "Tóth Attila" wrote: > Isn't it miserable to see, that as time is passing by, more and more > important softwares (java, python, libreoffice, firefox) conflict > with more and more PAX restrictions? I would expect exactly the > opposite. But it seems, that developers become less

[gentoo-hardened] Re: Tips for upgrading to the current stable gentoo hardened?

2011-06-29 Thread 7v5w7go9ub0o
On 06/29/11 17:39, Tom Hendrikx wrote: On 29/06/11 16:47, 7v5w7go9ub0o wrote: 2. At this point, the 'clearest' way to build a hardened box from scratch seems to go a few steps into the Gentoo handbook, then migrate using the steps above. Not ideal, but until the documentation can

[gentoo-hardened] Re: Tips for upgrading to the current stable gentoo hardened?

2011-06-29 Thread 7v5w7go9ub0o
On 06/29/11 07:19, Anthony G. Basile wrote: [snip] > > The safest approach in either switching or recompiling everything > is: > > 1. Make the profile is set "eselect profile list" and pick your > hardened box. Careful on amd64 about changing multilib/nomultilib. > Stick with your multilib-edness

[gentoo-hardened] Re: Tips for upgrading to the current stable gentoo hardened?

2011-06-28 Thread 7v5w7go9ub0o
On 06/28/11 17:42, 7v5w7go9ub0o wrote: IF anyone can point me to current documentation about building a hardened box (which should include the make.conf and other hardened settings), please post it here. I just dropped by #gentoo-hardened on irc.freenode.net and asked about instructions for

[gentoo-hardened] Re: Tips for upgrading to the current stable gentoo hardened?

2011-06-28 Thread 7v5w7go9ub0o
On 06/15/11 07:35, Jean-François Maeyhieux wrote: Hi ! another "hardcore" solution could be to create a chroot fresh installation within you import your system's preferences: - Create directory - Untar last hardened stage 3 - Copy your /etc in the chroot - Copy your world file in the chroot -

[gentoo-hardened] Re: Security notice regarding hardened-sources

2010-09-17 Thread 7v5w7go9ub0o
On 09/17/10 00:06, Magnus Granberg wrote: [] > All the hardened overlay work is in the tree now > /Magnus (Zorry) Ah! EXCELLENT!!! Thank You, Sir!

[gentoo-hardened] Re: Security notice regarding hardened-sources

2010-09-16 Thread 7v5w7go9ub0o
On 09/16/10 17:15, Anthony G. Basile wrote: [] > > > As a result, certain configurations of hardened-sources are also > vulnerable. As a work around until I get the fix into the tree and > fast track stabilization, keep the following in mind: [] Thank you for this note, Anthony! 1. Will harden

[gentoo-hardened] Re: New Lead for the Hardened Project

2010-08-21 Thread 7v5w7go9ub0o
On 08/21/10 08:34, Anthony G. Basile wrote: [] It is with great pleasure that I get to announce to the Gentoo Community that Magnus Granberg (aka Zorry) will be taking the lead for the Hardened project. It was the unanimous feeling at a meeting of the team yesterday that Zorry is the guy for the

[gentoo-hardened] Re: recommented hardened-sources

2010-05-15 Thread 7v5w7go9ub0o
On 05/15/10 13:19, Matthew Summers wrote: [] > > Hello, I just wanted to drop a note here that there is a team of devs > actively working on support for the 2.6.32& 2.6.33 hardened-sources > kernels. There are a number of issues that have needed resolution for > quite some time. > > Many of the po

[gentoo-hardened] Re: recommented hardened-sources

2010-05-15 Thread 7v5w7go9ub0o
On 05/15/10 11:25, Alex Efros wrote: [] > > Hmm. So, what is recommended way to run reliable and secure server > and/or workstation today? > > - use stable x86 kernel from main portage, which is outdated .28 > without support from PaX/GrSec team? - use development kernel from > anarchy overlay, whi

[gentoo-hardened] Re: Joanna Rutkowska's Qubes on Gentoo Hardened?

2010-04-24 Thread 7v5w7go9ub0o
Thank you for the reply! On 04/17/10 10:50, Javier J. Martínez Cabezón wrote: > I didn't implement it but i would like to say something about this > interesting question. > > Until my knowledge qubes only gets you isolation and nothing more. It > creates "domains" (that is nothing more than a name

[gentoo-hardened] Joanna Rutkowska's Qubes on Gentoo Hardened?

2010-04-17 Thread 7v5w7go9ub0o
Has anyone implemented Qubes on hardened gentoo? If so, your thoughts please. TIA

[gentoo-hardened] Re: Hardened Overlay guide (?)

2010-04-17 Thread 7v5w7go9ub0o
On 04/17/10 04:30, Claes Gyllenswärd wrote: 2010/4/17 7v5w7go9ub0o<7v5w7go9ub0o-re5jqeeqqe8avxtiumw...@public.gmane.org>: Where can I find the latest directions for installing hardened Gentoo?  Is this it?  "[HOWTO] The Hardened GCC4 Toolchain Overlay  Guide" from http://f

[gentoo-hardened] Hardened Overlay guide (?)

2010-04-16 Thread 7v5w7go9ub0o
Where can I find the latest directions for installing hardened Gentoo? Is this it? "[HOWTO] The Hardened GCC4 Toolchain Overlay Guide" from http://forums.gentoo.org/viewtopic-t-705939.html still the current directions? TIA

[gentoo-hardened] Re: to chroot or not to chroot

2009-06-15 Thread 7v5w7go9ub0o
different wrote: On 16:21 Sun 14 Jun , 7v5w7go9ub0o wrote: [... SNIP ...] Nope that's all there is to the wrapper. gcc runchroot.c -o runchroot chown root runchroot chmod u+s runchroot Ouch. Do _not_ set the setuid-bit on runchroot. Otherwise it would be a piece of cake fo

[gentoo-hardened] Re: to chroot or not to chroot

2009-06-14 Thread 7v5w7go9ub0o
Vlad "SATtva" Miller wrote: 7v5w7go9ub0o (11.06.2009 23:53): RijilV wrote: 2009/6/10 7v5w7go9ub0o <7v5w7go9ub0o-re5jqeeqqe8avxtiumwx3w-xmd5yjdbdmrexy1tmh2...@public.gmane.org>: FWIW, I jail/chroot everything that connects to the net; e.g. browsers, mail client, tor client,

[gentoo-hardened] Re: to chroot or not to chroot

2009-06-11 Thread 7v5w7go9ub0o
RijilV wrote: 2009/6/10 7v5w7go9ub0o <7v5w7go9ub0o-re5jqeeqqe8avxtiumw...@public.gmane.org>: FWIW, I jail/chroot everything that connects to the net; e.g. browsers, mail client, tor client, DNS server, nmap, snort, dhcpcd . everything. What are you using to do your chrooting? .r

[gentoo-hardened] Re: to chroot or not to chroot

2009-06-10 Thread 7v5w7go9ub0o
Jan Klod wrote: Hello, I would like to see some opinions on chrooting - 1) how big are possible risks of hardened gentoo system compromise, if apache is run normally, therefore a need of chrooting? 2) suppose I chroot Apache: what chances it still has to harm something in the outside OS? My

[gentoo-hardened] NVidia 180.51 working on hardened overlay (amd64)

2009-05-06 Thread 7v5w7go9ub0o
FYI. FWICT, it seems to work fine. Used the "NVIDIA-Linux-x86_64-180.51-pkg.run" script available at the nvidia site; compiled it with x86_64-pc-linux-gnu-4.3.3-vanilla.

[gentoo-hardened] Re: NVidia setup instructions?

2009-05-06 Thread 7v5w7go9ub0o
Volker Armin Hemmann wrote: On Dienstag 05 Mai 2009, Mark Knecht wrote: On Mon, May 4, 2009 at 4:23 PM, Volker Armin Hemmann wrote: On Dienstag 05 Mai 2009, Mark Knecht wrote: Thanks Brandon. I'm up in X now on the 6200 AGP so it's functional. glxgears seems sort of slow at about 230FPS b

[gentoo-hardened] Re: persistent paxctl -m?

2009-04-09 Thread 7v5w7go9ub0o
Ned Ludd wrote: ... firefox itself behaves. It's more likely he is using a plugin which does not. Ditto the above. No FF problems at all, compiling with the 4.33 overlay on AMD64.

[gentoo-hardened] kudos to hardened-sources

2009-03-24 Thread 7v5w7go9ub0o
FWICT, hardened-sources has offered, for a few days now, a more recent kernel than gentoo-sources! (not that there's any sort of competition :-) ) Good show! (thanks!!)

[gentoo-hardened] Re: Which laptop compatible with hardened-workstation ?

2009-02-16 Thread 7v5w7go9ub0o
Dale Pontius wrote: 7v5w7go9ub0o wrote: Romain BERGE wrote: Hey list, I am planning buying a laptop. I would like to install a hardened (workstation) profile on it. Which hardware features/components should I take care of ? (to be the most compatible with hardened) In the opposite, are

[gentoo-hardened] Re: Which laptop compatible with hardened-workstation ?

2009-02-16 Thread 7v5w7go9ub0o
Romain BERGE wrote: Hey list, I am planning buying a laptop. I would like to install a hardened (workstation) profile on it. Which hardware features/components should I take care of ? (to be the most compatible with hardened) In the opposite, are there some hardware components/brand to avoi

[gentoo-hardened] hardened profile/kernel on intel I7?

2009-01-22 Thread 7v5w7go9ub0o
I expect to assemble a small I7 in a week or so. My initial thought is to use a 64 bit OS: 1. Does anyone have an I7 running a hardened profile/kernel? If so, any tips, please. 2. Will the current gcc 3.4.6-r2 still function well, or should I forgo propolice/ssp and go to 4.3.2-r2 'til the n

[gentoo-hardened] Re: Tin Hat 20090119 released

2009-01-21 Thread 7v5w7go9ub0o
basile wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hello everyone, I'd like to announce to the list that there is a new release of Tin Hat out. Tin Hat is a fully featured Linux desktop based on Hardened Gentoo which runs purely in RAM. It aims to be very secure, stable, and fast.

[gentoo-hardened] Re: Profile switch: hardened to non-hardened?

2008-12-24 Thread 7v5w7go9ub0o
Grant wrote: I've been able to do so; basically I switched over to the standard profile, disabled selinux in the kernel, and re-emerged system for new use flags. There were some other details but overall the process was pretty painless, anyone ambitious enough to configure a hardened system can p

[gentoo-hardened] Re: hardened workstation - is that worth it?

2008-11-26 Thread 7v5w7go9ub0o
[EMAIL PROTECTED] wrote: On Sze, November 26, 2008 03:02, 7v5w7go9ub0o wrote: I run the "old" hardened toolchain, grsecurity-enhanced hardened kernel, rbac control, and jails for anything that accesses the LAN/WAN.(heh... I even chroot and kill dhcpcd after 5 seconds). Avira has h

[gentoo-hardened] Re: hardened workstation - is that worth it?

2008-11-26 Thread 7v5w7go9ub0o
Alex Efros wrote: Hi! On Tue, Nov 25, 2008 at 09:02:58PM -0500, 7v5w7go9ub0o wrote: I run the "old" hardened toolchain, grsecurity-enhanced hardened kernel, rbac control, and jails for anything that accesses the LAN/WAN.(heh... I even chroot and kill dhcpcd after 5 seconds). Avira ha

[gentoo-hardened] Re: hardened workstation - is that worth it?

2008-11-25 Thread 7v5w7go9ub0o
Jan Klod wrote: Suppose, I want to take some extra precautions and set up PaX&co and MAC on a workstation with Xorg and other nice KDE apps (only some of which should be granted access to files in folder X). I would like to read others opinion, if I can get considerable security improvements or

[gentoo-hardened] Re: Tin Hat = hardened Gentoo distro in RAM

2008-08-02 Thread 7v5w7go9ub0o
dante wrote: Hi everyone, My students and I have started a new gnome-based desktop linux distro derived from hardened Gentoo. It may be of interest to people on this list. Tin Hat is pretty much Gentoo, but it runs purely in RAM. It boots from CD or pen drive, but is not a liveCD in that it

[gentoo-hardened] Re: Is gentoo-wiki Down?

2008-04-13 Thread 7v5w7go9ub0o
Drew Tomlinson wrote: Andrew Gaydenko wrote: === On Monday 14 April 2008, Drew Tomlinson wrote: === For the past few days, anytime I've attempted to get to gentoo-wiki or gentoo-portage, my browser just "sits". I connect to other sites just fine. It may be my firewall/IDS but I'm no

[gentoo-hardened] Re: Problem with chroot

2008-04-10 Thread 7v5w7go9ub0o
vitamona wrote: but when i try to enter into this chroot something doesn't work. # chroot /chroot/apache/ /bin/sh chroot: cannot run command `/bin/sh': No such file or directory Sorry about this question; do you have gradm disabled? -- gentoo-hardened@lists.gentoo.org mailing list

[gentoo-hardened] Re: ping solar

2008-04-02 Thread 7v5w7go9ub0o
Ned Ludd wrote: Sorry bro.. I don't have time to answer your questions. I'm on the way out the door, catching a flight later today then I'm taking a mini vacation.. Thanks for the reply; have a great vacation!

[gentoo-hardened] Re: ping solar

2008-04-02 Thread 7v5w7go9ub0o
RB wrote: I have to clarify a few points: On Wed, Apr 2, 2008 at 8:59 AM, 7v5w7go9ub0o <[EMAIL PROTECTED]> wrote: Had a conversation with aoz in the hardened IRC room yesterday, discussing how non-tech types such as I might help the hardened effort; 1. He suggested that Bugzilla took

[gentoo-hardened] ping solar

2008-04-02 Thread 7v5w7go9ub0o
Had a conversation with aoz in the hardened IRC room yesterday, discussing how non-tech types such as I might help the hardened effort; 1. He suggested that Bugzilla took a lot of time. How could some of that time be outsourced to a non-techie? 2. We discussed the possibility of incorporating lin

[gentoo-hardened] Re: Intel quad core and hardened

2008-04-01 Thread 7v5w7go9ub0o
dexters84 wrote: I've setup a hardened gentoo on the following settings: CHOST="x86_64-pc-linux-gnu" CFLAGS="-march=nocona -O2 -pipe" My cpu is quad core xeon + 4 GB ram, it is working without any problems. While it is perfectly doable to create a hardened setup for mentioned CPU i think that

[gentoo-hardened] Intel quad core and hardened

2008-03-31 Thread 7v5w7go9ub0o
Is anyone running hardened on a quad core? If so, are there any problems? I'd guess you're using -march=i686 (and that there is no -march=prescott, or march=prescott -mtune=generic) on gcc 3.4.6. Am planning to upgrade to an Intel q9550 in a month or so. TIA

[gentoo-hardened] Re: Hardened with 1 user and 0 services?

2008-02-25 Thread 7v5w7go9ub0o
Marcel Meyer wrote: Am Sonntag, 24. Februar 2008 schrieb 7v5w7go9ub0o: The hardened toolchain'll protect you outright against some types of memory attacks; GRSEC'll provide additional PAX protections; putting net-clients into the much-harder jails provided by some hardened ke

[gentoo-hardened] Re: Hardened with 1 user and 0 services?

2008-02-24 Thread 7v5w7go9ub0o
Alex Efros wrote: Hi! On Sun, Feb 24, 2008 at 06:15:22AM -0800, Grant wrote: Are a hardened profile, kernel, and related USE flags beneficial on a machine on which only I log in and no ports are open? If you open website, or download and run mp3, or download and open .xls, etc. - do any actio

[gentoo-hardened] 2.6.20-r2 .... FLIES! (thanks)

2007-05-05 Thread 7v5w7go9ub0o
First, a big Thanks to Caleb Cushing, Javier Barrio, and Brian Kroth for generously offering their assistance to this newbie; both in getting the configuration repaired, and in starting with iptables which seems presently necessary in order to firewall the '20x kernel series. It's easy to lurk; tha

[gentoo-hardened] Re: 2.6.20-r2 is slow!?

2007-05-04 Thread 7v5w7go9ub0o
On Fri, 4 May 2007 09:16:28 +0200 Javier Barrio <[EMAIL PROTECTED]> wrote: > El Thu, 3 May 2007 20:28:26 -0400 > "Caleb Cushing" > <[EMAIL PROTECTED]> escribió: > > > http://slave-network.org/firewall.txt > > Mine here, just in case you want to look at it: > > http://www.fluzo.org/~javi/firewal

Re: [gentoo-hardened] 2.6.20-r2 is slow!?

2007-05-03 Thread 7v5w7go9ub0o
't noticed any issues with slowness I'm running 2.6.20 on 3 boxes, but not hardened. so it could be a hardened patch. I just know iptables had major changes. On 5/2/07, 7v5w7go9ub0o <[EMAIL PROTECTED]> wrote: > > Thank You!! for the quick response. > > Yes please do let m

Re: [gentoo-hardened] 2.6.20-r2 is slow!?

2007-05-02 Thread 7v5w7go9ub0o
don't know about being slow but iptables had major changes in 2.6.20.x so you probably will have to go through those manually. I can give you my config for iptables if you need help getting it working. On 5/1/07, 7v5w7go9ub0o <[EMAIL PROTECTED]> wrote: > > Just installed 2.6.20-

[gentoo-hardened] 2.6.20-r2 is slow!?

2007-05-01 Thread 7v5w7go9ub0o
Just installed 2.6.20-r2, and find it particularly slow - slow to boot, slow to operate (high cpu), while 2.6.18-r6 is quick, with low cpu usage. Any ideas, please? (e.g. there was a configuration option a few releases ago that snuck in and slowed things down; I've forgotten which it was :-( )

[gentoo-hardened] "DieHard" ? ( hardens against memory errors)

2007-01-01 Thread 7v5w7go9ub0o
Anyone using this on a hardened box (e.g. to augment a precompiled, non-ssp binary, such as OOffice)? http://www.diehard-software.org/ (Emery Berger, UMass) "DieHard completely prevents particular memory management errors from having any effect (these are "double frees" and "invalid frees")

Re: Re : [gentoo-hardened] Which hardened (SUB)project

2006-11-17 Thread 7v5w7go9ub0o
That is how I (newbie) have been doing it install/get everything working as I like it, then use learning mode to both document and enforce how things relate. (the Policy file, built from learning mode, makes for interesting reading as documentation :-) ) Gradm/grsecurity works extremely

Re: [gentoo-hardened] Re: Mini Gentoo in VMWare

2006-11-06 Thread 7v5w7go9ub0o
On Mon, 06 Nov 2006 12:11:44 -0500, Longman, Bill <[EMAIL PROTECTED]> wrote: Well, this gets at my original musing.. are you really safer with a grsecurity-hardened-chrooted VMware application (with root privileges, that uses at least some of the host's kernel) or a grsecurity-hardened-chr

Re: [gentoo-hardened] Re: Mini Gentoo in VMWare

2006-11-04 Thread 7v5w7go9ub0o
On Sat, 04 Nov 2006 13:54:56 -0500, John Schember <[EMAIL PROTECTED]> wrote: On Sat, 2006-11-04 at 13:40 -0500, Kwon wrote: Can a hacked instance of VMWare bring down the entire system? Considering that VMware server uses kernel modules for operation on the host system. Also that it likes to

[gentoo-hardened] Re: Mini Gentoo in VMWare

2006-11-03 Thread 7v5w7go9ub0o
Basically what I want to do is create a series of VERY tiny VMs that are all independent of each other, which provide one service. For instance, I might put apache on one VM, and tomcat on another, and so on. Obviously, I would want their memory usage to be absolutely minimized, seeing that I

[gentoo-hardened] Re: Do I need RBAC?

2006-10-29 Thread 7v5w7go9ub0o
If you are talking about Grsecurity (which has a learning mode that makes configuration very easy), and if your users are doing limited, standard things, then a strong Yes! (though IIUC, SeLinux is difficult to configure) The RBAC protection will protect you if -you- or a trusted user doe

Re: [gentoo-hardened] Hardening SSHD

2006-10-23 Thread 7v5w7go9ub0o
On Mon, 23 Oct 2006 15:21:29 -0400, Brian Davis <[EMAIL PROTECTED]> wrote: What do you folks do to harden SSHD? I'm looking for some pointers. Thanks, Brian If you're using grsecurity, put it in a jail. It'll then acquire the (significant) additional protections provided to jails (as we

[gentoo-hardened] 2.6.17-r1 works well!.....Thanks, guys!

2006-10-21 Thread 7v5w7go9ub0o
(I was following the -dormant- change log wondering what was happening, and suddenly BANG - out it comes; and works well .. an early Christmas present!) Thanks!

[gentoo-hardened] Re: GOT protection

2006-10-17 Thread 7v5w7go9ub0o
On Tue, 17 Oct 2006 11:25:13 -0400, Alejo Sanchez <[EMAIL PROTECTED]> wrote: On 10/17/06, Javier Barrio <[EMAIL PROTECTED]> wrote: > Now to the question. I was wondering if there is a way to protect GOT > (besides having ET_DYN) in the way OpenBSD does > (http://undeadly.org/cgi?action=arti

Re: [gentoo-security] Re: [gentoo-hardened] Securing dhcpcd (client)

2006-10-09 Thread 7v5w7go9ub0o
On Mon, 09 Oct 2006 15:06:15 -0400, Brian G. Peterson <[EMAIL PROTECTED]> wrote: On Monday 09 October 2006 13:37, 7v5w7go9ub0o wrote: Given my lack of expertise, I'll work on a patch later, and in the short   term I'll automate the momentary use of the dhcpcd client in a

Re: [gentoo-hardened] Securing dhcpcd (client)

2006-10-09 Thread 7v5w7go9ub0o
On Mon, 09 Oct 2006 08:45:42 -0400, Miguel Figueiredo Mascarenhas Sousa Filipe <[EMAIL PROTECTED]> wrote: this patch seems to be for the dhcpd (that is, the dhcp server, not the client).. and its for dhcpd version 2, which is outdated. But there are other patches for this, for updated versio

Re: [gentoo-hardened] Securing dhcpcd (client)

2006-10-09 Thread 7v5w7go9ub0o
On Mon, 09 Oct 2006 04:56:21 -0400, Daniel Black <[EMAIL PROTECTED]> wrote: On Monday 09 October 2006 07:26, 7v5w7go9ub0o wrote: Other distributions distribute dhcpcd with a "paranoia" patch incorporated <http://www.episec.com/people/edelkind/patches/dhcp/dhcp

[gentoo-hardened] Securing dhcpcd (client)

2006-10-08 Thread 7v5w7go9ub0o
It is my understanding that dhcpcd client requires root or a privileged user. Am presently running dhcpcd in a chroot jail (ssp and grsecurity-hardened kernel) as user root (ugh). (This is a laptop used at hotspots, so I think I need to use dhcp). Other distributions distribute dhcpcd with a "par

[gentoo-hardened] Re: Downgrading glibc

2006-09-15 Thread 7v5w7go9ub0o
Thanks for the note. Hi, did you upgrade to gcc-4.1? If yes you may not use the hardened profile but the hardened use flag. gcc-4.1 is not yet supported by the hardened profile. AFAIK Yep. :-( View your current profile ls -l /etc/make.profile I had a standard profile; now it's

Re: [gentoo-hardened] Downgrading glibc

2006-09-14 Thread 7v5w7go9ub0o
On Thu, 14 Sep 2006 23:51:49 -0400, Ned Ludd <[EMAIL PROTECTED]> wrote: On Thu, 2006-09-14 at 12:34 -0400, 7v5w7go9ub0o wrote: I went through the gcc upgrade and discovered that ssp no longer works (suppose it was documented somewhere - but I missed it) So I'm trying to reverse

[gentoo-hardened] Downgrading glibc

2006-09-14 Thread 7v5w7go9ub0o
I went through the gcc upgrade and discovered that ssp no longer works (suppose it was documented somewhere - but I missed it) So I'm trying to reverse the upgrade process (this time using a hardened profile) and glibc won't allow me to downgrade. How do I get around this, please? I'

Re: [gentoo-hardened] Gcc4.1.1 with hardened

2006-09-12 Thread 7v5w7go9ub0o
(O.K... I'll be the sacrificial bozo :-) ) I've been running hardened kernels for a year or so with hardened pic in make.conf; but never changed my profile to hardened. PAX seemed to work fine (killed some flakey stuff), as did grsecurity. So IIUC, I now have 4.1.1 with neither PAX nor