Hardened Gentoo

From Gentoo Wiki

Gentoo Hardened is a Gentoo project that offers multiple additional security services on top of the well-known Gentoo Linux installation. Although each of them can be selected separately, Gentoo Hardened enables several risk-mitigating options in the toolchain, SELinux, TPE and more.

Whether running an Internet-facing server or a flexible workstation, when dealing with multiple threats it can be advantageous to harden the system further than just automatically applying the latest security patches. Hardening a system means taking additional countermeasures against attacks and other risks and is usually a combined set of activities performed on the system.

Within Gentoo Hardened, several projects are active that help further harden a Gentoo system through:

  • Enabling specific options in the toolchain (compiler, linker, ...) such as forcing position-independent executables (PIE), stack smashing protection and compile-time buffer checks. See the table.
  • Enabling SELinux extensions in the Linux kernel, which offer a Mandatory Access Control system that augments the standard Linux permission checks.
  • Enabling integrity-related technologies, such as the Integrity Measurement Architecture, to make systems resilient against tampering.

Of course, this includes the necessary userspace utilities to manage these extensions.

Switching to a hardened profile

Important
Read the relevant documentation before performing any profile changes.

Select a hardened profile, so that package management will be done in a hardened way.

root # eselect profile list
root # eselect profile set [number of the hardened profile]
root # source /etc/profile

By choosing the hardened profile, certain package management settings (masks, USE flags, etc.) become the defaults for the system. This applies to many packages, including the toolchain. The toolchain is used for building/compiling programs and consists of the GNU Compiler Collection (GCC), binutils (linker, etc.) and the GNU C library (glibc). By re-emerging the toolchain, these new default settings are applied to the toolchain itself, so that all future package compilation is done in a hardened way.

root # emerge --oneshot sys-devel/gcc
root # emerge --oneshot sys-devel/binutils sys-libs/glibc

The above commands rebuild GCC, which can now be used to compile hardened software. Make sure that the selected compiler is the version just built:

root # gcc-config -l
[1] x86_64-pc-linux-gnu-9.3.0 *
[2] x86_64-pc-linux-gnu-8.5.0

Finally source the new profile settings:

root # source /etc/profile

If the "prelink" package is installed, remove it, since it is not compatible with the hardened profile:

root # emerge --depclean prelink

Now reinstall all packages with the new hardened toolchain:

root # emerge --emptytree --verbose @world

Install kernel sources:

root # emerge --ask gentoo-sources

Now configure/compile the sources and add the new kernel to the boot manager (e.g. GRUB).
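After the @world rebuild it is worth checking that binaries actually carry the protections the hardened toolchain is expected to add. The following checker is an added example, not part of the wiki page or of any Gentoo tool: it reads the ELF64 headers directly and reports PIE (e_type ET_DYN), a non-executable stack (PT_GNU_STACK without PF_X), RELRO (PT_GNU_RELRO present) and stack-smashing protection (an imported __stack_chk_fail in .dynstr). The build_sample_elf() helper constructs a tiny, non-loadable image so the script can be tried offline; run it on real files with `python3 elfcheck.py /path/to/binary ...`.

```python
import struct
import sys

# ELF constants used below (values from the ELF specification / binutils)
ET_DYN = 3                                         # shared objects and PIE executables
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
PF_X = 1

def inspect_elf(data):
    """Return which hardening properties a 64-bit ELF image carries."""
    if data[:4] != b"\x7fELF" or data[4] != 2:
        raise ValueError("only ELF64 images are handled here")
    e = "<" if data[5] == 1 else ">"               # byte order from e_ident
    (e_type,) = struct.unpack_from(e + "H", data, 16)
    e_phoff, e_shoff = struct.unpack_from(e + "QQ", data, 32)
    phentsize, phnum, shentsize, shnum, shstrndx = struct.unpack_from(e + "5H", data, 54)
    nx_stack, relro = False, False
    for i in range(phnum):
        p_type, p_flags = struct.unpack_from(e + "II", data, e_phoff + i * phentsize)
        if p_type == PT_GNU_STACK:                 # missing => executable stack on x86
            nx_stack = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:               # partial RELRO; full RELRO also needs BIND_NOW
            relro = True
    def shdr(i):  # (name, type, flags, addr, offset, size, link, info, align, entsize)
        return struct.unpack_from(e + "IIQQQQIIQQ", data, e_shoff + i * shentsize)
    canary = False
    if shnum and shstrndx < shnum:
        off, size = shdr(shstrndx)[4:6]            # section-name string table
        names = data[off:off + size]
        for i in range(shnum):
            sh = shdr(i)
            if names[sh[0]:].split(b"\0", 1)[0] == b".dynstr":
                # SSP-built, dynamically linked code imports __stack_chk_fail from libc
                canary = b"__stack_chk_fail\0" in data[sh[4]:sh[4] + sh[5]]
    # note: ET_DYN is also the type of shared libraries, so "pie" is meaningful for executables
    return {"pie": e_type == ET_DYN, "nx_stack": nx_stack, "relro": relro, "stack_protector": canary}

def build_sample_elf(pie=True, nx=True, relro=True, ssp=True):
    """Constructed ELF64 image (headers only, not loadable) used to exercise inspect_elf."""
    phdrs = [(PT_GNU_STACK, 6 | (0 if nx else PF_X))] + ([(PT_GNU_RELRO, 4)] if relro else [])
    names = b"\0.shstrtab\0.dynstr\0"
    dynstr = b"\0" + (b"__stack_chk_fail\0" if ssp else b"puts\0")
    data_off = 64 + 56 * len(phdrs)                 # section contents follow the program headers
    shoff = data_off + len(names) + len(dynstr)     # section headers come last
    out = b"\x7fELF\x02\x01\x01" + b"\0" * 9        # ELFCLASS64, little-endian, version 1
    out += struct.pack("<HHIQQQIHHHHHH", ET_DYN if pie else 2, 62, 1, 0, 64, shoff, 0,
                       64, 56, len(phdrs), 64, 3, 1)
    out += b"".join(struct.pack("<II6Q", t, f, 0, 0, 0, 0, 0, 0) for t, f in phdrs)
    out += names + dynstr
    for name, off, size in ((0, 0, 0), (1, data_off, len(names)), (11, data_off + len(names), len(dynstr))):
        out += struct.pack("<IIQQQQIIQQ", name, 3 if size else 0, 0, 0, off, size, 0, 0, 1, 0)
    return out

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, inspect_elf(f.read()))
    if len(sys.argv) == 1:
        print("constructed sample:", inspect_elf(build_sample_elf()))
```

A statically linked binary keeps its symbols in .strtab rather than .dynstr, and a function that needs no canary never references __stack_chk_fail, so a False stack_protector result is a prompt to look closer, not proof that SSP was disabled.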

Tips and tricks

Disable hardening settings on a per-package basis

Warning
This method is not supported by Gentoo and is extremely unlikely to be necessary nowadays. All major distributions ship with PIE by default now.

To disable protections per-package, use C(XX)FLAGS via package.env. Create the file /etc/portage/env/nossp and add to that:

FILE /etc/portage/env/nossp: Disable SSP
CFLAGS="${CFLAGS} -fno-stack-protector"
CXXFLAGS="${CXXFLAGS} -fno-stack-protector"

To allow for disabling PIE, create and add to /etc/portage/env/nopie:

FILE /etc/portage/env/nopie: Disable PIE
CFLAGS="${CFLAGS} -no-pie"
CXXFLAGS="${CXXFLAGS} -no-pie"
LDFLAGS="${LDFLAGS} -no-pie"

Finally, for the package concerned, add a line to /etc/portage/package.env that names the relevant /etc/portage/env/<filename> (nopie or nossp). In this example sys-libs/zlib is used:

FILE /etc/portage/package.env: Disable PIE for sys-libs/zlib
sys-libs/zlib nopie

See also

For more information, check out the following resources: