Hardened Gentoo/zh-cn

Gentoo Hardened is a Gentoo project that provides several additional security services on top of an existing Gentoo Linux installation. Although each of these services can be used on its own, Gentoo Hardened enables a number of toolchain options that reduce the risk of successful attacks, and supports PaX, grSecurity, SELinux, TPE and more.

Whether you run an Internet-facing server or a flexible workstation, when you face a range of threats you would rather harden your system than merely apply the latest security patches automatically. A "hardened" system means that you take additional measures against attacks and other risks; these measures are usually a combination of several activities carried out on the system.

Within Gentoo Hardened, several projects are active that help you further harden your Gentoo system through:
 * Enabling specific options in the toolchain (compiler, linker, ...) such as forcing position-independent executables (PIE), stack smashing protection (SSP) and compile-time buffer checks.
 * Enabling PaX extensions in the Linux kernel, which offer additional protection measures like address space layout randomization and non-executable memory.
 * Enabling grSecurity extensions in the Linux kernel, including additional chroot restrictions, additional auditing, process restrictions, etc.
 * Enabling SELinux extensions in the Linux kernel, which offer a Mandatory Access Control system that enhances the standard Linux permission restrictions.
 * Enabling integrity-related technologies, such as the Integrity Measurement Architecture (IMA), to make systems resilient against tampering.

Of course, this includes the necessary userspace utilities to manage these extensions.

Switching to a Hardened Profile
Select a hardened profile, so that package management will be done in a hardened way.

By choosing the hardened profile, certain package management settings (masks, USE flags, etc) become default for your system. This applies to many packages, including the toolchain. The toolchain is used for building/compiling your programs, and includes: the GNU Compiler Collection (GCC), binutils (linker, etc.), and the GNU C library (glibc). By re-emerging the toolchain, these new default settings will apply to the toolchain, which will allow all future package compiling to be done in a hardened way.

The above commands rebuilt GCC, which can now be used to compile hardened software. Make sure that the hardened option is selected for GCC.

In the example output above, the hardened GCC profile is the one without a suffix. If you want to disable PIE or SSP, choose the relevant hardenedno(pie|ssp) or both, hardenednopiessp. The vanilla profile is of course the one with hardening disabled. Finally source your new profile settings:

If you use the "prelink" package, remove it, since it isn't compatible with the hardened profile:

Now you can reinstall all packages with your new hardened toolchain:

Install hardened kernel sources, so that the kernel will *manage your running system* in a hardened way (especially using PaX):

Now configure/compile the sources and add the new kernel to your boot manager (ie., GRUB).

Hardened Gentoo/Grsecurity chroot
If you want to chroot into a copied environment on a kernel with CONFIG_GRKERNSEC_CHROOT enabled, you must boot using the GRUB on the CD and change the root, kernel and initrd entries from (cd) to (hdx,y).

Now you can install the grub environment.

Per Package Hardening Settings
Changing the GCC profile to deal with specific packages can be a pain. A way to avoid this is to set per-package C(XX)FLAGS using package.env. Create the file and add the following to it:

To allow for disabling PIE, create and add to :

Finally add the package you want to disable either PIE or SSP for to and the relevant, for this example  is used here:

External resources

 * http://www.rockfloat.com/howto/gentoo-hardened.html#kernel