Hardened Gentoo

From Gentoo Wiki
Jump to:navigation Jump to:search
This page contains changes which are not marked for translation.

Gentoo Hardened is a Gentoo project that offers multiple additional security services on top of the well-known Gentoo Linux installation.

Whether running an Internet-facing server or a flexible workstation, when dealing with multiple threats it can be advantageous to harden the system further than just automatically applying the latest security patches. Hardening a system means taking additional countermeasures against attacks and other risks and is usually a combined set of activities performed on the system.

The base of Gentoo Hardened is a hardened toolchain by enabling specific options in the toolchain (compiler, linker ...) such as forcing position-independent executables (PIE), stack smashing protection and compile-time buffer checks. See the table.

Within Gentoo Hardened, several additional projects are active that help further harden a Gentoo system through:

  • Enabling SELinux extensions in the Linux kernel, which offers a Mandatory Access Control system enhancing the standard Linux permission restrictions.
  • Enabling Integrity related technologies, such as Integrity Measurement Architecture, for making systems resilient against tampering.

Of course, this includes the necessary userspace utilities to manage these extensions.

Switching to a Hardened profile

Read relevant documentation before performing any profile changes.

Select a hardened profile, so that package management will be done in a hardened way.

root #eselect profile list
root #eselect profile set [number of hardened profile]
root #source /etc/profile

By choosing the hardened profile, certain package management settings (masks, USE flags, etc) become default for the system. This applies to many packages, including the toolchain. The toolchain is used for building/compiling programs, and includes: the GNU Compiler Collection (GCC), binutils (linker, etc.), and the GNU C library (glibc). By re-emerging the toolchain, these new default settings will apply to the toolchain, which will allow all future package compiling to be done in a hardened way.

root #emerge --oneshot sys-devel/gcc
root #emerge --oneshot sys-devel/binutils sys-libs/glibc

The above commands rebuilt GCC, which can now be used to compile hardened software. Make sure that the compiler selected is the version just built:

root #gcc-config -l
[1] x86_64-pc-linux-gnu-9.3.0 *
[2] x86_64-pc-linux-gnu-8.5.0

Finally source the new profile settings:

root #source /etc/profile

If using the "prelink" package, remove it, since it isn't compatible with the hardened profile:

root #emerge --depclean prelink

Now reinstall all packages with the new hardened toolchain:

root #emerge --emptytree --verbose @world

Install kernel sources:

root #emerge --ask gentoo-sources

Now configure/compile the sources and add the new kernel to the boot manager (e.g. GRUB).

Tips and tricks

Disable hardening settings on a per package basis

This method is not supported by Gentoo and is extremely unlikely to be necessary nowadays. All major distributions ship with PIE by default now.

To disable protections per-package, use C(XX)FLAGS via package.env. Create the file /etc/portage/env/nossp and add to that:

FILE /etc/portage/env/nosspDisable SSP
CFLAGS="${CFLAGS} -fno-stack-protector"
CXXFLAGS="${CXXFLAGS} -fno-stack-protector"

To allow for disabling PIE, create and add to /etc/portage/env/nopie:

FILE /etc/portage/env/nopieDisable PIE
CFLAGS="${CFLAGS} -no-pie"
LDFLAGS="${LDFLAGS} -no-pie"

Finally for the package concerned, add either PIE or SSP for to /etc/portage/package.env and the relevant /etc/portage/env/<filename>, for this example sys-libs/zlib is used here:

FILE /etc/portage/package.envDisable PIE for sys-libs/zlib
sys-libs/zlib nopie

See also

For more information, check out the following resources: