Hardened Gentoo
Gentoo Hardened is a Gentoo project that offers multiple additional security services on top of the well-known Gentoo Linux installation.
Whether running an Internet-facing server or a flexible workstation, when dealing with multiple threats it can be advantageous to harden the system further than just automatically applying the latest security patches. Hardening a system means taking additional countermeasures against attacks and other risks and is usually a combined set of activities performed on the system.
The base of Gentoo Hardened is a hardened toolchain: the compiler, linker and C library are built with specific options enabled by default, such as producing position-independent executables (PIE), stack smashing protection (SSP) and compile-time buffer checks (_FORTIFY_SOURCE). See the table.
Within Gentoo Hardened, several additional projects are active that help further harden a Gentoo system through:
- Enabling SELinux extensions in the Linux kernel, which offers a Mandatory Access Control system enhancing the standard Linux permission restrictions.
- Enabling Integrity related technologies, such as Integrity Measurement Architecture, for making systems resilient against tampering.
Of course, this includes the necessary userspace utilities to manage these extensions.
Switching to a Hardened profile
Read relevant documentation before performing any profile changes.
Select a hardened profile, so that package management will be done in a hardened way.
root # eselect profile list
root # eselect profile set [number of hardened profile]
root # source /etc/profile
By choosing the hardened profile, certain package management settings (masks, USE flags, etc) become default for the system. This applies to many packages, including the toolchain. The toolchain is used for building/compiling programs, and includes: the GNU Compiler Collection (GCC), binutils (linker, etc.), and the GNU C library (glibc). By re-emerging the toolchain, these new default settings will apply to the toolchain, which will allow all future package compiling to be done in a hardened way.
root # emerge --oneshot sys-devel/gcc
root # emerge --oneshot sys-devel/binutils sys-libs/glibc
The above commands rebuild GCC, binutils and glibc with the hardened profile's defaults; GCC can now be used to compile hardened software (gcc -v should list --enable-default-pie and --enable-default-ssp among its configure options). Make sure that the compiler selected (marked with *) is the version just built; if not, select it with gcc-config [number]:
root # gcc-config -l
 [1] x86_64-pc-linux-gnu-9.3.0 *
 [2] x86_64-pc-linux-gnu-8.5.0
Finally, source the new profile settings:
root # source /etc/profile
If using the "prelink" package, remove it, since it isn't compatible with the hardened profile: prelink rewrites executables and shared libraries to fixed load addresses, which conflicts with PIE and defeats the address-space randomization it is meant to provide. Undo the prelinking of installed binaries first (prelink -ua), then remove the package:
root # emerge --depclean prelink
Now reinstall all packages with the new hardened toolchain. This rebuilds every package in the @world set and its dependencies, so expect it to take a long time:
root # emerge --emptytree --verbose @world
If not using a distribution kernel, the kernel should be built with the new toolchain as well. Reinstall the kernel sources:
root # emerge --ask sys-kernel/gentoo-sources
Now configure and compile the sources and add the new kernel to the boot manager (e.g. GRUB).
Tips and tricks
Disable hardening settings on a per package basis
This method is not supported by Gentoo and is extremely unlikely to be necessary nowadays. All major distributions ship with PIE by default now.
To disable protections per package, override C(XX)FLAGS and LDFLAGS for that package via package.env. To disable stack smashing protection, create the file /etc/portage/env/nossp with:
CFLAGS="${CFLAGS} -fno-stack-protector"
CXXFLAGS="${CXXFLAGS} -fno-stack-protector"
To disable PIE, create /etc/portage/env/nopie with the following. The compiler needs -fno-PIE to stop generating position-independent code, and -no-pie at link time stops the driver from passing -pie to the linker; since not every build system hands LDFLAGS to the link step, -no-pie is also kept in the compiler flags:
CFLAGS="${CFLAGS} -fno-PIE -no-pie"
CXXFLAGS="${CXXFLAGS} -fno-PIE -no-pie"
LDFLAGS="${LDFLAGS} -no-pie"
Finally, for the package concerned, add a line to /etc/portage/package.env that maps the package atom to the relevant /etc/portage/env/<filename> (nopie or nossp, or both). In this example sys-libs/zlib is used:
sys-libs/zlib nopie
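Whether the point is to confirm that the rebuilt toolchain now emits hardened binaries (after the @world rebuild above) or to confirm that a per-package opt-out such as the nopie example actually took effect, the check is the same: inspect the resulting ELF file. Gentoo's own tool for this is scanelf from app-misc/pax-utils; the script below is an added example written for this page, not part of Gentoo or pax-utils, and reads the ELF64 headers directly so it needs neither readelf nor scanelf. It reports PIE, a non-executable stack, RELRO/BIND_NOW and a stack-protector reference. The build_sample_elf() helper produces a constructed, non-loadable image carrying only the headers the checker inspects, so the example runs offline; pass real paths on the command line to check installed binaries.

```python
"""Check an ELF64 binary for the markers a hardened toolchain leaves behind.

Added example for the Hardened Gentoo wiki page (not Gentoo's own code): parses
ELF program headers and the dynamic section to report PIE, NX stack, RELRO and
a stack-protector reference. build_sample_elf() is a constructed test image."""
import struct
import sys

# ELF constants, as in <elf.h>
ET_EXEC, ET_DYN = 2, 3
PT_LOAD, PT_DYNAMIC, PT_INTERP = 1, 2, 3
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
PF_X = 0x1
DT_NULL, DT_FLAGS, DT_FLAGS_1 = 0, 30, 0x6FFFFFFB
DF_BIND_NOW = 0x8
DF_1_NOW, DF_1_PIE = 0x1, 0x08000000


def check_elf(data: bytes) -> dict:
    """Return the hardening markers found in an in-memory ELF64 image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    if data[4] != 2:
        raise ValueError("only ELF64 is handled in this example")
    end = "<" if data[5] == 1 else ">"          # EI_DATA: little/big endian
    (e_type,) = struct.unpack_from(end + "H", data, 16)
    (e_phoff,) = struct.unpack_from(end + "Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)

    has_interp = has_relro = False
    stack_flags = None
    dyn_flags = dyn_flags_1 = 0
    for i in range(e_phnum):
        base = e_phoff + i * e_phentsize
        p_type, p_flags, p_offset = struct.unpack_from(end + "IIQ", data, base)
        (p_filesz,) = struct.unpack_from(end + "Q", data, base + 32)
        if p_type == PT_INTERP:
            has_interp = True
        elif p_type == PT_GNU_STACK:
            stack_flags = p_flags
        elif p_type == PT_GNU_RELRO:
            has_relro = True
        elif p_type == PT_DYNAMIC:
            # Walk the dynamic section for DT_FLAGS / DT_FLAGS_1 (BIND_NOW, PIE).
            for off in range(p_offset, p_offset + p_filesz, 16):
                d_tag, d_val = struct.unpack_from(end + "qQ", data, off)
                if d_tag == DT_NULL:
                    break
                if d_tag == DT_FLAGS:
                    dyn_flags = d_val
                elif d_tag == DT_FLAGS_1:
                    dyn_flags_1 = d_val

    bind_now = bool(dyn_flags & DF_BIND_NOW) or bool(dyn_flags_1 & DF_1_NOW)
    return {
        # ET_DYN alone also describes shared libraries; an interpreter or the
        # DF_1_PIE flag marks an executable. Intended for executables, not .so files.
        "pie": e_type == ET_DYN and (has_interp or bool(dyn_flags_1 & DF_1_PIE)),
        # Without a PT_GNU_STACK header the kernel may grant an executable stack.
        "nx_stack": stack_flags is not None and not stack_flags & PF_X,
        "relro": "full" if has_relro and bind_now else "partial" if has_relro else "none",
        # Heuristic: SSP-instrumented functions call __stack_chk_fail, so a
        # canary-protected binary references it. A binary with no stack buffers
        # may legitimately lack the reference.
        "stack_protector": b"__stack_chk_fail" in data,
    }


def hardening_failures(result: dict) -> list:
    """List the protections missing from a check_elf() result (empty = hardened)."""
    failures = []
    if not result["pie"]:
        failures.append("not PIE")
    if not result["nx_stack"]:
        failures.append("executable stack")
    if result["relro"] != "full":
        failures.append("RELRO " + result["relro"])
    if not result["stack_protector"]:
        failures.append("no __stack_chk_fail reference")
    return failures


def build_sample_elf(*, pie=True, nx=True, relro=True, bind_now=True, ssp=True) -> bytes:
    """Constructed minimal ELF64 (x86-64) image for offline testing; not loadable."""
    segs = [(PT_INTERP, 4), (PT_LOAD, 5), (PT_DYNAMIC, 6), (PT_GNU_STACK, 6 if nx else 7)]
    if relro:
        segs.append((PT_GNU_RELRO, 4))
    phoff, phentsize = 64, 56
    dyn_off = phoff + phentsize * len(segs)
    dyn = struct.pack("<qQ", DT_FLAGS, DF_BIND_NOW if bind_now else 0)
    dyn += struct.pack("<qQ", DT_FLAGS_1, (DF_1_PIE if pie else 0) | (DF_1_NOW if bind_now else 0))
    dyn += struct.pack("<qQ", DT_NULL, 0)
    tail = b"__stack_chk_fail\0" if ssp else b"main\0"   # stand-in for a string table
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8   # ELF64, LSB, version 1
    ehdr += struct.pack("<HHIQQQIHHHHHH", ET_DYN if pie else ET_EXEC, 62, 1, 0x1000,
                        phoff, 0, 0, 64, phentsize, len(segs), 64, 0, 0)
    phdrs = b""
    for p_type, p_flags in segs:
        off, size = (dyn_off, len(dyn)) if p_type == PT_DYNAMIC else (0, 0)
        phdrs += struct.pack("<IIQQQQQQ", p_type, p_flags, off, off, off, size, size, 8)
    return ehdr + phdrs + dyn + tail


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            bad = hardening_failures(check_elf(fh.read()))
        print(f"{path}: {'hardened' if not bad else ', '.join(bad)}")
```

Run it as `python3 check_elf.py /usr/bin/*` after the @world rebuild: on a hardened system the report should be "hardened" for ordinary executables, and a package placed under the nopie example above should show "not PIE" and nothing else. Shared libraries are ET_DYN without a PIE marker, so pass executables rather than .so files.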
See also
For more information, check out the following resources: