This is Gentoo's testing wiki. It is a non-operational environment and its textual content is outdated.
Please visit our production wiki at https://wiki.gentoo.org
Hardened Gentoo
Gentoo Hardened is a Gentoo project that offers multiple additional security services on top of the well-known Gentoo Linux installation. Although each of them can be selected separately, Gentoo Hardened enables several risk-mitigating options in the toolchain, supports PaX, grSecurity, SELinux, TPE and more.
Whether you are running an Internet-facing server or a flexible workstation, when you are dealing with multiple threats you will want to harden your system further than just automatically applying the latest security patches. Hardening a system means that you take additional countermeasures against attacks and other risks and is usually a combined set of activities you perform on the system.
Within Gentoo Hardened, several projects are active that help further harden a Gentoo system through:
- Enabling specific options in the toolchain (compiler, linker ...) such as forcing position-independent executables (PIE), stack smashing protection and compile-time buffer checks.
- Enabling PaX extensions in the Linux kernel, which offer additional protection measures like address space layout randomization and non-executable memory.
- Enabling grSecurity extensions in the Linux kernel, including additional chroot restrictions, additional auditing, process restrictions, etc..
- Enabling SELinux extensions in the Linux kernel, which offers a Mandatory Access Control system enhancing the standard Linux permission restrictions.
- Enabling Integrity related technologies, such as Integrity Measurement Architecture, for making systems resilient against tampering
Of course, this includes the necessary userspace utilities to manage these extensions.
Switching to a Hardened profile
Select a hardened profile, so that package management will be done in a hardened way.
root #eselect profile listroot #eselect profile set [number of hardened profile]root #source /etc/profileBy choosing the hardened profile, certain package management settings (masks, USE flags, etc) become default for your system. This applies to many packages, including the toolchain. The toolchain is used for building/compiling your programs, and includes: the GNU Compiler Collection (GCC), binutils (linker, etc.), and the GNU C library (glibc). By re-emerging the toolchain, these new default settings will apply to the toolchain, which will allow all future package compiling to be done in a hardened way.
root #emerge --oneshot gccroot #emerge --oneshot binutils virtual/libcThe above commands rebuilt GCC, which can now be used to compile hardened software. Make sure that the hardened option is selected for GCC.
root #gcc-config -l
[1] i686-pc-linux-gnu-4.5.3 * [2] i686-pc-linux-gnu-4.5.3-hardenednopie [3] i686-pc-linux-gnu-4.5.3-hardenednopiessp [4] i686-pc-linux-gnu-4.5.3-hardenednossp [5] i686-pc-linux-gnu-4.5.3-vanilla
In the example output above, the hardened GCC profile is the one without a suffix. If you want to disable PIE or SSP, choose the relevant hardenedno(pie|ssp) or both, hardenednopiessp. The vanilla profile is of course the one with hardening disabled. Finally source your new profile settings:
root #source /etc/profileIf you use the "prelink" package, remove it, since it isn't compatible with the hardened profile:
root #emerge --depclean prelinkNow you can reinstall all packages with your new hardened toolchain:
root #emerge --emptytree --verbose @worldInstall hardened kernel sources, so that the kernel will *manage your running system* in a hardened way (especially using PaX):
root #emerge --ask hardened-sourcesNow configure/compile the sources and add the new kernel to your boot manager (ie., GRUB).
Tips and tricks
Hardened Gentoo/Grsecurity chroot
If you want to chroot to a copied environment where the CONFIG_GRKERNSEC_CHROOT is enabled you must use the cd grub and change the root(cd) kernel(cd) initrd(cd) setting to from (cd) to (hdx,y).
Now you can install the grub environment.
Per package hardening settings
This method is not supported by Gentoo.
Changing the GCC profile to deal with specific packages can be a pain. A way to avoid this is to set per-package C(XX)FLAGS using package.env. Create the file /etc/portage/env/nossp and add to that:
/etc/portage/env/nosspDisable SSPCFLAGS="${CFLAGS} -fno-stack-protector" CXXFLAGS="${CXXFLAGS} -fno-stack-protector"
To allow for disabling PIE, create and add to /etc/portage/env/nopie:
/etc/portage/env/nopieDisable PIECFLAGS="${CFLAGS} -no-pie" CXXFLAGS="${CXXFLAGS} -no-pie" LDFLAGS="${LDFLAGS} -no-pie"
GCC version 4.x uses -nopie instead of -no-pie.
Finally add the package you want to disable either PIE or SSP for to /etc/portage/package.env and the relevant /etc/portage/env/<filename>, for this example sys-libs/zlib is used here:
/etc/portage/package.envDisable PIE for sys-libs/zlibsys-libs/zlib nopie
See also
For more information, check out the following resources:
- Gentoo Hardened SELinux Project
- Project:Hardened/Grsecurity2_Quickstart
- Project:Hardened/PaX_Quickstart