Greetings,
I am looking to build a new Opteron server soon, and I want to look at
securing it with SELinux.
Due to my own ignorance, I am a little confused as to the differences
between the Hardened project and SELinux, PaX, GRSecurity etc.
My feeling is that the hardened project is really a collection of
like-minded security projects (i.e. selinux, grsecurity, pax).
And that using the hardened USE flag, binaries that support it will build
with hardened security features.
As I am building this new AMD64 system from scratch, where should I
start? What stage tarball should I be using? What livecd?
Most importantly what profile do I use?
/usr/portage/profiles/hardened/amd64/ or /usr/portage/profiles/selinux/ ?
Should I be using the selinux USE flag these days, or is that
deprecated in favour of the selinux profile? Should I have both?
My guess is that I should use a PaX-enabled kernel with SELinux, or
perhaps GRSecurity, or even both.
Any pointers to get me started would be most appreciated.
Cheers,
Chris
--
gentoo-security@gentoo.org mailing list