diff options
Diffstat (limited to 'core/hardening.html')
-rw-r--r-- | core/hardening.html | 157 |
1 files changed, 6 insertions, 151 deletions
diff --git a/core/hardening.html b/core/hardening.html index 478c911..024c4c9 100644 --- a/core/hardening.html +++ b/core/hardening.html @@ -2,20 +2,20 @@ <html dir="ltr" lang="en"> <head> <meta charset='utf-8'> - <title>Hardening</title> + <title>2.2. Hardening</title> </head> <body> - <a href="index.html">Tools Index</a> + <a href="index.html">Core OS Index</a> - <h1>Hardening</h1> + <h1>2.2. Hardening</h1> <p>Kernel in ports have upstream linux kernel and grsecurity patch, it should break some functionality for the user and pkgmk user if tpe protection is active.</p> <pre> - $ sudo prt-get depinst gradm paxtest paxd checksec lynis + $ sudo prt-get depinst gradm paxtest paxctld checksec lynis </pre> <p>Check <a href="grsecurity.html">grsecurity</a> on how to setup @@ -40,154 +40,9 @@ <p>Add unnecessary tests to profile to have less noise.</p> - <h2 id="toolchain">Rebuild Toolchain</h2> - <p>Add flags to pkgmk configuration and change specific ports that - don't build with hardening flags. More information about - <a href="https://wiki.archlinux.org/index.php/DeveloperWiki:Security">arch security</a>, - gentoo security, - <a href="http://gcc.gnu.org/onlinedocs/gcc/Instrumentation-Options.html#Instrumentation-Options">gcc</a> instrumentation-options - and <a href="http://www.gnu.org/software/libc/manual/html_node/Configuring-and-compiling.html">glibc</a> - configuring and compiling. Edit /etc/pkgmk.conf;</p> - - <pre> - export CPPFLAGS="-D_FORTIFY_SOURCE=2" - export CFLAGS="-O2 -march=native -mtune=native -fstack-protector-strong --param=ssp-buffer-size=4" - export CXXFLAGS="${CFLAGS}" - export LDFLAGS="-z relro" - </pre> - - <h3>Core</h3> - - <p>Ports in core collection that need to be changed in order - to build with pkgmk harden configuration.</p> - - <h4>Glibc</h4> - - <ul> - <li><a href="http://www.linuxfromscratch.org/lfs/view/development/chapter06/glibc.html">lfs</a></li> - <li><a href="https://git.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/glibc">arch</a></li> - </ul> - - <pre> - export CPPFLAGS="" - export CFLAGS="-O2 -march=native -mtune=native" - export CXXFLAGS="${CFLAGS}" - export LDFLAGS="" - </pre> - - <pre> - ../$name-${version:0:4}/configure --prefix=/usr \ - --libexecdir=/usr/lib \ - --with-headers=$PKG/usr/include \ - --enable-kernel=3.12 \ - --enable-add-ons \ - --enable-static-nss \ - --disable-profile \ - --disable-werror \ - --without-gd \ - --enable-obsolete-rpc \ - --enable-multi-arch \ - --enable-stackguard-randomization \ - --enable-stack-protector=strong - </pre> - - <h4>Gcc</h4> - - <ul> - <li><a href="http://www.linuxfromscratch.org/lfs/view/development/chapter06/gcc.html">lfs</a></li> - <li><a href="https://git.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/gcc">arch</a></li> - </ul> - - <pre> - export CPPFLAGS="" - export CFLAGS="-O2 -march=native -mtune=native" - export CXXFLAGS="${CFLAGS}" - export LDFLAGS="" - </pre> - - <h4>libcap</h4> - - <ul> - <li><a href="http://www.linuxfromscratch.org/lfs/view/development/chapter06/libcap.html">lfs</a></li> - <li><a href="https://git.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/libcap">arch</a></li> - </ul> - - <h4>bzip2</h4> - - <ul> - <li><a href="http://www.linuxfromscratch.org/lfs/view/development/chapter06/bzip2.html">lfs</a></li> - <li><a href="https://git.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/bzip2">arch</a></li> - </ul> - - <h4>hdparm</h4> - - <ul> - <li><a href="http://www.linuxfromscratch.org/blfs/view/svn/general/hdparm.html">lfs</a></li> - <li><a href="https://git.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/hdparm">arch</a></li> - </ul> - - <h3>Opt</h3> - - <h4>lsof</h4> - - <ul> - <li><a href="http://www.linuxfromscratch.org/blfs/view/svn/general/lsof.html">lfs</a></li> - <li><a href="https://git.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/lsof">arch</a></li> - </ul> - - <h4>python</h4> - - <ul> - <li><a href="http://www.linuxfromscratch.org/blfs/view/svn/general/python2.html">lfs</a></li> - <li><a href="https://git.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/python2">arch</a></li> - </ul> - - <h4>zip</h4> - - <ul> - <li><a href="http://www.linuxfromscratch.org/blfs/view/svn/general/zip.html">lfs</a></li> - <li><a href="https://git.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/zip">arch</a></li> - </ul> - - <h4>glew</h4> - - <ul> - <li><a href="https://git.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/glew">arch</a></li> - </ul> - - <h4>dmenu</h4> - - <ul> - <li><a href="https://git.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/dmenu">arch</a></li> - </ul> - - <h4>Boost</h4> - - <ul> - <li><a href="http://www.linuxfromscratch.org/blfs/view/svn/general/boost.html">lfs</a></li> - <li><a href="https://git.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/boost">arch</a></li> - </ul> - - <pre> - export CPPFLAGS="" - export CFLAGS="-O2 -march=native -mtune=native" - export CXXFLAGS="${CFLAGS}" - export LDFLAGS="" - </pre> - - <h3>Contrib</h3> - - <h4>gsl</h4> - - <ul> - <li><a href="http://www.linuxfromscratch.org/blfs/view/svn/general/gsl.html">lfs</a></li> - <li><a href="https://git.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/gsl">arch</a></li> - </ul> - - - <a href="index.html">Tools Index</a> - <p>This is part of the c9-doc Manual. + <a href="index.html">Core OS Index</a> + <p>This is part of the c9 Manual. Copyright (C) 2017 c9 team. See the file <a href="../fdl-1.3-standalone.html">Gnu Free Documentation License</a> |