Diffstat (limited to 'core/hardening.html')
-rw-r--r-- | core/hardening.html | 197 |
1 files changed, 197 insertions, 0 deletions
diff --git a/core/hardening.html b/core/hardening.html new file mode 100644 index 0000000..478c911 --- /dev/null +++ b/core/hardening.html 
@@ -0,0 +1,197 @@ +<!DOCTYPE html> +<html dir="ltr" lang="en"> + <head> + <meta charset='utf-8'> + <title>Hardening</title> + </head> + <body> + + <a href="index.html">Tools Index</a> + + <h1>Hardening</h1> + + <p>Kernel in ports have upstream linux kernel and + grsecurity patch, it should break some functionality + for the user and pkgmk user if tpe protection is active.</p> + + <pre> + $ sudo prt-get depinst gradm paxtest paxd checksec lynis + </pre> + + <p>Check <a href="grsecurity.html">grsecurity</a> on how to setup + kernel, pax and gradm.</p> + + <p>Lynis tries to give system overall configuration, without + changing default profile run irrelevant tests. Create a lynis + profile by coping default one and run lynis;</p> + + <pre> + $ sudo cp /etc/lynis/default.prf /etc/lynis/custom.prf + $ sudo lynis configure settings color=yes + $ sudo lynis show settings + $ sudo lynis show profile + </pre> + + <pre> + $ lynis audit system > lynis_report + $ mv /tmp/lynis.log . + $ mv /tmp/lynis-report.dat . + </pre> + + <p>Add unnecessary tests to profile to have less noise.</p> + + <h2 id="toolchain">Rebuild Toolchain</h2> + + <p>Add flags to pkgmk configuration and change specific ports that + don't build with hardening flags. More information about + <a href="https://wiki.archlinux.org/index.php/DeveloperWiki:Security">arch security</a>, + gentoo security, + <a href="http://gcc.gnu.org/onlinedocs/gcc/Instrumentation-Options.html#Instrumentation-Options">gcc</a> instrumentation-options + and <a href="http://www.gnu.org/software/libc/manual/html_node/Configuring-and-compiling.html">glibc</a> + configuring and compiling. 
Edit /etc/pkgmk.conf;</p> + + <pre> + export CPPFLAGS="-D_FORTIFY_SOURCE=2" + export CFLAGS="-O2 -march=native -mtune=native -fstack-protector-strong --param=ssp-buffer-size=4" + export CXXFLAGS="${CFLAGS}" + export LDFLAGS="-z relro" + </pre> + + <h3>Core</h3> + + <p>Ports in core collection that need to be changed in order + to build with pkgmk harden configuration.</p> + + <h4>Glibc</h4> + + <ul> + <li><a href="http://www.linuxfromscratch.org/lfs/view/development/chapter06/glibc.html">lfs</a></li> + <li><a href="https://git.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/glibc">arch</a></li> + </ul> + + <pre> + export CPPFLAGS="" + export CFLAGS="-O2 -march=native -mtune=native" + export CXXFLAGS="${CFLAGS}" + export LDFLAGS="" + </pre> + + <pre> + ../$name-${version:0:4}/configure --prefix=/usr \ + --libexecdir=/usr/lib \ + --with-headers=$PKG/usr/include \ + --enable-kernel=3.12 \ + --enable-add-ons \ + --enable-static-nss \ + --disable-profile \ + --disable-werror \ + --without-gd \ + --enable-obsolete-rpc \ + --enable-multi-arch \ + --enable-stackguard-randomization \ + --enable-stack-protector=strong + </pre> + + <h4>Gcc</h4> + + <ul> + <li><a href="http://www.linuxfromscratch.org/lfs/view/development/chapter06/gcc.html">lfs</a></li> + <li><a href="https://git.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/gcc">arch</a></li> + </ul> + + <pre> + export CPPFLAGS="" + export CFLAGS="-O2 -march=native -mtune=native" + export CXXFLAGS="${CFLAGS}" + export LDFLAGS="" + </pre> + + <h4>libcap</h4> + + <ul> + <li><a href="http://www.linuxfromscratch.org/lfs/view/development/chapter06/libcap.html">lfs</a></li> + <li><a href="https://git.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/libcap">arch</a></li> + </ul> + + <h4>bzip2</h4> + + <ul> + <li><a href="http://www.linuxfromscratch.org/lfs/view/development/chapter06/bzip2.html">lfs</a></li> + <li><a 
href="https://git.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/bzip2">arch</a></li> + </ul> + + <h4>hdparm</h4> + + <ul> + <li><a href="http://www.linuxfromscratch.org/blfs/view/svn/general/hdparm.html">lfs</a></li> + <li><a href="https://git.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/hdparm">arch</a></li> + </ul> + + <h3>Opt</h3> + + <h4>lsof</h4> + + <ul> + <li><a href="http://www.linuxfromscratch.org/blfs/view/svn/general/lsof.html">lfs</a></li> + <li><a href="https://git.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/lsof">arch</a></li> + </ul> + + <h4>python</h4> + + <ul> + <li><a href="http://www.linuxfromscratch.org/blfs/view/svn/general/python2.html">lfs</a></li> + <li><a href="https://git.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/python2">arch</a></li> + </ul> + + <h4>zip</h4> + + <ul> + <li><a href="http://www.linuxfromscratch.org/blfs/view/svn/general/zip.html">lfs</a></li> + <li><a href="https://git.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/zip">arch</a></li> + </ul> + + <h4>glew</h4> + + <ul> + <li><a href="https://git.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/glew">arch</a></li> + </ul> + + <h4>dmenu</h4> + + <ul> + <li><a href="https://git.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/dmenu">arch</a></li> + </ul> + + <h4>Boost</h4> + + <ul> + <li><a href="http://www.linuxfromscratch.org/blfs/view/svn/general/boost.html">lfs</a></li> + <li><a href="https://git.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/boost">arch</a></li> + </ul> + + <pre> + export CPPFLAGS="" + export CFLAGS="-O2 -march=native -mtune=native" + export CXXFLAGS="${CFLAGS}" + export LDFLAGS="" + </pre> + + <h3>Contrib</h3> + + <h4>gsl</h4> + + <ul> + <li><a href="http://www.linuxfromscratch.org/blfs/view/svn/general/gsl.html">lfs</a></li> + <li><a 
href="https://git.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/gsl">arch</a></li> + </ul> + + + <a href="index.html">Tools Index</a> + <p>This is part of the c9-doc Manual. + Copyright (C) 2017 + c9 team. + See the file <a href="../fdl-1.3-standalone.html">Gnu Free Documentation License</a> + for copying conditions.</p> + + </body> +</html> |
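Review bot: the `/etc/pkgmk.conf` flag block in this hunk only gives partial RELRO and no PIE, so it falls short of what the surrounding text calls a "harden configuration". `export LDFLAGS="-z relro"` leaves the GOT writable until lazy binding finishes; full RELRO needs `-z relro -z now`, and address-space randomization of the main executable needs `-fPIE` in CFLAGS and `-pie` in LDFLAGS (a `checksec` run, which the page already installs, will report both as missing). In the same block, `--param=ssp-buffer-size=4` has no effect alongside `-fstack-protector-strong`; that parameter only changes which functions get a canary under plain `-fstack-protector`, so it can be dropped. Two wording fixes for the prose: the opening paragraph should read that the ports kernel carries the upstream Linux kernel plus the grsecurity patch, and that TPE, when active, may break functionality for regular users and for the pkgmk user; and "Add unnecessary tests to profile to have less noise" should say that tests to be skipped are added to the custom profile, since the goal is to exclude them.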