The kernel port ships the upstream Linux kernel plus the grsecurity patch. With TPE (Trusted Path Execution) protection active it may break some functionality for regular users and for the pkgmk user.
$ sudo prt-get depinst gradm paxtest paxd checksec lynis
See the grsecurity documentation for how to set up the kernel, PaX and gradm.
Lynis audits the overall system configuration; with the unchanged default profile it also runs tests that are irrelevant here. Create a Lynis profile by copying the default one, then run lynis;
$ sudo cp /etc/lynis/default.prf /etc/lynis/custom.prf
$ sudo lynis configure settings color=yes
$ sudo lynis show settings
$ sudo lynis show profile
$ lynis audit system > lynis_report
$ mv /tmp/lynis.log .
$ mv /tmp/lynis-report.dat .
List the unnecessary tests in the profile so they are skipped and the report has less noise.
Add the hardening flags to the pkgmk configuration and adjust the specific ports that don't build with them. More information: Arch security, Gentoo security, GCC instrumentation options, and glibc configuring and compiling. Edit /etc/pkgmk.conf;
export CPPFLAGS="-D_FORTIFY_SOURCE=2"
export CFLAGS="-O2 -march=native -mtune=native -fstack-protector-strong --param=ssp-buffer-size=4"
export CXXFLAGS="${CFLAGS}"
export LDFLAGS="-z relro"
Ports in the core collection that need to be changed in order to build with the hardened pkgmk configuration (each override below resets the flags for one port; glibc also passes its own stack-protector and stack-guard options to configure).
export CPPFLAGS=""
export CFLAGS="-O2 -march=native -mtune=native"
export CXXFLAGS="${CFLAGS}"
export LDFLAGS=""

../$name-${version:0:4}/configure --prefix=/usr \
    --libexecdir=/usr/lib \
    --with-headers=$PKG/usr/include \
    --enable-kernel=3.12 \
    --enable-add-ons \
    --enable-static-nss \
    --disable-profile \
    --disable-werror \
    --without-gd \
    --enable-obsolete-rpc \
    --enable-multi-arch \
    --enable-stackguard-randomization \
    --enable-stack-protector=strong

export CPPFLAGS=""
export CFLAGS="-O2 -march=native -mtune=native"
export CXXFLAGS="${CFLAGS}"
export LDFLAGS=""

export CPPFLAGS=""
export CFLAGS="-O2 -march=native -mtune=native"
export CXXFLAGS="${CFLAGS}"
export LDFLAGS=""
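As an added example, not part of the c9 manual or of checksec, here is a small Python checker for what the pkgmk flags above should leave in a built binary: RELRO level from PT_GNU_RELRO plus BIND_NOW (-z relro), NX from the PT_GNU_STACK flags, the stack canary via the __stack_chk_fail import (-fstack-protector-strong) and FORTIFY via __*_chk symbols (-D_FORTIFY_SOURCE=2). The function names elf_hardening and build_sample_elf are this example's own; it assumes a little-endian ELF64 target and feeds itself a constructed, non-loadable ELF image as sample input, so a port built with the reset flags would show the protections missing.

```python
import re
import struct

PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474E551, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW, PF_X = 0x8, 0x1, 0x1

def elf_hardening(data: bytes) -> dict:
    """Report RELRO level, NX stack, stack canary and FORTIFY use for a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    (e_phoff,) = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    has_relro, nx_stack, bind_now = False, False, False  # no PT_GNU_STACK at all counts as NX off
    for i in range(e_phnum):
        p_type, p_flags, p_offset, _, _, p_filesz = struct.unpack_from("<IIQQQQ", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_RELRO:          # -z relro: GOT/.dynamic made read-only after relocation
            has_relro = True
        elif p_type == PT_GNU_STACK:        # stack is NX only if this segment exists and lacks PF_X
            nx_stack = not (p_flags & PF_X)
        elif p_type == PT_DYNAMIC:          # -z now shows up as BIND_NOW / DF_1_NOW in .dynamic
            for off in range(p_offset, p_offset + p_filesz, 16):
                d_tag, d_val = struct.unpack_from("<qQ", data, off)
                if d_tag == DT_NULL:
                    break
                if d_tag == DT_BIND_NOW or (d_tag == DT_FLAGS and d_val & DF_BIND_NOW) \
                        or (d_tag == DT_FLAGS_1 and d_val & DF_1_NOW):
                    bind_now = True
    return {
        "relro": "full" if has_relro and bind_now else "partial" if has_relro else "none",
        "nx": nx_stack,
        # -fstack-protector-strong makes the binary import __stack_chk_fail; -D_FORTIFY_SOURCE=2 swaps
        # libc calls for their __*_chk variants, so both leave their names in the dynamic string table
        "canary": b"__stack_chk_fail\x00" in data,
        "fortify": sorted(set(m.decode() for m in re.findall(rb"(__[a-z0-9_]+_chk)\x00", data))),
    }

def build_sample_elf(relro: bool, bind_now: bool, canary: bool) -> bytes:
    """Constructed, non-loadable ELF64 image with just the headers the checks above look at."""
    phdrs = [(PT_GNU_STACK, 0x6, 0, 0, 0, 0, 0, 16)]                 # RW stack, no PF_X
    if relro:
        phdrs.append((PT_GNU_RELRO, 0x4, 0, 0, 0, 0, 0, 1))
    dyn = struct.pack("<qQqQ", DT_FLAGS_1, DF_1_NOW if bind_now else 0, DT_NULL, 0)
    dyn_off = 64 + 56 * (len(phdrs) + 1)                              # right after the program headers
    phdrs.append((PT_DYNAMIC, 0x6, dyn_off, 0, 0, len(dyn), len(dyn), 8))
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", 2, 62, 1, 0, 64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    strtab = b"__memcpy_chk\x00" + (b"__stack_chk_fail\x00" if canary else b"")
    return ehdr + b"".join(struct.pack("<IIQQQQQQ", *p) for p in phdrs) + dyn + strtab
```

Run elf_hardening on the bytes of a real binary from a freshly built package to compare against what checksec prints; a full RELRO result needs -z now in LDFLAGS in addition to the -z relro shown above.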
This is part of the c9-doc Manual. Copyright (C) 2017 c9 team. See the file Gnu Free Documentation License for copying conditions.