# Jaded stage3 Hardened Guide With Grsecurity & Pax ver1.0

## dbasetrinity

To perform a 2005.1 Stage 1/3 Installation with GCC 3.4.4, follow these steps:

With a hardened profile and grsecurity and pax 

This Installation method is only recommended for an X86 install

So you have been wondering how to install Gentoo with a hardened profile and hardened-sources but you aren't sure where to start? Then this guide might be for you. First of all I would just like to thank Bob P and everyone else who worked on the great stage 1/3 guide that this one is based on. Though this isn't recommended, it works fine here. If you encounter any problems please report them HERE so we can try to resolve any issues.

This guide is deprecated, as Gentoo now uses GCC 3.4.4 by default. So unless you are using an old stage or an old LiveCD (and the stage on that LiveCD), this guide won't be much help on the installation side, with the exception of the Grsecurity and PaX sections.

We now have another guide updated with GCC 3.4.5 and a few other features: Jaded Guide Ver2.0

1. Download and Burn the Minimal Installation CD.  The .ISO image required for the hardware used in this example is

```
wget http://gentoo.osuosl.org/releases/x86/2005.1/installcd/install-x86-minimal-2005.1.iso
```

2. Boot using the Minimal Installation CD. At the "boot:" prompt, press <Enter> to select the default gentoo kernel.

3. Configure LAN Card.  We're assuming that your LAN card has been recognized and that you can obtain a LAN connection via DHCP.

```
# dhcpcd eth0
```

4. Configure Your Hard Disk 

4.1 View the Hard Drive's Operational Parameters. In this example we will assume that only one hard disk will be installed on the system. It will be recognized by Gentoo as /dev/hda. We will start off by viewing the default disk parameters at boot:

```
# hdparm /dev/hda

/dev/hda:
 multcount    = 16 (on)
 IO_support   = 0 (default 16-bit)
 unmaskirq    = 0 (off)
 using_dma    = 1 (on)
 keepsettings = 0 (off)
 readonly     = 0 (off)
 readahead    = 256 (on)
 geometry     = 16383/255/63, sectors = 234441648, start = 0

# hdparm -i /dev/hda

/dev/hda:
 Model=WDC WD1200JB-00GVA0, FwRev=08.02D08, SerialNo=WD-WMAL92634373
 Config={ HardSect NotMFM HdSw>15uSec SpinMotCtl Fixed DTR>5Mbs FmtGapReq }
 RawCHS=16383/16/63, TrkSize=57600, SectSize=600, ECCbytes=74
 BuffType=DualPortCache, BuffSize=8192kB, MaxMultSect=16, MultSect=16
 CurCHS=16383/16/63, CurSects=16514064, LBA=yes, LBAsects=234441648
 IORDY=on/off, tPIO={min:120,w/IORDY:120}, tDMA={min:120,rec:120}
 PIO modes:  pio0 pio1 pio2 pio3 pio4
 DMA modes:  mdma0 mdma1 mdma2
 UDMA modes: udma0 udma1 udma2 udma3 udma4 *udma5
 AdvancedPM=no, WriteCache=enabled
 Drive conforms to: device does not report version:

 * signifies the current active mode
```

4.2 Tweak the Hard Disk Parameters with Hdparm. In this example we're using a WD1200JB. It's possible to get a little better performance out of this drive by issuing a few parameters with hdparm. The following parameters work well with this drive (note that the -u and -c settings can cause data corruption on some controllers, so test them on a scratch system before making them permanent in section 10.6):

```
# hdparm -a256A1c1d1m16u1 /dev/hda

/dev/hda:
 setting fs readahead to 256
 setting 32-bit IO_support flag to 1
 setting multcount to 16
 setting unmaskirq to 1 (on)
 setting using_dma to 1 (on)
 setting drive read-lookahead to 1 (on)
 multcount    = 16 (on)
 IO_support   =  1 (32-bit)
 unmaskirq    =  1 (on)
 using_dma    =  1 (on)
 readahead    = 256 (on)
```

4.3 Test the Hard Drive's Performance.

Typical results for a Pentium 3 with UDMA66:

```
# hdparm -tT /dev/hda

/dev/hda:
 Timing cached reads:   520 MB in  2.01 seconds = 258.75 MB/sec
 Timing buffered disk reads:  114 MB in  3.01 seconds =  37.90 MB/sec
```

4.4 Partition the Hard Drive

4.4.1 Display the Partition Information

Technically, the syntax of this command is used to change the partition information, but on an unpartitioned drive it will display the partition information that is available: 

```
# fdisk /dev/hda

The number of cylinders for this disk is set to 14593.
There is nothing wrong with that, but this is larger than 1024,
and in certain setups could cause problems with:
1) software that runs at boot time (e.g., old versions of LILO)
2) booting and partitioning software from other OSs
   (e.g., DOS FDISK, OS/2 FDISK)

Command (m for help): p

Disk /dev/hda: 120.0 GB, 120034123776 bytes
255 heads, 63 sectors/track, 14593 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

   Device Boot      Start         End      Blocks   Id  System

Command (m for help):
```

4.4.2 Plan Our Partition Scheme:

To keep it simple, we're going to use the following partition scheme. I'll leave out the details, assuming that you know how to partition your hard disk.

```
Partition   File System    ID  Size       Description
/dev/hda1   ReiserFS 3.6   83  100 MB     Boot partition
/dev/hda2   (swap)         82  512 MB     Swap partition
/dev/hda3   ReiserFS 3.6   83  Remainder  Root partition
```

4.4.3 Partition the Hard Disk

4.4.4 Verify the partition configuration.

```
Disk /dev/hda: 120.0 GB, 120034123776 bytes
255 heads, 63 sectors/track, 14593 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

   Device Boot      Start         End      Blocks   Id  System
/dev/hda1   *           1          13      104391   83  Linux
/dev/hda2              14          76      506047+  82  Linux swap
/dev/hda3              77       14593   116607802+  83  Linux
```

4.4.5 Exit Fdisk and Save the Partition Layout Press "w" to write the partition table to disk and exit fdisk.

```
Command (m for help): w
The partition table has been altered!

Calling ioctl() to re-read partition table.
Syncing disks.
```

4.5 Installing File Systems. This example covers the creation of ReiserFS 3.6 on the /boot and / (root) partitions, and of swap on the swap partition.

4.5.1 Install Reiser FS on /dev/hda1 and /dev/hda3:

```
# mkreiserfs /dev/hda1 && mkreiserfs /dev/hda3
```

You will need to answer "Y" when asked if you want to continue installing Reiser FS on the hard disk.

4.5.2 Install the swap partition on /dev/hda2:

```
# mkswap /dev/hda2 && swapon /dev/hda2
```

4.6 Mounting the File Systems. Mount the partitions using the "mount" command.

```
# mount /dev/hda3 /mnt/gentoo
# mkdir /mnt/gentoo/boot
# mount /dev/hda1 /mnt/gentoo/boot
```

5. Installing the Gentoo Installation Files.

5.1 Download the athlon-xp Stage 3 Tarball from the Internet. (Make sure to use the Correct Stage for your system)

Go to the gentoo mount point on your hard disk:

```
# cd /mnt/gentoo
```

We need to download two files from the mirrors: the Stage 3 tarball and its checksum file. We fetch them with the "wget" command at the bash prompt. Each command must be typed on one line:

```
# wget http://gentoo.osuosl.org/releases/x86/2005.1/stages/athlon-xp/stage3-athlon-xp-2005.1.tar.bz2
# wget http://gentoo.osuosl.org/releases/x86/2005.1/stages/athlon-xp/stage3-athlon-xp-2005.1.tar.bz2.md5
```

If you need to check the list of Gentoo mirrors, see http://www.gentoo.org/main/en/mirrors.xml

5.2 Verify the md5sum of the Tarball.

```
# md5sum -c stage3-athlon-xp-2005.1.tar.bz2.md5
stage3-athlon-xp-2005.1.tar.bz2: OK
```

Note that a checksum fetched from the same mirror as the tarball only protects against a corrupted download; it does not prove the tarball is genuine, because anyone who can tamper with the mirror can replace the .md5 file as well. Compare the checksum against one obtained from a source you trust independently of the mirror before unpacking it as root.

5.3 Unpack the Stage 3 Tarball. Unpack the Stage 3 tarball using the following command.

```
# tar -xjpvf stage3-athlon-xp-2005.1.tar.bz2
```

Now is a good time to take a break to re-dose with some caffeine, as this will take a little while...

5.4 Installing Portage

5.4.1 Download a Fresh Portage Snapshot from the Internet.

```
# wget http://gentoo.osuosl.org/snapshots/portage-latest.tar.bz2
```

5.4.2 Extract the Portage Snapshot

```
# tar -xjvf /mnt/gentoo/portage-latest.tar.bz2 -C /mnt/gentoo/usr
```

Some of these steps will take a while to complete.

6. Installing the Gentoo Base System

6.1 Copy DNS Information. Copy the DNS information in /etc/resolv.conf to ensure that networking works in our new Gentoo environment.

```
# cp -L /etc/resolv.conf /mnt/gentoo/etc/resolv.conf
```

6.2 Mount the proc Filesystem. We mount /proc so that the chrooted Gentoo installation can use kernel-provided information, bind-mount /dev so that device nodes are available inside the chroot, and seed /etc/mtab from the live system's mount table:

```
# mount -t proc none /mnt/gentoo/proc
# mount -o bind /dev /mnt/gentoo/dev
# cp /proc/mounts /mnt/gentoo/etc/mtab
```

6.3 Chroot into the New Environment

```
# chroot /mnt/gentoo /bin/bash
# env-update
# source /etc/profile
```

6.4 Set the Date and Time

6.4.1 Set the Correct Date and Time.

The date command uses the syntax MMDDHHMMYYYY, where MM is the month, DD is the day, HHMM is the time, and YYYY is the year. As I type this, it is Tuesday December 05, 2005 at 19:30:

```
# date 120519302005
Tuesday Dec 05 19:30:00 Local time zone must be set--see zic manual page 2005
```

6.4.2 Set the Time Zone Symlink.

This example displays the available time zone selections for the Western Hemisphere:

```
# ls /usr/share/zoneinfo/America
```

I'll set the local time zone to Pacific Time because I live in Los Angeles. To do this, I first remove the symlink to the default time zone, and then replace it with a symlink to my local time zone:

```
# rm /etc/localtime
# ln -s /usr/share/zoneinfo/America/Los_Angeles /etc/localtime
# date
Tuesday Dec 05 19:32:50 2005
```

6.4.3 Get it Right for Daylight Saving Time.

The previous example showed how to select a city when setting the timezone symlink. It is my opinion that you should always choose a city that is in your time zone and use that city entry as the target of the symlink, because the city entries carry the correct daylight saving transition rules. You should NEVER choose a bare time zone name as the symlink target.

6.5 Configure /etc/make.conf

In this example, we're compiling for an Athlon XP-class box on the x86 architecture. Our CHOST setting will be i686-pc-linux-gnu. Since all of the 686-class boxes use the same CHOST, it really doesn't matter which tarball we start off with. More accurately, you can start off with the i686 tarball and properly complete the install for any of the 686-class boxes. The advantage of doing this is that the i686 tarball is not affected by the permissions problems that plague some of the other 686-class tarballs. All that you need to worry about is changing the architecture specification (-march) for your processor.

This Guide uses a minimalist setting of the USE variable. You are free to add additional USE flags as needed for your specific system requirements, but it is recommended that you do not add them to /etc/make.conf until after you have completed the entire installation.

Please note: the specification of the "nptl" USE flag and the exclusion of the "nptlonly" USE flag is intentional, in order to provide both NPTL threading support in glibc and fallback support for linuxthreads. Use of the "nptlonly" USE flag is NOT recommended! The use of hardened GCC 3.4.4 is not recommended on any x86 systems except AMD64.

```
# nano -w /etc/make.conf

CHOST="i686-pc-linux-gnu"
CFLAGS="-O2 -march=athlon-xp -fomit-frame-pointer -pipe"
CXXFLAGS="${CFLAGS}"
ACCEPT_KEYWORDS="x86"
PORTAGE_TMPDIR=/var/tmp
PORTDIR=/usr/portage
DISTDIR=${PORTDIR}/distfiles
PKGDIR=${PORTDIR}/packages
PORT_LOGDIR=/var/log/portage
PORTDIR_OVERLAY=/usr/local/portage
GENTOO_MIRRORS="<your mirror goes here> http://gentoo.osuosl.org http://www.ibiblio.org/pub/Linux/distributions/gentoo"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
RSYNC_RETRIES="3"
RSYNC_TIMEOUT=180
MAKEOPTS="-j2"
PORTAGE_NICENESS=3
AUTOCLEAN="yes"
FEATURES="distlocks sandbox userpriv usersandbox"
CCACHE_SIZE="2G"
USE="nptl"
```

6.6 Additional Portage Configuration

6.6.1 Create Portage Directories

The sample /etc/make.conf listed above specifies directories for Portage log files and overlays that are not included as part of a standard Gentoo installation. If you are going to use the logging and overlay functions listed in the sample make.conf file, then you will need to create two additional directories on your system.

```
# mkdir /var/log/portage
# mkdir /usr/local/portage
```

6.6.2 Package Keywords - Enabling GCC 3.4.4 in the Stable Branch

Skip this step and proceed to the next section if you have configured your system to use the "~x86" testing branch.

At the time that I write this guide, GCC 3.4.4 is part of the unstable or "testing" branch in Portage. If you will be using the "x86" stable branch of the software, then we need to configure Portage to enable the use of GCC 3.4.4 and some other toolkit components, even though they are currently classified in the testing branch.

To configure a stable branch system to utilize a testing branch ebuild, we need to let Portage know that we have approved this subset of the testing branch for use on our system. This is accomplished by specifying the name of the package and the applicable keyword in the /etc/portage/package.keywords file. We will enable support for six testing branch ebuilds in our system.

```
# nano -w /etc/portage/package.keywords

~sys-devel/gcc-3.4.4 ~x86
sys-devel/gcc-config ~x86
sys-libs/libstdc++-v3 ~x86
sys-libs/glibc ~x86
sys-devel/binutils ~x86
sys-libs/timezone-data ~x86
```

6.6.3 Time to create the Hardened Profile.

```
# cd /etc
# rm make.profile
# ln -s ../usr/portage/profiles/hardened/x86/2.6 make.profile
```

6.6.4 Update the Portage Tree

We will now update our portage snapshot to include the current portage tree.

```
# emerge --sync
```

6.7 Activate User Locales

When compiling glibc (we'll do this in an upcoming step), Gentoo's default behavior is to compile a full set of all of the available user locales. We will activate the userlocales local USE flag to limit the compilation of userlocales to those that we specify. Limiting the scope of userlocales will save us a tremendous amount of time while compiling glibc. (While we're editing this file, we'll also add "ithreads" as a package-specific USE flag for perl and libperl to allow interpreter level threading. This flag is optional but recommended.)

6.7.1 Activate the userlocales USE flag for glibc

```
# nano -w /etc/portage/package.use

sys-libs/glibc userlocales
sys-devel/libperl ithreads
dev-lang/perl ithreads
```

6.7.2 Specify the user locales to build.

Create the /etc/locales.build file with your favorite editor. I'm located in the USA, so I'll use the following values.

```
# nano -w /etc/locales.build

en_US/ISO-8859-1
en_US.UTF-8/UTF-8
```

7. Building the Toolkit

7.1 Building the Toolkit: GCC 3.4.4 with the Stage's GCC 3.3.5

To enable NPTL support we are required to use a 2.6 kernel and linux26-headers. Linux26-headers is now contained in the 2005.0 Stage 3 tarball, so it is no longer necessary to manipulate the linux headers as it was when installing with 2004.3 media. 

```
# env-update && source /etc/profile
# emerge gcc-config glibc binutils libstdc++-v3 gcc
```

This is a good opportunity to take an extended break, as these instructions will take quite some time to complete.

7.2 Re-Building the Toolkit: GCC 3.4.4

After emerging a new version of GCC, we need to pause for a moment and think about what we've done. We've just used GCC 3.3.5 and a toolchain built with GCC 3.3.5 to compile GCC 3.4.4. Before we spend any more time building our Gentoo system we should rebuild the entire toolchain, so that we have a GCC 3.4.4 that was built with GCC 3.4.4.

Before we do this we need to examine /etc/make.conf and update the CFLAGS to take advantage of the new performance-enhancing features of GCC 3.4.4. After making the necessary updates to /etc/make.conf we rebuild the toolkit using the new GCC 3.4.4 compiler. The result will be a 3.4.4 toolkit, compiled by a 3.4.4 toolkit that was built with a 3.3.5 toolkit. Clear as mud?

7.2.1 Updating make.conf

Here are some settings for /etc/make.conf that may be worth considering. They are the actual CFLAGS that I used to build my systems and have proven reliable on multiple installations: -O2 plus a few safe, stable performance-enhancing flags. Depending upon your individual hardware, you may have to simplify some of the CFLAGS settings. On a hardened profile, do not add flags that switch off what the hardened toolchain provides (for example -fno-stack-protector or -nopie); the SSP and PIE defaults come from the compiler specs selected with gcc-config, not from CFLAGS.

```
CFLAGS="-O2 -march=athlon-xp -fforce-addr -fomit-frame-pointer -ftracer -pipe"
CXXFLAGS="${CFLAGS} -fvisibility-inlines-hidden"
```

l still be getting most of the benefits of GCC 3.4.4, so this isn't a bad compromise. This may be a better approach for those who don't want to be on the bleeding edge or don't want to spend time troubleshooting.

7.2.2 Configuring the Default C Compiler

Although we have emerged GCC 3.4.4, it is not automatically installed as our default compiler. If you have any doubts about this, take a quick peek at the output of "emerge info" or "gcc-config -l"; the asterisk marks the active profile. Unless you have already switched, GCC 3.3.5 is still installed as our default compiler:

```
# gcc-config -l
 [1] i386-pc-linux-gnu-3.3.5-20050130
 [2] i386-pc-linux-gnu-3.3.5-20050130-hardenednopie
 [3] i386-pc-linux-gnu-3.3.5-20050130-hardenednopiessp
 [4] i386-pc-linux-gnu-3.3.5-20050130-hardenednossp
 [5] i386-pc-linux-gnu-3.3.5-20050130-vanilla
 [6] i686-pc-linux-gnu-3.4.4 *
 [7] i686-pc-linux-gnu-3.4.4-hardenednopie
 [8] i686-pc-linux-gnu-3.4.4-hardenednopiessp
 [9] i686-pc-linux-gnu-3.4.4-hardenednossp
 [10] i686-pc-linux-gnu-3.4.4-vanilla
```

Change the default compiler to GCC 3.4.4 by issuing the following command. Note that the numbers may differ on your system, so check the listing first. On a hardened profile the unsuffixed entry (i686-pc-linux-gnu-3.4.4) is the hardened compiler with both SSP and PIE enabled; the -hardenednopie and -hardenednossp entries drop one of the two, -hardenednopiessp drops both, and -vanilla is the plain compiler. Pick the unsuffixed one unless you have a specific package that cannot be built hardened.

```
# gcc-config 6
```

7.2.3 Updating the System Environment

An additional command updates our system environment: 

```
# env-update && source /etc/profile
```

7.2.4 Rebuilding the System Toolkit

Now it's time to rebuild the toolkit. We'll start off by recompiling glibc, binutils, gcc, and by updating portage. This will rebuild our GCC 3.4.4 compiling toolkit (which had previously been compiled with GCC 3.3.5) with the GCC 3.4.4 compiler, taking advantage of our new USE flags and CFLAGS compiler settings.

```
# emerge glibc binutils libstdc++-v3 gcc portage 
```

Upon completion of the rebuild of the compiling toolkit, we will recompile the entire system to assure that our entire toolkit has been compiled using GCC 3.4.4 and our hardware-specific settings.

The result will be a 3.4.4 toolkit and an entire system that is built with a 3.4.4 toolkit, which was itself built with a 3.4.4 toolkit.

```
# emerge -e system && emerge -e system
```

7.2.5 Prune the GCC Compiler

Now that GCC 3.4.4 has been installed as the default compiler and our system has been rebuilt, we can prune GCC 3.3.5 from our system by issuing the following commands. First, verify that GCC 3.4.4 has indeed been installed as the default compiler using the "l" parameter with gcc-config. (Just to avoid any confusion, the parameter used is a lower case "L", not the number "one".) Then, after confirming that GCC 3.4.4 has been installed as the default compiler, prune GCC 3.3.5 from your system.

```
# gcc-config -l
# emerge -P gcc
```

8.0 Building the World

8.1 Emerge Ccache (Optional)

Now that our toolkit has been built, we'll emerge the ccache program. Ccache is a compiler cache that reduces compile times when previously compiled programs are recompiled. It does not affect the time required to compile a program on the first pass, so this is an optional step. Note that CCACHE_SIZE="2G" in the sample make.conf only sizes the cache; Portage will not use it until ccache is installed and "ccache" is added to FEATURES in /etc/make.conf. If you have sufficient disk space and are planning to emerge a large window manager like Gnome or KDE (or to run emerge -e system or emerge -e world), a cache of that size is worthwhile.

```
# emerge ccache
```

8.2 Emerging Programs

Now its time to add a few useful packages to our world profile:

```
# emerge syslog-ng xinetd grub vixie-cron reiserfsprogs sysfsutils dhcpcd hotplug coldplug gentoolkit
# emerge --nodeps acpid ntp
# emerge chpax paxctl paxtest ufed
```

8.3 Adding Services to the Default Runlevel

Now we'll add these services to the default runlevel:

```
# rc-update add syslog-ng default
# rc-update add net.eth0 default
# rc-update add vixie-cron default
# rc-update add xinetd default
# rc-update add sshd default
# rc-update add hotplug default
# rc-update add coldplug default
# rc-update add acpid default
# rc-update add ntp-client default
# rc-update add chpax default
```

8.4 Configuring the NTP Client

In the previous steps we emerged a Network Time Protocol client to allow us to use NTP time servers to synchronize our system clock. In this step we'll configure the ntp-client to eliminate clock skew: 

```
# ntpdate -b -u pool.ntp.org
```

9. Kernel

9.1 Downloading the Kernel

The decision to enable NPTL support requires that we use a 2.6 kernel. In this example we'll be using hardened-sources, which carries the grsecurity and PaX patches this guide is about. Note that a 2.4 kernel will not work properly with this Installation Guide.

9.2(OPTIONAL) This is if you want the freshest kernel avaliable. I'm running a 2.6.14-hardened...

```
# nano -w /etc/portage/package.keywords

sys-kernel/hardened-sources ~x86
```

9.3 Now we are going to emerge our kernel source. Whatever stable 2.6 version you decide to go with, make sure to use HARDENED-SOURCES:

```
# emerge hardened-sources
```

9.4 Building the Kernel Symlink

Point /usr/src/linux at the source tree that emerge just installed. Check the exact directory name with "ls /usr/src"; the version used later in this guide is 2.6.14-hardened-r1:

```
# rm /usr/src/linux
# cd /usr/src
# ln -s linux-2.6.14-hardened-r1 linux
```

9.5 Configuration

9.5.1 Enable udev Support

Edit your /etc/conf.d/rc file so that it contains the following statements: 

```
RC_NET_STRICT_CHECKING="no"
RC_DEVICES="udev"
RC_DEVICE_TARBALL="no"
```

9.5.2 Configure Kernel Options

If you're following this Installation Guide, we're going to assume that you want the best performance from your system, and that you'll be using a custom-compiled kernel instead of genkernel. When configuring your kernel, be sure to include support for hotplug firmware loading. Also be sure to remove devfs filesystem support, as we are designing udev support into our system.

Configure the kernel:

```
# cd /usr/src/linux
# make menuconfig
```

9.5.3 Now you can configure your kernel like normal and add a few entries to it. To be able to select the various grsecurity kernel options, you must enable grsecurity in your kernel:

```
1. Go into Security Options --->
   A. Go into PaX
        [*] Enable various PaX features
      a. Go into PaX Control --->
        [ ] Support soft mode
        [*] Use legacy ELF header marking
        [*] Use ELF program header marking
            MAC system integration (none) --->
      b. Go into Non-executable pages --->
        [*] Enforce non-executable pages
        [*]   Paging based non-executable pages
        [*]   Segmentation based non-executable pages
              Default non-executable page method (SEGMEXEC)
        [ ] Emulate trampolines
        [*] Restrict mprotect()
        [ ] Disallow ELF text relocations
        [ ] Enforce non-executable kernel pages
      c. Go into Address Space Layout Randomization --->
        [*] Address Space Layout Randomization
        [*] Randomize kernel stack base
        [*] Randomize user stack base
        [*] Randomize mmap() base
        --- Disable the vsyscall page

2. Go into Grsecurity --->
   A. [*] Grsecurity
      a. Security Level (Custom) --->
      b. Go into Address Space Protection --->
        [*] Deny writing to /dev/kmem, /dev/mem, and /dev/port
        [ ] Disable privileged I/O
        [*] Remove addresses from /proc/<pid>/[smaps|maps|stat]
        [*] Deter exploit bruteforcing
        [ ] Hide kernel symbols
      c. Go into Role Based Access Control Options --->
        [*] Hide kernel processes
        (3)  Maximum tries before password lockout
        (30) Time to wait after max password tries, in seconds
      d. Go into Filesystem Protections --->
        [*] Proc restrictions
        [ ]   Restrict /proc to user only
        [*]   Allow special group
              (1001) GID for special group
        [*] Additional restrictions
        [*] Linking restrictions
        [*] FIFO restrictions
        [*] Chroot jail restrictions
        [*]   Deny mounts
        [*]   Deny double-chroots
        [*]   Deny pivot_root in chroot
        [*]   Enforce chdir("/") on all chroots
        [*]   Deny (f)chmod +s
        [*]   Deny fchdir out of chroot
        [*]   Deny mknod
        [*]   Deny shmat() out of chroot
        [*]   Deny access to abstract AF_UNIX sockets out of chroot
        [*]   Protect outside processes
        [*]   Restrict priority changes
        [*]   Deny sysctl writes
        [*]   Capability restrictions
      e. Go into Kernel Auditing --->
        [ ] Single group for auditing
        [ ] Exec logging
        [*] Resource logging
        [ ] Log execs within chroot
        [ ] Chdir logging
        [*] (Un)Mount logging
        [ ] IPC logging
        [*] Signal logging
        [*] Fork failure logging
        [*] Time change logging
        [ ] /proc/<pid>/ipaddr support
        [ ] ELF text relocations logging (READ HELP)
      f. Go into Executable Protections --->
        [*] Enforce RLIMIT_NPROC on execs
        [ ] Destroy unused shared memory
        [*] Dmesg(8) restriction
        [*] Randomized PIDs
        [ ] Trusted Path Execution (TPE)
      g. Go into Network Protections --->
        [*] Larger entropy pools
        [*] Randomized TCP source ports
        [ ] Socket restrictions
      h. Sysctl support --->
      i. Go into Logging Options --->
        (10) Seconds in between log messages (minimum)
        (4)  Number of messages in a burst (maximum)
```

Those are all the Grsecurity and PaX selections I have made in my kernel. Two of them need a matching userspace setup. "Allow special group" takes a numeric GID (1001 here), so a group with that GID must exist on the system, and only its members keep full visibility of other users' processes in /proc. "Use ELF program header marking" is what paxctl (emerged in section 8.2) manipulates on individual binaries, while "Use legacy ELF header marking" is what chpax sets; with "Restrict mprotect()" on, a program that needs writable and executable memory (a JIT, for instance) will fail until it is marked.
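The PaX options above are applied per binary: with "Use ELF program header marking" enabled, the kernel reads a PT_PAX_FLAGS program header, and paxctl is the tool that edits it (for example `paxctl -m` to switch MPROTECT off for one program, `paxctl -v` to view the flags). As an added example, not code from this guide nor from paxctl or chpax, the following Python script reads those markings straight out of an ELF file, along with the PT_GNU_STACK executable-stack request and two properties that also let you verify the compiler switch in section 7.2: whether an executable came out position independent (ET_DYN, which the hardened GCC produces by default) and whether it references the stack-protector runtime. The flag constants are the values from the PaX and paxctl headers; build_elf32() is a helper that fabricates a minimal ELF image so the script can be exercised without a compiler, and the script name and the path /bin/ls in the usage note are only illustrations.

```python
"""Inspect an ELF binary for the hardening properties this guide builds in.

Added example (not part of the guide, paxctl or chpax). Parses the ELF header
and program headers directly (ELF32 and ELF64, either byte order).
"""
import struct
import sys

ET_EXEC, ET_DYN = 2, 3
PT_GNU_STACK = 0x6474E551   # stack permissions request emitted by the linker
PT_PAX_FLAGS = 0x65041580   # PaX marking read by "Use ELF program header marking"
PF_X = 0x1

# PaX feature -> (enable bit, disable bit) in p_flags of PT_PAX_FLAGS (values from paxctl's elf.h).
PAX_BITS = {
    "PAGEEXEC": (1 << 4, 1 << 5),
    "SEGMEXEC": (1 << 6, 1 << 7),
    "MPROTECT": (1 << 8, 1 << 9),
    "RANDEXEC": (1 << 10, 1 << 11),
    "EMUTRAMP": (1 << 12, 1 << 13),
    "RANDMMAP": (1 << 14, 1 << 15),
}
# ProPolice (hardened GCC 3.x) references __stack_smash_handler; GCC 4.1+ SSP uses __stack_chk_fail.
SSP_SYMBOLS = (b"__stack_smash_handler", b"__stack_chk_fail")


def decode_pax(p_flags):
    """Map each PaX feature to on / off / default (kernel decides) / conflict (both bits set)."""
    out = {}
    for name, (enable, disable) in PAX_BITS.items():
        on, off = bool(p_flags & enable), bool(p_flags & disable)
        out[name] = "conflict" if on and off else "on" if on else "off" if off else "default"
    return out


def inspect_elf(data):
    """Return a dict with the hardening-relevant properties of an ELF image held in memory."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    order = "<" if data[5] == 1 else ">"          # EI_DATA: 1 = little endian
    if data[4] == 1:                               # EI_CLASS: 1 = ELF32
        (e_type,) = struct.unpack_from(order + "H", data, 16)
        (e_phoff,) = struct.unpack_from(order + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(order + "HH", data, 42)
        phdr_fmt, type_idx, flags_idx = order + "8I", 0, 6    # p_flags is the 7th field in Elf32_Phdr
    else:                                          # ELF64
        (e_type,) = struct.unpack_from(order + "H", data, 16)
        (e_phoff,) = struct.unpack_from(order + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(order + "HH", data, 54)
        phdr_fmt, type_idx, flags_idx = order + "II6Q", 0, 1  # p_flags follows p_type in Elf64_Phdr
    report = {
        "pie": e_type == ET_DYN,   # shared libraries are ET_DYN too; judge executables only
        "exec_stack": None,        # None: no PT_GNU_STACK, the kernel applies its default
        "pax_flags": None,         # None: no PT_PAX_FLAGS marking (paxctl -c adds one)
        "ssp": any(sym in data for sym in SSP_SYMBOLS),  # crude string scan, like nm -D | grep
    }
    for i in range(e_phnum):
        fields = struct.unpack_from(phdr_fmt, data, e_phoff + i * e_phentsize)
        p_type, p_flags = fields[type_idx], fields[flags_idx]
        if p_type == PT_GNU_STACK:
            report["exec_stack"] = bool(p_flags & PF_X)
        elif p_type == PT_PAX_FLAGS:
            report["pax_flags"] = decode_pax(p_flags)
    return report


def build_elf32(e_type, phdrs, tail=b""):
    """Construct a minimal little-endian i386 ELF32 image (test input, not a real binary)."""
    ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + bytes(8)
    # e_type, e_machine (EM_386), e_version, e_entry, e_phoff, e_shoff, e_flags,
    # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    ehdr = ident + struct.pack("<HHIIIIIHHHHHH", e_type, 3, 1, 0, 52, 0, 0, 52, 32, len(phdrs), 40, 0, 0)
    body = b"".join(struct.pack("<8I", p_type, 0, 0, 0, 0, 0, p_flags, 0) for p_type, p_flags in phdrs)
    return ehdr + body + tail


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(inspect_elf(fh.read()))
    else:
        # Constructed sample: PIE, non-executable stack, MPROTECT disabled, RANDMMAP forced on,
        # with a ProPolice symbol reference in the tail.
        sample = build_elf32(ET_DYN, [(PT_GNU_STACK, 6), (PT_PAX_FLAGS, (1 << 9) | (1 << 14))],
                             b"\0__stack_smash_handler\0")
        print(inspect_elf(sample))
```

Run it as `python elfinspect.py /bin/ls` against anything built after the switch to the hardened compiler: pie=False, or ssp=False for a program that has character buffers on the stack, means the active gcc-config profile is not the hardened one (functions without such buffers are not instrumented, so a trivial test program may legitimately show ssp=False). pax_flags=None means the binary carries no PT_PAX_FLAGS header, so the kernel falls back to the legacy EI_PAX marking that chpax sets, or to its built-in defaults. The decoded flags should agree with `paxctl -v` on the same file.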

9.5.4 Compiling the Kernel

To compile your kernel and install the kernel and selected modules, issue the following command. I find that this one works a bit better than some of the other one-liner kernel compilation commands. If you should run into a problem where kernel compilation fails, its easy to determine where the problem was. In addition, this command will also install the kernel for you:

```
# make && make modules && make modules_install && make install
```

10. Configuring the System

10.1 Configure Network Adapters

Configure your network adapters as recommended in the Gentoo Installation Handbook. In our case, we'll use DHCP:

```
# nano -w /etc/conf.d/net

iface_eth0="dhcp"
dhcpcd_eth0="-t 10"
```

10.2 Set Hostnames and Domainnames

The hostname and domainname file locations referenced in older versions of the Gentoo Installation Handbook and in some of the other HowTos have been deprecated, but this is not yet reflected in many installation guides. The examples in the next two sections use the current /etc/conf.d locations:

10.2.1 Set Your Hostname

The following examples provide instruction for setting the hostname on your Gentoo box. We'll use the "boatanchor" as the hostname in this example.

```
# nano -w /etc/conf.d/hostname

HOSTNAME="boatanchor"
```

10.2.2 Set Your Domainname

```
# nano -w /etc/conf.d/domainname

OVERRIDE=1
DNSDOMAIN="mydomain.com"
NISDOMAIN="nis.mydomain.com"
```

10.2.3 Update /etc/hosts

If nameservers on your network handle all name resolution, then you can skip this step.

If your PC is a standalone system, or if your PC has a static IP address and you don't have DNS entries for your machine in a nameserver somewhere on your network, then you should specify the following information in the /etc/hosts file.

```
# nano -w /etc/hosts

127.0.0.1        localhost.localdomain       localhost
192.168.0.5      boatanchor.mydomain.com     boatanchor
```

10.2.4 Add domainname to the Default Runlevel   

```
# rc-update add domainname default
```

10.4 Grub Bootloader

10.4.1 Grub.conf

To boot our installation of Gentoo Linux we'll need to configure a boot menu for the Grub bootloader. Use your favorite text editor to create the /boot/grub/grub.conf file. In this case we'll use nano.

If you can't remember what kernel image you have, this is what I do a lot, since I tend to forget by the time I get to grub.conf:

```
# ls /boot
```

I look for vmlinuz-2.6.14-hardened-r1 or similar; this is the name you add to your grub.conf:

```
System.map                     boot    config-2.6.14-hardened-r1  lost+found  vmlinuz-2.6.14-hardened-r1
System.map-2.6.14-hardened-r1  config  grub                       vmlinuz
```

```
# cd /boot/grub
# nano -w grub.conf
```

```
# Which listing to boot as default. 0 is the first, 1 the second etc.
default 0
# How many seconds to wait before the default listing is booted.
timeout 30
# Nice, fat splash-image to spice things up :)
# Comment out if you don't have a graphics card installed
splashimage=(hd0,0)/boot/grub/splash.xpm.gz

title=Gentoo Linux 2.6.14-hardened-r1
# Partition where the kernel image (or operating system) is located
root (hd0,0)
kernel /boot/vmlinuz-2.6.14-hardened-r1 root=/dev/hda3

# The next four lines are only if you dualboot with a Windows system.
# In this case, Windows is hosted on /dev/hda6.
title=Windows XP
rootnoverify (hd0,5)
makeactive
chainloader +1
```

10.4.2 Installing Grub onto the Hard Disk

Start Grub from the command prompt and use the following commands to embed grub into the hard disk. Remember, when counting hard disks we like to start at 1, but Grub likes to start at 0, so /dev/hda1 corresponds to hard disk 0, partition 0 in Grub.

```
# grub

grub> root (hd0,0)
grub> setup (hd0)
grub> quit
```

10.5 Filesystem - Configuring fstab

This is a sample /etc/fstab file that reflects the disk partition scheme used earlier in this Installation Guide. Make changes as appropriate if your partition scheme is different.

```
# <fs>               <mountpoint>  <type>       <opts>               <dump/pass>
/dev/hda1            /boot         reiserfs     noauto,notail        1 2
/dev/hda3            /             reiserfs     notail               0 1
/dev/hda2            none          swap         sw                   0 0
/dev/cdroms/cdrom0   /mnt/cdrom    iso9660      user,noauto,ro,exec  0 0
/dev/fd0             /mnt/floppy   auto         noauto,users         0 0

# NOTE: The next line is critical for boot!
none                 /proc         proc         defaults             0 0

# glibc 2.2 and above expects tmpfs to be mounted at /dev/shm for
# POSIX shared memory (shm_open, shm_unlink).
# (tmpfs is a dynamically expandable/shrinkable ramdisk, and will
# use almost no memory if not populated with files)
# Adding the following line to /etc/fstab should take care of this:
none                 /dev/shm      tmpfs        nodev,nosuid         0 0
```
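A small auditor for the fstab above, added here as an example (it is not part of the guide and not a Gentoo tool): it parses an fstab, resolves the options that mount(8) implies for `user`/`users` (nosuid, nodev, noexec, unless a later `exec`, `suid` or `dev` overrides them), and flags tmpfs and removable-media entries that lack nosuid and nodev, plus a missing /proc line. The two fstab texts inside the block are constructed for the example; the first reproduces the guide's entries, the second is a deliberately weakened variant.

```python
"""Audit an fstab for the mount options that matter on a hardened host.

Added example, not code from the guide: it checks the protections the
guide's fstab gives /dev/shm (nodev,nosuid) and removable media ("user"
implies nosuid,nodev,noexec) and flags entries that drop them.  Both
fstab texts below are constructed for the example; the first one
reproduces the guide's entries.
"""
import sys

RESTRICTIVE = {"nosuid", "nodev", "noexec"}
# mount(8): user/users imply noexec,nosuid,nodev and owner/group imply
# nosuid,nodev; a later exec, suid or dev option overrides the implied one.
IMPLIED = {"user": RESTRICTIVE, "users": RESTRICTIVE,
           "owner": {"nosuid", "nodev"}, "group": {"nosuid", "nodev"}}
REMOVABLE_TYPES = {"iso9660", "udf", "vfat", "msdos"}


def parse_fstab(text):
    """Return (fs, mountpoint, type, [options]) for each non-comment entry."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError("malformed fstab line: %r" % raw)
        entries.append((fields[0], fields[1], fields[2], fields[3].split(",")))
    return entries


def effective_restrictions(opts):
    """The nosuid/nodev/noexec set that mount applies after implied and
    overriding options are resolved in order of appearance."""
    eff = set()
    for opt in opts:
        eff |= IMPLIED.get(opt, set())
        if opt in RESTRICTIVE:
            eff.add(opt)
        elif opt in ("suid", "dev", "exec"):
            eff.discard("no" + opt)
    return eff


def audit_fstab(text):
    """List the entries that miss nosuid/nodev where the guide sets them,
    and a missing /proc line."""
    findings = []
    have_proc = False
    for fs, mnt, fstype, opts in parse_fstab(text):
        if fstype == "proc" and mnt == "/proc":
            have_proc = True
        if fstype == "swap":
            continue
        removable = (fstype in REMOVABLE_TYPES or mnt.startswith("/mnt/")
                     or "user" in opts or "users" in opts)
        if fstype == "tmpfs" or removable:
            for flag in sorted({"nodev", "nosuid"} - effective_restrictions(opts)):
                findings.append("%s: missing %s" % (mnt, flag))
    if not have_proc:
        findings.append("/proc: missing entry (the guide marks it as critical for boot)")
    return findings


# The guide's fstab, reproduced as sample input.
GUIDE_FSTAB = """\
/dev/hda1            /boot         reiserfs     noauto,notail        1 2
/dev/hda3            /             reiserfs     notail               0 1
/dev/hda2            none          swap         sw                   0 0
/dev/cdroms/cdrom0   /mnt/cdrom    iso9660      user,noauto,ro,exec  0 0
/dev/fd0             /mnt/floppy   auto         noauto,users         0 0
none                 /proc         proc         defaults             0 0
none                 /dev/shm      tmpfs        nodev,nosuid         0 0
"""

# A constructed weaker variant: /dev/shm on defaults, the CD mounted
# without "user" (so nothing is implied), and the /proc line dropped.
WEAK_FSTAB = """\
/dev/hda3            /             reiserfs     notail               0 1
none                 /dev/shm      tmpfs        defaults             0 0
/dev/cdroms/cdrom0   /mnt/cdrom    iso9660      noauto,ro,exec       0 0
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else WEAK_FSTAB
    for finding in audit_fstab(text) or ["no findings"]:
        print(finding)
```

Run it as `python audit_fstab.py /etc/fstab` on the new system; with no argument it audits the weak sample. The guide's own fstab produces no findings because `user` already carries nosuid and nodev for the CD-ROM, and `exec` only cancels the implied noexec.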

10.6 Setting HD Parameters

Back in Section 4 we developed optimized operating parameters for our hard disk. Now that we're in the chrooted environment of our newly designed Gentoo system, we need to make these configuration changes permanent. To do this, we'll write the HD parameters to the /etc/conf.d/hdparm file: 

```
# nano -w /etc/conf.d/hdparm

disc0_args="-a256A1c1d1m16u1"
cdrom0_args="-d1c1u1"
```

After editing the contents of /etc/conf.d/hdparm, type the following command to add hdparm to the boot runlevel:

```
# rc-update add hdparm boot
```

10.7 Set-Up User Accounts

We must change the password of the root user in our newly installed system. Then we will add non-root users to the system. Substitute the username examples "bob" and "mary" with your own usernames.

First, change the root password: 

```
# passwd
New password: (Enter your new password)
Re-enter password: (Re-enter your password)
```

Now add users who will be allowed to "su" their way to temporary root status. These users must be added to the "wheel" user group.

The groups a user is a member of define what activities that user can perform. The following table lists a number of important groups you might wish to use:

 *Quote:*   

> Group   =   Description
> 
> audio   =   be able to access the audio devices
> 
> cdrom   =   be able to directly access optical devices
> ...

 

For instance, to create a user called john who is a member of the wheel, users and audio groups, log in as root first (only root can create users) and run useradd:

```
# useradd -m -G users,wheel,audio -s /bin/bash john
# passwd john
Password: (Enter the password for john)
Re-enter password: (Re-enter the password to verify)
```

This is the point where I start adding my USE flags via ufed:

```
# ufed
```

A nice GUI pops up and you're off and running. You will notice that with HARDENED there are some selections already made for you. DO NOT REMOVE these. As for anything else, you can enter the flags you normally would. There are a few that seem to be needed for xorg; without them your fonts will look a little funny and it might take you an hour or two rebuilding xorg. Those flags are:

 *Quote:*   

> truetype-fonts
> 
> type1-fonts

 

Then, after all that is said and done, I move on to finishing my install with:

```
emerge kdebase mozilla-firefox gyach
```

After those emerges finish, you can set up xorg:

```
xorgconfig
```

Of course, some might prefer to boot into their installation before emerging fun stuff like that. Either way, after the emerges you would do the following.

10.10 Exiting Chroot and Unmounting Partitions

We will now exit the chrooted environment and unmount all of the mounted partitions.

```
exit
cd ~/
umount /mnt/gentoo/proc /mnt/gentoo/boot /mnt/gentoo
swapoff /dev/hda2
```

11. REBOOT!

And now, the moment you've been waiting for!

```
# shutdown -r now
```

Congratulations! You have completed the installation. This guide was put together from references from the following sites, which are great for further reading:

This is the new guide featuring a hardened stage3, Grsecurity, PaX and GCC 3.4.5:

Jaded Guide Ver 2.0

https://forums.gentoo.org/viewtopic-t-345229.html

http://www.gentoo.org/doc/en/handbook/index.xml

http://www.gentoo.org/proj/en/hardened/

http://www.grsecurity.net/

Last edited by dbasetrinity on Mon May 08, 2006 12:00 am; edited 36 times in total

----------

## nixnut

Moved from Installing Gentoo to Documentation, Tips & Tricks.

Looks a lot like documentation, so moved here.

----------

## lutel

This one is very helpful; I suggest making it sticky.

----------

## pjp

Unfortunately, we can't sticky everything.

----------

## tux_wooster

Great guide, I've used this method and it works very well.

----------

## blackwhite

I have encountered such a problem: perl fails to emerge if FEATURE="usersandbox" is enabled.

----------

## dbasetrinity

What type of system are you trying this on... and is it failing on emerge -e system && emerge -e system?

----------

## mfkr79

Nice guide!

I'm building right now a hardened x86 system from stage1, with hardware & settings similar to the poster's.

A piece of advice: follow the guide and don't try ldflags (like me, the idiot), or you'll get compile failures in the configure phase, or perhaps a broken system...

For example, bootstrap fails on sys-apps/texinfo if I set LDFLAGS="-Wl, -O1"

I have a question too:

Is it normal that portage merges devfsd as a system package instead of udev???

IIRC on non-hardened platforms like x86 or amd64, udev has been stable and the default choice for months.

----------

## dbasetrinity

 *Quote:*   

> I have a question too:
> 
> Is it normal that portage merges devfsd as system package instead of udev ???

 

Well, as for devfsd: I think you would find that it does not emerge devfsd by default, hardened profile or not.

However, it is in portage. If you have devfsd enabled then you would have to edit /etc/conf.d/rc and specify devfs; otherwise I think the default is udev as of the 2.6 kernels.... Also the 2.6 kernel doesn't seem to include a way to enable devfs anymore.

I think the only reason for devfs to still be in portage at all is for those who still use the older kernel.

If you have any tips on other kernel options for GrSecurity or PaX, they are greatly welcome...

----------

## mfkr79

I've used settings similar to yours, except I've tried nptlonly for glibc, and have set these options too in the kernel config:

Under PaX --> Go in Non-executable pages -->

[ * ] Enforce non-executable kernel pages (as the help says, makes it difficult to inject or exec foreign code in kernel memory)

Under Grsecurity --> Go in Address Space Protection -->

[ * ] Deter exploit bruteforcing (should protect from exploits against forking daemons, i.e. apache or ssh)

[ * ] Disable privileged I/O [ ONLY IF XFree/X.org is not installed !!! ]

The system seems to be working well, but consider that I began playing in the hardened world only recently.

----------

## blackwhite

 *dbasetrinity wrote:*   

> What Type of system are you trying this on...and is it  failing on emerge -e system && emerge -e system?

 

I use the ext3 fs. During the emerge -e system stage, perl fails to emerge if FEATURE="usersandbox" is enabled. I just disabled it, and then perl could be emerged again.

----------

## j-m

 *blackwhite wrote:*   

> I use the ext3 fs. During the emerge -e system stage, perl fails to emerge if FEATURE="usersandbox" is enabled. I just disabled it, and then perl could be emerged again.

 

Bug 97671?

----------

## dbasetrinity

mfkr79 wrote

 *Quote:*   

> Under PaX --> Go in Non-executable pages -->
> 
> [ * ] Enforce non-executable kernel pages (as help says, make difficult to inject or exec foreign code in kernel memory)
> 
> Under Grsecurity --> Go in Address Space Protection -->
> ...

 

I added a few of your kernel options, with the exception of [ * ] Disable privileged I/O [ ONLY IF XFree/X.org is not installed !!! ].

First I tried to enable both the PaX and GrSecurity options:

```
[ * ] Enforce non-executable kernel pages (as help says, make difficult to inject or exec foreign code in kernel memory)

Under Grsecurity --> Go in Address Space Protection -->
[ * ] Deter exploit bruteforcing (should protect from exploits against forking daemons, ie apache or ssh)
```

With both options set in my kernel I rebooted to test it out.

As the system was booting I got a list of errors about devices that couldn't be initiated, and once it got to the device drivers being loaded the system just froze right there. So I had to assume right then that it was probably the PaX option, so I went back into my menuconfig via a livecd and removed [ * ] Enforce non-executable kernel pages (as help says, make difficult to inject or exec foreign code in kernel memory).

I left the Grsecurity option under Grsecurity --> Go in Address Space Protection --> [ * ] Deter exploit bruteforcing (should protect from exploits against forking daemons, ie apache or ssh) enabled, and from there my system was back up and running fine.

I wanted to test with just the PaX option, to see if there was a conflict of some kind with the Grsecurity option, so on another system with the same setup I tested it with just the PaX option, and again I got the same device driver errors and it hangs...

I just wanted to thank you most of all for the post and the insight... So I'll update the guide with that new kernel option as soon as I get some time.
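Added example, not code from the thread or from grsecurity: a small script that reports, from a kernel .config or from /proc/config.gz, the state of the three options mfkr79 listed and dbasetrinity tested above, with the thread's caveats attached to each. The CONFIG_ symbol names (CONFIG_PAX_KERNEXEC, CONFIG_GRKERNSEC_BRUTE, CONFIG_GRKERNSEC_IO) are my assumption from the grsecurity/PaX Kconfig; only the menuconfig labels appear in the thread. The sample .config text is constructed.

```python
"""Report the state of the grsecurity/PaX kernel options discussed in this
thread from a kernel .config.  Added example, not code from the guide or
from grsecurity.

The CONFIG_ symbol names come from the grsecurity/PaX Kconfig as I know
it; the thread only gives the menuconfig labels.  The sample .config
below is constructed for the example.
"""
import gzip

# (symbol, menu label as it appears in the thread, caveat from the thread)
OPTIONS = [
    ("CONFIG_PAX_KERNEXEC", "PaX: Enforce non-executable kernel pages",
     "reported in the thread to hang the boot during driver initialisation"),
    ("CONFIG_GRKERNSEC_BRUTE", "grsecurity: Deter exploit bruteforcing",
     None),
    ("CONFIG_GRKERNSEC_IO", "grsecurity: Disable privileged I/O",
     "only if XFree86/X.org is not installed"),
]


def parse_config(text):
    """Map CONFIG symbols to their value: 'y', 'm', a string, or 'n' for
    the '# CONFIG_FOO is not set' form."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("# CONFIG_") and line.endswith(" is not set"):
            values[line[2:-len(" is not set")]] = "n"
        elif line.startswith("CONFIG_") and "=" in line:
            key, val = line.split("=", 1)
            values[key] = val.strip('"')
    return values


def load_config(path):
    """Read a plain .config or the gzip-compressed /proc/config.gz."""
    opener = gzip.open if path.endswith(".gz") else open
    with opener(path, "rt") as fh:
        return fh.read()


def audit(text):
    """Return (symbol, label, state, caveat) for each option; state is the
    .config value or 'absent' when the kernel tree lacks the symbol."""
    cfg = parse_config(text)
    return [(sym, label, cfg.get(sym, "absent"), caveat)
            for sym, label, caveat in OPTIONS]


# Constructed sample: KERNEXEC off, BRUTE on, IO off (matches what the
# poster above ended up running).
SAMPLE_CONFIG = """\
# Automatically generated make config: don't edit
CONFIG_X86=y
CONFIG_LOCALVERSION="-hardened-r1"
CONFIG_GRKERNSEC=y
# CONFIG_PAX_KERNEXEC is not set
CONFIG_GRKERNSEC_BRUTE=y
# CONFIG_GRKERNSEC_IO is not set
"""

if __name__ == "__main__":
    import sys
    text = load_config(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_CONFIG
    for sym, label, state, caveat in audit(text):
        note = "  (%s)" % caveat if caveat else ""
        print("%-24s %-6s %s%s" % (sym, state, label, note))
```

Run it as `python grsec_check.py /usr/src/linux/.config` before building, or against `/proc/config.gz` on a running kernel that has CONFIG_IKCONFIG_PROC enabled; "absent" means the tree is not a grsecurity-patched kernel at all.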

----------

## Dr.Dran

 *dbasetrinity wrote:*   

> 7.2.2 Configuring the Default C Compiler
> 
> Although we have emerged GCC 3.4.4, it has not been automatically installed as our default compiler. If you have any doubts about this, take a quick peek at the output of "emerge info" or "gcc-config -l". Although GCC 3.4.4 has already been emerged, GCC 3.3.5 is still installed as out
> ...

 

Excuse me, but I have a little doubt... why didn't you choose the i686-pc-linux-gnu-3.4.4-hardened profile?

----------

## dbasetrinity

 *DranXXX wrote:*   

>  *dbasetrinity wrote:*   
> 
> 7.2.2 Configuring the Default C Compiler
> 
> Although we have emerged GCC 3.4.4, it has not been automatically installed as our default compiler. If you have any doubts about this, take a quick peek at the output of "emerge info" or "gcc-config -l". Although GCC 3.4.4 has already been emerged, GCC 3.3.5 is still installed as out
> ...

 

Well, because of this:

Time to create the Hardened Profile.

```
# cd /etc
# rm make.profile
# ln -s ../usr/portage/profiles/hardened/x86/2.6 make.profile
```

----------

## Dr.Dran

I'm a bit perplexed: after you have rebuilt the system I thought you could switch to the gcc-hardened profile, for security reasons...

Could you explain if and why I'm not right...

----------

## dbasetrinity

Well, that is an option; I know it's not one that I've tried thus far.

See, I was wondering that very thing myself just the past few days, only because I saw someone post: why use a hardened system if you don't harden GCC?

I'm looking into using it and including it in this guide, but I'm still confused about the HARDENED PROFILE, thinking that it was supposedly HARDENing the toolchain, and I always thought the toolchain consisted of GCC, glibc, libstdc++ and binutils.

I asked a friend of mine and he said that it would be good to do GCC 3.4.4 hardened for the fact that the compiling process is more secure, but I'm not exactly sure what the advantages and disadvantages of this are (conflicts with other packages?).

But I'm probably going to give it a try after X-mas here and see how it goes.

So if you are trying it let me know how it works out; I'm very interested in learning more.

----------

## dbasetrinity

 *DranXXX wrote:*   

> I'm a bit perplexed: after you have re-build the system I thought you can switch to the gcc-hardened profile, for security issue...
> 
> Could you explain if and why I'm not right...   

 

OK, you're right on one account. This is what I discovered upon researching for days: the GCC-CONFIG step is inaccurate in the guide itself. If you were to follow the guide through to gcc-config -l, you would not see the "gcc-hardened" entry.

I never realized that until yesterday, upon a new installation. So I have updated the guide above. Very sorry if this caused any confusion.

My partner Gentoology and I are now in the process of making a new guide.

----------

## Dr.Dran

Wow, now that's right!

Thanks and good hacking!

----------

## cheater1034

I've never used or seen anyone use a hardened installation.

What are the benefits, or reasons anyone would want to run hardened?

----------

## Dr.Dran

Well... it's a hard question, but I would suggest you think about security... what happens if a server runs an executable that may suffer a buffer overflow? If an attacker finds that executable, what do you think happens?

This is the first concern that lies at the base of the hardened Linux concept...

This is some documentation:

http://www.grsecurity.org/

http://pax.grsecurity.net/

http://pax.grsecurity.net/docs/

http://www.openwall.com/linux/

http://www.10east.com/~hlein/hap-linux/

And in Gentoo

http://www.gentoo.org/proj/en/hardened/primer.xml

http://www.gentoo.org/proj/en/hardened/hardenedfaq.xml

I hope that I've helped you! Byez

----------

## gentoology

 *cheater1034 wrote:*   

> I've never used or seen anyone used a hardened installation 
> 
> What are the benefits, or reasons anyone would want to run hardened?

 

The obvious answer would be to tighten the security of the computer you are on. This guide will supply you with the Gentoo stage3, set up your make.profile for the hardened profile, then recompile your entire system for the hardened toolchain, and later on you'll be asked to emerge hardened-sources, which include PaX + grsecurity. So basically this isn't the answer to all your security problems, just steps which should make your installation more secure using the hardened stage.

By the way, version 2.0 of the guide just came out; some of the changes include using the hardened stage instead of the regular stage3 and the use of GCC 3.4.5. Here is the link: https://forums.gentoo.org/viewtopic-t-417415.html

If you would like to read more about this, take a look at the links at the end of both of our guides for further reading.
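The hardened-toolchain question raised in the exchange above (why harden GCC, and what the profile actually changes) is easiest to settle by looking at the binaries it produces. Added example, not code from the guide, from Gentoo or from grsecurity: a checker that reads an ELF file and reports the properties a hardened toolchain is expected to deliver. That the Gentoo hardened GCC of this era enabled the stack-smashing protector and PIE by default is my knowledge, not something the thread states; the ELF layout constants are from the ELF specification; the two ELF images built inside the block are constructed test data, not real programs.

```python
"""Inspect an ELF binary for the protections a hardened toolchain is meant to
build in.  Added example, not code from the guide or from Gentoo: after
rebuilding with the hardened profile, this is how you would confirm what
actually landed in a binary instead of trusting the profile name.

The checks rely on the ELF format as I know it, not on anything the
thread states:
  pie              e_type == ET_DYN (for an executable; .so files are ET_DYN too)
  exec_stack       PT_GNU_STACK missing, or carrying PF_X
  relro            a PT_GNU_RELRO segment is present
  stack_protector  the __stack_chk_fail symbol name occurs in the file
The two ELF images below are constructed for the example and are not
loadable; they only carry the headers the checks read.
"""
import struct

ET_EXEC, ET_DYN = 2, 3
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4
EXPECTED = (("pie", True), ("exec_stack", False),
            ("relro", True), ("stack_protector", True))


def inspect_elf(data):
    """Return a dict of the four hardening properties for ELF bytes."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = data[4] == 2
    end = "<" if data[5] == 1 else ">"
    # e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags,
    # e_ehsize, e_phentsize, e_phnum
    hdr = struct.unpack_from(end + ("HHIQQQIHHH" if is64 else "HHIIIIIHHH"), data, 16)
    e_type, e_phoff, e_phentsize, e_phnum = hdr[0], hdr[4], hdr[8], hdr[9]
    stack_flags, relro = None, False
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type = struct.unpack_from(end + "I", data, off)[0]
        # p_flags follows p_type in ELF64 but sits at offset 24 in ELF32
        p_flags = struct.unpack_from(end + "I", data, off + (4 if is64 else 24))[0]
        if p_type == PT_GNU_STACK:
            stack_flags = p_flags
        elif p_type == PT_GNU_RELRO:
            relro = True
    return {
        "pie": e_type == ET_DYN,
        # without PT_GNU_STACK the x86 kernel default is an executable stack
        "exec_stack": stack_flags is None or bool(stack_flags & PF_X),
        "relro": relro,
        "stack_protector": b"__stack_chk_fail" in data,
    }


def gaps(data):
    """Names of the properties that fall short of the hardened expectation."""
    found = inspect_elf(data)
    return [name for name, want in EXPECTED if found[name] != want]


def build_elf(e_type, stack_flags, with_relro, with_ssp):
    """Construct a minimal ELF64 little-endian image carrying the headers
    the checks look at (constructed test data, not a real program)."""
    phdrs = [(PT_GNU_STACK, stack_flags)]
    if with_relro:
        phdrs.append((PT_GNU_RELRO, PF_R))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0,
                               64, 56, len(phdrs), 64, 0, 0)
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0)
                    for t, f in phdrs)
    tail = b"__stack_chk_fail\x00" if with_ssp else b"__printf_chk\x00"
    return ehdr + body + tail


HARDENED = build_elf(ET_DYN, PF_R | PF_W, True, True)
WEAK = build_elf(ET_EXEC, PF_R | PF_W | PF_X, False, False)

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = WEAK
    for name, value in inspect_elf(data).items():
        print("%-16s %s" % (name, value))
    print("gaps:", ", ".join(gaps(data)) or "none")
```

Point it at a binary from the rebuilt system (`python elfcheck.py /bin/ls`); a system that came out of `emerge -e system` under the hardened profile should report no gaps for its executables, while the same package built under the plain profile will typically show `pie` and `stack_protector` missing. The string scan for `__stack_chk_fail` is a cheap heuristic: it tells you the protector was linked in, not that every function was instrumented.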

----------

