# Jaded stage3 hardened Guide With Grsecurity & PaX ver2.0

## dbasetrinity

To perform a 2005.1 Stage 3 Hardened Installation with GCC 3.4.5, follow these steps:

With a hardened Stage3 and grsecurity and pax

If you're in search of added security, look no further: this guide will take you step by step through the process. This guide should be considered EXPERIMENTAL. In creating the guide we have done a lot of testing on this setup and find it very reliable; however, there is always the possibility that a bug could show up. If you do have any issues at all, please report them so we can try to resolve them.

Guide Features

1. Hardened stage3 Tarball

2. nptl

3. GCC3.4.5

4. Hardened-Sources

1. Download and Burn the Minimal Installation CD. The .ISO image required for the hardware used in this example is:

```
wget http://gentoo.osuosl.org/releases/x86/2005.1/installcd/install-x86-minimal-2005.1.iso
```

Some might find using the minimal CD a little boring, since it is non-GUI with only links to play with. I like something that has Mozilla Firefox, Gaim and Xchat; these tend to help if you run into problems with the installation. So here are a few I like to use.

http://kanotix.com/

http://www.lxnaydesign.net/

Kanotix is a Debian-based LiveCD and RR4 is a Gentoo-based LiveCD.

2. Boot using the Minimal Installation CD. At the "boot:" prompt, press <Enter> to select the default gentoo kernel. 

3. Configure LAN Card. We're assuming that your LAN card has been recognized and that you can obtain a LAN connection via DHCP. 

```
# dhcpcd eth0
```

4. Configure Your Hard Disk

4.1 View the Hard Drive's Operational Parameters. In this example we will assume that only one hard disk will be installed on the system. It will be recognized by Gentoo as /dev/hda. We will start off by viewing the default disk parameters at boot:

```
# hdparm /dev/hda

/dev/hda:
multcount    = 16 (on)
IO_support   = 0 (default 16-bit)
unmaskirq    = 0 (off)
using_dma    = 1 (on)
keepsettings = 0 (off)
readonly     = 0 (off)
readahead    = 256 (on)
geometry     = 16383/255/63, sectors = 120034123776, start = 0

# hdparm -i /dev/hda

/dev/hda:
Model=WDC WD1200JB-00GVA0, FwRev=08.02D08, SerialNo=WD-WMAL92634373
Config={ HardSect NotMFM HdSw>15uSec SpinMotCtl Fixed DTR>5Mbs FmtGapReq}
RawCHS=16383/16/63, TrkSize=57600, SectSize=600, ECCbytes=74
BuffType=DualPortCache, BuffSize=8192kB, MaxMultSect=16, MultSect=16
CurCHS=16383/16/63, CurSects=16514064, LBA=yes, LBAsects=234441648
IORDY=on/off, tPIO={min:120,w/IORDY:120}, tDMA={min:120,rec:120}
PIO modes:  pio0 pio1 pio2 pio3 pio4
DMA modes:  mdma0 mdma1 mdma2
UDMA modes: udma0 udma1 udma2 udma3 udma4 *udma5
AdvancedPM=no, WriteCache=enabled
Drive conforms to: device does not report version:

* signifies the current active mode
```

4.2 In this step we set hdparm parameters to increase hard drive performance. In this example we're using a WD1200JB. It's possible to get a little better performance out of this hard drive by issuing a few parameters with hdparm. The following parameters work well with this drive. Here are a few guides on hdparm that might help you decide if these are right for your drive:

http://gentoo-wiki.com/HOWTO_Use_hdparm_to_improve_IDE_device_performance

http://gentoo-wiki.com/MAN_hdparm

```
# hdparm -a256A1c1d1m16u1 /dev/hda

/dev/hda:
setting fs readahead to 256
setting 32-bit IO_support flag to 1
setting multcount to 16
setting unmaskirq to 1 (on)
setting using_dma to 1 (on)
setting drive read-lookahead to 1 (on)
multcount    = 16 (on)
IO_support   =  1 (32-bit)
unmaskirq    =  1 (on)
using_dma    =  1 (on)
readahead    = 256 (on)
```

4.3 Test the Hard Drive's Performance.

Typical results for an Athlon-xp:

```
# hdparm -tT /dev/hda

/dev/hda:
Timing cached reads:   2365 MB in  2.00 seconds =  1177.93 MB/sec
Timing buffered disk reads:   174 MB in   3.01 seconds =  57.46  MB/sec
```

4.4 Partition the Hard Drive

4.4.1 Display the Partition Information

Technically, the syntax of this command is used to change the partition information, but on an unpartitioned drive it will display the partition information that is available:

```
# fdisk /dev/hda

The number of cylinders for this disk is set to 24321.
There is nothing wrong with that, but this is larger than 1024,
and in certain setups could cause problems with:
1) software that runs at boot time (e.g., old versions of LILO)
2) booting and partitioning software from other OSs
   (e.g., DOS FDISK, OS/2 FDISK)

Command (m for help): p

Disk /dev/hda: 200.0 GB, 200049647616 bytes
255 heads, 63 sectors/track, 24321 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

   Device Boot      Start         End      Blocks   Id  System

Command (m for help):
```

4.4.2 Plan Our Partition Scheme:

My recommendation is that you plan out your partitions well. I would suggest, for debugging purposes, creating separate /usr, /opt and /var partitions and possibly a /home, and I also like to create a /www partition which I then use to house all my web pages for my LAMP setup.

For clarity I'm going to keep it simple: we're going to use the following partition scheme. I'll leave out the details, assuming that you know how to partition your hard disk.

```
Partition  File System    ID  Size       Description
/dev/hda1  ReiserFS 3.6   83  100 MB     Boot partition
/dev/hda2  (swap)         82  512 MB     Swap partition
/dev/hda3  ReiserFS 3.6   83  Remainder  Root partition
```

4.5 Partition the Hard Disk

```
Disk /dev/hda: 200.0 GB, 200049647616 bytes
255 heads, 63 sectors/track, 24321 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
```

4.5.1 Verify the partition configuration

```
Device     Boot   Start    End     Blocks    Id  System
/dev/hda1    *        1     13     104391    83  Linux
/dev/hda2            14     76     506047+   82  Linux swap
/dev/hda3            77  14593  116607802+   83  Linux
```

4.5.2 Exit Fdisk and Save the Partition Layout. Press "w" to write the partition table to disk and exit fdisk.

```
Command (m for help): w

The partition table has been altered!

Calling ioctl() to re-read partition table.
Syncing disks
```

4.6 Time to create the filesystems. This example covers the installation of EXT3 on the /boot partition, ReiserFS 3.6 on the root partition, and swap on the swap partition.

4.6.1 Installing EXT3 on /dev/hda1 and ReiserFS on /dev/hda3:

```
# mke2fs -j /dev/hda1 

# mkreiserfs /dev/hda3
```

You will need to answer "Y" when asked if you want to continue installing Reiser FS on the hard disk.

4.6.2 Install the swap partition on /dev/hda2:

```
# mkswap /dev/hda2 && swapon /dev/hda2
```

4.7 Mounting the File Systems. Mount the partitions using the "mount" command. 

```
# mount /dev/hda3 /mnt/gentoo
# mkdir /mnt/gentoo/boot
# mount -t ext3 /dev/hda1 /mnt/gentoo/boot
```

5. Installing the Gentoo Installation Files.

5.1 Download the Hardened Stage 3 Tarball from the Internet.

Go to the gentoo mount point on your hard disk:

```
# cd /mnt/gentoo
```

We will need to download two files from the mirrors: the Stage 3 Hardened tarball and its checksum file. We will download them using the "wget" command at the bash prompt. Each command must be typed on one line:

```
wget http://gentoo.osuosl.org/releases/x86/2005.1/stages/x86/hardened/stage3-x86-hardened-2.6-2005.1.tar.bz2

wget http://gentoo.osuosl.org/releases/x86/2005.1/stages/x86/hardened/stage3-x86-hardened-2.6-2005.1.tar.bz2.md5
```

If you need to check the list of Gentoo mirrors, consult the Gentoo mirror list.

5.2 Checking the md5sum of the Tarball. This step should never be skipped; bad things can happen while downloading, a bit here and a byte there! Note that the .md5 file comes from the same mirror as the tarball, so a matching checksum shows the download was not corrupted, not that the mirror itself can be trusted.

```
# md5sum -c stage3-x86-hardened-2.6-2005.1.tar.bz2.md5

stage3-x86-hardened-2.6-2005.1.tar.bz2: OK
```

5.3 Extracting the Hardened Stage 3 Tarball using the following command.

```
# tar -xjpvf stage3-x86-hardened-2.6-2005.1.tar.bz2
```

Now is a good time to take a break; this can take a while depending on your system.

5.4 Installing Portage

5.4.1 Download a fresh portage snapshot using the wget command. 

```
# wget http://gentoo.osuosl.org/snapshots/portage-latest.tar.bz2
```

5.4.2 Extract the Portage Snapshot

```
# tar -xjvf /mnt/gentoo/portage-latest.tar.bz2 -C /mnt/gentoo/usr
```

This one might give you a few free moments to refill that coffee cup, as this will again take a while.

6. Installing the Gentoo Base System

6.1 Copy the DNS information in /etc/resolv.conf to ensure that networking works in our new Gentoo environment.

```
# cp -L /etc/resolv.conf /mnt/gentoo/etc/resolv.conf
```

6.2 We will mount the /proc file system to allow our Gentoo installation to use kernel-provided information within the chrooted environment.

```
# mount -t proc none /mnt/gentoo/proc
# mount -o bind /dev /mnt/gentoo/dev
# cp /proc/mounts /mnt/gentoo/etc/mtab
```

6.3 Chroot into the New Environment

```
# chroot /mnt/gentoo /bin/bash
# env-update
# source /etc/profile
```

6.4 Set the Date and Time

6.4.1 Set the Correct Date and Time.

The date command uses the syntax MMDDHHMMYYYY, where MM is the month, DD is the day, HHMM is the time, and YYYY is the year. As I type this, it is Tuesday December 05, 2005 at 19:30:

```
# date 120519302005

Tuesday Dec 05 19:30:00 Local time zone must be set--see zic manual page 2005
```

6.4.2 Set the Time Zone Symlink.

This example displays the available time zone selections for the Western Hemisphere:

```
# ls /usr/share/zoneinfo/America
```

I set the local time zone to Pacific Time because I live in Los Angeles. To do this, I first remove the symlink to the default time zone, and then replace it with a symlink to my local time zone: 

```
# rm /etc/localtime
# ln -s /usr/share/zoneinfo/America/Los_Angeles /etc/localtime

Tuesday Dec 05 19:32:50  2005
```

6.5  Setting up make.conf 

In this example, we're compiling for an Athlon-xp-class box on the x86 architecture. Our CHOST setting will be i686-pc-linux-gnu. Since all of the 686-class boxes use the same CHOST, it really doesn't matter which tarball we start off with. More accurately, you can start off with the i686 tarball and properly complete the install for any of the 686-class boxes. The advantage of doing this is that the i686 tarball is not affected by the permissions problems that plague some of the other 686-class tarballs. All that you need to worry about is changing the architecture specification for your processor.

This guide uses a minimalist setting of the USE variable. You are free to add additional USE flags as needed for your specific system requirements, but it is highly recommended that you do not add them to /etc/make.conf until after you have finished emerge -e system. Adding USE flags before then can make compiling the system a challenge. Also, as this is a HARDENED install, there are no default USE flags needed for this install; the USE flags that are needed are listed at the end of the install and should be added either to /etc/make.conf or with ufed, which we use in this guide.

```
# nano -w /etc/make.conf

CHOST="i686-pc-linux-gnu"
CFLAGS="-O2 -march=athlon-xp -fomit-frame-pointer -pipe"
CXXFLAGS=${CFLAGS}
ACCEPT_KEYWORDS="x86"
PORTAGE_TMPDIR=/var/tmp
PORTDIR=/usr/portage
DISTDIR=${PORTDIR}/distfiles
PKGDIR=${PORTDIR}/packages
PORT_LOGDIR=/var/log/portage
PORTDIR_OVERLAY=/usr/local/portage
GENTOO_MIRRORS="<your mirror goes here> http://gentoo.osuosl.org http://www.ibiblio.org/pub/Linux/distributions/gentoo"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
RSYNC_RETRIES="3"
RSYNC_TIMEOUT=180
MAKEOPTS="-j2"
PORTAGE_NICENESS=3
AUTOCLEAN="yes"
FEATURES="distlocks sandbox userpriv usersandbox"
CCACHE_SIZE="2G"
USE="nptl"
```

6.6 Additional Portage Configuration

6.6.1 Create Portage Directories

The sample /etc/make.conf listed above specifies directories for Portage log files and overlays that are not included as part of a standard Gentoo installation. If you are going to use the logging and overlay functions listed in the sample make.conf file, then you will need to create two additional directories on your system. 

```
# mkdir /var/log/portage
# mkdir /usr/local/portage
```

6.6.2 Package Keywords - Enabling GCC 3.4.5 in the Stable Branch

GCC 3.4.5 is part of the unstable or "testing" branch in Portage. If you will be using the "x86" stable branch of the software, then we need to configure Portage to allow GCC 3.4.5 and some other toolchain components, even though they are currently classified in the testing branch.

To configure a stable branch system to utilize a testing branch ebuild, We need to let Portage know that we have approved this subset of the testing branch for use on our system. This is accomplished by specifying the name of the package and the applicable keyword in the /etc/portage/package.keywords file. We will enable support for four testing branch ebuilds in our system. 

```
# nano -w /etc/portage/package.keywords

~sys-devel/gcc-3.4.5 -* ~x86
sys-devel/gcc-config ~x86
sys-libs/libstdc++-v3 ~x86
sys-libs/glibc ~x86
sys-devel/binutils ~x86
sys-libs/timezone-data ~x86
```

6.6.3 Update the Portage Tree 

```
# emerge --sync
```

6.7 Activate User Locales

Gentoo's default behavior is to compile a full set of all of the available user locales. We will activate the userlocales local USE flag to limit the compilation of user locales to those that we specify. Limiting the scope of userlocales will save us a tremendous amount of time while compiling glibc. (While we're editing this file, we'll also add "ithreads" as a package-specific USE flag for perl and libperl to allow interpreter-level threading.)

6.7.1 Activate the userlocales USE flag for glibc

```
# nano -w /etc/portage/package.use

sys-libs/glibc userlocales
sys-devel/libperl ithreads
dev-lang/perl ithreads
```

6.7.2 Specify the user locales to build.

Create the /etc/locales.build file with your favorite editor. I'm located in the USA, so I'll use the following values.

```
# nano -w /etc/locales.build

en_US/ISO-8859-1
en_US.UTF-8/UTF-8
```

7. Building the Toolkit

7.1 Building the Toolkit: GCC 3.3.5

To enable NPTL support we are required to use a 2.6 kernel and linux26-headers. Linux26-headers is now contained in the 2005.0 Stage 3 tarball.

```
# env-update && source /etc/profile
# emerge gcc-config glibc binutils libstdc++-v3 gcc
```

This step will surely make you think WOW, because it takes a while to complete. Good time for a nice afternoon nap. Time to compile that toolchain!

7.2 Re-Building the Toolkit: GCC 3.4.5

After emerging a new version of GCC, we need to pause for a moment and think about what we've done. We've just used GCC 3.3.5 and a toolchain built with GCC 3.3.5 to compile GCC 3.4.5. Before we spend any more time building our Gentoo system we should rebuild the entire toolchain, re-compiling it so that we have GCC 3.4.5 that was built with GCC 3.4.5.

Before we do this we need to examine /etc/make.conf and make changes to the CFLAGS statements in order to take advantage of the new performance-enhancing features of GCC 3.4.5. After making the necessary updates to /etc/make.conf we need to rebuild the toolkit using the new GCC 3.4.5 compiler. The result will be a 3.4.5 toolkit, compiled by a 3.4.5 toolkit that was built with a 3.3.5 toolkit.

7.2.1 Updating make.conf

Here are some settings for /etc/make.conf that may be worth considering.  They include extreme levels of code optimization, and some very safe and stable performance-enhancing CFLAGS. Depending upon your individual hardware, you may have to simplify some of the CFLAGS settings. 

These CFLAGS should be looked at as examples only. Please refer to:

http://gentoo-wiki.com/CFLAGS

http://gcc.gnu.org/onlinedocs/gcc-3.3/gcc/Optimize-Options.htm

http://gentoo-wiki.com/Safe_Cflags

```
CFLAGS="-O2 -march=athlon-xp -fforce-addr -fomit-frame-pointer -ftracer -pipe"
CXXFLAGS="${CFLAGS} -fvisibility-inlines-hidden"
```

The Default may be a better approach for those who don't want to be on the bleeding edge or don't want to spend time troubleshooting.

7.2.2 Configuring the Default C Compiler

Although we have emerged GCC 3.4.5, it has not been automatically installed as our default compiler. If you have any doubts about this, take a quick peek at the output of "emerge info" or "gcc-config -l". Although GCC 3.4.5 has already been emerged, GCC 3.3.5 is still installed as our

```
# gcc-config -l

[1] i386-pc-linux-gnu-3.3.5-20050130
[2] i386-pc-linux-gnu-3.3.5-20050130-hardenednopie
[3] i386-pc-linux-gnu-3.3.5-20050130-hardenednopiessp
[4] i386-pc-linux-gnu-3.3.5-20050130-hardenednossp
[5] i386-pc-linux-gnu-3.3.5-20050130-vanilla
[6] i686-pc-linux-gnu-3.4.5 *
[7] i686-pc-linux-gnu-3.4.5-hardenednopie
[8] i686-pc-linux-gnu-3.4.5-hardenednopiessp
[9] i686-pc-linux-gnu-3.4.5-hardenednossp
[10] i686-pc-linux-gnu-3.4.5-vanilla
```

Change the default compiler to GCC 3.4.5 by issuing the following command. Warning: make sure that the correct compiler entry is selected, as the numbers may change.

```
# gcc-config 6
```

7.2.3 Updating the System Environment

An additional command updates our system environment:

```
# env-update && source /etc/profile
```

7.2.4 Rebuilding the System Toolkit

Now it's time to rebuild the toolkit. We'll start off by recompiling glibc, binutils, gcc, and by updating portage. This will rebuild our GCC 3.4.5 compiling toolkit (which had previously been compiled with GCC 3.3.5) with the GCC 3.4.5 compiler, taking advantage of our new USE flags and CFLAGS compiler settings.

```
# emerge glibc binutils libstdc++-v3 gcc portage
```

Upon completion of the rebuild of the compiling toolkit, we will recompile the entire system to assure that our entire toolkit has been compiled using GCC 3.4.5 and our hardware-specific settings.

The result will be a 3.4.5 toolkit and an entire system that is built with a 3.4.5 toolkit.

```
# emerge -e system && emerge -e system
```

7.2.5 Prune the GCC Compiler

Now that GCC 3.4.5 has been installed as the default compiler and our system has been rebuilt, we can prune GCC 3.3.5 from our system by issuing the following commands. First, verify that GCC 3.4.5 has indeed been installed as the default compiler using the "l" parameter with gcc-config. (Just to avoid any confusion, the parameter used is a lower case "L", not the number "one".) Then, after confirming that GCC 3.4.5 has been installed as the default compiler, prune GCC 3.3.5 from your system.

```
# gcc-config -l
# emerge -P gcc
```

8.0 Building the World

8.1 Emerge Ccache (Optional)

Now that our toolkit has been built, we'll emerge the ccache program. Ccache is a compiler cache that will help to reduce compile times when previously compiled programs are being recompiled. It will not affect the time required to compile programs on the first pass, so this is an optional step. (Note: CCACHE_SIZE was set to 2G in the sample make.conf. If you have sufficient disk space, and you're planning on emerging a bloated window manager like Gnome or KDE (or if you are performing an emerge -e system or an emerge -e world), then you may want to keep this setting at CCACHE_SIZE="2G".) If you don't need or want this you can comment out CCACHE_SIZE="2G" or just reduce it to CCACHE_SIZE="512M" in /etc/make.conf.

```
# emerge ccache
```

8.2 Emerging Programs

Now it's time to add a few useful packages to our world profile:

```
# emerge syslog-ng xinetd grub vixie-cron reiserfsprogs sysfsutils dhcpcd hotplug coldplug gentoolkit esearch udev hdparm
# emerge --nodeps acpid ntp
# emerge chpax paxctl paxtest ufed
```

8.3 Updating the Environment

Now we'll add these services to the default runlevel. 

```
# rc-update add syslog-ng default
# rc-update add net.eth0 default
# rc-update add vixie-cron default
# rc-update add xinetd default
# rc-update add sshd default
# rc-update add hotplug default
# rc-update add coldplug default
# rc-update add acpid default
# rc-update add ntp-client default
# rc-update add chpax default
```

8.4 Configuring the NTP Client

In the previous steps we emerged a Network Time Protocol client to allow us to use NTP time servers to synchronize our system clock. In this step we'll configure the ntp-client to eliminate clock skew:

```
# ntpdate -b -u pool.ntp.org
```

9. Kernel

9.1 Downloading the Kernel

The decision to enable NPTL support requires that we use a 2.6 kernel. You are free to choose any flavor of 2.6 kernel that you like. In this example, we'll be using the HARDENED-Sources kernel. Note that a 2.4 kernel will not work properly with this Installation Guide.

9.3 Now we are going to emerge our kernel source. Whatever stable 2.6 kernel you decide to go with, just make sure to use hardened-sources.

```
# emerge hardened-sources
```

9.4 Building the Kernel Symlink

This is only needed if you already have a previous kernel installed and you want to point the symlink to the new kernel.

```
# rm /usr/src/linux
# cd /usr/src
# ln -s linux-2.6.12-gentoo-r6 linux
```

9.5 Configuration

9.5.1 Enable udev Support

Edit your /etc/conf.d/rc file so that it contains the following statements:

```
# nano -w /etc/conf.d/rc

RC_NET_STRICT_CHECKING="no"
RC_DEVICES="udev"
RC_DEVICE_TARBALL="no"
```

9.5.2 Configure Kernel Options

If you're following this Installation Guide, we're going to assume that you want the best performance from your system, and that you'll be using a custom-compiled kernel instead of genkernel. When configuring your kernel, be sure to include support for hotplug firmware loading. Also be sure to remove devfs filesystem support, as we are designing udev support into our system.

Configure the kernel:

```
# cd /usr/src/linux
# make menuconfig
```

9.5.3 Now you can configure your kernel like normal and add a few entries to it. To be able to select the various grsecurity/PaX kernel options, you must enable grsecurity/PaX in your kernel:

```
1. Go into Security Options ----->

  A. Go into PaX
           [ * ] Enable various PaX features

      a. Go in PaX Control ----->
                   [   ] Support soft mode
                   [ * ] Use legacy ELF header marking
                   [ * ] Use ELF program header marking
                    MAC system integration (none) ----

      b. Go in Non-executable pages ----->
                   [ * ] Enforce non-executable pages
                   [ * ]   Paging based non-executable pages
                   [ * ]   Segmentation based non-executable pages
                    Default non-executable page method (SEGMEXEC)
                   [   ] Emulate trampolines
                   [ * ] Restrict mprotect()
                   [   ] Disallow ELF text relocations
                   [   ] Enforce non-executable kernel pages

      c. Go in Address Space Layout Randomization ----->
                   [ * ] Address Space Layout Randomization
                   [ * ] Randomize kernel stack base
                   [ * ] Randomize user stack base
                   [ * ] Randomize mmap() base
                    --- Disable the vsyscall page

2. Go into Grsecurity ----->

   A. [ * ] Grsecurity

      a. Security Level (Custom) ----->

      b. Go in Address Space Protection ----->
                   [ * ] Deny writing to /dev/kmem, /dev/mem, and /dev/port
                   [   ] Disable privileged I/O
                   [ * ] Remove addresses from /proc/<pid>/[smaps|maps|stat]
                   [   ] Deter exploit bruteforcing
                   [   ] Hide kernel symbols

      c. Go in Role Based Access Control Options ----->
                   [ * ] Hide kernel processes
                   (3)   Maximum tries before password lockout
                   (30)  Time to wait after max password tries, in seconds

      d. Go in Filesystem Protections ----->
                   [ * ] Proc restrictions
                   [   ]   Restrict /proc to user only
                   [ * ]   Allow special group
                   (1001)  GID for special group
                   [ * ]   Additional restrictions
                   [ * ] Linking restrictions
                   [ * ] FIFO restrictions
                   [ * ] Chroot jail restrictions
                   [ * ]   Deny mounts
                   [ * ]   Deny double-chroots
                   [ * ]   Deny pivot_root in chroot
                   [ * ]   Enforce chdir("/") on all chroots
                   [ * ]   Deny (f)chmod +s
                   [ * ]   Deny fchdir out of chroot
                   [ * ]   Deny mknod
                   [ * ]   Deny shmat() out of chroot
                   [ * ]   Deny access to abstract AF_UNIX sockets out of chroot
                   [ * ]   Protect outside processes
                   [ * ]   Restrict priority changes
                   [ * ]   Deny sysctl writes
                   [ * ]   Capability restrictions

      e. Go in Kernel Auditing ----->
                   [   ] Single group for auditing
                   [   ] Exec logging
                   [ * ] Resource logging
                   [   ] Log execs within chroot
                   [   ] Chdir logging
                   [ * ] (Un)Mount logging
                   [   ] IPC logging
                   [ * ] Signal logging
                   [ * ] Fork failure logging
                   [ * ] Time change logging
                   [   ] /proc/<pid>/ipaddr support
                   [   ] ELF text relocations logging (READ HELP)

      f. Go in Executable Protections ----->
                   [ * ] Enforce RLIMIT_NPROC on execs
                   [   ] Destroy unused shared memory
                   [ * ] Dmesg(8) restriction
                   [ * ] Randomized PIDs
                   [   ] Trusted Path Execution (TPE)

      g. Go in Network Protections ----->
                   [ * ] Larger entropy pools
                   [ * ] Randomized TCP source ports
                   [   ] Socket restrictions

      h. Sysctl support ----->

      i. Go in Logging Options ----->
                   (10) Seconds in between log messages (minimum)
                   (4)  Number of messages in a burst (maximum)
```

Those are all the selections for grsecurity & PaX that I have selected in my kernel.
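As an added example that is not part of the original guide, the following POSIX shell script checks a saved kernel .config against the PaX and grsecurity selections listed above, so you can confirm after any later kernel rebuild that the protections are still compiled in. The CONFIG_* symbol names are assumed from the menu labels, and the two sample .config files the script writes are constructed for demonstration.

```shell
#!/bin/sh
# Added example (not from the original guide): verify that a kernel .config
# still carries the PaX/grsecurity options chosen in the menuconfig walk-through.
# The CONFIG_* names are assumed from the menu labels; confirm them against the
# Kconfig files in your hardened-sources tree if your version differs.

# Options the walk-through turns on ([ * ]).
WANT_ON="
CONFIG_PAX
CONFIG_PAX_EI_PAX
CONFIG_PAX_PT_PAX_FLAGS
CONFIG_PAX_NOEXEC
CONFIG_PAX_PAGEEXEC
CONFIG_PAX_SEGMEXEC
CONFIG_PAX_MPROTECT
CONFIG_PAX_ASLR
CONFIG_PAX_RANDKSTACK
CONFIG_PAX_RANDUSTACK
CONFIG_PAX_RANDMMAP
CONFIG_GRKERNSEC
CONFIG_GRKERNSEC_KMEM
CONFIG_GRKERNSEC_PROC_MEMMAP
CONFIG_GRKERNSEC_PROC
CONFIG_GRKERNSEC_PROC_USERGROUP
CONFIG_GRKERNSEC_LINK
CONFIG_GRKERNSEC_FIFO
CONFIG_GRKERNSEC_CHROOT
CONFIG_GRKERNSEC_CHROOT_MOUNT
CONFIG_GRKERNSEC_CHROOT_DOUBLE
CONFIG_GRKERNSEC_DMESG
CONFIG_GRKERNSEC_SYSCTL
"

# Options the walk-through leaves off ([   ]): soft mode makes PaX opt-in per
# binary instead of enforced by default, so it must stay disabled.
WANT_OFF="
CONFIG_PAX_SOFTMODE
"

# GID of the special /proc group, as chosen in the walk-through.
WANT_PROC_GID=1001

# check_config FILE: print one line per deviation from the walk-through and
# return 0 only when there are none.
check_config() {
    cfg=$1
    rc=0
    for sym in $WANT_ON; do
        if ! grep -q "^${sym}=y\$" "$cfg"; then
            echo "MISSING:  $sym should be =y"
            rc=1
        fi
    done
    for sym in $WANT_OFF; do
        if grep -q "^${sym}=y\$" "$cfg"; then
            echo "UNWANTED: $sym is =y"
            rc=1
        fi
    done
    gid=$(sed -n 's/^CONFIG_GRKERNSEC_PROC_GID=//p' "$cfg")
    if [ "$gid" != "$WANT_PROC_GID" ]; then
        echo "MISMATCH: CONFIG_GRKERNSEC_PROC_GID is '${gid:-unset}', expected $WANT_PROC_GID"
        rc=1
    fi
    return $rc
}

# write_sample_good FILE: constructed .config that follows the walk-through.
write_sample_good() {
    {
        for sym in $WANT_ON; do echo "${sym}=y"; done
        echo "# CONFIG_PAX_SOFTMODE is not set"
        echo "CONFIG_GRKERNSEC_PROC_GID=$WANT_PROC_GID"
    } > "$1"
}

# write_sample_bad FILE: constructed .config with three deviations: ASLR
# dropped, soft mode enabled and the /proc GID left unset.
write_sample_bad() {
    {
        for sym in $WANT_ON; do
            [ "$sym" = CONFIG_PAX_ASLR ] || echo "${sym}=y"
        done
        echo "CONFIG_PAX_SOFTMODE=y"
    } > "$1"
}
```

Source the file and run `check_config /usr/src/linux/.config` after `make menuconfig`; a non-zero exit status means at least one selection has drifted from the list above.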

9.5.4 Compiling the Kernel

To compile your kernel and install the kernel and selected modules, issue the following command. I find that this one works a bit better than some of the other one-liner kernel compilation commands. If you should run into a problem where kernel compilation fails, it's easy to determine where the problem was. In addition, this command will also install the kernel for you:

```
# make && make modules && make modules_install && make install
```

10. Configuring the System

10.1 Configure Network Adapters

Configure your network adapters as recommended in the Gentoo Installation Handbook. In our case, we'll use DHCP:

```
# nano -w /etc/conf.d/net

iface_eth0="dhcp"
dhcpcd_eth0="-t 10"
```

10.2 Set Hostnames and Domainnames

The hostname and domainname locations referenced in the Gentoo Installation Handbook and some of the other HowTos appear to have been deprecated. The first example in each of the following two sections uses the old configuration method, which has been deprecated, but this is not yet reflected in many of the installation guides. The second option in each of the following two examples is more current:

10.2.1 Set Your Hostname

The following examples provide instruction for setting the hostname on your Gentoo box. We'll use "gentooville" as the hostname in this example.

```
# nano -w /etc/conf.d/hostname

HOSTNAME="gentooville"
```

10.2.2 Set Your Domainname 

```
# nano -w /etc/conf.d/domainname

OVERRIDE=1
DNSDOMAIN="mydomain.com"
NISDOMAIN="nis.mydomain.com"
```

10.2.3 Update /etc/hosts

If nameservers on your network handle all name resolution, then you can skip this step.

If your PC is a standalone system, or if your PC has a static IP address and you don't have DNS entries for your machine in a nameserver somewhere on your network, then you should specify the following information in the /etc/hosts file.

```
# nano -w /etc/hosts

127.0.0.1        localhost.localdomain       localhost
192.168.0.5      gentooville.mydomain.com    gentooville
```

10.2.4 Add domainname to the Default Runlevel

```
# rc-update add domainname default
```

10.4 Grub Bootloader

10.4.1 Grub.conf

To boot our installation of Gentoo Linux we'll need to configure a boot menu for the Grub Bootloader. Use your favorite text editor to create the /boot/grub/grub.conf file. In this case we'll use nano:

If you can't remember what kernel image you have, this is what I do a lot, since I tend to forget by the time I get to grub.conf:

```
# ls /boot
```

And I look for this: vmlinuz-2.6.14-hardened-r1 or similar. This is what you would add to your grub.conf:

```
System.map                     boot    config-2.6.14-hardened-r1  lost+found  vmlinuz-2.6.14-hardened-r1
System.map-2.6.14-hardened-r1  config  grub                       vmlinuz
```

```
# cd /boot/grub
# nano -w grub.conf
```

```
# Which listing to boot as default. 0 is the first, 1 the second etc.
default 0

# How many seconds to wait before the default listing is booted.
timeout 30

# Nice, fat splash-image to spice things up :)
# Comment out if you don't have a graphics card installed
splashimage=(hd0,0)/boot/grub/splash.xpm.gz

title=Gentoo Linux 2.6.14-hardened-r1
# Partition where the kernel image (or operating system) is located
root (hd0,0)
kernel /boot/vmlinuz-2.6.14-hardened-r1 root=/dev/hda3

# The next four lines are only if you dualboot with a Windows system.
# In this case, Windows is hosted on /dev/hda6.
title=Windows XP
rootnoverify (hd0,5)
makeactive
chainloader +1
```

10.4.2 Installing Grub onto the Hard Disk

Start Grub from the command prompt and use the following commands to embed grub into the hard disk. Remember, when counting hard disks we like to start at 1, but Grub likes to start at 0, so /dev/hda1 corresponds to hard disk 0, partition 0 in Grub.

```
# grub

grub> root (hd0,0)
grub> setup (hd0)
grub> quit
```

10.5 Filesystem - Configuring fstab

This is a sample /etc/fstab file that reflects the disk partition scheme used earlier in this Installation Guide. Make changes as appropriate if your partition scheme is different. 

```
# nano -w /etc/fstab
```

```
# <fs>               <mountpoint>  <type>       <opts>               <dump/pass>

# /boot was created with mke2fs -j in section 4.6 and mounted as ext3 in 4.7,
# so it is listed as ext3 here (notail is a reiserfs-only option).
/dev/hda1            /boot         ext3         noauto,noatime       1 2
/dev/hda3            /             reiserfs     notail               0 1
/dev/hda2            none          swap         sw                   0 0
/dev/cdroms/cdrom0   /mnt/cdrom    iso9660      user,noauto,ro,exec  0 0
/dev/fd0             /mnt/floppy   auto         noauto,users         0 0

# NOTE: The next line is critical for boot!
none                 /proc         proc         defaults             0 0

# glibc 2.2 and above expects tmpfs to be mounted at /dev/shm for
# POSIX shared memory (shm_open, shm_unlink).
# (tmpfs is a dynamically expandable/shrinkable ramdisk, and will
# use almost no memory if not populated with files)
# Adding the following line to /etc/fstab should take care of this:
none                 /dev/shm      tmpfs        nodev,nosuid         0 0
```

10.6 Setting HD Parameters

Back in Section 4 we developed optimized operating parameters for our hard disk. Now that we're in the chrooted environment of our newly designed Gentoo system, we need to make these configuration changes permanent. To do this, we'll write the HD parameters to the /etc/conf.d/hdparm file:

```
# nano -w /etc/conf.d/hdparm

disc0_args="-a256A1c1d1m16u1"

cdrom0_args="-d1c1u1"
```

After editing the contents of /etc/conf.d/hdparm type the following command to add hdparm to the boot runlevel.

```
# rc-update add hdparm boot
```

10.7 Set-Up User Accounts

We must change the password of the root user in our newly installed system. Then we will add non-root users to the system.

First, change the root password:

```
# passwd root

New password: (Enter your new password)

Re-enter password: (Re-enter your password)

```

Now add users who will be allowed to "su" their way to temporary root status. These users must be added to the "wheel" user group.

The groups the user is member of define what activities the user can perform. The following table lists a number of important groups you might wish to use: 

```
Group    Description

audio    = be able to access the audio devices

cdrom    = be able to directly access optical devices

floppy   = be able to directly access floppy devices

games    = be able to play games

portage  = be able to use emerge --pretend as a normal user

usb      = be able to access USB devices

video    = be able to access video capturing hardware and use hardware acceleration

wheel    = be able to use su
```

For instance, to create a user called gentooian who is a member of the users, wheel, audio, cdrom, floppy, games, portage, usb and video groups, log in as root first (only root can create users) and run useradd:

```
# useradd -m -G users,wheel,audio,cdrom,floppy,games,portage,usb,video -s /bin/bash gentooian

# passwd gentooian

Password: (Enter the password for gentooian)

Re-enter password: (Re-enter the password to verify)

```

This is where we need to define the default Gentoo USE flags. This needs to be done because in the hardened stage these are not activated by default.

```
# ufed
```

A nice GUI pops up and you're off and running. You will notice that with the HARDENED profile some selections have already been made for you. DO NOT REMOVE these. As for anything else, you can enter the flags you normally would. There are a few that seem to be needed for xorg, or your fonts will look a little funny and it might take you an hour or two rebuilding xorg if they are not used; those are:

```
"alsa apm arts avi bitmap-fonts cups eds emboss encode fortran foomaticdb gdbm gif gnome gpm gstreamer gtk gtk2 imlib jpeg kde libg++ libwww mad mikmod motif mp3 mpeg ogg oggvorbis opengl oss pdflib png qt quicktime sdl spell truetype truetype-fonts type1-fonts vorbis X xml2 xmms xv"
```

Then, after all that is said and done, I move on to finishing my install with

```
# emerge kdebase mozilla-firefox gyach
```

After those packages have been emerged you can set up xorg:

```
# xorgconfig
```

Of course, some might prefer to boot into their installation before emerging fun stuff like that. Either way, once the emerge is done, continue with the steps below.

10.10 Exiting Chroot and Unmounting Partitions

We will now exit the chrooted environment and unmount all of the mounted partitions.

```

# exit

# cd ~/

# umount /mnt/gentoo/proc /mnt/gentoo/boot /mnt/gentoo

# swapoff /dev/hda2
```

11. REBOOT!

And now, the moment you've been waiting for!

```
# shutdown -r now
```

Bob P. and his Jackass team are the brains behind this guide; they devised all the ideas. I'm sorry I copied and pasted the contents of your Bob P Jackass Grsecurity & PaX guide. Oh so sorry for not giving you your props. May the world donate as much money as it can to support Bob P and this installation method that he pawned from others. Give him his props for being the first to copyright first, or this guide might be written by the actual original author, the one that gets no credit on his guides. So here's your props, Bob; I said I wouldn't but then I did. Don't worry, Bob, either way we'll still be forgotten in the circle of life. It's like the Doors said, "No one will remember your name". But great job, Bob, I don't think the world could possibly revolve without you writing your glorious GUIDES.

Congratulations! You have completed the installation. We are in the process of creating other guides that will go along with this setup and increase the security level of this install. Links to these guides will be added as they are completed...

JADED Guides

Jaded Guide Ver 1.0

For further information on Hardened, Grsecurity or PaX, here are a few links that you might find greatly helpful.

https://forums.gentoo.org/viewtopic-t-345229.html

http://www.gentoo.org/doc/en/handbook/index.xml

http://www.gentoo.org/proj/en/hardened/

http://www.grsecurity.net/

----------

## Dr.Dran

Excuse me, but this is a buggy setting:

```
USE="nptl nptlonly"
```

Because the flag nptlonly includes the flag nptl and compiles glibc with the Native POSIX Threading Library only   :Wink: 

Byez   :Very Happy: 

----------

## gentoology

This is not a bug, we wanted it this way because we want our entire system compiled for nptl only and not both nptl and linuxthreads. We understand that there might be some applications which don't work, but we feel they are by far the minority and haven't run into any serious programs that caused problems. The tradeoff of compiling glibc once for nptl with nptlonly is worth it for us instead of having to compile it twice for linuxthreads and nptl. If you know of any *major* conflicts with this then please post them. Thank you for responding, by the way.

----------

## scrooge

I just finished installing and it worked without a problem.  :Cool: 

I'm not sure if it really matters, but I had to set the ccache size by using the command "ccache -M 512M" after emerging it. It was set to 512M in make.conf but "ccache -l" showed it as 900+ megs.

Anyways, great guide.  :Smile: 

----------

## Dr.Dran

OK, my post is only a suggestion, but I suggest reading this thread; it is interesting:

https://forums.gentoo.org/viewtopic-t-318191-postdays-0-postorder-asc-start-25.html

Bye and good year!!!   :Very Happy: 

----------

## dbasetrinity

 *DranXXX wrote:*   

> OK, my post is only a suggestion, but I suggest reading this thread; it is interesting:
> 
> https://forums.gentoo.org/viewtopic-t-318191-postdays-0-postorder-asc-start-25.html
> 
> Bye and good year!!!  

 

Thanks for the info as usual, DranXXX. I think what I am going to do is make nptlonly "optional" in the guide. However, in your posts you mention that Sun JDK is one of the packages that won't compile with nptlonly. So I tested that theory and here is what I found.

sun jdk 1.5.0.6 worked fine.

sun jre 1.5.0.6 also worked fine.

So I'm not sure it had to do with nptlonly; it could have been something with your CFLAGS or LDFLAGS...

Also, if you are going with GCC4.1 and using glibc2.3.6 you might want to add -friendly -injection to your CXXFLAGS.

Also, going back to emerge -e twice, as it seems to build a more stable system.

Happy New Year to you as well

----------

## Sheepdogj15

oooh.

I just recently set up a gentoo router box using hardened/pax/grsec/etc. I may have some substantial input in the near future, but for the moment just a couple of comments.

1. Why GCC 3.4.5? Usually something is hard masked for a good reason.

2:

 *dbasetrinity wrote:*   

> Also going back to emerge -e twice as it seems build a more stable system.

 

Actually, I recommend the emwrap script for this purpose. It'll rebuild your toolchain for you in the proper order, so you don't spend a huge amount of time remerging your whole world. (You should still emerge -e world at least once, but you still get time savings, not to mention good stability and simplicity.)

----------

## dbasetrinity

 *Sheepdogj15 wrote:*   

> oooh.
> 
> I just recently set up a gentoo router box using hardened/pax/grsec/etc. I may have some substantial input in the near future, but for the moment just a couple of comments.
> 
> 1. Why GCC 3.4.5? Usually something is hard masked for a good reason.
> ...

 

Why GCC3.4.5? Well, mostly because, for being hard masked, it seems to be as stable as GCC3.4.4. I've had no issues whatsoever with this compiler. Now if we were talking about GCC4.0.2 or GCC4.1.0_beta then there would be a MASSIVE warning on top saying good luck, you brave souls. lol  But in my opinion GCC3.4.5 is a pretty safe option to take.

And we will be looking forward to any input you can offer up on the ART of Hardened Grsecurity & PaX.....   :Very Happy: 

Also, that is a very nice script. We are currently working on a script for this install that should cut down the number of steps that need to be keyed in.

----------

## Dr.Dran

Ehm... gcc 3.4.5 is built for the G4/G5 processors; there isn't a difference for the x86/ia64 and amd64 processors compared with 3.4.4-r1   :Wink: 

Best regards   :Very Happy: 

----------

## dbasetrinity

 *DranXXX wrote:*   

> Ehm... gcc 3.4.5 is built for the G4/G5 processors; there isn't a difference for the x86/ia64 and amd64 processors compared with 3.4.4-r1  
> 
> Best regards  

 

DranXXX, could you share where you found this information? I've been searching but I'm not finding it.

http://gcc.gnu.org/gcc-3.4/changes.html#3.4.5

As I look at this log and all its bug fixes, if you read into them there are a lot of fixes in this version for issues that have existed as far back as GCC 3.4.0. So as far as your statement goes, I do believe it would be incorrect. As for this update being minor, that could be considered true, since there isn't much of a difference that I was able to find other than the bug fixes, so sure. But nevertheless I still believe GCC3.4.5 is surely a solid choice for something that is hard masked, of course. Hence the reason I stated EXPERIMENTAL in the intro...

http://blog.gmane.org/gmane.comp.gcc.announce

Gabriel Dos Reis  | 7 Dec 21:25

GCC 3.4.5 has been released

From: Gabriel Dos Reis <gdr <at> integrable-solutions.net>

Subject: GCC 3.4.5 has been released

Newsgroups: gmane.comp.gcc.announce

Date: 2005-12-07 20:25:09 GMT

I'm pleased to announce that GCC 3.4.5 has been released.

This version is a minor release, from the 3.4.x series, fixing regressions with respect to previous versions of GCC. It can be downloaded from the FTP servers listed here

http://www.gnu.org/order/ftp.html

A list of known fixed bugs is available from here

http://gcc.gnu.org/gcc-3.4/changes.html

http://tacojuice.org/plnews/Languages/MultipleLanguages/

GCC 3.4.5 Released

Thursday (Dec 08, 2005) 09:50 | /Languages/MultipleLanguages

The GNU Compiler Collection 3.4.5 has been released. It is a portable compiler suite, including support for C, C++, Objective-C, Fortran, Java, and Ada.

This release fixes various internal compiler errors, wrong-code bugs, and other problems.

Well, if you could post your source that would be great, seeing as I can't seem to find it...

Thanks for posting......  :Very Happy:  Also, if I am incorrect on this post in any way please feel free to correct me, as I am always a student.

----------

## Dr.Dran

Yeah, cool! My source on the net is the same as the one you found, but in particular if you look at the changes you can see that all the major bugs aren't very significant for a hardened installation. But I talked with my friend who studies Information Technology at the university and is an expert in computer architecture, and he assured me that the real gap was between the 3.4 and the 4.x versions of gcc; 3.4.5 is a version that in particular resolves some bad bugs on G4/G5 C/C++ source.

That's all.

For me, I suggest in particular utilizing the stable version of GCC, because it is hard tested and safe with all packages in gentoo.

But by the way, I think that making experiments and hard tuning on some profile is positive and improves knowledge. I suggest looking at the Jackass / RockHopper project, which rulez for extreme experiments   :Very Happy: 

----------

## dbasetrinity

Yea, I like the stage 1/3, which this is for the most part based off, at least the toolchain part of it. I especially like the Jackass CD that's coming out built upon GCC3.4.5 lol.. The RockHopper project is very extreme and well thought out.

As far as Gcc4.1.0_beta goes, I'm going to wait another month and see if it has improved any more; then I'll give it some more time.

----------

## Dr.Dran

Cool! If you intend to utilize gcc 4.x on the hardened profile I would like to be informed, because I'm interested too.  :Very Happy: 

By the way, have a cool hack day   :Very Happy: 

----------

## Sheepdogj15

ahhh, comprende

----------

## webmaxx

 *dbasetrinity wrote:*   

> 
> 
> Upon completion of the rebuild of the compiling toolkit, we will recompile the entire system to assure that our entire toolkit has been compiled using GCC 3.4.5 and our hardware-specific settings.
> 
> The result will be a 3.4.5 toolkit and an entire system that is built with a 3.4.5 toolkit.. 
> ...

 

Are you sure emerging -e system _twice_ is right?

----------

## dbasetrinity

Yep, I am sure and I wouldn't advise anything but; it makes for a far more stable system.

I would say in running just emerge -e system once you're going to find a lot more issues with broken packages.

Therefore that's why I went back to twice after some testing; I found that the little extra wait is worth it in the long run.

----------

## webmaxx

Ok, thanks for your investigation  :Smile:  Will try it, once my hardware is repaired ...     :Crying or Very sad: 

----------

## webmaxx

Got all installed. My new Gentoo server is up'n running now   :Very Happy: 

One thing to notice:

I could only get grub installed by inserting

```
sys-boot/grub -netboot
```

 in /etc/portage/package.use

Otherwise it failed to compile. There are already some topics about that issue around here.

----------

## gentoology

Yes that does seem to be a case, but this installation by default does not include netboot as a USE flag which is probably why we haven't run into this problem when we have done testing. This doesn't seem to be a hardened related issue but this still will help a lot of people out in the future. Thank you for providing your input.

This also seems to be similar to this bug filed already.

----------

## Odoital

Don't forget to re-emerge anything that has multiple versions.

For example, python-2.4 is default, but apps like zope depend on python-2.3 and cause a "i386-pclinux-gnu-gcc" error if not properly re-emerged to support "i686-pclinux-gnu-gcc" in this guide's case.

----------

## dbasetrinity

 *Odoital wrote:*   

> Don't forget to re-emerge anything that has multiple versions.
> 
> For example, python-2.4 is default, but apps like zope depend on python-2.3 and cause a "i386-pclinux-gnu-gcc" error if not properly re-emerged to support "i686-pclinux-gnu-gcc" in this guide's case.

 

What does that have to do with this guide?

----------

## Odoital

 *dbasetrinity wrote:*   

>  *Odoital wrote:*   Don't forget to re-emerge anything that has multiple versions.
> 
> For example, python-2.4 is default, but apps like zope depend on python-2.3 and cause a "i386-pclinux-gnu-gcc" error if not properly re-emerged to support "i686-pclinux-gnu-gcc" in this guide's case. 
> 
> What does that have to do with this guide?

 

Because your guide assumes the latest portage tree, which defaults to python-2.4.

----------

## dbasetrinity

 *Odoital wrote:*   

>  *dbasetrinity wrote:*    *Odoital wrote:*   Don't forget to re-emerge anything that has multiple versions.
> 
> For example, python-2.4 is default, but apps like zope depend on python-2.3 and cause a "i386-pclinux-gnu-gcc" error if not properly re-emerged to support "i686-pclinux-gnu-gcc" in this guide's case. 
> 
> What does that have to do with this guide? 
> ...

 

My guide assumes that you're using whatever portage is stable, since if you look over the guide it is based on an x86 install.

Second, this would be an issue with an application you chose to use, and it is not listed in the contents of this guide.

Third, you reference that this is to avoid an i386-pclinux-gnu-gcc error. Explain to me why you would receive this error if following my guide, since it's based on an i686 install.

Any installation you choose to take, you are still going to have the same issue as what you stated, all because you chose zope, which seems to need the older version of python.

I just think a more proper location for your post would maybe be under unsupported applications, maybe; I don't know, however I do not believe it's relevant here.

****THIS IS NOT THE ZOPE GUIDE****

----------

## Bob P

Nice guide. Insofar as many of the text paragraphs and code sections are copied verbatim without any changes from a copyrighted work (you've even copied the format of the Guide), I would like to request that you consider honoring the terms of the Creative Commons Attribution-ShareAlike License version 2.0 and give appropriate attribution to the author.

----------

## dbasetrinity

Glad you like it, Bob.

Tell you what, if you want to copyright this guide you go right ahead, because I haven't. What are you trying to claim as yours, a few commands and a few words in a guide that are similar to your own?

Personally I don't think you can take credit for the 1/3 guide yourself, since you used someone else's install method and called it your own. But oh well.

Are you sure you're pro open source, Bob? It just seems as though it's all about the money with you; all I really hear is you complaining about what you didn't receive, how Google has screwed you over and no one donates to your Jackass or Hopper projects. I wrote this guide to give others a good process for installing a hardened system with grsecurity and PaX. That's all, nothing more, nothing less. What others do with it is of little concern to me.

But if you want your props, look on the first guide; it does mention your guide. But if you want to look through all the so-called code snippets in this guide, they don't really refer to your guide, since all the code snippets say athlon-xp rather than i686 or whatever yours did.

I know this probably seems as though I'm angry about your reply. But honestly I've expected it to come for some time. Anyways, I'm not going to add your name to this guide. However, if you want to say this guide is yours, go right ahead. It's a free country.

Bob, is the word "emerge" copyrighted? I would like to use it in another guide here soon. OK, let me know... Bye bye for now, Bobby.

----------

## Master One

dbasetrinity, I am curious, you used hardened for a desktop installation? I thought hardened was not doing well with quite some (mostly desktop/GUI) apps; it even should be not that simple to get X going on a hardened system.

I am just starting to read on the hardened project, and it would indeed be interesting, not only for server use, but also for a desktop / notebook installation, if I can get all my usual software to work properly.

----------

## dbasetrinity

Yep, works great, running KDE 3.5.

The only application I have any issues with is beep-media-player, and it doesn't have anything to do with hardened; it's a PaX permissions issue. Other than that I haven't found any software I can't install and use just like before. So, desktop or server, I think you'll be happy with it.

The only thing to be aware of is USE flags with hardened. They are not defined by default like on a normal install. So it would be wise to get a list of all those USE flags, which I have listed in this guide.

The one USE flag that is important when it comes to X is dlloader; you will need that, which should be selected by default when using the hardened stage or hardened profile.

Well hope that helped

----------

## Master One

Nice, I am already pretty convinced to go for hardened on my upcoming laptop reinstall...   :Smile: 

So could you fix the beep-media-player issue using chpax? I don't think there could be any show-stopper, if being able to change the PaX flags as needed. The USE flags should be no problem, I'll go with the hardened profile, and go along with this famous installation method.

----------

## dbasetrinity

Yep, there is a way to get beep-media-player to work, but I couldn't tell you exactly how; I've honestly never tried. I've heard that it's just a matter of changing the permissions for it. chpax automatically does most of the applications, like java, mplayer and xorg, but for the ones it doesn't, you will need to use paxctl.

I'll try to figure out myself how to get it working when I get some time.

Worst comes to worst, you can always disable pax or maybe certain options, and there's always another kernel image also. I actually have it that way:

I have just a normal hardened-sources kernel without grsecurity and pax, and then one with it all.

I do remember that Catalyst was giving me trouble with the grsecurity and pax kernel.

Well good luck with the install.

----------

