# Newbie and I have some questions on Gentoo Security (Solved)

## Amputaatio

Quick questions I have: 

Does compiling things from source make your system have more security than for instance installing binary packages like in Arch Linux? 

Also does getting rid of certain use flags when installing a package radically improve security or it is such a small difference which does not matter much?

Last edited by Amputaatio on Thu Mar 09, 2017 11:55 am; edited 3 times in total

----------

## ct85711

 *Quote:*   

> Does compiling things from source make your system have more security than for instance installing binary packages like in Arch Linux? 

 

Well, for this it helps in that the package's dependencies get updated, reducing potential security vulnerability, while binary packages may have some of the dependencies included with the package (often old versions, for simplicity reasons). A good example of this problem is Heartbleed in openssl. Numerous packages use openssl, and it's been an ongoing battle in that some packages haven't updated the included copy of openssl that may be vulnerable to it.

 *Quote:*   

> Also does getting rid of certain use flags when installing a package radically improve security or it is such a small difference which does not matter much?

 

Removing unnecessary USE flags has the potential of reducing the chance for vulnerability. This is done by only including the necessary dependencies. What I mean is that some USE flags toggle some optional dependencies depending on if it is on or not (this is not always the case, it depends on the package). The one thing you need to keep in mind is that USE flags also restrict some possible capabilities in the program.

----------

## Amputaatio

Thanks for the response. That makes a lot of sense. I accidentally left some information out on my second question. I deleted it and rewrote it below. My bad, silly me.

What I meant to say is: if I am running the Hardened profile with GRsec, is it really worth it, or is just running the regular profile with GRsec basically the same thing?

----------

## NeddySeagoon

Amputaatio,

The hardened profile won't get you much hardening on its own.  You need the hardened kernel too.

Is it worth it?

That all depends on the threats you want to defend against.

Security starts with looking at your threats, then deploying measures to defend against those threats.

e.g. You are worried about the NSA getting your secrets.  They will bypass any and all defences and take you and your PC away and beat your secrets out of you.

You want to defend against leaving your laptop on a train. Encrypt your hard drive. This is only useful while the system is powered off.

Not running things you don't need to reduces your attack surface. Not running optional parts of packages you do need reduces your attack surface too.

You need to build your own for that. Gentoo helps.

Security is like the layers of an onion. It makes it hard but never say impossible for an attacker.

The more you have, the more intrusive it becomes to your use of the system.

e.g. Not connecting to the internet is good for security but it's unlikely you would tolerate that.

Choose the right defences to match your perceived threat and only deploy those defences you are willing to tolerate interfering or changing your workflow.

----------

## khayyam

 *Amputaatio wrote:*   

> What I meant to say is if I am running the Hardened profile with GRsec is it really worth it or is just running the regular profile with GRsec basically the same thing.

 

Amputaatio ... they are not the same thing, a hardened profile will restrict things/useflags like JIT (jit, luajit, etc) which either won't function under grsec, or can be considered requiring disabling as part of 'hardening'. Other useflags, like urandom, are also enabled with the hardened profile, and some config files (like syslog-ng.conf) are different when USE="hardened" is set. These could of course be enabled with a non-hardened profile, but a profile is the general mechanism for getting these features enabled/disabled.

best ... khay

----------

## Amputaatio

Thanks for the responses. Got the information I needed. Edited the title to "solved".

----------

