# How much more secure is Hardened Gentoo really than other Linux distributions?

## vasili111

How much more secure is Hardened Gentoo against 0-day vulnerabilities in the real world than other Linux distros?

As I understand it, Hardened Gentoo has many security-oriented enhancements that can theoretically protect against some 0-day vulnerabilities. But how well does that actually work in the real world? Here ( https://www.cvedetails.com/vendor/33/Linux.html ) I read that in 2016 there were 218 Linux vulnerabilities. How many times was a default Hardened Gentoo installation protected against 0-day vulnerabilities in 2016 while other Linux distros were not protected before the security patch for the vulnerability came out? What evidence do we have that Hardened Gentoo really protects better against 0-day vulnerabilities than other Linux distros?

----------

## NeddySeagoon

vasili111,

Welcome to Gentoo.

That's not how security works.  The idea is to make something harder for an attacker, not impossible, so that they find an easier target to attack.

Further, for an attacker to use your box, they need access, then they need to subvert something.  That's two steps.

Hardened is something that makes both steps more difficult with some attacks - not all.

Even without hardened you can mount /tmp and /home with the noexec option, which denies ordinary users the ability to run arbitrary software, since they have no execute space.

This means that you need to set up your system with /tmp and /home on their own partitions.

Once an attacker has root, it's game over - they can do anything.

As always, formulate your perceived threat model, then deploy defences against it.

Keep in mind too that there is a trade-off between security and usability.
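An added example, not from this thread: a small POSIX sh audit that checks whether /tmp and /home carry the noexec (and the related nosuid, nodev) mount options, reading /proc/mounts-style text. The mount table below is constructed sample data; on a real box you would feed it `$(cat /proc/mounts)` instead.

```shell
#!/bin/sh
# Added example (not from the thread): report which of the hardening mount
# options noexec, nosuid and nodev a mountpoint lacks, in /proc/mounts format.

# Constructed sample in /proc/mounts format (not a real system):
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /home ext4 rw,relatime,nosuid,nodev,noexec 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,relatime 0 0'

# Print the comma-separated options of mountpoint $2 in mount table $1.
mount_opts() {
    printf '%s\n' "$1" | awk -v mp="$2" '$2 == mp { print $4 }'
}

# Print the hardening options mountpoint $2 lacks (or "not-mounted").
# Returns 0 only when noexec, nosuid and nodev are all present.
missing_opts() {
    opts=$(mount_opts "$1" "$2")
    [ -n "$opts" ] || { echo "not-mounted"; return 1; }
    missing=""
    for want in noexec nosuid nodev; do
        case ",$opts," in
            *",$want,"*) ;;                      # option present
            *) missing="$missing $want" ;;       # option absent
        esac
    done
    missing=${missing# }
    [ -z "$missing" ] || { echo "$missing"; return 1; }
    return 0
}

# A matching /etc/fstab line that gives /tmp all three options would be:
# tmpfs  /tmp  tmpfs  nosuid,nodev,noexec,mode=1777  0 0

for mp in /tmp /home; do
    if out=$(missing_opts "$SAMPLE_MOUNTS" "$mp"); then
        echo "$mp: ok"
    else
        echo "$mp: missing $out"
    fi
done
```

With the sample table, /home passes and /tmp is reported as missing noexec, which is exactly the gap the post above warns about.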

----------

## Syl20

Moreover, that depends on your kernel configuration. The hardened kernel sources package provides lots of security features (selinux, grsec...), but you have to enable and configure them, and then deal with their restrictions.

----------

## vasili111

*NeddySeagoon wrote:*

> vasili111,
>
> Welcome to Gentoo.

Thank you

*NeddySeagoon wrote:*

> vasili111,
>
> Welcome to Gentoo.
>
> That's not how security works.  The idea is to make something harder for an attacker, not impossible, so that they find an easier target to attack.
> ...

*Syl20 wrote:*

> Moreover, that depends on your kernel configuration. The hardened kernel sources package provides lots of security features (selinux, grsec...), but you have to enable and configure them, and then deal with their restrictions.

I understand that. But I am interested in whether anyone has personal experience of their system being secured against a 0-day exploit by a default or even well-configured Hardened Gentoo, with the features it provides well configured, while at that time other Linux distributions were vulnerable to the same 0-day exploit. Does anyone have such personal experience?

----------

## ct85711

One thing you are not keeping in mind is that Linux is Linux; the software is the same for any distribution.  You get the same package on Gentoo as you get on Debian, Ubuntu, Fedora and all of the others; we all share patches between each other (and of course with upstream too).  The only main differences between the distributions are the package manager and graphical customization (i.e. logo, coloration, etc...).

Gentoo has one other difference in that we are a source-based distribution, and we try to keep dependencies separate from the package.  This allows patches to get applied to everything.  A good case in point is Heartbleed (the big OpenSSL vulnerability).  OpenSSL is very commonly included in several packages, and the part that made Heartbleed so bad is that so many packages included their own copy of OpenSSL (to aid in compiling against a known version).  On Gentoo, we got the patch out for that issue right away, and most of our packages were protected; whereas everywhere else you have to hope the developers eventually got around to updating the attached copy of OpenSSL.

Now the disadvantage to this is that Gentoo is NOT friendly when you don't update on a regular basis.  Another disadvantage is that we may encounter breakage due to package updates (the devs are usually pretty good at catching these issues); and lastly there is the part of having to compile all/most of the packages.

----------

## NeddySeagoon

vasili111,

It's not a distro by distro thing.

There are instances of hardened systems, using the grsecurity kernel patch set and the supporting userland changes, being proof against some exploits.

In Gentoo, you get these by starting with the hardened stage3 and hardened-sources.

These features are not unique to Gentoo. All distros can use them. Where distros vary is in the degree of difficulty in deploying these features.

e.g. In Gentoo you have to configure and build everything anyway.  In binary distros, if you need to rebuild everything, it's not so easy, as binary distros are not made to make building your own packages easy.

The userland changes include building everything with a hardened toolchain.

----------

## The Doctor

Another feature that no one has pointed out yet is that Gentoo is tailored to you by design. You can't pick up malware from Flash if you don't have Flash, for example. When you design your own Gentoo it is much, much easier to exclude unnecessary bloat. Since some of the bloat is network aware it could be a vector. Note the weasel words.

The reason for the bloat control is Gentoo's USE flag system. It makes it very easy to go *kit-less or use other unusual configurations such as a static /dev. Binary distros assume a standard base layout and include some pieces you may not need.

My two cents is that any well maintained distro should be about on par for security. Gentoo's advantage is that it is more configurable and more easily configured. On the other hand, Gentoo is very configurable and has a steep learning curve.

----------

