# Setup Hardened/SE-Linux

## Spargeltarzan

Hello dear community,

I want to set up hardened and SELinux, and I planned to follow this Hardened Guide.

I use profile 17 with gnome/systemd.

Will I need to change to default/linux/amd64/17.0/hardened/selinux? (how can I ensure gnome/systemd still works?) Or should I stay on gnome/systemd and add somehow hardened features (since PIE is already enabled)?

If I understand the Wiki right, I am missing PaX, SELinux and Integrity. However, for PaX and Integrity it seems the kernel needs to be rebuilt; is this done automatically when I choose the right profile?

ADD: What is the role of AppArmor for hardened?

"AppArmor is a MAC (Mandatory Access Control) system, implemented upon LSM (Linux Security Modules)." --> sounds like I should want it (I thought AppArmor is only for Ubuntu)

What is the best way to change my Notebook to a fully hardened system with selinux enabled?

ADD: Is hardened indeed a dead project now, will we not be able to use it with recent kernels?

----------

## littletux

As far as I know, both ways are possible, and both ways need a lot of changes, so that all your USE-flag related things can be resolved afterwards.

If you change to the hardened profile, you will have to add a lot of USE flags related to gnome, because the hardened profile is only a standard profile with all security related flags added.

If you stay on your current profile, you have to find out yourself which USE flags are set on the hardened profile.

So in my opinion, it will be easier to change to hardened, and then find out the now missing USE flags for gnome. But be aware, if you do a

```
emerge -uDN world
```

after changing the profile, your system will first give you tons of messages like *Quote:*

> package bla needs USEFLAG foo

 

If you decide to use the hardened/selinux profile, it would also be a lot more complicated, because then you have to find out which additional packages are needed if you do not decide to install all packages that have selinux in the package name. So if you want to have the hardened/selinux profile, maybe it would be easier to do a fresh install, to prevent you from installing a lot of unnecessary packages.

----------

## Spargeltarzan

 *littletux wrote:*   

> 
> 
> So in my opinion, it will be easier to change to hardened, and then find out the now missing USEFLAGS for gnome. But be aware if you do a 
> 
> ```
> ...

 

Not sure if I fully understand this. Is it not possible, when I change to the hardened/selinux profile, that my existing packages get compiled with selinux? All additional packages necessary for selinux can of course be installed; simply "all packages that have selinux in the package name" would for me mean all packages in the tree of hardened/selinux, so many that I would not need (and do not want).

Why does a profile change pull in unnecessary packages?

Question for the hardened kernel: due to the grsecurity maintenance stop, currently only kernel 4.9 is marked as stable, so I will need to downgrade the kernel?

The Gentoo hardened project now has a "stopped" on the project site too; does it then even make sense to start using it, since my system might be deprecated soon?

Is SELinux support still in maintenance?

I actually really want to avoid a full reinstall, but I also do not want a wasted system.

----------

## littletux

 *Quote:*   

> Why does a profile change pull in unnecessary packages? 

 

It doesn't, but for example before the change to the hardened/selinux profile you had a standard profile, so the necessary packages are not installed, and the profile change has the consequence that you now have to install some packages that are a dependency now. These dependencies unfortunately will not be resolved by themselves, so you either have to find out all really needed packages by yourself, or install all, and maybe some (or a lot) are not needed.

A while ago I did a test myself to change from the standard profile to hardened/selinux, and after the change I did a

```
emerge -pvuDN world --with-bdeps=y
```

The result was that it told me for a lot of packages that they are not installed and they should be. So I decided that's the easier way for me: only change to hardened, and not to hardened/selinux.

 *Quote:*   

> 
> 
> Question for the hardened kernel: due to the grsecurity maintenance stop, currently only kernel 4.9 is marked as stable, so I will need to downgrade the kernel?
> 
> The Gentoo hardened project now has a "stopped" on the project site too; does it then even make sense to start using it, since my system might be deprecated soon?
> ...

 

After I have studied that, my opinion at this time:

"It would be better to wait before you make a decision about what you want to do." Indeed, it would be necessary to downgrade to the last hardened-sources if you would like to use grsec.

----------

## Spargeltarzan

Thank you for your support!

I will wait until we have got a documented approach. Does somebody have insights in Gentoo-Hardened and knows what they plan? Did someone change to hardened/selinux these days?

Following NeddySeagoon's advice to identify threats first, I have collected:

-) Firewall protection against attacks, especially because I am in untrusted networks regularly (university, hotels, coffee shops, ...)

-) Using a VPN when I am in these networks to protect my traffic

-) Encryption of my system for protection against thieves (I have got ext4 currently. I would consider changing to ZFS, but I do not rely on it as a root pool; for my data pool it is excellent. Btrfs is too immature for me.)

-) Protection against malicious code on my system

-) Isolation of activities (e.g. banking I want to do in a fully trusted zone/virtual machine)

----------

## Shoaloak

I am currently running a Gentoo system with Systemd, Gnome and some Hardening.

What I did was combine two profiles, I named it hardened/linux/amd64/13.0/desktop/gnome/systemd.

It's only to get the basic compiler-added protection, since SELinux requires quite some config (still have to add it when I have the time).

Also, grsecurity and/or PaX are now a paid, GPL infringing service and their devs are jerkoffs, so unless you want to stick to an older kernel, I wouldn't recommend it.

Also, sticking to an older kernel isn't probably the best idea with the Spectre and Meltdown attacks going on.

Anywho, after successfully creating a new profile (from combining two others), recompile to get moar security:

```
emerge -1av sys-devel/binutils sys-devel/gcc sys-libs/glibc
```

add PaX markings (in make.conf):

```
PAX_MARKINGS="none"

# or XT, if you decided for PaX/grsecurity
#PAX_MARKINGS="XT"
```

Make sure the correct GCC profile is selected:

```
gcc-config -l # make sure hardened (already selected in this example)
 [1] x86_64-pc-linux-gnu-5.4.0 *
 [2] x86_64-pc-linux-gnu-5.4.0-hardenednopie
 [3] x86_64-pc-linux-gnu-5.4.0-hardenednopiessp
 [4] x86_64-pc-linux-gnu-5.4.0-hardenednossp
 [5] x86_64-pc-linux-gnu-5.4.0-vanilla
```

recompile everything (it's gonna take some time):

```
emerge -ev @system
emerge -ev @world
```

and now you have the basic hardening; add a MAC like SELinux to your heart's content.

 *Spargeltarzan wrote:*   

> What is the role of AppArmor for hardened?

 

AppArmor is a MAC implementation, just like SELinux is.

IIRC, SELinux is more complex but has more control/features. AppArmor is more straightforward but lacks control/features.

Hope this helps you.

EDIT

I just read (hadn't updated my system in a while):

2017-11-30-new-17-profiles: New 17.0 profiles in the Gentoo repository

It seems that the hardened profile is being merged into the 17.0 profile.

----------

## Spargeltarzan

Shoaloak,

Thank you for your detailed help! Yes, I am already on profile 17.0 with PIE enabled.

When I consult the Hardened Project Page, the following would be possible:

1) Enabling specific options in the toolchain (compiler, linker ...) such as forcing position-independent executables (PIE), stack smashing protection and compile-time buffer checks.

2) Enabling PaX extensions in the Linux kernel, which offer additional protection measures like address space layout randomization and non-executable memory.

3) Enabling grSecurity extensions in the Linux kernel, including additional chroot restrictions, additional auditing, process restrictions, etc.

4) Enabling SELinux extensions in the Linux kernel, which offers a Mandatory Access Control system enhancing the standard Linux permission restrictions.

5) Enabling Integrity related technologies, such as Integrity Measurement Architecture, for making systems resilient against tampering

In 1) we have got PIE with profile 17.0, but what about "stack smashing protection" and "compile-time buffer checks"?

2) and 3) are dead at the moment unless using the old 4.9 kernel; yes, I want to stay on a newer one, as you also recommend.

4) Same for me; when I have got the time for it I will play around and consider it.

Finally, what about 5) in profile 17.0?

To protect against Spectre and Meltdown I have found a Gentoo User Mail recommending to activate a kernel option, but this will also mean a performance hit. On 9th of January Ubuntu will provide a patch to fix this issue, probably without a performance hit. We will see if the patch will be in Gentoo repos soon too.

Additionally, I am working on mount options and a firewall.

----------

## Hu

I think you may have misparsed some ambiguous phrasing in that mail. The advice is to "Remove the kernel mapping in user mode". The implementation of that advice is to enable (not deactivate, as you said above) CONFIG_PAGE_TABLE_ISOLATION.
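Because Kconfig records a disabled option as the comment `# CONFIG_FOO is not set`, a plain grep for the option name reports a hit whether it is on or off. The following is an added example, not from Hu's post, that reads the state of an option such as CONFIG_PAGE_TABLE_ISOLATION from a kernel `.config` and tells the built-in, module, explicitly-disabled and absent cases apart. The two config files it uses are constructed samples.

```shell
#!/bin/sh
# Added example (not from the thread): report the state of one kernel option
# from a .config file. Kconfig writes enabled options as CONFIG_FOO=y (or =m),
# disabled ones as the comment "# CONFIG_FOO is not set", and options the
# kernel version does not know about not at all.

# kconfig_state CONFIG_FILE OPTION_NAME
# Prints y, m, n (explicitly not set) or unset (absent from the file).
# Returns 0 only when the option is built in (=y).
kconfig_state() {
    cfg=$1
    opt=$2
    if grep -q "^$opt=y\$" "$cfg"; then
        echo y
        return 0
    elif grep -q "^$opt=m\$" "$cfg"; then
        echo m
        return 1
    elif grep -q "^# $opt is not set\$" "$cfg"; then
        echo n
        return 1
    else
        echo unset
        return 1
    fi
}

# make_configs DIR: write two constructed .config fragments (pti_on.config,
# pti_off.config) containing only the lines relevant to this check.
make_configs() {
    d=$1
    cat > "$d/pti_on.config" <<'EOF'
CONFIG_X86_64=y
CONFIG_PAGE_TABLE_ISOLATION=y
CONFIG_RETPOLINE=y
EOF
    cat > "$d/pti_off.config" <<'EOF'
CONFIG_X86_64=y
# CONFIG_PAGE_TABLE_ISOLATION is not set
EOF
}

CFG_DIR=$(mktemp -d)
make_configs "$CFG_DIR"
for c in pti_on pti_off; do
    state=$(kconfig_state "$CFG_DIR/$c.config" CONFIG_PAGE_TABLE_ISOLATION)
    echo "$c: CONFIG_PAGE_TABLE_ISOLATION=$state"
done
rm -rf "$CFG_DIR"
```

On a real box point it at `/usr/src/linux/.config` (or `zcat /proc/config.gz > /tmp/cfg` when CONFIG_IKCONFIG_PROC is enabled). A kernel that predates the option reports `unset`, which is not the same as disabled; for the running kernel, `/sys/devices/system/cpu/vulnerabilities/meltdown` shows whether PTI is actually active.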

----------

## Spargeltarzan

Hu,

Thank you!!!

----------

