# Gentoo security tips for noob. Advice pls

## NeverSloppy

How difficult will maintaining a secure Gentoo install be for a beginner? 

Just recently, I stumbled on this blog post in which the person claims Gentoo is a security hazard: http://coldattic.info/post/105/

I don't believe it as Gentoo removes so much bloat that other Distros ship with. But then again I haven't used it for more than a month some years ago. My hardware was too slow back then so I had to switch. 

I've tried Arch, Debian, Fedora, FreeBSD.

I can set up a firewall in Debian and FreeBSD as I occasionally delve into web development.

My goto programming language is Go, but I'm now learning Rust and C. 

My goal, switching to Gentoo, is gaining knowledge of the lower level stuff. Hardware and software. 

I'm sick of the automagic in other Distros. 

Should I just stick with a virtual machine until I'm decent with Gentoo?

----------

## Juippisi

 *NeverSloppy wrote:*   

> Just recently, I stumbled on this blog post in which the person claims Gentoo is a security hazard: http://coldattic.info/post/105/

Did you actually read the post before linking it? Let me quote the relevant part: 

"A computer that hasn’t been updated for years, and is open to the network is a security risk."

It has nothing to do with Gentoo itself, but with the author neglecting to update their system. 

To answer your question, keeping the above site in mind, it's "easy" if you invest the time to learn to use it.

----------

## Goverp

The blogger was suffering dependency hell in 2017; at a guess the system was a hybrid of stable and leading-edge stuff - my experience is that if you stick to one or the other, you should avoid dependency issues nearly all the time.

One caveat - the blog mentions long compile times; there are some notorious packages that can be hard to avoid; worst are qtwebengine and rust (for the latter, if you need rust, use rust-bin unless you really need the latest versions), then libreoffice (also available as a -bin version).  It's an unfortunate side-effect of Moore's Law; packages expand to consume the leading-edge hardware's capabilities - as cpu power doubles, so does the work needed to compile bloated packages...  Of course, if you have a water-cooled Threadripper with 128GB memory and wall-to-wall NVMe storage, this isn't an issue.

Oh, and plan to "emerge --update --deep --changed-use @world" at least once a month, better every fortnight, best weekly.  The more often, the less work to be done in one big chunk.

----------

## pietinger

You should never get a dependency hell if you update your Gentoo once in a month (better: once a week) with:

```
# emerge -uUDv @world
```

If you think you want to update only one or some specific packages with "emerge -u PACKAGE", then you should always do this with the parameter "-1":

```
# emerge -1uDv PACKAGE
```

Why?

If you don't do it with "-1" (--oneshot), this package will be recorded in /var/lib/portage/world ... and this will lead to a dependency hell over time.

See more here: https://forums.gentoo.org/viewtopic-t-1143543-highlight-.html


----------

## NeddySeagoon

NeverSloppy,

Gentoo is a toolkit. You use it to design and install your own distro. So, is your distro insecure?

Gentoo only gives you what you ask for and what you must have to support what you have asked for.

The corollary is that if you haven't asked for it, it's not installed. 

This keeps things out that you don't use, which is good.

It's a case of the wider you open the window, the more dirt blows in. 

Any neglected install will become insecure with the passage of time. The key here is neglect.

The install has not changed, but security problems it's always had have become public knowledge. 

You can make your install insecure with the choices you make.

e.g. Disable password logins for ssh from the internet. Then all the bots trying to brute force you get nowhere.

Don't run insecure services, like telnet, ftp.

Do run a paranoid boundary firewall, to stop any evil that gets in from phoning home.  

That's user space.

Then there is the Kernel Self Protection Project

gentoo-sources provides a patch to enable a choice selection of those settings.

Security and usability is a trade off. You could unplug the network cable.

That's secure but not very usable.

Security needs to be taken in context too. 

We have to ask secure against what threats?
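The "disable password logins for ssh" advice above is easy to get subtly wrong, because sshd takes the first uncommented occurrence of a keyword and defaults PasswordAuthentication to yes when it is absent. As an added example (not from this thread), a small POSIX sh audit of that logic over constructed sshd_config fragments; Match blocks are deliberately not modelled, and `sshd -T` remains the authoritative way to read the effective configuration on a live host.

```shell
#!/bin/sh
# Added example, not from the thread: audit sshd_config text for the two settings
# the advice above turns off, password logins and root login over SSH.
# Assumed sshd semantics: the FIRST uncommented occurrence of a keyword wins, and
# an absent PasswordAuthentication defaults to "yes". Match blocks are ignored.

# Constructed sshd_config fragments (not a real host's configuration).
SSHD_WEAK='#Port 22
PermitRootLogin yes
PasswordAuthentication yes
# a later duplicate does not override the first occurrence above
PasswordAuthentication no'

SSHD_HARDENED='PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes'

SSHD_DEFAULTS='# nothing set: sshd falls back to PasswordAuthentication yes'

# Print the effective value of KEYWORD in CONFIG (keyword match is case-insensitive,
# as in sshd); print DEFAULT when the keyword never appears.
sshd_effective() {
    keyword=$1; config=$2; default=$3
    printf '%s\n' "$config" | awk -v k="$keyword" -v d="$default" '
        /^[[:space:]]*#/ || NF < 2 { next }                 # comments and blank lines
        tolower($1) == tolower(k) && !found { print tolower($2); found = 1 }
        END { if (!found) print d }'
}

# Return 0 (true) when the text still allows password logins or root login.
# PermitRootLogin defaults to prohibit-password in current OpenSSH.
sshd_weak_login_settings() {
    pw=$(sshd_effective PasswordAuthentication "$1" yes)
    root=$(sshd_effective PermitRootLogin "$1" prohibit-password)
    [ "$pw" = yes ] || [ "$root" = yes ]
}

# Demonstration on the constructed fragments. On a live host, feed the output of
# `sshd -T` (effective config, lower-case keywords) instead of the file text.
for name in SSHD_WEAK SSHD_HARDENED SSHD_DEFAULTS; do
    eval "cfg=\$$name"
    if sshd_weak_login_settings "$cfg"; then
        echo "$name: password or root login still allowed"
    else
        echo "$name: ok"
    fi
done
```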

----------

## NeverSloppy

OK got it.. Thanks for the tips.

I do want to build the kernel myself and tweak it to harden it against memory corruption stuff.

Will be learning in a VM for the meantime to learn more about how everything works in Gentoo.

----------

## NeddySeagoon

NeverSloppy,

Memory corruption detection, as I know it, depends on hardware support in the form of ECC RAM. 

The extra 8 bits provide single-bit Hamming error detection and correction, and detection but not correction of two-bit errors.

----------

## pa4wdh

The main reason the blogger got a very insecure setup is that he didn't update because he was scared something would break. I remember having the same fear when I just started with Gentoo, but I also experienced that with other distros.

New versions bring new bugs and they might just bite you. The solution is not to be scared and have faith you can solve the problems you might run in to.

One of the best things in Gentoo is that you can mask individual packages and roll back to a previous (known working) version when needed. I've never seen a binary distro giving that level of control.

----------

## NeverSloppy

I was thinking more of using Hardened malloc in my Gentoo build. My PC does not have ECC :/ but that seems to only be helpful against natural causes and not malicious programs. Could be wrong as I'm a noob.

----------

## pietinger

 *NeverSloppy wrote:*   

> I was thinking more of using Hardened malloc in my Gentoo build. [...]

=>

 *NeddySeagoon wrote:*   

> Then there is the Kernel Self Protection Project
> 
> gentoo-sources provides a patch to enable a choice selection of those settings.

... here is an article for this:

https://wiki.gentoo.org/wiki/User:Pietinger/Tutorials/Kernel_Hardening_with_KSPP

----------

## Hu

Error Correction Code memory is intended to let your RAM return the value that ideal RAM would return, even if less than ideal conditions occur in practice.  Ideal RAM always returns exactly the data that it was previously told to store.  RAM has no way to determine whether the value stored in it is what the ideal software would have stored, so if a logic bug causes logically incorrect data to be stored to RAM, your RAM will remember and later return that incorrect data.  ECC cannot help with the presence of logic bugs in the software, because ECC only seeks to return what data your program put there.  If your program puts garbage data into RAM, ECC will faithfully return that garbage data on request.

Hardened malloc is intended to cause some types of software bugs to fail in a less dangerous way than non-hardened malloc would fail.  As with ECC ram, it is a mitigation for non-ideal operating conditions.  If all your software was free of logic bugs, hardened malloc would be unnecessary.

----------

## NeverSloppy

So if all programs were written in a functional programming language such as Haskell or Lisp, there would be way, way fewer of all these security bugs? 

Not that I know a functional language. Just curious. This post makes me kinda want to learn a functional language, but I'm assuming the learning curve is steep. I did want to use Haskell as a web server some time back. 

https://crypto.stanford.edu/~blynn/haskell/curry-howard.html

----------

## Hu

Functional programming languages take away the ability to write certain types of data processing bugs, but it's still very possible to write catastrophically bad security bugs in a functional language.  A simple language-independent bug would be failing to validate that the requested action is permitted under the program's security model.  For example, suppose someone patched the Linux kernel such that openat never checked mode bits, so any user could open any file read-write, even if the Linux security model says the caller cannot access the file at all.  That would be a major security bug, but it can be done in any language because the bug is absence of code that should have been present.

----------

## NeverSloppy

So I should just run Gentoo inside of QubesOS because bugs will always exist? 

Or am I insane?

----------

## Hu

This comes back to your threat model.  Are you worried about someone specifically targeting you, or do you just want to avoid the bulk exploits that circulate on the Internet looking for easy prey?  If you are being targeted, how competent is your hypothetical adversary?  Describe what you want to stop, then you can determine how to stop it.

----------

## NeverSloppy

Just wanting to develop a thorough understanding of Gentoo security options and procedures as I will soon be installing it on my hardware. Sad that hardened-sources is no longer an option :/

----------

## alecStewart1

NeverSloppy,

You don't necessarily need the hardened sources if you're on a hardened profile. If you use the sys-devel/gentoo-kernel you can have 

```
sys-kernel/gentoo-kernel hardened
```

in your /etc/portage/package.use. 

You can also have it in your make.conf in the USE variable:

```
USE="hardened"
```

Any package that can compile with hardening options will do so, then.

Gentoo does a decent job of enabling some secure hardening options for the kernel. You can add/take away things yourself, but be mindful of what you're adding/taking away in your kernel config.

See here for some other options you might want to enable, but again, be cautious of what you add/take away. 

I can't remember who, but someone on the Gentoo wiki has a guide for further hardening.

----------

## NeddySeagoon

NeverSloppy,

The aim of security is to make it difficult for attackers to get in and difficult for them to do anything useful when (not if) they have the determination to break in.

The idea is to convince them to find an easier target before they break into your system, not to keep a determined, well-resourced attacker, like a government, out.

A government would just send the boys round anyway. They would not try to break your security.

Determine your threats, then deploy your defences.

e.g. You probably don't need an encrypted file system on a physically secure system.

----------

## pjp

 *NeverSloppy wrote:*   

> So I should just run Gentoo inside of QubesOS because bugs will always exist? 
> 
> Or am I insane?

 *NeverSloppy wrote:*   

> Just wanting to develop a thorough understanding of gentoo security options and procedures as I will soon be installing
> 
> it on my hardware. Sad that hardened-sources is no longer an option :/

It sounds like you are interested in learning rather than having a "real and present danger," so the upside is you don't have to do everything at once. Pick a starting point with one or a few goals, then go from there.

Have you ever used QubesOS? I haven't, but I'm curious about some of their methods. They have or had templates that might be useful for a Gentoo install (https://www.qubes-os.org/doc/templates/). My "some day" list is long.

----------

## NeverSloppy

My goal is to become a competent Linux user and to learn the ins and outs of hardening a system. 

As a newb I began my journey in Gentoo by learning how to encrypt /root in a VM. This step seems important as I will soon install on a laptop and laptops are prone to theft.

I have done this before on a Raspberry Pi in which I set up dropbear in initramfs to ssh into the Pi and decrypt the files. Next time I want to set up wpa_supplicant in initramfs so that I don't have to connect the Pi to ethernet before ssh'ing. 

I didn't really understand UUID on my Pi so I basically swapped one for the other until it booted. But now that I've done it on Gentoo I do have a better understanding about how this works!

Also I found the Security Handbook. 

https://wiki.gentoo.org/wiki/Security_Handbook/Full

----------

## NeddySeagoon

NeverSloppy,

There are lots of different UUIDs. They all mean something different, so it's important to distinguish which UUID you are talking about.

Partitioned whole disks have a Disk identifier. That's a UUID by another name.

Partitions have a UUID. The kernel calls that PARTUUID.

Filesystems have a UUID. That's normally just UUID.

mdadm raid sets have a UUID. It's common across all members of the set.

Logical Volume Manager Physical Volumes have a PV UUID.

Logical Volume Manager Logical Volumes have an LV UUID.

Some of those I've never used. :)

----------

## pietinger

 *NeverSloppy wrote:*   

> My goal is to become a competent Linux user and to learn the ins and outs of hardening a system.
> 
> [...]
> 
> Also I found the Security Handbook . 
> ...

 

NeverSloppy,

it is sad that our Security Handbook is a little bit outdated ...  :Sad: 

Maybe you want to read my (short) article about security at all: https://forums.gentoo.org/viewtopic-p-8754227.html#8754227

----------

## NeverSloppy

Today, I discovered the distro Alpine Linux. :/

They seem to have what I am trying to implement in Gentoo. Small with only the bare minimum programs. Hardened kernel. Gaming occasionally. 

I am now torn between using Gentoo's Hardened Stage3 with musl and openrc or learning this other distro.

I do not feel confident that I will be able to edit the kernel with hardened features and have it work with Steam for the occasional gaming. 

Heck I'm currently struggling with getting wayland/sway up and running in a VM let alone trying this on my laptop. Sigh.

----------

## Spanik

Interesting read, also the links. Keeping your pc updated is a start for security, but I feel that sometimes I'm missing out on a lot of other simple security things because I do know that they exist but I have no clue on how to implement them.

Like you always read "disable telnet". But I have no clue as to how to check if it is active on my pc, even less if it could be activated remotely, and when I find it is there, how to deactivate it.

----------

## Leonardo.b

 *Spanik wrote:*   

> Like you always read "disable telnet". But I have no clue as to how to check if it is active on my pc, even less if it could be activated remotely, and when I find it is there, how to deactivate it.

It depends on your init/service-manager.

Same as sshd, syslogd, or anything else.

Probably you don't have telnetd installed at all.

Also, you can check using ps.

----------

## NeddySeagoon

Spanik,

It's unlikely you even have telnet installed.

```
eix telnet
...
[I] net-misc/netkit-telnetd
     Available versions:  0.17-r13{tbz2}
     Installed versions:  0.17-r13{tbz2}(08:53:37 01/03/22)
     Homepage:            https://wiki.linuxfoundation.org/networking/netkit
     Description:         Standard Linux telnet client and server

* net-misc/telnet-bsd
     Available versions:  1.2-r2 1.2-r4 {nls xinetd}
     Homepage:            ftp://ftp.suse.com/pub/people/kukuk/ipv6/
     Description:         Telnet and telnetd ported from OpenBSD with IPv6 support

* net-misc/utelnetd
     Available versions:  (~)0.1.11-r3
     Homepage:            https://wiki.gentoo.org/wiki/No_homepage
     Description:         Small telnet daemon derived from the Axis tools
...
```

Even if it's installed, it is two parts. 

1. A client, which is good for testing snmp. It looks like 

```
$ telnet -h
telnet: invalid option -- 'h'
Usage: telnet [-4] [-6] [-8] [-E] [-L] [-a] [-d] [-e char] [-l user]
   [-n tracefile] [ -b addr ] [-r] [host-name [port]]
```

The client is harmless but everything is sent in clear text. Usernames ... passwords ... everything.

Then there is the server, telnetd. Running that is a verybadthing.

It usually runs behind sys-apps/xinetd which you probably don't have either.

```
netstat -a
```

should not list anything listening on the telnet port. That's port 23.

Had you changed the port, you would know.
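As an added example (not from this thread), the two checks above turned into a POSIX sh script: it counts LISTEN sockets on port 23 in `netstat -a` style output, where the port may appear numerically or as the service name "telnet", and it reads an xinetd service stanza to see whether the service is disabled. The netstat listings and xinetd stanzas are constructed samples, not from a real host.

```shell
#!/bin/sh
# Added example, not from the thread: detect a telnet listener in `netstat -a`
# output and judge an /etc/xinetd.d/telnet stanza. Samples below are constructed.

NETSTAT_WITH_TELNET='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:ssh             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:telnet          0.0.0.0:*               LISTEN
tcp        0      0 localhost:ipp           0.0.0.0:*               LISTEN
tcp6       0      0 :::23                   :::*                    LISTEN
tcp        0      0 192.0.2.10:ssh          192.0.2.20:52314        ESTABLISHED'

NETSTAT_CLEAN='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:ssh             0.0.0.0:*               LISTEN
tcp6       0      0 :::ssh                  :::*                    LISTEN'

# Print how many TCP sockets in the listing are in LISTEN state on port 23.
# The local address (column 4) ends in ":23" with -n, or ":telnet" without it.
telnet_listeners() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^tcp/ && $NF == "LISTEN" && $4 ~ /:(23|telnet)$/ { n++ }
        END { print n + 0 }'
}

# xinetd enables a configured service unless its stanza says "disable = yes".
XINETD_TELNET_ON='service telnet
{
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.telnetd
}'
XINETD_TELNET_OFF='service telnet
{
        socket_type     = stream
        server          = /usr/sbin/in.telnetd
        disable         = yes
}'

# Return 0 (true) if the stanza leaves the service enabled, 1 if it is disabled.
xinetd_enabled() {
    printf '%s\n' "$1" | awk '
        tolower($1) == "disable" && $2 == "=" { v = tolower($3) }
        END { exit (v == "yes") ? 1 : 0 }'
}

# Demonstration on the samples. On a live host, pass "$(netstat -a)" or
# "$(netstat -tan)" to telnet_listeners and "$(cat /etc/xinetd.d/telnet)" to
# xinetd_enabled; a count of 0 means nothing is listening on port 23.
echo "sample with telnetd: $(telnet_listeners "$NETSTAT_WITH_TELNET") listener(s) on port 23"
echo "clean sample:        $(telnet_listeners "$NETSTAT_CLEAN") listener(s) on port 23"
xinetd_enabled "$XINETD_TELNET_ON"  && echo "stanza 1: telnet enabled in xinetd"
xinetd_enabled "$XINETD_TELNET_OFF" || echo "stanza 2: telnet disabled in xinetd"
```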

----------

## NeverSloppy

So I got tired of the virtual machine and went ahead and installed Gentoo.

I picked the Stage3-musl-hardened but I'm not exactly sure what it's supposed to be doing under the hood. I have some reading to do.

Managed to get wayland/sway working only after adding X, xwayland, qtwayland to my use flags. Not exactly what I wanted.

----------

## Juippisi

 *NeverSloppy wrote:*   

> I picked the Stage3-musl-hardened but I'm not exactly sure what it's supposed 
> 
> to be doing under the hood. 
> ...

If this is your first Gentoo installation, then picking musl is like starting a game on hard difficulty. It's most likely not going to work out-of-the-box like normal glibc profiles, and it's going to require actions from you, the user. Like searching for patches from upstream / Gentoo's bugzilla to get things compiling.

----------

## NeverSloppy

Can you tell me if this error I'm getting is a result of picking musl? I'm trying to install laptop mode tools:

```
x86_64-gentoo-linux-musl-gcc -DHAVE_CONFIG_H -I. -I..  -iquote ../include -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64   -Wall -W  -march=znver2 -O2 -pipe -c -o sg_map.o sg_map.c
sg_dd.c: In function 'main':
sg_dd.c:2402:17: error: unknown type name 'uint'; did you mean 'int'?
 2402 |                 uint off;
      |                 ^~~~
      |                 int
make[2]: *** [Makefile:1176: sg_dd.o] Error 1
make[2]: *** Waiting for unfinished jobs....
make[2]: Leaving directory '/var/tmp/portage/sys-apps/sg3_utils-1.47/work/sg3_utils-1.47/src'
make[1]: *** [Makefile:405: all-recursive] Error 1
make[1]: Leaving directory '/var/tmp/portage/sys-apps/sg3_utils-1.47/work/sg3_utils-1.47'
make: *** [Makefile:337: all] Error 2
 * ERROR: sys-apps/sg3_utils-1.47::gentoo failed (compile phase):
 *   emake failed
 * 
 * If you need support, post the output of `emerge --info '=sys-apps/sg3_utils-1.47::gentoo'`,
 * the complete build log and the output of `emerge -pqv '=sys-apps/sg3_utils-1.47::gentoo'`.
 * The complete build log is located at '/var/tmp/portage/sys-apps/sg3_utils-1.47/temp/build.log'.
 * The ebuild environment file is located at '/var/tmp/portage/sys-apps/sg3_utils-1.47/temp/environment'.
 * Working directory: '/var/tmp/portage/sys-apps/sg3_utils-1.47/work/sg3_utils-1.47'
 * S: '/var/tmp/portage/sys-apps/sg3_utils-1.47/work/sg3_utils-1.47'
```

It seems this is a bug that needs patching https://bugs.gentoo.org/828897

Maybe I'm biting off more than I can chew.

----------

## NeddySeagoon

NeverSloppy,

If you don't have a reason to use musl for your libc start over with a more mainstream install.

Once you are comfortable with how Gentoo works and finding patches, play with musl in a VM.

----------

## NeverSloppy

 *Quote:*   

> If you don't have a reason to use musl for your libc

Well.. my goal is securing my box and learning new security stuff. 

Am I wrong in thinking musl is safer over glibc? 

I'm fine with a small performance hit as I don't game too often. 

Currently what I am doing to make laptop tools install (not sure if this will fix it):

```
root #emerge --ask app-eselect/eselect-repository
root #eselect repository enable musl
root #emerge --sync musl
# and now I am waiting for this command to finish
root #emerge -1euDN @world
```

Am I doing things right?

----------

## NeddySeagoon

NeverSloppy,

musl will have different issues to glibc.

----------

## Leonardo.b

 *NeverSloppy wrote:*   

> Maybe I'm biting off more than I can chew

It is much more relaxing to work from a comfortable GUI environment, maybe with a binary kernel, and a virtual machine for tests.

Later, step by step, you can tweak/change everything as you wish.

Otherwise you are forced to fix things from the console. You can do it, but I think it is very stressful. Just that.

Then... well, you know:

"People give good advice, when they aren't busy giving bad example."

----------

