# [SOLVED] Hardened-hardened server USE flags

## minor_prophets

I decided that a PE2650 I purchased recently needs Gentoo. Hardened, particularly: hardened-sources and the hardened profile. I'm still deciding on what USE flags to use. I am not in front of a Gentoo machine right now, but I found an old list of USE flags on which I based an existing home server, which runs hardened-hardened as well.

This machine is not going to be hosting any website or be used as a mail server yet.  Strictly internal server.

These came from an old

```
USE="-* hardened pic ncurses ssl crypt berkdb tcpd pam xml perl python snmp mmx readline"
```

http://dev.gentoo.org/~solar/server-standards.xml

Can anyone share what USE flags they would/are using for a hardened Gentoo server?

(I believe this post has been placed correctly in Gentoo Chat.  If not, please move it where you think it belongs.)

Happy Friday all~

Last edited by minor_prophets on Fri Jan 02, 2009 3:29 am; edited 1 time in total

----------

## djinnZ

You only need to switch to the correct profile (via eselect) and the USE flags for hardening will be activated (the dangerous flags will be masked as well), and you must start the installation from the proper stage 3 (there is one specific for hardened; note that the stable gcc is the 3.x, and downgrading it from a standard profile is too easy to fail). Because the base hardened profile is very basic and thought of more for server than desktop purposes, I do not think you need to change the USE flags, except that you must add the USE flags for samba, cups and whatever you need.

My suggestion is to do an emerge -e system instead of the simple emerge system suggested by the guide, after you have modified make.conf for the CPU optimization.

The only additional flags you might consider are acl, but not xattr IMHO.

If you will use selinux as well, you must not use the hardened profile but the dedicated one for it.

I have rebuilt the entire system recently, and for a local file/mail server everything should go through directly without any breakage, I think.

I think the post belongs in Gentoo Installation rather than Gentoo Chat if you are only asking how to set up/install hardened Gentoo. Report the post yourself if you agree.

----------

## minor_prophets

This is a fresh install and, yes, it is being treated as a server.

djinnZ,

Re: your USE flag suggestion, that's the idea. Keep it simple and basic, and only add USE flags where necessary (i.e., as you said, samba, ldap, or whatever I decide in the future).

I've got to remind myself to 

```
# emerge --oneshot binutils gcc virtual/libc

# emerge -e world
```

after I

```
gcc-config -l
```

and switch to the hardened gcc. This is still the proper way for hardened, yes?
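After the gcc-config switch and the `emerge -e world` rebuild asked about above, the practical check is whether the binaries that came out actually carry the properties the hardened toolchain is supposed to give them: executables linked as PIE, a stack marked non-executable, and a RELRO segment. The following script is an added example for this thread, not code from any of the posters or from the Gentoo project; it reads those properties straight from the ELF64 program headers, so it needs nothing beyond the Python standard library. The `build_elf64` helper and the two `*_SAMPLE` images are constructed test inputs, not real binaries, and the ELF64 little-endian restriction is a simplification of this example (a 32-bit x86 box would need the Elf32 layout).

```python
"""Check hardening properties of an ELF64 binary from its program headers.

Added example for this thread (not the posters' or Gentoo's own code).
Assumptions: little-endian ELF64 input; PIE is judged from e_type == ET_DYN,
non-executable stack from the PT_GNU_STACK flags, RELRO from the presence
of a PT_GNU_RELRO segment. Section headers and the dynamic section are not
parsed, so BIND_NOW and stack-protector symbols are out of scope here.
"""
import struct
import sys

ET_EXEC, ET_DYN = 2, 3
PT_LOAD, PT_INTERP = 1, 3
PT_GNU_STACK = 0x6474E551
PT_GNU_RELRO = 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4

ELF64_EHDR = "<16sHHIQQQIHHHHHH"  # 64 bytes
ELF64_PHDR = "<IIQQQQQQ"          # 56 bytes


def parse_elf64(data: bytes):
    """Return (e_type, [(p_type, p_flags), ...]) for a little-endian ELF64 image."""
    if len(data) < 64 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 is handled by this example")
    (_ident, e_type, _machine, _version, _entry, e_phoff, _shoff, _flags,
     _ehsize, e_phentsize, e_phnum, *_rest) = struct.unpack_from(ELF64_EHDR, data, 0)
    if e_phentsize != struct.calcsize(ELF64_PHDR):
        raise ValueError("unexpected program header entry size")
    phdrs = []
    for i in range(e_phnum):
        p_type, p_flags, *_ = struct.unpack_from(ELF64_PHDR, data, e_phoff + i * e_phentsize)
        phdrs.append((p_type, p_flags))
    return e_type, phdrs


def hardening_report(data: bytes) -> dict:
    """Summarise what the ELF headers alone reveal about hardening."""
    e_type, phdrs = parse_elf64(data)
    types = {t for t, _ in phdrs}
    stack_flags = [f for t, f in phdrs if t == PT_GNU_STACK]
    # A missing PT_GNU_STACK makes the kernel fall back to an executable stack,
    # so "no header" is reported the same as "explicitly executable".
    nx_stack = bool(stack_flags) and not (stack_flags[0] & PF_X)
    # A PT_LOAD segment that is both writable and executable defeats PaX MPROTECT.
    wx_segment = any(t == PT_LOAD and (f & PF_W) and (f & PF_X) for t, f in phdrs)
    return {
        "executable": PT_INTERP in types,   # has an interpreter, i.e. not a plain .so
        "pie": e_type == ET_DYN,            # only meaningful together with "executable"
        "nx_stack": nx_stack,
        "relro": PT_GNU_RELRO in types,
        "wx_segment": wx_segment,
    }


def is_hardened(data: bytes) -> bool:
    """True when every header-visible hardening property is in place."""
    r = hardening_report(data)
    return r["pie"] and r["nx_stack"] and r["relro"] and not r["wx_segment"]


def build_elf64(e_type: int, phdrs) -> bytes:
    """Construct a header-only ELF64 image (constructed test input, not a real binary)."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # ELF64, little-endian, version 1
    ehdr = struct.pack(ELF64_EHDR, ident, e_type, 62, 1, 0, 64, 0, 0,
                       64, 56, len(phdrs), 64, 0, 0)
    body = b"".join(struct.pack(ELF64_PHDR, t, f, 0, 0, 0, 0, 0, 0) for t, f in phdrs)
    return ehdr + body


# Constructed samples: what a hardened build should look like, and a legacy
# non-PIE binary with an executable stack and no RELRO segment.
HARDENED_SAMPLE = build_elf64(ET_DYN, [
    (PT_INTERP, PF_R), (PT_LOAD, PF_R | PF_X), (PT_LOAD, PF_R | PF_W),
    (PT_GNU_STACK, PF_R | PF_W), (PT_GNU_RELRO, PF_R)])
LEGACY_SAMPLE = build_elf64(ET_EXEC, [
    (PT_INTERP, PF_R), (PT_LOAD, PF_R | PF_X), (PT_LOAD, PF_R | PF_W),
    (PT_GNU_STACK, PF_R | PF_W | PF_X)])


def check_file(path: str) -> dict:
    """Run the report against a file on disk."""
    with open(path, "rb") as fh:
        return hardening_report(fh.read())


if __name__ == "__main__":
    # Usage: python elfcheck.py /usr/bin/* ; with no arguments the samples are shown.
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            try:
                print(path, check_file(path))
            except (OSError, ValueError) as exc:
                print(path, "skipped:", exc)
    else:
        print("hardened sample:", hardening_report(HARDENED_SAMPLE))
        print("legacy sample:  ", hardening_report(LEGACY_SAMPLE))
```

Run it over `/usr/bin/*` on the rebuilt box: anything still reporting `pie: False` or `nx_stack: False` after the `emerge -e world` is a package that was not rebuilt with the hardened compiler (or that deliberately opts out), which is exactly the kind of leftover the full rebuild is meant to eliminate.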

----------

## nixnut

Moved from Gentoo Chat to Networking & Security.

Not a chat subject, so moved here.

----------

## djinnZ

If you started your installation from a "normal" stage3, that is wrong and may cause trouble in the future.

The gcc upgrade requires a full rebuild of the system after what you have done; the downgrade required to switch to hardening needs some more steps. But because it is complicated, unsure and takes more time, it is better never to do it. If the devs provide a dedicated stage 3, there is a reason?!

A server must be stable and reliable, but the hardened stable profile masks the more recent gcc and base library.

So first, with eselect or with ln, you must change the profile; after that you must run an emerge -e system and start to install what you need. But I am sure that this way will fail in the end.

My suggestion is to untar a new hardened stage3 taken from the mirror, change the -march, do

```
rm -f /etc/make.profile ; ln -s /usr/portage/profiles/hardened/linux/x86 /etc/make.profile
```

(if you have an amd64 CHOST the path is /usr/portage/gentoo/profiles/hardened/linux/amd64 instead) and run an emerge -e system instead of the simple emerge system as for a normal Gentoo installation.

Simply do it as suggested in the official handbook, but configure the kernel as described here and here and take a look at those suggestions to secure the system. For the subsequent steps, such as installing samba, nfs or cups, refer to the official howtos; there is no difference.

It is the simplest way and will work without problems. Other strange or manual approaches are only a waste of time IMHO.

After you have a running system you can try to add some USE flags for the functions you need, such as "samba" or "cups".

For example, these are the flags on the system I use now, the laptop, because I like to have the identical base on all systems:

```
CXXFLAGS="-O2 -march=athlon-xp -fforce-addr -fomit-frame-pointer -pipe"

LDFLAGS="-Wl,-O1 -Wl,--as-needed"

USE="7zip X X509 a52 aac ace acl acpi ads alisp alsa amr amrnb amrwb aotuv apache2 async audit automount background bash-completion bdf berkdb big-tables binfilter blender-game bluetooth branding bzip2 cairo caps cdda cddb cdio cdparanoia chroot cjk clearcase cli colordiff connectionstatus contactnotes cpudetection cracklib crypt cups custom-cflags custom-cpuopts custom-optimization cvs daemon dbus deprecated device-mapper dga dirac directfb djvu dri dts dv dvb dvd enca encode exif expat extensions extraengine fax faxonly fbcon ffmepg ffmpeg flac fontconfig ftp gd gdbm ggi gif gimp glib glibc-compat20 glibc-omitfp glitz gnutls gpm gs gtk hal hardened hdri highlight history hpn iconv icu id3tag idea idn immqt-bc ipv6 irc isdnlog java java6 javascript jbig jfs jpeg jpeg2k kate kde lcms ldap legacyssl libgcrypt libssh2 live logrotate lzo mailwrapper matroska max-idx-128 mbrola md5sum midi mmx mmxect mmxext mng modplug mono mp2 mp3 mpeg mudflap musepack mysql ncurses nemesi network nfs nis nls none nowlistening nptl nptlonly nsplugin ntfs odbc odk ogg openexr opengl openssl opensslcrypt optimisememory overlays pam paste64 pcre pcsc-lite pda pdf perforce perl pg-intdatetime php pic pkinit plugins png postgres ppds pppd python q32 qt3support qt4 quicktime quotas rar readline reflection reiserfs remote rle rpc rtsp ruby samba scanner sdl sensord server session shout skins slp smartcard smbkrb5passwd sms sockets speex spell spl sql sqlite srt sse sse2 sse3 ssl ssse3 stream subversion svg sysfs syslog tcl tcpd theora threads tiff tk tools translator truetype unicode urandom usb utils v4l v4l2 vcd vda vhost_alias vhosts vidix vim-pager vim-syntax vorbis webpresence wifi win32codecs winbind wmf wxwindows x264 x86 xcb xcomposite xfs xft xinerama xinetd xml xmlreader xmlwriter xorg xscreensaver xulrunner xv xvid xvmc zlib zoran zvbi"
```

On the server I have something like USE="X acl acpi alsa audit caps cups dbus device-mapper fax faxonly glibc-compat20 glibc-omitfp hal kde mbrola mmx mmxect mmxext nfs nis nls openssl opensslcrypt optimisememory pdf ppds -qt3 qt3support qt4 quotas reiserfs remote samba smbkrb5passwd sms sockets speex spell spl sql sqlite srt sse sse2 sse3 ssl ssse3 truetype unicode usb winbind xfs xml xmlreader xmlwriter". But those are my choices, to fit my needs (in other words: if you are not a Linux expert, stay away from most of these).

The CFLAGS and LDFLAGS are decent (or better, reasonably stable and acceptable); I have had this configuration running fine for 4 years, and more than these is unreasonable. Do not think of ricing with hardened.

You are asking about a server, so the video card is not so important, but I warn you to remember that with hardening the use of the ATI/NVIDIA proprietary drivers is unsupported and will make you blaspheme to get something, not all, working.

Put USE="acl acpi audit caps cups device-mapper glibc-compat20 glibc-omitfp mmx mmxect mmxext nfs nls openssl opensslcrypt optimisememory pdf ppds quotas remote samba smbkrb5passwd sockets sqlite sse sse2 sse3 ssl ssse3 truetype unicode usb winbind" and the CFLAGS/LDFLAGS I use in make.conf, with the hardened profile set.

It is a good start. (If in the future you will try RSBAC or selinux: I have found the first unstable and dropped it a year ago, and the second slow and incomplete, but that is my humble opinion of course.)

Using too many USE flags is an error in a server configuration, so my suggestion is to add every USE flag only if it is required by something you need or will do. At most it will take some time to rebuild one or two libraries. It is even better to add USE flags than to remove them.

----------

## minor_prophets

Wow! I'm still choking on all those USE flags. I've been through several of the scenarios which you are talking about. I'm starting the build hardened. I must admit, I'm surprised to see X and kde in your USE flags for a hardened server. Seems rather risky to me and will leave you in the situation of needing to frequently upgrade packages as glsa-check demands.

Here's what I ended up with:

```
USE="-* -X sse sse2 mmx hardened pic ncurses ssl crypt berkdb tcpd pam xml perl python snmp readline acl kerberos ldap gdbm samba"
```

I could cut some out of that, I suppose. I just grabbed these off another active 'too server here. I'm running PaX and grsec and have had absolutely zero issues on this server. I know I'll eventually try RSBAC one of these days.

nixnut,

Thanks for the redirection to the correct forum.

----------

## djinnZ

I update every day in a dedicated chroot, and the USE flags come from the laptop (on it I like to have the same library and compiler setup as on the server).

On the server I use X because it has a scanner connected to send faxes, and I like to use programs such as amule via ssh (if you set -X the GUI is not built).

Real security is not an absolute concept but the best compromise between needs and restrictions.

And the best thing about Gentoo is that you can do what you want.

-* in the global USE flags is reserved only for testing or problem solving. It is better to use the correct profile and disable/enable only what you need.

About RSBAC: it remains my best choice, but it is undocumented and I warn you never to try it on a running server without good testing (it tends to crash easily; more than one version of the patched kernels is unstable). Always test before updating.

I dropped it more for the time required to fully configure it than for the instability, but you need to be careful.

A little warning if you need p2p applications: libcrypt++ (required by some of them, such as amule) is masked; to compile it you must switch to the non-hardened gcc profile (due to excessive direct use of the CPU registers), and if you try to compile it with the hardened gcc on an AMD CPU the hardware will lock up or be forced to reset.

----------

## cazort

I just found this thread. I have a server that I installed a VERY long time ago, following the recommendations for hardened Gentoo to the letter, and back then a similar setup (with USE="-*" like above) was recommended... so that's what I used. It's using the original profile.

I've updated a lot of the software...actually the server is very up-to-date overall but I have a few roadblocks I've run into recently.

I want to update glibc; I'm currently using 2.3.5-r2, but the hardened USE flag no longer works...so I have been reluctant to update that.

Do I need to do a clean install on this server in order to get it more up-to-date? I know that changing profiles can have disastrous effects. Is there any way for me to (safely) salvage this one? I do have some websites running on this server.

The server runs beautifully and the only GLSA I can't implement is the glibc upgrade, which seems to be a minor one.  I'm inclined to just leave it as it is as long as I can.

----------

## mauricev

> If you will use selinux as well, you must not use the hardened profile but the dedicated one for it.

Can you please clarify that? Do you mean the hardened one dedicated for selinux?

```
/usr/portage/profiles/selinux/2007.0/amd64/hardened
```

----------
