# What do I get with hardened-sources ?

## dj_farid

What benefits/features do I get with the hardened-sources compared with for example gentoo-sources, if I do not go the whole hardened way?

All info that I find points to the gentoo hardened project. I don't want to harden my whole system (recompile with the whole system).

Also I have understood that the kernel offers support for PaX and PIE/SSP. But does the kernel give any benefits alone?

----------

## arpunk

From the hardened project website:

 *Quote:*   

> A kernel which provides patches for hardened subprojects, and stability/security oriented patches. Includes Grsecurity or SELinux depending on USE flags.

 

Read the documentation of grsec and SELinux for the bloody details.

----------

## dj_farid

Yes but what are these:

 *Quote:*   

> and stability/security oriented patches.

 

I haven't found any documentation about the rest of the patches.

I am not interested in these two projects, but there might be some other patches that I am missing out on.

----------

## Suicidal

From what I can see compared to other kernels is the support for PAX and grsec, hardened sources is more about what is _not_ in the kernel compared to what is in the kernel. In regards to PAX it really wont help you unless you have a hardened userland.

here is a short list of the current stable kernel patches:

```

4000_deprecate-sk98lin.patch  4450_grsec-2.1.9-2.6.17-200608231940.patch

4105_dm-bbr.patch             4452_alpha-sysctl-uac-jm.patch

4135_promise-pdc2037x.patch   4453_selinux-avc_audit-log-curr_ip-grsec.patch

4300_squashfs-3.0.patch       4454_pax_curr_ip-fixes.patch

```

----------

## dj_farid

Thanks!

Now I know that the hardened-sources is not for me. I will stick to the gentoo-sources   :Smile: 

----------

## Sachankara

 *Suicidal wrote:*   

> In regards to PAX it really wont help you unless you have a hardened userland.

 Wrong. It can protect the kernel from various attack forms, and it can also sanitize the previously allocated memory.

Sure, you don't get all features without recompiling the entire system, but PaX+grsecurity have so many advantages that I wouldn't run a system without it.

If I weren't using Gentoo I'd surely be using Fedora Core with all its security features such as SELinux support. Security is important, don't take it lightly.  :Wink: 

----------

## Paapaa

 *Sachankara wrote:*   

> Sure, you don't get all features without recompiling the entire system, but PaX+grsecurity have so many advantages that I wouldn't run a system without it.

 

But is that extra security really needed in desktop single-user usage? Even normal Linux is so secure that we need no antivir or firewalls - unless the system is totally misconfigured and open for outside access. Security is important but in normal cases even the default Linux provides very robust security features when needed.

----------

## Sachankara

 *Paapaa wrote:*   

>  *Sachankara wrote:*   Sure, you don't get all features without recompiling the entire system, but PaX+grsecurity have so many advantages that I wouldn't run a system without it. 
> 
> But is that extra security really needed in desktop single-user usage? Even normal Linux is so secure that we need no antivir or firewalls - unless the system is totally misconfigured and open for outside access. Security is important but in normal cases even the default Linux provides very robust security features when needed.

 Well, last time I tried the default Gentoo system, it couldn't handle a simple fork bomb. That might have changed, but I still think a couple of extra things (excluding thread restrictions) should be added. Mounting /usr + /opt as read only and /tmp + /home as noexec should be standard if one wants it to be reasonably secure without extra kernel patches.

----------

## kill

 *Paapaa wrote:*   

> But is that extra security really needed in desktop single-user usage? Even normal Linux is so secure that we need no antivir or firewalls - unless the system is totally misconfigured and open for outside access. Security is important but in normal cases even the default Linux provides very robust security features when needed.

 

Security works best when layered. A hardened kernel would add another layer of protection.  Just because you don't let people in doesn't mean a vulnerability in your network driver (think about those using Broadcom with Ndiswrapper and the recent ssid exploit) can't be found that can compromise your system. 

However, it is a toss up of security vs usability. Mono and Java both have issues with some of the restrictions imposed by Pax. They can be made to work with Pax without any problem (I think the sun-jdk ebuild takes care of this for you) but it involves extra work. Even if you only use some of the features you're better of then you were before.

 *Sachankara wrote:*   

> Well, last time I tried the default Gentoo system, it couldn't handle a simple fork bomb.

 

It still can't.

Gentoo gives you the tools to make your system how you need it for your situation It gives you the security tools and lets you use them as you see fit. If you want a fully secure system you need to make it that way. It won't be done for you.

----------

