# What hardened USE flag does and when use it? [solved]

## Kosa

Hi,

i'am now upgrading to gcc-4.1.1 but it fails to compile on gcc-3.4.6 compiled with "hardened" USE flag. I founded here that recompile 3.4.6 without hardened and than compile 4.1.1 solves the problem. Beside that i founded notices that hardened should be used only with hardened profile.

Please could somebody briefly explain this? Or is it worth to switch to hardened profile? I'm using Gentoo (and Linux at all) for only a year, so i don't want to make me troubles  :Smile: Last edited by Kosa on Sat Sep 02, 2006 12:35 pm; edited 1 time in total

----------

## jstead1

Hardened is adds additional security.  I don't know the details, but I do know it comes at the cost of some functionality.  Usually this level of security is only apporopriate for a server with some sensitive information.  I wouldn't run hardened on a desktop.  If you are running a server, and have sensitive information, hardened may be appropriate.  Then again, if you are running a server with sensitive info, why the need to upgrade gcc?

----------

## Kosa

It's new and fresh install, we're placing it to telehouse within few days. First server wasn't using hardened profile because i have to keep everything as simple as possible and it was also something like "proof of concept" without big need of security.

----------

## Sachankara

 *jstead1 wrote:*   

> I wouldn't run hardened on a desktop.

 Why not? Is your personal data less sensitive just because you have a desktop computer and not a server?  :Wink: 

----------

## thehailo

I've been running the hardened project on every system of mine at various levels for a few years now. The big caveats are SELinux which is a real hassle to get working with X.org, so that's really only for Xless systems. On systems where you use binary video drivers (ATI/Nvidia) PaX isn't usable as well as SELinux. So for my gaming desktop I use the hardened profile but really only use Bastille and GRSecurity on Low (Medium and High activate PaX). On other systems such as my Laptop I use everything except SELinux, and on my servers without X I use everything. It usually falls a little bit behind the mainstream kernel, usually at most 1-2 versions (2.6.14 vs 2.6.16 for example) at most so it's never really outdated but it does fall behind a bit.

Overall you need to look everything over to understand the jobs. Basically: Bastille is a hardening script that makes it easy to lock a system down to good security minded defaults, GRSecurity randomizes many things (more than I could go into here) along with all sorts of other changes, PaX randomizes things in memory helping defeat buffer overflow exploits, and SELinux enforces privileges in such a way that compromising a daemon doesn't mean compromising your box. For example if they broke into the Apache daemon the may gain access to a single file versus full privileges of the user the daemon is running under.

Overall it's very worth it. If you use the hardened profile properly and run through the Gentoo Security Guide you're in probably the best shape anyone could hope for.

----------

## Kosa

Thanks a lot, it sounds very interesting. It should be the server install only, so i don't have to take care about x.org or binary kernel drivers. Btw. do those things like Bastille, GRSecurity or PaX have noticable slowdown against plain gentoo-sources kernel?

----------

## kill

 *Kosa wrote:*   

> do those things like Bastille, GRSecurity or PaX have noticable slowdown against plain gentoo-sources kernel?

 

You will not see a slowdown vs the gentoo-sources kernel. But you will notice a slowdown using SELinux (estimates are currently around 7% slower).

----------

## thehailo

I always say allot for 10%, but really expect 1-2% on average. It is there but not something you'd really notice outside of benchmarks and heavy duty usage like databases etc. But the way I look at it is there are plenty of fast insecure boxes out there as is, a bit of a hit on speed to make sure you're not one of them is worth while.

----------

## Kosa

Yes my point of view is same and 10% isn't much. Ok and hopefully last question - i look into the portage for SELinux policies but i didn't find policy for some deamons which i use - noticable powerdns, dovecot and zabbix.

Does it mean that i won't be able to run them, or they will run insecure (like on normal kernel). I think i'll be able to make them with some help from Gentoo SELinux team, but it will took time to learn everything and test them.

----------

## thehailo

Once you start reading into SELinux more you'll start reading about all sorts of modes and such like targeted policies. In effect you do have the flexibility to run unsecured daemons if you wish. The better option is to kick SELinux into permissive mode which simply logs what it WOULD have blocked if it was in enforcing mode. This is a quick and easy way to get what you need to write a SELinux policy for the unsupported daemon. I'm sure any work you did in this area to further the Gentoo Hardened project would be most appreciated by the developers.

The other parts of the Hardened system, mainly Bastille, GRSecurity, and PaX, will help harden any application transparently usually without issue. The Hardened guide will get into how to handle issues with PaX for example if problems do occur.

----------

## .:chrome:.

if you want to use a "hardened" compiler, you must to switch "hardened" profile

hardened USE flag cannot be set because it needs other USE flags and specific CFLAGS to work properly

----------

## pent0z

don't use hardened profile if you have a desktop, or you'll have many troubles... if you really need extra security, use a separate machine with a full hardened gentoo (kernel + hardened toolchain) and leave it on the external interface, and set up iptables for routing/dnat on a second nic interface

----------

