On 12/23/2017 09:09 AM, Peter Humphrey wrote:
> Hello list,
>
> Now that grsecurity is off-limits, I'm left wondering how to go about
> hardening a no-multilib box that will be exposed to the Big Bad World.

You can still use grsec/pax if you're willing to stick with an older (LTS) kernel:

https://github.com/minipli/linux-unofficial_grsec/tree/linux-4.9.x-unofficial_grsec

> To start with, it's not obvious which profile to use:
>
> $ eselect profile list | grep no-multi | grep hardened
> [23] default/linux/amd64/17.0/no-multilib/hardened
> [24] default/linux/amd64/17.0/no-multilib/hardened/selinux

One of those two, depending on whether or not you use SELinux.