On Tue, 13 Dec 2011 00:08:51 +
Ed W wrote:
> So I am building in a chroot an x86 system:
>
> CFLAGS="-march=k6-2 -Os -pipe -fomit-frame-pointer"
> CXXFLAGS="${CFLAGS}"
> LDFLAGS="-Wl,-z,relro"
> CHOST="i486-gentoo-linux-uclibc"
>
> And emerge gcc-4.4.6-1 warns:
>
> * Your x86 arch is not
So I am building in a chroot an x86 system:
CFLAGS="-march=k6-2 -Os -pipe -fomit-frame-pointer"
CXXFLAGS="${CFLAGS}"
LDFLAGS="-Wl,-z,relro"
CHOST="i486-gentoo-linux-uclibc"
And emerge gcc-4.4.6-1 warns:
* Your x86 arch is not supported.
* Hope you know what you are doing. Hardened will not wor
On Mon, 12 Dec 2011 22:04:30 +0100
Javier Juan Martínez Cabezón wrote:
>
> Noexec is not useful at all. I give you the reason: it does not
> control script interpretation; it is a false sense of security. It is
> something like getting a non-executable stack without PaX mprotect; it
> does nothing alone
>
> You know you can. No perl binary, or chmod 750 or rbac as I had said.
> All exploits are bugs and it should be harder to escalate privileges
> through perl than by introducing your own C.
Clear, making intensive use under OpenBSD as you said. With 750, even
with 700, root can still use it, as
Hi!
On Mon, Dec 12, 2011 at 06:54:17PM +, Kevin Chadwick wrote:
> "CONFIG_GRKERNSEC_HARDEN_PTRACE=y"
No, I don't have this one.
> Yeah it's been like that for a while. I think gentoo-hardened
> automatically sets those pax flags. See this link.
Firefox's ebuild sets only the -m flag, which isn't
huh?
From: "simon.crud...@othermedia.com"
To: gentoo-hardened@lists.gentoo.org
Sent: Monday, December 12, 2011 2:20 PM
Subject: [gentoo-hardened]
--
simon cruddas | systems architect
+44 (0)20 7089 5971 | pgp : 0xC0D7FAD3
On Mon, 12 Dec 2011 20:44:37 +0100
Javier Juan Martínez Cabezón wrote:
> What can't you understand, that you CAN translate one exploit in C into perl?
>
> Are you joking? Any user can write in their home directories their own
> perl exploits. You can't restrict that.
You know you can. No perl bi
On Mon, 12 Dec 2011 18:54:17 +
Kevin Chadwick wrote:
> Do you have the
> following line set to y in your kernel config?
>
> "CONFIG_GRKERNSEC_HARDEN_PTRACE=y"
No need to check that; it was just the debugger trying to attach.
What can't you understand, that you CAN translate one exploit in C into perl?
Are you joking? Any user can write in their home directories their own
perl exploits. You can't restrict that. You can only restrict them
under rbac which scripts can be interpreted even for root, removing
execution to per
On 12/12/2011 02:34 PM, Kevin Chadwick wrote:
> Does anyone know of any prebuilt desktop distros based on hardened
> gentoo? I've just found anikos.org, but it still looks like early days.
>
Well, I have one, but it's a crazy idea. Tin Hat is a hardened desktop but
it runs purely in ram. You get a fu
Does anyone know of any prebuilt desktop distros based on hardened
gentoo? I've just found anikos.org, but it still looks like early days.
--
Kc
On Mon, 12 Dec 2011 02:05:04 +0200
Alex Efros wrote:
> Hi!
>
> I've just updated to opera-11.60.1185 and firefox-bin-8.0.
> Opera works just fine,
Interesting, and thanks. I have the same build, but, as I should have
stated earlier, just a GrSec+PaX kernel on Arch Linux, and 11.52 works
fine but 11.
On Mon, 12 Dec 2011 18:38:28 +0100
Javier Juan Martínez Cabezón wrote:
> Now please tell me how under these circumstances root could do nothing.
What are you asking?
The heart of the OS is the kernel. The OpenBSD kernel is more secure
and always will be, full stop, because that is their main a
2011/12/12 Kevin Chadwick
>
> On Mon, 12 Dec 2011 16:23:21 +0100
> Javier Juan Martínez Cabezón wrote:
>
> Actually I was talking about TPE in Linux not being potentially as
> effective as noexec.
>
> You still can't execve and I believe noexec on Linux now prevents that?
>
I repeat, you d
On Mon, 12 Dec 2011 16:23:21 +0100
Javier Juan Martínez Cabezón wrote:
> > It's a very bad idea to use sudo with scripts, in OpenBSD and everywhere.
> There is a lot of documentation about this question on the web.
>
Well, actually that depends; it is usually worse to run a script with sudo,
but it
About this*:
> What for after the main install, password changes (I use scripts
> allowed via sudo for that and monitor mounts globally but the monitoring
> could be improved like grsecs offering), some programs require it during
> install but not many, none on my OpenBSD mail and web servers.
*
On Mon, 12 Dec 2011 13:38:00 +
Kevin Chadwick wrote:
> Hard to recall but I'll try to list them
> somewhere as they come to me now.
Here's one example that's just come to me and that I configured but
never put in production. I acquired a free and supposedly good Cisco
router. I configured it
On Mon, 12 Dec 2011 06:56:14 -0500
"Anthony G. Basile" wrote:
> Do you have this documented anywhere. It would be a good addition to
> any system wide hardening docs we already have.
I'm afraid not; maybe scattered among config file comments. I haven't
created a blog yet or any papers, if that's wh
On Sun, 11 Dec 2011 18:00:19 -0500
Matthew Finkel wrote:
> > Another thing that I try to do as a better method of TPE which is a
> > breeze on OpenBSD and sometimes I find myself working against Linux
> > developers¹ is to make it so that any writeable area of the filesystem
> > is mounted noexec
On Mon, 12 Dec 2011 06:59:30 -0500
"Anthony G. Basile" wrote:
> How would you handle /etc/ ? You can't separate it from / which needs
> to be exec and yet /etc/ needs to be writeable.
What for after the main install, password changes (I use scripts
allowed via sudo for that and monitor mounts g
On 12/11/2011 03:30 PM, Kevin Chadwick wrote:
> On Sun, 11 Dec 2011 10:18:51 +
> Sven Vermeulen wrote:
>
>> Also consider hardening your system settings-wise. I would appreciate if you
>> take a look at
>> http://dev.gentoo.org/~swift/docs/previews/oval/gentoo-xccdf-guide.html.
>> With the ins
On 12/11/2011 03:08 PM, Kevin Chadwick wrote:
> On Sun, 11 Dec 2011 16:53:02 +0200
> Alex Efros wrote:
>
>> Hi!
>>
>> On Sun, Dec 11, 2011 at 02:25:19PM +, Sven Vermeulen wrote:
1) How can
4.2.4.1. Root Logon Through SSH Is Not Allowed
increase security, if we're already