Hardened Gentoo - USE Flags

I just finished setting up a hardened gentoo install. I am now trying to configure xorg and xfce4 but I am having some issues. As I have no GUI yet I find all the text rolls off the screen and I can't copy paste. What is the easiest way to get the list of needed USE flags into the make.conf file? When I do:

Code:

emerge xorg-drivers

I get a huge list of missing USE flags that goes off the screen. I tried piping to 'less' but that's a pain since I can't copy and past as I have no mouse support yet. Is there a tool to auto-add USE flags to the file? Does some one have a good list of what's needed for xorg and XFCE to be installed? I notice some people have their make.conf with USE=* but that isn't good from what I have read. Comming from Fedora this is a pain lol

 

Gentoo is the biggest pain ~ Snipped as per TOS ~. Wish I could help but when I used it I ended up spending 3 days working on it just to reformat my system.

I suggest you stick to Fedora and just compile a grsecurity/pax kernel.

You don't get the awesome secure toolchain... but Fedora's still pretty good - I think it ships 64bit PIE enabled binaries by default and its got those SELinux profiles.

 

I'm in the same boat. I've been going for 3 days and thinking about giving up. Any tips for GRSecurity? It was my understanding that the only distro that has user-land support (out of the box) is gentoo. I believe you compiled for Ubuntu right? Was it difficult to do? I was reading that most distros are harder to bring up to the same level as hardened gentoo but I guess it is relative to the user. I am going to try it in my VM and see how it goes.

P.S: does the PAE kernel give the same security benifits of the x64 kernel? As in more entropy for ASLR? I assume so because it can access more addresses in memory but I haven't found any good articles on it.

 

Well... yes, due to weak userland hardening something like Ubuntu won't be as secure as something like Gentoo. One prime example of this is that Ubuntu ships with a ton of binaries without PIE enabled. One such binary is PulseAudio... that specific program being SUID. You can see the issue there.

But you can also benefit from something like mprotect restrictions, which aren't super powerful but can harden weaker userland applications. And, of course, far more effective ASLR through bruteforce prevention and increased entropy.

No, it shouldn't benefit at all. You don't get any extra registers with PAE and the only thing it changes is the ability to address more memory at once.

The only thing you *might* benefit from is a larger address space. This isn't clear because the way it works is that applications still maintain a ~4GB address space but the OS then manages it in such a way that it can use more than that.

That's all fine but entropy really is key.

The thing about grsecurity is that it also prevents bruteforcing ASLR in two separate ways so you're more secure anyways.

 

Thanks I will take a look at it. I am running Ubuntu in a VM right now because the last Fedora update broke guest-additions and the won't work properly. So I will wait till that is fixed.

Well I missunderstood what PAE was doing than lol. The only reason my host is using it is because I have ONE application that is 32 bit only. I will reinstall Fedora here as 64 bit in my VM and try GrSecurity. Mainly I want my "web browser" VM to be as secure as posible as the majority of attacks are via the web anyways. If GrSecurity works with the VM I may compile for my host as well.

 

There's some grsecurity feature that doesn't work with VMs by the way.