I am thinking of installing Hardened Gentoo, but the learning curve has me wondering if it is TRULY worth it. Not to mention the long updates once I have everything setup.
I am running Mint and Linux is Linux, so I should be able to install all of the security options used on Hardened Gentoo on Linux Mint.
Would I be better off doing this? Installing PaX/grsecurity, etc. I would still be learning things, and I am really just after security knowledge, not how to compile hundreds of packages.
You won't even be able to turn on PaX/grsecurity if you don't know anything about kernel compilation.
If you think you can secure something that comes preloaded with malware codecs, you're just chasing a meme.
Why even bother with Linux? Just go to OpenBSD if you really want to drink from a hose.
Thomas Wood
I am looking for PaX/grsecurity install tutorials right now. Custom kernels are what I DO want to learn.
Codecs can be uninstalled, right?
huh?
Adrian Peterson
Install OpenBSD.
Nicholas Watson
Let me put it another way.
Would installing hardened gentoo be easier than modifying linux mint to be as secure as hardened gentoo?
Doesn't run the apps I need.
Brayden Gomez
Mint should be able to run the Debian pre-compiled grsec kernel. Manjaro OpenRC has no systemd and can run a pre-compiled grsec Arch kernel.
Angel Rodriguez
Yes. Especially since what you ask isn't possible (example: using libressl in Ubuntu/Mint).
Asher Mitchell
That would mean basically replacing all the Mint parts with Gentoo parts. Just install and set up Gentoo in a chroot from your current install, if you're worried about breaking stuff.
Thomas Hughes
Basically, install one of these (most to least difficult to use): Gentoo, HardenedBSD, OpenBSD, Alpine. I suggest you check if the packages you want/need are here before even choosing.
Cameron Nelson
This. I love Manjaro and it just werks.
Brayden Bell
If my packages aren't there, I could just compile them myself, correct?
Ryan Lee
That's not the proper way of doing it. If your package is not here, you make a build script compatible with your distro (Gentoo: ebuild, Alpine: APKBUILD, etc.). That's generally not a good idea (I do it for gzdoom, though).
Lucas Moore
I always thought HardenedBSD was just a meme, but upon closer inspection, it looks legit. I loved FreeBSD when I used it, wouldn't mind returning to a fork of it with some additional security patches. How big of a performance hit is there compared to vanilla FBSD?
Juan Rogers
PaX/grsecurity testing patches will soon be private only. You can follow 4.9 LTS with the current patch set for 2 years, but there probably won't be bugfixes for grsecurity or new things.
Jayden Davis
I would go with hardened Debian actually. It is tested to work well simply due to how many Debian vs. Mint users attempt this and the fact that the Debian project tries to officially support such setups, whereas on Mint it's only unofficial. On Mint you might also more easily break something that wasn't written or configured with hardening in mind, while if you do a minimal Debian Cinnamon install on your own it will be easier to harden. There are lots of guides out there specifically for Debian as well.
Colton Robinson
Source?
Kayden Wright
It's been discussed in the #grsecurity channel on OFTC for the last week. An official announcement will follow somewhere. Basically KSPP is ripping off grsecurity code and introducing more bugs by changing things and making blog posts about how they introduced "new" security features into Linux (meanwhile those have existed for 10+ years already).
Here's hoping that some disgruntled customer leaks their stuff :^)
Tyler Gomez
I knew about the stable patches, but them doing the same to the testing ones is news to me.
I might as well change to SELinux or TOMOYO now to replace RBAC. Anyone have experience with them?
Dominic Rodriguez
News to me too. Hope it doesn't happen, I just worked out all the bugs in my RBAC profile a couple months ago.
Cameron Baker
SELinux is a bear, if you plan to switch to it you had better start learning now. I've been dreading this but it seems like there's hardly a reasonable alternative.
It's happening. They've always been fags and it was just a matter of time after the stable patches went away.
Aaron Foster
You can pretty much follow 4.9 LTS with the current patchset for 2 years if they stop. After that, either use OpenBSD or HardenedBSD, or use it after the testing patches stop. The latter wants to implement RBAC: github.com/HardenedBSD/hardenedBSD/issues/235
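Several posts above hinge on the same practical question: does the kernel you are about to boot (a pre-compiled grsec package dropped onto Mint, a stock Debian kernel, a 4.9 LTS build you plan to stay on) actually carry the hardening the package name implies, and which LSM is built in to stand in for RBAC? The honest way to answer that is to read the kernel's config rather than trust the name. The script below is an added example written for this thread, not code from any poster or from the grsecurity or HardenedBSD projects. It parses a kernel config file (the sample embedded here is constructed), reports which of the discussed options are built in, and checks whether a `uname -r` string is in the 4.9 series. The option names are real kernel and grsecurity config symbols; the function and constant names are chosen here, and the path `/boot/config-$(uname -r)` is the usual Debian-style location, which your distro may differ from.

```python
"""Audit a Linux kernel .config for the hardening options discussed in the thread.

Added example; not code from the thread or from any project it mentions.
Usage: python audit_kconfig.py /boot/config-$(uname -r)   (or /proc/config.gz)
With no argument it audits the constructed sample config below.
"""
import gzip
import re
import sys
from pathlib import Path

# Real kernel / grsecurity config symbols, grouped by what the thread discusses.
# A given kernel may simply not define some of them (reported as "absent").
HARDENING_OPTIONS = {
    "grsecurity/PaX (out-of-tree patch set)": [
        "CONFIG_GRKERNSEC", "CONFIG_PAX", "CONFIG_PAX_ASLR",
        "CONFIG_PAX_NOEXEC", "CONFIG_PAX_MPROTECT",
    ],
    "mainline mitigations": [
        "CONFIG_RANDOMIZE_BASE", "CONFIG_CC_STACKPROTECTOR_STRONG",
        "CONFIG_DEBUG_RODATA",
    ],
    "mandatory access control (RBAC replacements)": [
        "CONFIG_SECURITY_SELINUX", "CONFIG_SECURITY_TOMOYO",
        "CONFIG_SECURITY_APPARMOR",
    ],
}

# Constructed sample: roughly what a stock distro kernel config looks like
# (mainline mitigations and two LSMs, no grsecurity/PaX symbols at all).
SAMPLE_STOCK_CONFIG = """\
# Automatically generated file; DO NOT EDIT.
CONFIG_RANDOMIZE_BASE=y
CONFIG_CC_STACKPROTECTOR_STRONG=y
CONFIG_DEBUG_RODATA=y
CONFIG_SECURITY_SELINUX=y
# CONFIG_SECURITY_TOMOYO is not set
CONFIG_SECURITY_APPARMOR=y
CONFIG_DEFAULT_SECURITY="apparmor"
"""

# "CONFIG_FOO=y|m|n|"str"|123" and the "# CONFIG_FOO is not set" form.
CONFIG_LINE = re.compile(r'^(CONFIG_[A-Z0-9_]+)=(y|m|n|"[^"]*"|\d+)$')
NOT_SET = re.compile(r'^# (CONFIG_[A-Z0-9_]+) is not set$')


def parse_config(text):
    """Return {option: value}; '# CONFIG_X is not set' is recorded as 'n'."""
    options = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = CONFIG_LINE.match(line)
        if m:
            options[m.group(1)] = m.group(2)
            continue
        m = NOT_SET.match(line)
        if m:
            options[m.group(1)] = "n"
    return options


def load_config(path):
    """Read a plain or gzip-compressed config file (e.g. /proc/config.gz)."""
    p = Path(path)
    data = p.read_bytes()
    if p.suffix == ".gz":
        data = gzip.decompress(data)
    return parse_config(data.decode("utf-8", errors="replace"))


def audit(options):
    """Map each group to {option: 'y' | 'm' | 'n' | 'absent'}."""
    return {group: {name: options.get(name, "absent") for name in names}
            for group, names in HARDENING_OPTIONS.items()}


def missing(report):
    """Sorted list of audited options that are off or not defined at all."""
    return sorted(name for group in report.values()
                  for name, value in group.items() if value in ("n", "absent"))


def has_grsecurity(options):
    """A kernel is only 'grsec' if the grsecurity symbol is actually built in."""
    return options.get("CONFIG_GRKERNSEC") == "y"


def is_lts_49(release):
    """True for a 4.9.x `uname -r` string (the LTS line the thread proposes following)."""
    return re.match(r"^4\.9(\.\d+)?(-|$)", release) is not None


if __name__ == "__main__":
    opts = load_config(sys.argv[1]) if len(sys.argv) > 1 else parse_config(SAMPLE_STOCK_CONFIG)
    for group, values in audit(opts).items():
        print(group)
        for name, value in values.items():
            print(f"  {name:<35} {value}")
    print("grsecurity built in:", has_grsecurity(opts))
    print("off or absent:", ", ".join(missing(opts and audit(opts))))
```

Run against the sample, the grsecurity/PaX group comes back entirely "absent", which is the point: a kernel package whose config never mentions `CONFIG_GRKERNSEC` is not a grsec kernel no matter what the package is called. The `is not set` handling matters because a config that says `# CONFIG_SECURITY_TOMOYO is not set` tells you the kernel was built without TOMOYO, so choosing it as an RBAC replacement would require a rebuild rather than just a policy.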