author: klondike <klondike@xiscosoft.es> 2010-11-12 17:04:17 +0100
committer: klondike <klondike@xiscosoft.es> 2010-11-12 17:04:17 +0100
commit: d5a3c26b5a8598e1fc4947ba99296bec41b1d7a2
tree: 4733a7d9d68f5c23d5df0854b1ff68512801c8ff
parent: Added some metadata to the guide
Deleted RSBAC references as the project is dead, fixed grsecurity to Grsecurity and used Grsecurity's RBAC when appropriate
-rw-r--r-- hardenedfaq.xml 102
1 files changed, 26 insertions, 76 deletions
diff --git a/hardenedfaq.xml b/hardenedfaq.xml
index 327cb4e..69bb8dd 100644
--- a/hardenedfaq.xml
+++ b/hardenedfaq.xml
@@ -19,14 +19,20 @@
<author title="Contributor">
<mail link="klondike@xiscosoft.es">klondike</mail>
</author>
+<author title="Contributor">
+ <mail link="zorry@gentoo.org"></mail>
+</author>
+<author title="Contributor">
+ <mail link="blueness@gentoo.org"></mail>
+</author>
<abstract>
Frequently Asked Questions that arise on the #gentoo-hardened IRC channel and
the gentoo-hardened mailing list.
</abstract>
-<version>1.10</version>
-<date>2010-10-24</date>
+<version>1.11</version>
+<date>2010-11-12</date>
<faqindex>
<title>Questions</title>
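Review bot: The two added `<mail>` elements for zorry@gentoo.org and blueness@gentoo.org have empty content, while the existing contributor entry carries a display name (`<mail link="klondike@xiscosoft.es">klondike</mail>`). Put the contributor names inside the elements so the new entries match the existing one. The commit message also says nothing about the added contributors or the version and date bump; a line mentioning them would make the history easier to follow.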
@@ -44,12 +50,6 @@ Hardened Project page and that on
the projects' home pages in order to get a better insight.
</p>
-<note>
-Due to the lack of a package maintainer the RSBAC ebuilds have been deprecated
-and removed from the tree, the references to RSBAC in this guide are left for
-historical reasons.
-</note>
-
</body>
</section>
</faqindex>
@@ -71,7 +71,7 @@ Collection (GCC), binutils, and the GNU C library (glibc).
</section>
<section id="whichisbetter">
-<title>What should I use: grsecurity, RSBAC or SELinux?</title>
+<title>What should I use: Grsecurity or SELinux?</title>
<body>
<p>
@@ -88,14 +88,14 @@ developer in our IRC channel or on the mailing list.
</section>
<section id="aclall">
-<title>Is it possible to use grsecurity, RSBAC, SELinux and PaX all at the same
+<title>Is it possible to use Grsecurity, SELinux and PaX all at the same
time?</title>
<body>
<p>
-Yes, this combination is quite possible as PaX works with grsecurity, RSBAC
-and SELinux. The only conflict that arises is you can only use one access
-control system.
+Yes, this combination is quite possible as PaX works with Grsecurity's RBAC and
+SELinux. The only conflict that arises is you can only use one access control
+system.
</p>
</body>
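Review bot: The rewritten answer is ambiguous about what actually conflicts: the title asks about Grsecurity, SELinux and PaX together, the body says PaX works with "Grsecurity's RBAC and SELinux", and the next sentence says only one access control system can be used. A reader cannot tell from this whether Grsecurity as a whole excludes SELinux or only its RBAC does. Suggest naming the two access control systems that exclude each other (Grsecurity's RBAC and SELinux) and saying whether the rest of Grsecurity can be combined with SELinux.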
@@ -138,7 +138,7 @@ off and on of the toolchain. To access the specs as the end user you can use the
<p>
You can use <c>gcc-config</c> to accomplish this:
</p>
-
+<!--TODO: Multiarch-->
<pre caption="Example gcc-config output">
# gcc-config -l
[1] x86_64-pc-linux-gnu-4.4.4 *
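Review bot: The added `<!--TODO: Multiarch-->` replaces the blank line that separated `</p>` from the `<pre>` block and does not say what is to be done. Keep the blank line and expand the comment to state what the multiarch case needs from this example (the listing shown is x86_64-pc-linux-gnu only). The TODO is also unrelated to the RSBAC cleanup described in the commit message and would sit better in its own commit.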
@@ -213,7 +213,7 @@ member named `curr_ip'", how do I fix that?</title>
<p>
This has been fixed since, at least, 2.6.32 kernels so you should try updating
to a newer version as older versions also have a lot of open security holes.
-Anyway, if you keep hitting this bug try enabling grsecurity also.
+Anyway, if you keep hitting this bug try enabling Grsecurity also.
</p>
</body>
@@ -265,6 +265,10 @@ place, bootstrap-cascade.sh has been renamed to bootstrap.sh.
<section id="hardenedprofile">
<title>How do I switch to the hardened profile?</title>
<body>
+<!--TODO: this should be arch related-->
+<p>
+Read the handbook for how to change profile. 6. Installing the Gentoo Base System
+</p>
<pre caption="Set make.profile">
# <i>eselect profile list</i>
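Review bot: The new paragraph ends with a bare chapter title, "6. Installing the Gentoo Base System", appended after the sentence with no markup or link. Wrap the handbook reference in a `<uri>` element, as the file does for its other links, and fold the chapter name into the sentence. The TODO above it should also say which part of the answer is arch dependent.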
@@ -450,44 +454,38 @@ set the PAX flags on the binaries.
<note>
If you are running PaX in conjunction with an additional security implementation
-such as RSBAC, grsecurity, or SELinux you should manage PaX using the kernel
+such as Grsecurity's RBAC, or SELinux you should manage PaX using the kernel
hooks provided for each implementation.
</note>
<p>
The other way is using your security implementation to do this using the kernel
hooks.
-On RSBAC, you can label all Java files with the following command.
</p>
-<pre caption="Java PaX options with RSBAC">
-# <i>for i in $(ls /opt/*(jdk|sdk)*/{jre,}/bin/*);do attr_set_file_dir FILE $i
-pax_flags pmerxs;done</i>
-</pre>
-
</body>
</section>
</chapter>
<chapter>
-<title>grsecurity Questions</title>
+<title>Grsecurity Questions</title>
<section id="grsecinformation">
-<title>What is the homepage for grsecurity?</title>
+<title>What is the homepage for Grsecurity?</title>
<body>
<p>
-The homepage for grsecurity is located at <uri>http://www.grsecurity.net</uri>.
+The homepage for Grsecurity is located at <uri>http://www.grsecurity.net</uri>.
</p>
</body>
</section>
<section id="grsecgentoodoc">
-<title>What Gentoo documentation exists about grsecurity?</title>
+<title>What Gentoo documentation exists about Grsecurity?</title>
<body>
<p>
-The most current documentation for grsecurity is a Grsecurity2 quickstart guide
+The most current documentation for Grsecurity is a Grsecurity2 quickstart guide
located at <uri>http://www.gentoo.org/proj/en/hardened/grsecurity.xml</uri>.
</p>
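Review bot: Removing RSBAC from the list in the PaX `<note>` at the top of this hunk leaves a stray comma: "such as Grsecurity's RBAC, or SELinux you should manage PaX ...". Drop that comma and put one after "SELinux". Further down, deleting the RSBAC Java example leaves the paragraph "The other way is using your security implementation to do this using the kernel hooks." with no instructions behind it; either add the equivalent steps for Grsecurity's RBAC or SELinux, or point the reader to their documentation.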
@@ -495,7 +493,7 @@ located at <uri>http://www.gentoo.org/proj/en/hardened/grsecurity.xml</uri>.
</section>
<section id="grsecnew">
-<title>Can I use grsecurity with a recent kernel not on the tree?</title>
+<title>Can I use Grsecurity with a recent kernel not on the tree?</title>
<body>
<p>
@@ -508,54 +506,6 @@ Yes, but you may have to patch it by yourself. You can download the patches from
</chapter>
<chapter>
-<title>RSBAC Questions</title>
-<section id="rsbacinformation">
-<title>What is the homepage for RSBAC?</title>
-<body>
-
-<p>
-The homepage for RSBAC is located at <uri>http://www.rsbac.org</uri>.
-</p>
-
-</body>
-</section>
-
-<section id="rsbacgentoodoc">
-<title>What Gentoo documentation exists about RSBAC?</title>
-<body>
-
-<p>
-All Gentoo RSBAC documentation is located at the RSBAC subproject page found at:
-<uri>http://www.gentoo.org/proj/en/hardened/rsbac/index.xml</uri>
-</p>
-
-<p>
-Moreover, non-Gentoo RSBAC documentation can be found in the RSBAC handbook,
-found at: <uri>http://www.rsbac.org/documentation/rsbac_handbook</uri>
-</p>
-
-</body>
-</section>
-
-<section id="rsbacinitrd">
-<title>How do I use an initial ramdisk with a RSBAC enabled kernel?</title>
-<body>
-
-<p>
-To use an initial ramdisk with a RSBAC enabled kernel, a special kernel option
-must be enabled or else RSBAC will treat the initrd as the root device:
-</p>
-
-<pre caption="Menuconfig Options">
-General RSBAC options ---&gt;
- [*] Delayed init for initial ramdisk
-</pre>
-
-</body>
-</section>
-</chapter>
-
-<chapter>
<title>SELinux Questions</title>
<section id="selinuxfaq">
<title>Where can I find SELinux related frequently asked questions?</title>
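Review bot: Deleting the RSBAC chapter removes the section ids `rsbacinformation`, `rsbacgentoodoc` and `rsbacinitrd`, so any link to those anchors from other documents will stop resolving. Check the other hardened docs for references to them before this goes in. The reason for removal should also be stated consistently: the commit message says the project is dead, while the note deleted earlier in this patch says the ebuilds were removed for lack of a package maintainer.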