Quote:
Originally Posted by osor
My knowledge of openSUSE is limited, so I’ll answer only one of your questions.
Hardened Gentoo. You mentioned the non-desire of recompilation, yet it’s the best way to take advantage of kernel-level disability of relocations (by compiling everything—not just libs—as position-independent).
Hello osor,
thank you for your reply.
On some other forum, I was recommended Hardened Gentoo, too. I am currently looking into it, and from what I have read/seen so far, it looks *very* promising.
I am not against (re)compilation per se, I do it quite frequently, but not if I do not have to. I meant digging deep into kernel internals/structures just to apply the security patches, manually resolving/merging Suse and grsecurity patches, which is currently too much overhead.
The portage system with its ebuilds is a clever way IMO. Reverse dependencies are not resolved AFAIK; is this still true, and have you experienced problems with this?
If recompilation is relatively easy, it's more than welcome. The GCC nested-function trampoline is not broken anymore, I can build for all architectures specifically, and 'genkernel' is also a good way to find out which modules each server/PC needs, to later build a monolithic kernel...
The module-based approach, using SSP, PaX and either grsecurity or RSBAC or SELinux, brings freedom of choice, unlike Suse's current approach with AppArmor.
I need to acquaint myself more with Hardened Gentoo, but so far:
The more I see, the more I like it :-)
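To make osor's point checkable (a kernel that refuses text relocations only pays off when every executable, not just the libraries, is position-independent), here is an added example that is not from this thread: a small Python ELF64 parser that reports whether an image is ET_DYN (PIE), carries text relocations (DT_TEXTREL or DF_TEXTREL in the dynamic table) and has a PT_GNU_RELRO segment. It assumes little-endian ELF64 input; the sample images are constructed inline by `build_sample_elf` and contain headers only, no code.

```python
import struct

PT_DYNAMIC, PT_GNU_RELRO = 2, 0x6474E552
DT_NULL, DT_TEXTREL, DT_FLAGS, DF_TEXTREL = 0, 16, 30, 0x4
ET_DYN = 3


def inspect_elf64(data: bytes) -> dict:
    # Header sanity: magic, ELFCLASS64, little-endian.
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    e_type, _, _, _, e_phoff = struct.unpack_from("<HHIQQ", data, 16)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    dyn_off = dyn_size = None
    relro = False
    for i in range(e_phnum):  # walk the program headers
        p_type, _, p_offset, _, _, p_filesz = struct.unpack_from(
            "<IIQQQQ", data, e_phoff + i * e_phentsize)
        if p_type == PT_DYNAMIC:
            dyn_off, dyn_size = p_offset, p_filesz
        elif p_type == PT_GNU_RELRO:
            relro = True
    flags, textrel = 0, False
    if dyn_off is not None:  # statically linked images carry no dynamic table
        for off in range(dyn_off, dyn_off + dyn_size, 16):
            tag, val = struct.unpack_from("<qQ", data, off)
            if tag == DT_NULL:
                break
            if tag == DT_TEXTREL:
                textrel = True
            elif tag == DT_FLAGS:
                flags = val
    return {
        "pie": e_type == ET_DYN,  # shared libraries are ET_DYN as well
        "textrel": textrel or bool(flags & DF_TEXTREL),
        "relro": relro,
    }


def build_sample_elf(e_type: int, dyn_tags: list, relro: bool) -> bytes:
    # Constructed test image: ELF header, program headers, dynamic table, no code.
    phdrs = [(PT_GNU_RELRO, 4, 0, 0, 0, 0, 0, 1)] if relro else []
    n = len(phdrs) + 1
    dyn = b"".join(struct.pack("<qQ", t, v) for t, v in dyn_tags + [(DT_NULL, 0)])
    phdrs.append((PT_DYNAMIC, 6, 64 + 56 * n, 0, 0, len(dyn), len(dyn), 8))
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0, 64, 56, n, 64, 0, 0)
    return ehdr + b"".join(struct.pack("<IIQQQQQQ", *p) for p in phdrs) + dyn
```

On a real system, feed it the bytes of a binary from the hardened toolchain and compare with one from a stock build; an ET_EXEC image or a textrel hit is what a PaX-style relocation restriction will refuse to run or map writable-executable for.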