a gradual approach to hardening the kernel

Posted: Thu Jul 17, 2014 12:35 am
by dunker
I prefer making use of Hardened-Gentoo as a Linux OS because the system is well-supported, diverse and the kernel builds easily enough while providing significant security benefits. This combination works for me since I am not an aspiring programmer, though I do certainly appreciate the advantage of a secure OS. I also find myself making frequent use of virtualization because, among other reasons, it helps the learning process to be able to practice and rebuild while working with various scenarios.

There is one virtualization scenario, however, which has me stumped, and I would like to consider a different approach than what I have done so far. Despite my considerable effort to find or work out a solution, I cannot get Virtualbox to run on a properly hardened Gentoo OS. This same problem has vexed many others, based on what I have read while researching it; but if I can believe what I have read, at least a few others did manage to get it working by making some changes to the hardened tool chain while building the program. Be that as it may, when I tried to follow their same approach, it still did not allow me to get it working as it appeared to have done for them.

I have read that by "turning off" the hardened gcc program, using instead a vanilla gcc, while making the build of Virtualbox and its modules, leaving all the rest of the tool-chain hardened, these others have succeeded in building a properly functioning program. This did not work for me. I cannot make Virtualbox run at all when I have a hardened-Gentoo kernel, even though I have tried temporarily disabling the hardened gcc program beforehand. However, I can build it just fine while using a regular Gentoo kernel and regular gcc: it starts up and functions properly.

I would like to try to get the program built and functioning within a hardened kernel, as the others claim to have done, even though it may end up being a kernel that is not fully hardened. Therefore, since I have gotten it to run on a totally non-hardened kernel, it occurred to me that I might try incrementally using a kernel that was gradually hardened, part by part, starting from a non-hardened state until I reach a point where I can go no further, within the limitations of time I can allow. So, my question is, can someone point to a guide for such an approach, one which would start with a slightly hardened kernel and gradually add more rules to the final result? In other words, how would I go about finding which rules to start with during the procedure using the method of "menuconfig" for building it?

Re: a gradual approach to hardening the kernel

Posted: Thu Jul 17, 2014 3:16 pm
by PaX Team
did you try to use grsecurity's automatic configuration option?

Re: a gradual approach to hardening the kernel

Posted: Thu Jul 17, 2014 9:52 pm
by dunker
> "...did you try to use grsecurity's automatic configuration option?"

Absolutely. Automatic configuration, no hardware virtualization, Virtualbox as host, desktop, performance as priority. I had the most recent hardened-sources for building the kernel, along with gradm.

Re: a gradual approach to hardening the kernel

Posted: Fri Jul 18, 2014 5:49 am
by PaX Team
can you post the resulting config (grsec/PaX bits are enough) and any error messages (especially kernel logs) you got when you tried to run vbox?

Re: a gradual approach to hardening the kernel

Posted: Sat Jul 19, 2014 12:38 am
by dunker
I appreciate your taking the time to look at this matter. Let me add the point that there is no sense of urgency because I am using the machine presently without a hardened Gentoo OS because I needed to get VirtualBox running on it regardless. As this is the only machine where I have to make use of VirtualBox, I will need to make a backup now and then reinstall hardened Gentoo on it in order to get you the information you asked for. That's no problem, but it will take a little time to arrange it.

If you do not hear back from me for a few days, please bear with me. I will get the information because I do really want to have VirtualBox on hardened Gentoo, if at all possible. Thanks.