View | Details | Raw Unified | Return to bug 29278 | Differences between
and this patch


(-)gentoo-security-1.16.xml (-14 / +5 lines)
Lines 365-385 Link Here
365
<chapter>
365
<chapter>
366
<title>Tightening the security after/during installation</title>
366
<title>Tightening the security after/during installation</title>
367
<section>
367
<section>
368
<title>/etc/make.conf</title>
368
<title>USE flags</title>
369
<body>
369
<body>
370
370
371
<p>
371
<p>
372
The make.conf file contains all the options and extra libraries that you want to have support for when building ebuilds. In this file you must make sure that if the ebuild supports any security library like PAM (Pluggable Authentication Modules), tcp wrappers or SSL (Secure Socket Layer) it will add support for it. Your global USE variable should contain pam, tcpd and ssl.
372
The <path>make.conf</path> file contains user defined USE flags and <path>/etc/make.profile/make.defaults</path> contains the default USE flags for Gentoo Linux. For this guide the important flags are pam (Pluggable Authentication Modules), tcp (TCP wrappers) and ssl (Secure Socket Layer). These are all in the default USE flags.
373
</p>
373
</p>
374
374
375
<p>
376
So add something like this:
377
</p>
378
379
<pre caption="USE settings to be added">
380
USE="tcpd pam ssl"
381
</pre>
382
383
</body>
375
</body>
384
</section>
376
</section>
385
377
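Review bot: The new paragraph names the TCP wrappers flag as "tcp (TCP wrappers)", but the removed example shows the flag is spelled tcpd (USE="tcpd pam ssl"), so a reader checking their USE settings against this text would look for the wrong name; change it to "tcpd (TCP wrappers)". Because the explicit USE example is dropped on the strength of "These are all in the default USE flags", the paragraph should also say that this only holds while the user has not negated those flags in make.conf.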
Lines 854-860 Link Here
854
</pre>
846
</pre>
855
847
856
<p>
848
<p>
857
Here we set the default settings and a specific setting for the user <e>kn</e>. Limits are part of the shadow package and only applies for the shadow login program. It is not necessary to set any limitations in this file, if you have set the PAM setting in your make.conf and configured PAM properly.
849
Here we set the default settings and a specific setting for the user <e>kn</e>. Limits are part of the shadow package and only applies for the shadow login program. It is not necessary to set any limitations in this file, if you have did not disable pam in your <path>make.conf</path> and configured PAM properly.
858
</p>
850
</p>
859
851
860
</body>
852
</body>
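Review bot: The rewritten last sentence reads "if you have did not disable pam", which is ungrammatical; the "have" is left over from the old wording. Suggest "if you did not disable pam in your make.conf and have configured PAM properly". While the line is being touched, "Limits are part of the shadow package and only applies" should be "only apply".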
Lines 1095-1101 Link Here
1095
<p>
1087
<p>
1096
PAM is a suite of shared libraries that provide an alternative way of making authentication in programs. The PAM settings of Gentoo Linux is pretty reasonable, but there is always room for improvement.
1088
PAM is a suite of shared libraries that provide an alternative way of making authentication in programs. The PAM settings of Gentoo Linux is pretty reasonable, but there is always room for improvement.
1097
</p>
1089
</p>
1098
<note>This chapter will have no effect if you did not include the PAM in your USE option in <path>/etc/make.conf</path></note>
1099
1090
1100
<p>Install cracklib</p>
1091
<p>Install cracklib</p>
1101
1092
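Review bot: Deleting the note outright loses the one case that still matters: with pam disabled in USE, nothing in this chapter takes effect and the reader gets no hint why. The other hunks keep the dependency by rewording it to "did not disable"; do the same here, for example a note saying the chapter has no effect if pam was disabled in the USE setting in /etc/make.conf.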
Lines 1152-1158 Link Here
1152
<p>
1143
<p>
1153
Is a way of controlling access to services normally run by inetd (which Gentoo does not have) but it can also be used by xinetd and other services.
1144
Is a way of controlling access to services normally run by inetd (which Gentoo does not have) but it can also be used by xinetd and other services.
1154
</p>
1145
</p>
1155
<note>The use in make.conf should contain tcpd and the service should be executing tcpd in its server argument (in xinetd). See the chapter on xinetd for more information</note>
1146
<note>The service should be executing tcpd in its server argument (in xinetd). See the chapter on xinetd for more information</note>
1156
1147
1157
<pre caption="/etc/hosts.deny">
1148
<pre caption="/etc/hosts.deny">
1158
ALL:PARANOID
1149
ALL:PARANOID
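Review bot: The reworded note no longer mentions the tcpd flag at all, so nothing tells the reader that the hosts.deny rules that follow depend on the service being built with TCP wrappers support. Keep a short condition in the note, in the style of the other hunks, such as "If you did not disable tcpd in make.conf, the service should be executing tcpd in its server argument (in xinetd)." The sentence ending in "for more information" is also missing its closing period.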
Lines 1819-1825 Link Here
1819
</p>
1810
</p>
1820
1811
1821
<p>
1812
<p>
1822
If you have added ssl to your <path>/etc/make.conf</path> before installing apache, you should have access to a ssl enabled server. Just add the following line to enable it.
1813
If you did not disable ssl in your <path>/etc/make.conf</path> before installing apache, you should have access to a ssl enabled server. Just add the following line to enable it.
1823
</p>
1814
</p>
1824
1815
1825
<pre caption="/etc/conf.d/apache">
1816
<pre caption="/etc/conf.d/apache">
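Review bot: On the changed line, "a ssl enabled server" should read "an SSL-enabled server". The file is also written as /etc/make.conf here but as plain make.conf in the first two hunks of this patch; use the full path in all three places so the reader is never left guessing which file is meant.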
