---------------------------------------------------------
.:Security Network:.
---------------------------------------------------------
Hardened Gentoo Install Guide
by syrrus
=================================
Introduction
=================================
Gentoo is a GNU/Linux distribution based around the concepts of
optimization, control, and stability. If gentoo can be summarized
in one word, it's speed. Gentoo is a fast, flexible and highly
expandable linux distribution for admins and hobbyists.
This guide is based around the concept of designing a highly secure
environment for servers and workstations alike. We will attempt to
describe the best possible means of installing and configuring an
extremely secure environment, along with tweaked settings for
optimization of speed and stability.
Let's begin.
Logically, we first need to boot into a gentoo livecd to start the
install. In this guide we'll assume you have a copy of the latest
gentoo livecd; minimal or universal, either way doesn't really matter.
++++++++++++++++++++++++++++++++++++++++++++
Boot the CD
++++++++++++++++++++++++++++++++++++++++++++
After a few seconds the livecd's loader will prompt you with a
boot:
prompt. From there you have the following options:
gentoo - Default 2.6 kernel with framebuffer support
gentoo-nofb - Default 2.6 kernel without framebuffer support
memtest86 - test the RAM for errors
If you're using some SATA controllers you'll need to append the -noapic
argument to the kernel, so the line will be:
boot:gentoo -noapic
If you're not running SATA devices, just boot with the default configuration:
boot:
2.6.x kernel boots.....
After a few seconds of the system loading the kernel and configuring
the hardware, we get our much loved # root prompt.
livecd root #
Linux livecd 2.6.7-gentoo-r11 #1 SMP Wed Jul 21 17:33:45 UTC 2004 i686
Pentium III (Katmai) GenuineIntel GNU/Linux
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Introduction to Stage 1 Installs
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Stage 1 installs are the longest and most intense of the installation methods.
Stage 1 provides the installer with the most control over the packages that are
built on the system and how they're optimized to fit your wants and needs.
For someone wanting to build a very reliable, optimized and secure gentoo linux
server or workstation this is the best choice. However, stage 1 installs take a
long time to complete on almost all hardware. They require a lot of attention and
work to get them to the point that they're in usable condition. Make no joke
about it, we're not in mandrake any more. I want to stress this early on. If you're
running under any sort of deadline I suggest that you go with a stage 3 install
or go with an entirely different distribution.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Optimize the disks
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Thanks to Mark Lord, the developer of a great little utility by the name of
hdparm, we can fully optimize our cdrom and harddrive hardware to take
full advantage of its provided power. Hdparm allows us to set the
harddrive performance parameters by hand, including the UDMA transfer modes.
Let's examine how most default setups are configured.
For those of you who might think that optimizing disk access wouldn't really
make much of a difference, let me tell you a story. During the setup of an
extremely experimental gentoo system attempting to use reiser4 and a SATA
RAID-0 setup, we were in need of a system to place the bootloader on. A little
350Mb harddrive from the early 90's proved to be an adequate device for the task.
After getting the bootloader loaded onto the device and things (semi-)working, we
wished for a faster way to speed along the boot process, so we turned to hdparm.
With the flags that I list here we were able to bring that ancient hardware to life
by effectively doubling the data transfer rate on our little drive.
------------------------------
NOTE: That harddrive died hours later not due to disk failure, but to the fact
that while trying to take the molex connector out, my friend ripped the physical
molex female interface out of the drive. That was double plus unhappy.
------------------------------
# If using SATA/SCSI devices, skip the hdparm hard disk section.
Default
------------------
#hdparm /dev/hda
/dev/hda:
multcount = 0 (off)
IO_support = 0 (default 16-bit)
unmaskirq = 0 (off)
using_dma = 0 (off)
keepsettings = 0 (off)
readonly = 0 (off)
readahead = 256 (on)
I don't know about you, but I'd rather get everything that I paid for.
Optimized
-------------------
#hdparm -d1c3u1m16 /dev/hda
/dev/hda:
setting 32-bit IO_support flag to 1
setting multcount to 16
setting unmaskirq to 1 (on)
setting using_dma to 1 (on)
multcount = 16 (on)
IO_support = 1 (32-bit)
unmaskirq = 1 (on)
using_dma = 1 (on)
Flags
---------------------------------------------------------------------------------------------------------
-d1
________________
-d disables/enables the using_dma flag for the drive. This is always a good
idea when dealing with PCI IDE controllers. Using DMA always gives you better
disk performance with low CPU usage. However, if you're running on legacy hardware
this may or may not be supported.
-c3
________________
-c enables EIDE 32-bit I/O support.
0 default 16-bit
1 32-bit
2 16-bit
3 32-bit w/sync
-u1
________________
-u sets the interrupt-unmask flag for the drive. This allows the driver to unmask
other interrupts while a disk interrupt is being processed. This generally greatly
improves overall disk performance.
-m16
________________
-m sets the sector count for multiple-sector I/O on the drive, i.e. how many
sectors are transferred for every single interrupt.
(Default is 1)
-X
________________
-X sets the EIDE transfer mode for your harddisk. Increasing
this value will greatly increase your drive's transfer speed.
To discover the best option to set, follow the following steps:
#hdparm -i /dev/hda
/dev/hda:
Model=TOSHIBA MK4025GAS, FwRev=KA101A, SerialNo=34MA8053S
Config={ Fixed }
RawCHS=16383/16/63, TrkSize=0, SectSize=0, ECCbytes=48
BuffType=unknown, BuffSize=0kB, MaxMultSect=16, MultSect=16
CurCHS=16383/16/63, CurSects=16514064, LBA=yes, LBAsects=78140160
IORDY=on/off, tPIO={min:120,w/IORDY:120}, tDMA={min:120,rec:120}
PIO modes: pio0 pio1 pio2 pio3 pio4
DMA modes: sdma0 sdma1 sdma2 mdma0 mdma1 mdma2
UDMA modes: udma0 udma1 udma2 udma3 udma4 *udma5
AdvancedPM=yes: unknown setting WriteCache=enabled
Drive conforms to: device does not report version:
* signifies the current active mode
You notice on the following lines
PIO modes: pio0 pio1 pio2 pio3 pio4
DMA modes: sdma0 sdma1 sdma2 mdma0 mdma1 mdma2
UDMA modes: udma0 udma1 udma2 udma3 udma4 *udma5
that the * symbol marks what is active on your drive.
Many modern harddrives have the highest mode set by default. However,
in many cases this is not the standard, so it would be required to
enter the following flag to tell hdparm what to set.
# hdparm -X udma5 /dev/hda
Or the equivalent numeric code, which is demonstrated in the following chart.
         0    1    2    3    4    5    6
PIO     08   09   10   11   12
SDMA    16   17   18
MDMA    32   33   34
UDMA    64   65   66   67   68   69   70
So, reading the chart, -X69 is equal to -X udma5 (and -X66 would select udma2).
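Reading the mode names and the numeric codes off the chart by hand is where mistakes creep in, so here is an added example (not from the guide) that does the translation in POSIX sh: PIO is 8+n, SDMA 16+n, MDMA 32+n and UDMA 64+n, exactly as the chart lays out. It also parses hdparm -i output to find the mode marked with "*" and the highest UDMA mode the drive advertises, and prints the hdparm command that would select it. The hdparm -i text is a constructed copy of the guide's output; nothing is executed against a device.

```shell
#!/bin/sh
# Added example, not from the guide: translate transfer-mode names into the
# numeric "hdparm -X" codes from the chart (PIO = 8+n, SDMA = 16+n,
# MDMA = 32+n, UDMA = 64+n) and read "hdparm -i" output to see which mode
# is active. HDPARM_I is a constructed copy of the guide's hdparm -i output.
HDPARM_I='/dev/hda:
 Model=TOSHIBA MK4025GAS, FwRev=KA101A, SerialNo=34MA8053S
 PIO modes:  pio0 pio1 pio2 pio3 pio4
 DMA modes:  sdma0 sdma1 sdma2 mdma0 mdma1 mdma2
 UDMA modes: udma0 udma1 udma2 udma3 udma4 *udma5'

# Print the -X code for a mode name such as udma5; fail on unknown names.
xcode() {
  case "$1" in
    pio[0-4])  echo $(( 8 + ${1#pio} )) ;;
    sdma[0-2]) echo $(( 16 + ${1#sdma} )) ;;
    mdma[0-2]) echo $(( 32 + ${1#mdma} )) ;;
    udma[0-6]) echo $(( 64 + ${1#udma} )) ;;
    *) echo "unknown mode: $1" >&2; return 1 ;;
  esac
}

# Print the mode that hdparm -i marks with "*" (the currently active one).
active_mode() {
  printf '%s\n' "$1" | tr ' ' '\n' | sed -n 's/^\*//p'
}

# Print the last (highest) entry on the "UDMA modes:" line.
highest_udma() {
  printf '%s\n' "$1" | sed -n 's/^ *UDMA modes: *//p' | tr ' ' '\n' \
      | sed 's/^\*//' | tail -n 1
}

# Print the hdparm command that would select the highest UDMA mode, or say
# that the drive is already there. Nothing is run against the device.
suggest() {
  active=$(active_mode "$2")
  best=$(highest_udma "$2")
  if [ "$active" = "$best" ]; then
    echo "$1 already at highest UDMA mode ($best)"
  else
    echo "hdparm -X $(xcode "$best") $1   # equivalent to -X $best"
  fi
}

suggest /dev/hda "$HDPARM_I"
```

For the guide's Toshiba drive the active and highest modes are both udma5, so the script only reports that; on a drive that came up in udma2 it would print `hdparm -X 69 /dev/hda`, which is the number you would otherwise have to read off the chart.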
Well, rock on, we've got an optimized harddrive! This simple
little tweak will best be shown by how quick compile times
will be versus previous gentoo installs you might have
set up.
Now we should set up the cdrom/dvd/cd-rw or whatever you
might have to take advantage of the same as the harddrive.
------------------------------------------------------------------------------------------------------------
Default
--------------
#hdparm /dev/cdroms/cdrom0
/dev/cdroms/cdrom0:
IO_support = 0 (default 16-bit)
unmaskirq = 0 (off)
using_dma = 0 (off)
keepsettings = 0 (off)
readonly = 1 (on)
readahead = 256 (on)
Optimized
---------------
#hdparm -d1c1u1 /dev/cdroms/cdrom0
/dev/cdroms/cdrom0:
setting 32-bit IO_support flag to 1
setting unmaskirq to 1 (on)
setting using_dma to 1 (on)
IO_support = 1 (32-bit)
unmaskirq = 1 (on)
using_dma = 1 (on)
Hardcore! We've now got a good base to start
the install from.
========================================
Network Configuration
========================================
Gentoo is pretty good about automatically setting up networking
via dhcp. However, depending on the environment, we may need to set the
networking information manually.
Just follow these simple steps to set up networking.
1. Check if networking is already set up and configured.
# ifconfig -a
2. If none of the ethernet adapters were configured but they exist,
all we need to do is manually set the network parameters using
gentoo's net-setup utility.
#net-setup eth0
3. However, in some instances we need to manually load the correct
drivers into the kernel to get the ethernet interfaces up.
#modprobe <driver module for your network card>
This should bring up your eth0 interface but not configure your networking;
if this is the case, go back to step 2 to do so.
Hopefully now you have a fully working and configured network-ready install medium.
If you are in need of more documentation, refer to Chapter 4 of the Gentoo Install Guide.
_________________________
NOTE: The configuration information is located in /etc/conf.d/net
_________________________
===========================================
DISK PARTITIONING
===========================================
Partitions are the logical division of a single physical drive into many separate logical drives.
The partition boundaries (where they start and where they stop) are managed by the partition table,
sometimes called the TOC (Table of Contents). This is a very fundamental concept of computing, so I
will not spend much time going over what partitions are and how they work. Instead I will dive straight
into the concepts of partitioning and designing secure and efficient partition schemes.
Reasons behind designing secure and fault tolerant partition schemes.
Speed: Harddisk platters are circular disks that are spun by a motor in the center. Therefore
the data in the center of the disk can be accessed at a much faster pace than the data on the
outside of the disk. This is due to the fact that the center of the disk has less space to travel.
A good practical example of this is the gears on a bicycle. The smaller gear attached to the pedals
goes at a much faster pace than the large gear attached to the spokes of the bicycle. With this
fact in mind we must design our partition scheme to adapt to the physical limitations of the
hardware itself. When more frequently requested data is placed at the beginning of the disk,
that data can be retrieved and loaded into RAM at a much faster rate than the data placed on the
outside of the disk. This design consideration is often overlooked by many of the GNU/Linux distro
developers. Sadly, in many "commercial" GNU/Linux distributions such as SuSE, Mandrake, Red Hat,
and the like, partitioning is de-emphasized, which leads to a speed impact and the vulnerability
of massive data corruption.
Security: Most seasoned GNU operating system administrators are well aware of the security that can
be implemented by spanning the *nix directory tree across several partitions or physical disks.
However, I personally am always surprised how many systems that I have had access to and been an administrator of in years
past do not use these very simple yet effective security measures. In later chapters I will talk about
these features in great detail. For now I'm going to give a quick primer of the various security enhancements
that a good partition scheme can implement.
Mounting rules: The GNU/Linux system allows certain rules to be enforced on mounted partitions.
These rules can, for instance, force a partition to be mounted read-only, a useful feature for sensitive
data.
nosuid: This particular rule prevents binaries existing on the partition from executing as root
using the setuid privilege escalation feature: set-user-ID bits on that partition are simply ignored.
noexec: This flag prevents the execution of binaries on a specific partition. This
is very useful for /tmp, /var, and in some cases, /home. However, don't come crying to me when
your team of software developers jump you in the company parking lot because they can't test
their code. Before using this flag, make sure you know the implications of what you're doing.
nodev: This flag prevents device nodes on the partition in question from being used as devices. Generally
a good idea for all partitions except the root partition (/).
Another less known technique that is important in secure partitioning is the concept of encrypted partitions,
where all data on the partition is obfuscated by secure encryption implementations. We will go over this
particular subject in depth in later chapters, but here's a quick and dirty explanation of how it works.
[*INCOMPLETE*]
Fault Tolerance:
One of the greatest follies of only designating a single / partition is the lack of fault tolerance.
One of the fundamental concepts of server administration is: if it can fail, it will; it's just a matter
of time. Things happen, filesystems become corrupted and disks go bad. However, if you as the administrator
implement a partitioning scheme with this concept in mind, you are more likely to lose little.
Physical Disk Quotas:
A common security and server management practice is the use of disk quotas. This is especially common in
multiuser environments such as webhosting, file servers, mail servers, and backup servers. While quotas are
normally implemented at the software level, partitioning, the logical division of the harddisk, adds
an even greater layer to this paradigm.
The overgrowth of a file, or a mailbomb against your technical support account, can hinder your system's operation
greatly.
One of the best examples that I personally have come across is the following disaster. The main server
of a friend's company was a Red Hat Linux system with a single / partition. Due to the increase
of traffic on the network a full time crew of server administrators was hired, mainly consisting of young
male interns. Late at night one of the new interns decided to take his 200+ gigabyte collection of pirated
music and movies and put it in his home directory. This quickly filled up the low end server to the point
that the system could no longer transport email, files, or process new orders. This particular event cost
the company countless hours of downtime and subsequently hundreds to thousands of dollars.
A good partition scheme coupled together with software disk quotas can prevent many similar disasters.
It is recommended that when designing your partition scheme you take this concept into account.
Disk space Efficiency:
One of the greatest features of linux is the ability to specify how big the individual blocks are
on the individual partition. For instance, if you have a partition that holds many small files, such
as /tmp, the block size can be decreased to 1 kilobyte, which makes more efficient use of the space
provided.
Backups:
Backing up files is a critical part of any server deployment. Most servers use either CD/DVD-RW
drives to make daily, weekly, or monthly backups of the data that is stored on them. Tape, remote,
and NAS backups are also popular ways of doing server backups. Having a well partitioned system
can help in the rapid restoration of lost data.
Designing The Scheme
Alright, now that we've talked about the reasoning behind spanning the directory tree
across multiple partitions and disks, let's talk about how we're going to do it.
Well, there is no real nice way to say this, so I will just say it. It all depends!
I cannot stress enough how important it is to develop a rock solid and adaptive
partitioning scheme. You're going to have to live with this scheme for as long as
this installation is deployed, so make sure you're happy with it.
Well, you might be wondering how to figure out what the best scheme is for your
purposes. This is one of those universal questions that we all face. It was this
challenge that led me to develop the following method of identifying the best
deployment. So pay attention, this is important.
1. What will the server or workstation be doing 99.9% of the time?
2. How much data access will be done on the system and how often?
3. What is the most important set of files on the system?
4. How will you recover when the system fails?
Now let's take these 4 questions and put them in a real world example.
Answer 1: This server will be serving websites for a hosting company.
Answer 2: Processing requests and placing data in mysql databases.
Answer 3: Client files and databases.
Answer 4: Run crying in a corner.
Well, no need to cry, but this is a very common and practical example for us to
base our theoretical partition scheme on.
Webhosts are subject to constant access because of the fact that they can be hosting
hundreds of sites per server. Naturally the data access is very frequent and fairly
heavy. Most mere IDE disks would die in a couple of weeks under this kind of constant
attack. With this in mind it's important that you choose the best hardware for the task.
Ok, so you're running a 300 gigabyte scsi raid 5 array on a server that gets 130 requests
a minute.
[*INCOMPLETE*]
Now many users do not have SCSI devices and settle for the now
cheaper IDE devices. At the time of this writing 300Gb IDE harddrives
are available for 100-200 dollars from some online dealers. The principles
behind partitioning on IDE hardware are slightly different, but the fundamental
concepts are still the same. With IDE hardware we are limited to 4 primary
partitions and 5 logical partitions. In many cases this is perfect for many
servers and most workstations. Partition sizes mainly rely on what the job
of the server will be. If this is an IT workstation that is used to test software
before it's implemented on production level systems, larger partitions might be
needed for the system rather than the IT home directory. Let's take my own personal
laptop: I constantly use it to test kernel variants and implementations. When I
first built gentoo on it, I expected the standard 50Mb partition to be perfect
for my needs. I sadly was very mistaken, and my /boot partition filled up
with copies of kernel images faster than I believed possible. This is a rare case,
but /boot should be around 50-150 Megabytes.
Recommendation: /boot 50-150
The / (root) partition doesn't need to be very large because it's mainly holding
the system libraries, configuration files, device nodes, and core system binaries.
A user can normally get away with 700 megabytes to a gigabyte.
Recommendation: / 700-1024
The size of the swap partition is the subject of much debate in the Linux community.
Many administrators argue that the swap partition should be double the size of your RAM,
effectively increasing the space available to processes for temporary data storage by 200%.
Other administrators argue that the swap partition should be equal to the size of the
physical RAM. While no conclusion can be drawn in this tireless war of partition sizing,
it's safe to say that it should be large. I normally agree with the paradigm of increasing
the swap space by 200% just for good measure. If your server has a gigabyte or more of RAM
it is entirely possible to do away with the swap space entirely; however, this practice is
not suggested.
Recommendation: Physical RAM x 2
[*INCOMPLETE*]
__________________________________________________________________________
/dev/hda1   /boot   50 Mb              (primary)
/dev/hda2   /       700 Mb             (primary)
/dev/hda3   swap    2 x size of RAM    (primary)
/dev/hda5   /usr                       (logical)
/dev/hda6   /opt    500 Mb - 1 Gb      (logical)
/dev/hda7   /var    2.0 Gb             (logical)
/dev/hda8   /tmp    100 Mb             (logical)
/dev/hda9   /home                      (logical)
Now it is pretty universally accepted that a user should
only be able to write to /tmp and their own directory in /home, so we
design the scheme and the permissions around this basic theory.
NOTE: Make sure you set hda3 as a linux swap partition
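The mounting rules from the DISK PARTITIONING section (nosuid, noexec, nodev) and the scheme above, where users only write to /tmp and /home, are both enforced in the same place: /etc/fstab. The following is an added example, not part of the guide, written in POSIX sh. It encodes the guide's advice as a per-mount-point policy (nodev everywhere except /, nosuid and noexec on /tmp and /var, nosuid on /home; noexec on /home is left as the site decision the guide describes, so it is not enforced) and audits an fstab against it. The fstab text is a constructed sample laid out like the hda1..hda9 scheme, with reiserfs assumed as the filesystem and two deliberate gaps so the report has something to show.

```shell
#!/bin/sh
# Added example, not from the guide: check an /etc/fstab against the
# mount-option policy the guide describes. SAMPLE_FSTAB is a constructed
# sample following the guide's hda1..hda9 layout (reiserfs is assumed).
SAMPLE_FSTAB='/dev/hda1  /boot  reiserfs  noauto,noatime                0 2
/dev/hda2  /      reiserfs  noatime                       0 1
/dev/hda3  none   swap      sw                            0 0
/dev/hda5  /usr   reiserfs  noatime,nodev                 0 2
/dev/hda6  /opt   reiserfs  noatime,nodev                 0 2
/dev/hda7  /var   reiserfs  noatime,nodev,nosuid,noexec   0 2
/dev/hda8  /tmp   reiserfs  noatime,nodev,nosuid          0 2
/dev/hda9  /home  reiserfs  noatime,nodev,nosuid          0 2'

# Options the guide calls for per mount point: nodev everywhere but /,
# nosuid+noexec where users and services write (/tmp, /var), nosuid on
# /home. noexec on /home is a site decision (the developer caveat in the
# guide), so it is deliberately not required here.
required_opts() {
  case "$1" in
    /)         echo "" ;;
    /tmp|/var) echo "nodev nosuid noexec" ;;
    /home)     echo "nodev nosuid" ;;
    *)         echo "nodev" ;;
  esac
}

# Succeed if the comma-separated option list $1 contains option $2.
has_opt() {
  case ",$1," in
    *",$2,"*) return 0 ;;
    *)        return 1 ;;
  esac
}

# Print the required options that mount point $1 lacks, given options $2.
missing_opts() {
  missing=""
  for want in $(required_opts "$1"); do
    has_opt "$2" "$want" || missing="$missing $want"
  done
  printf '%s' "${missing# }"
}

# Read fstab text and print "mountpoint: missing options" for each offender.
audit_fstab() {
  printf '%s\n' "$1" | while read -r dev mp fstype opts dump pass; do
    case "$dev" in ''|'#'*) continue ;; esac   # skip blanks and comments
    [ "$fstype" = swap ] && continue            # swap carries no mount options
    m=$(missing_opts "$mp" "$opts")
    if [ -n "$m" ]; then printf '%s: %s\n' "$mp" "$m"; fi
  done
}

audit_fstab "$SAMPLE_FSTAB"
```

Run against the sample it reports `/boot: nodev` and `/tmp: noexec`; everything else already carries what the policy asks for. Pointing it at the real file is `audit_fstab "$(cat /etc/fstab)"`, and the same `has_opt` check works on the option column of `mount` output if you want to verify what is actually mounted rather than what is configured.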
Using Fdisk
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
In our example environment we're running a stock Maxtor 40 gig IDE harddrive.
livecd root # fdisk -l
Disk /dev/hda: 40.0 GB, 40020664320 bytes
255 heads, 63 sectors/track, 4865 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Device Boot Start End Blocks Id System
fdisk is one of those must-know utilities when dealing with almost all x86 based
operating systems. Let's take a few minutes to get familiar with it.
livecd root # fdisk /dev/hda
The number of cylinders for this disk is set to 4865.
There is nothing wrong with that, but this is larger than 1024,
and could in certain setups cause problems with:
1) software that runs at boot time (e.g., old versions of LILO)
2) booting and partitioning software from other OSs
(e.g., DOS FDISK, OS/2 FDISK)
Command (m for help): m
Command action
a toggle a bootable flag
b edit bsd disklabel
c toggle the dos compatibility flag
d delete a partition
l list known partition types
m print this menu
n add a new partition
o create a new empty DOS partition table
p print the partition table
q quit without saving changes
s create a new empty Sun disklabel
t change a partition's system id
u change display/entry units
v verify the partition table
w write table to disk and exit
x extra functionality (experts only)
Command (m for help):
fdisk is a fairly easy to use utility once you completely understand all the terminology.
For those that haven't been in the computer hobbyist or administration scene for long, I'm
going to briefly describe all the functions of the fdisk utility and how to fully take
advantage of it.
a - toggle a bootable flag - When the POST process is finished the BIOS will probe
initialized storage devices for a bootable partition. If
no partition is found that is marked bootable, then an
error is returned. However, if one is found it will load
the bootloader from the device's Master Boot Record.
b - edit bsd disklabel - In BSD, harddrive partitioning and filesystem interaction
is slightly different. On top of doing standard partitioning,
BSD imprints a disk label to signify mount points.
c - toggle the dos compatibility flag - sets LFN for DOS Long file names
d - delete a partition - deletes a partition from the partition table. NOTE: if you delete
a partition from an already existing partition table, make
sure you write the partition table out before you exit.
l - lists all known partition types:
Command (m for help): l
 0 Empty             1c Hidden W95 FAT3   70 DiskSecure Mult   bb Boot Wizard hid
 1 FAT12             1e Hidden W95 FAT1   75 PC/IX             be Solaris boot
 2 XENIX root        24 NEC DOS           80 Old Minix         c1 DRDOS/sec (FAT-
 3 XENIX usr         39 Plan 9            81 Minix / old Lin   c4 DRDOS/sec (FAT-
 4 FAT16 <32M        3c PartitionMagic    82 Linux swap        c6 DRDOS/sec (FAT-
 5 Extended          40 Venix 80286       83 Linux             c7 Syrinx
 6 FAT16             41 PPC PReP Boot     84 OS/2 hidden C:    da Non-FS data
 7 HPFS/NTFS         42 SFS               85 Linux extended    db CP/M / CTOS / .
 8 AIX               4d QNX4.x            86 NTFS volume set   de Dell Utility
 9 AIX bootable      4e QNX4.x 2nd part   87 NTFS volume set   df BootIt
 a OS/2 Boot Manag   4f QNX4.x 3rd part   8e Linux LVM         e1 DOS access
 b W95 FAT32         50 OnTrack DM        93 Amoeba            e3 DOS R/O
 c W95 FAT32 (LBA)   51 OnTrack DM6 Aux   94 Amoeba BBT        e4 SpeedStor
 e W95 FAT16 (LBA)   52 CP/M              9f BSD/OS            eb BeOS fs
 f W95 Ext'd (LBA)   53 OnTrack DM6 Aux   a0 IBM Thinkpad hi   ee EFI GPT
10 OPUS              54 OnTrackDM6        a5 FreeBSD           ef EFI (FAT-12/16/
11 Hidden FAT12      55 EZ-Drive          a6 OpenBSD           f0 Linux/PA-RISC b
12 Compaq diagnost   56 Golden Bow        a7 NeXTSTEP          f1 SpeedStor
14 Hidden FAT16 <3   5c Priam Edisk       a8 Darwin UFS        f4 SpeedStor
16 Hidden FAT16      61 SpeedStor         a9 NetBSD            f2 DOS secondary
17 Hidden HPFS/NTF   63 GNU HURD or Sys   ab Darwin boot       fd Linux raid auto
18 AST SmartSleep    64 Novell Netware    b7 BSDI fs           fe LANstep
1b Hidden W95 FAT3   65 Novell Netware    b8 BSDI swap         ff BBT
Command (m for help):
m - just prints the help menu
n - creates a new partition on the partition table.
Command (m for help): n
Command action
e extended
p primary partition (1-4)
p
Partition number (1-4): 1
First cylinder (1-4865, default 1):
Using default value 1
Last cylinder or +size or +sizeM or +sizeK (1-4865, default 4865): 100M
o - zeroes out all partitions in the in-memory table. Basically it's just a quick delete.
p - shows the partition table
Command (m for help): p
Disk /dev/hda: 40.0 GB, 40020664320 bytes
255 heads, 63 sectors/track, 4865 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Device Boot Start End Blocks Id System
/dev/hda1 1 100 803218+ 83 Linux
s - creates disklabels for Sun Microsystems Solaris systems
t - changes a partition's system id (also known as type)
u - changes display units from cylinders to blocks or vice versa
w - writes the partition table to disk. NOTE: it is very important that you use
this command once you're finished with the table.
Now that we fully understand the functions of fdisk lets move on into setting
up our partitions.
livecd root # fdisk /dev/hda
The number of cylinders for this disk is set to 4865.
There is nothing wrong with that, but this is larger than 1024,
and could in certain setups cause problems with:
1) software that runs at boot time (e.g., old versions of LILO)
2) booting and partitioning software from other OSs
(e.g., DOS FDISK, OS/2 FDISK)
Command (m for help): n
Command action
e extended
p primary partition (1-4)
p
Partition number (1-4): 1
First cylinder (1-4865, default 1):
Using default value 1
Last cylinder or +size or +sizeM or +sizeK (1-4865, default 4865): +50M
Command (m for help): n
Command action
e extended
p primary partition (1-4)
p
Partition number (1-4): 2
First cylinder (8-4865, default 8):
Using default value 8
Last cylinder or +size or +sizeM or +sizeK (8-4865, default 4865): +700M
Command (m for help): n
Command action
e extended
p primary partition (1-4)
p
Partition number (1-4): 3
First cylinder (94-4865, default 94):
Using default value 94
Last cylinder or +size or +sizeM or +sizeK (94-4865, default 4865): +512M
Command (m for help): n
Command action
e extended
p primary partition (1-4)
e
Selected partition 4
First cylinder (157-4865, default 157):
Using default value 157
Last cylinder or +size or +sizeM or +sizeK (157-4865, default 4865):
Using default value 4865
Command (m for help): n
First cylinder (157-4865, default 157):
Using default value 157
Last cylinder or +size or +sizeM or +sizeK (157-4865, default 4865): +6G
Command (m for help): n
First cylinder (887-4865, default 887):
Using default value 887
Last cylinder or +size or +sizeM or +sizeK (887-4865, default 4865): +1G
Command (m for help): n
First cylinder (1010-4865, default 1010):
Using default value 1010
Last cylinder or +size or +sizeM or +sizeK (1010-4865, default 4865): +7G
Command (m for help): n
First cylinder (1862-4865, default 1862):
Using default value 1862
Last cylinder or +size or +sizeM or +sizeK (1862-4865, default 4865): +600M
Command (m for help): n
First cylinder (1936-4865, default 1936):
Using default value 1936
Last cylinder or +size or +sizeM or +sizeK (1936-4865, default 4865):
Using default value 4865
Command (m for help): p
Disk /dev/hda: 40.0 GB, 40020664320 bytes
255 heads, 63 sectors/track, 4865 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
   Device Boot    Start       End    Blocks   Id  System
/dev/hda1             1         7     56196   83  Linux
/dev/hda2             8        93    690795   83  Linux
/dev/hda3            94       156   506047+   83  Linux
/dev/hda4           157      4865 37825042+    5  Extended
/dev/hda5           157       886  5863693+   83  Linux
/dev/hda6           887      1009    987966   83  Linux
/dev/hda7          1010      1861  6843658+   83  Linux
/dev/hda8          1862      1935   594373+   83  Linux
/dev/hda9          1936      4865 23535193+   83  Linux
Command (m for help): a
Partition number (1-9): 1
Command (m for help): t
Partition number (1-9): 3
Hex code (type L to list codes): 82
Changed system type of partition 3 to 82 (Linux swap)
Command (m for help): p
Disk /dev/hda: 40.0 GB, 40020664320 bytes
255 heads, 63 sectors/track, 4865 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
   Device Boot    Start       End    Blocks   Id  System
/dev/hda1   *         1         7     56196   83  Linux
/dev/hda2             8        93    690795   83  Linux
/dev/hda3            94       156   506047+   82  Linux swap
/dev/hda4           157      4865 37825042+    5  Extended
/dev/hda5           157       886  5863693+   83  Linux
/dev/hda6           887      1009    987966   83  Linux
/dev/hda7          1010      1861  6843658+   83  Linux
/dev/hda8          1862      1935   594373+   83  Linux
/dev/hda9          1936      4865 23535193+   83  Linux
Command (m for help): w
The partition table has been altered!
Calling ioctl() to re-read partition table.
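The "Blocks" column in that table is worth being able to read before you commit a layout, because fdisk rounds every partition to whole cylinders (8225280 bytes each on this disk, from the "Units =" line) and the "+" suffix means the block count was rounded down by half a block. The following is an added example, not from the guide: a POSIX sh parser for the final fdisk "p" output above (copied verbatim into the script) that reports each partition's real size in MiB and how many sectors of its cylinder span it does not actually use. The sector-per-cylinder figure 16065 comes from the "255 heads, 63 sectors/track" geometry line.

```shell
#!/bin/sh
# Added example, not from the guide: parse the final fdisk "p" table from the
# session above and compute what each partition really got. FDISK_TABLE is a
# constructed copy of that output; 16065 = 255 heads * 63 sectors/track.
SECTORS_PER_CYL=16065

FDISK_TABLE='/dev/hda1 * 1 7 56196 83 Linux
/dev/hda2 8 93 690795 83 Linux
/dev/hda3 94 156 506047+ 82 Linux swap
/dev/hda4 157 4865 37825042+ 5 Extended
/dev/hda5 157 886 5863693+ 83 Linux
/dev/hda6 887 1009 987966 83 Linux
/dev/hda7 1010 1861 6843658+ 83 Linux
/dev/hda8 1862 1935 594373+ 83 Linux
/dev/hda9 1936 4865 23535193+ 83 Linux'

# Print "start end blocks plus" for device $1. The optional "*" in the Boot
# column shifts the fields, so detect it; "plus" is 1 when fdisk printed a
# trailing "+" (an odd sector count rounded down to whole 1 KiB blocks).
part_fields() {
  printf '%s\n' "$FDISK_TABLE" | while read -r dev a b c d rest; do
    [ "$dev" = "$1" ] || continue
    if [ "$a" = '*' ]; then start=$b; end=$c; blocks=$d
    else start=$a; end=$b; blocks=$c; fi
    plus=0
    case "$blocks" in *+) plus=1; blocks=${blocks%+} ;; esac
    printf '%s %s %s %s\n' "$start" "$end" "$blocks" "$plus"
  done
}

# Usable size in MiB, from fdisk's 1 KiB blocks.
part_mib() {
  set -- $(part_fields "$1")
  [ $# -eq 4 ] || return 1
  echo $(( $3 / 1024 ))
}

# Sectors in the partition's cylinder span that the partition does not use.
# 63 is one track: the MBR track in front of hda1, or the extended boot
# record in front of each logical partition. Full-cylinder primaries give 0.
part_gap_sectors() {
  set -- $(part_fields "$1")
  [ $# -eq 4 ] || return 1
  cyl_sectors=$(( ($2 - $1 + 1) * SECTORS_PER_CYL ))
  echo $(( cyl_sectors - (2 * $3 + $4) ))
}

for dev in /dev/hda1 /dev/hda2 /dev/hda3 /dev/hda5 /dev/hda9; do
  printf '%-10s %6s MiB  %s sectors of the span unused\n' \
    "$dev" "$(part_mib "$dev")" "$(part_gap_sectors "$dev")"
done
```

Two things the numbers show: "+50M" and "+700M" were taken as decimal megabytes and rounded to cylinders, so /boot ended up at 54 MiB and / at 674 MiB (below the 700 the guide recommends for /, which is why you should check the "p" output rather than trusting the size you typed); and hda1 plus every logical partition loses one 63-sector track to the boot record that precedes it, while hda2 and hda3 start on a cylinder boundary and lose nothing.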
File Systems
---------------------------------------------------------------------------
As most of you know, a filesystem is an ordered set of structures and rules
the operating system uses to read and write data to the hard disk.
As file system technology becomes more complex, added security
features have become very important in every high security environment.
Common Linux File Systems
-------------------------
ext2 - One of the early linux filesystems, based on the original UNIX filesystems.
ext3 - An improved version of ext2 which adds journaling support to the filesystem.
xfs - Journaling filesystem by SGI, originally for IRIX yet seamlessly ported to Linux.
reiserfs - Fast and reliable journaling filesystem.
When choosing a file system you have to keep in mind the security, speed and disaster
recovery requirements for the system. As the administrator one also has to
keep in mind the compromises that your choice entails.
Notes on POSIX Access Control Lists
-------------------------------------------------
The POSIX ACL patches were first introduced into the mainstream kernel in November
of 2002. These new and very important patches added a new layer of security to the
mainstream filesystems. POSIX ACL support is available for ext2, ext3, JFS, ReiserFS, and
XFS.
POSIX ACLs work by adding new permission labels to the standard POSIX object
permission model. For example, the standard POSIX object permission model
is r/w/x: read, write, and execute. POSIX ACLs add 2 other classes
----------------------------------------------------
Now lets examine the choices a little more closely.
ext2
-------------------------------------------------
ext2fs is a direct improvement on the first extended file system,
mainly focusing on bug fixes and functionality improvements
(e.g. support for up to 4 TB). ext2fs also improves the administrator's
control of how files are read from and written to the file system.
Direct Advantages of ext2
- Speed improvements over the original extended file system
- Takes advantage of buffer cache management
- Allocation optimizations
- Transparent compression
[+] Posix ACL Patches for ext2
ext3
---------------------------------------------------
ext3 is a more recent extension of the ext2 file system which adds
journaling support to the filesystem. This filesystem is still fairly
new and is constantly being updated and improved.
- All the features mentioned previously with ext2
- Added Journaling support for disaster recovery
[+] Posix ACL Patches for ext3
XFS
---------------------------------------------------
XFS is a filesystem originally designed by SGI for their IRIX operating
system. However, SGI maintains a port of XFS for Linux, which provides many
positive opportunities for stability and security.
Direct Advantages of XFS
- Journaling
- Fast
- Fully 64-bit file system
- Near raw I/O performance
- Supports Disk Quotas
- Strong backup/restore ability
[+] Posix ACL Patches for xfs
ReiserFS 3
----------------------------------------------------
ReiserFS is a journaling filesystem from www.namesys.com. It's a
very stable and strong filesystem for high load environments and workstations
alike. Unlike any other linux file system, Reiser uses its object-oriented
balanced tree algorithm to increase speed and reliability in the filesystem.
- Journaling
- Optimized Algorithms
- Disk Quotas
- Disaster Recovery with very little data loss
[+] Posix ACL Patches for ReiserFS3
ReiserFS 4
----------------------------------------------------
Reiser4 is the fastest filesystem to date from namesys.com;
take a look at the benchmarks at http://www.namesys.com/benchmarks.html.
Reiser4 is an atomic filesystem, which means that your filesystem
operations either occur entirely or not at all, and the filesystem
does not get corrupted by half-completed operations. This is done without
significant performance loss, because namesys invented algorithms that do it
without copying the data twice. Reiser4 uses dancing trees, which obsolete
the balanced tree algorithms used in databases. This makes Reiser4
more space efficient than other filesystems, because it packs small
files together rather than wasting space on block alignment as
they do. It also means that Reiser4 scales better than any other filesystem.
Do you want a million files in a directory, and want to create them fast?
No problem. Reiser4 is based on plugins; if you like to code, you'll really
like plugins. Reiser4 is architected for military grade security. You'll find
it is easy to audit the code, and that assertions guard the entrance to every
function.
Because ReiserFS 4 is still considered experimental in many circles, this guide
will wait until a later time to adopt that file system. Here we will
go with ReiserFS 3.6, a very stable and reliable filesystem.
-----------------------------------------------------------------------------------
Ultimately it is up to you as the user to choose the file system.
---------------------
ext2 - mke2fs /dev/hdxx
ext3 - mke2fs -j /dev/hdxx
reiser3 - mkreiserfs /dev/hdxx
reiser4 - mkfs.reiser4 /dev/hdxx
For this guide we will stick with reiser3 for its added security features
and speed.
mkreiserfs /dev/hda1
mkreiserfs /dev/hda2
mkreiserfs /dev/hda5
mkreiserfs /dev/hda6
mkreiserfs /dev/hda7
mkreiserfs /dev/hda8
mkreiserfs /dev/hda9
Creating the swap partition....
mkswap /dev/hda3
swapon /dev/hda3
First we have to mount the root partition so that the new directories are
actually written to the installed volume.
mount /dev/hda2 /mnt/gentoo
However, if you are using an older version of the livecd together with reiser4,
you will need to add -t reiser4 like so:
_______________________________________
mount -t reiser4 /dev/hda2 /mnt/gentoo
---------------------------------------
as older versions of mount do not recognize this filesystem automatically. Once
you have mounted /mnt/gentoo you needn't add '-t reiser4' any more and can just
mount normally.
Now to create the corresponding directories
mkdir /mnt/gentoo/boot
mkdir /mnt/gentoo/usr
mkdir /mnt/gentoo/var
mkdir /mnt/gentoo/tmp
mkdir /mnt/gentoo/opt
mkdir /mnt/gentoo/home
Time to mount...here we go.
mount /dev/hda1 /mnt/gentoo/boot
mount /dev/hda5 /mnt/gentoo/usr
mount /dev/hda6 /mnt/gentoo/opt
mount /dev/hda7 /mnt/gentoo/var
mount /dev/hda8 /mnt/gentoo/tmp
mount /dev/hda9 /mnt/gentoo/home
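As an added example (not from the guide), the following script turns the mkfs and mount sequence above into a dry-run plan with two safeguards a practitioner wants before touching disks: it refuses to format any partition that the mount table already shows as mounted, and it emits the mounts in dependency order so the root volume is mounted before the directories that live on it are created. PLAN uses the guide's hda1..hda9 layout; MOUNTS_SAMPLE is a constructed stand-in for /proc/mounts (on the livecd you would use MOUNTS=$(cat /proc/mounts) instead).

```sh
# Added example, not part of the guide: dry-run planner for the mkfs/mount
# steps. Nothing here formats or mounts anything; it prints the commands
# (or a SKIP line) so they can be reviewed before being run.

# dev, mount point, type: the guide's partition layout, root listed first
PLAN='/dev/hda2 /mnt/gentoo reiserfs
/dev/hda1 /mnt/gentoo/boot reiserfs
/dev/hda3 none swap
/dev/hda5 /mnt/gentoo/usr reiserfs
/dev/hda6 /mnt/gentoo/opt reiserfs
/dev/hda7 /mnt/gentoo/var reiserfs
/dev/hda8 /mnt/gentoo/tmp reiserfs
/dev/hda9 /mnt/gentoo/home reiserfs'

# Constructed /proc/mounts sample: the cdrom, plus /dev/hda9 left mounted
# from an earlier attempt (formatting it now would destroy live data).
MOUNTS_SAMPLE='/dev/hdc /mnt/cdrom iso9660 ro 0 0
/dev/hda9 /mnt/gentoo/home reiserfs rw 0 0'

# is_mounted DEV TABLE -> exit 0 if DEV is the source of any entry in TABLE
is_mounted() {
    printf '%s\n' "$2" | awk -v dev="$1" '$1 == dev { found = 1 } END { exit !found }'
}

# mkfs_plan TABLE -> one line per partition: the mkfs command to run, or
# "SKIP <dev> already mounted" when TABLE shows it as in use
mkfs_plan() {
    printf '%s\n' "$PLAN" | while read -r dev mnt fstype; do
        if is_mounted "$dev" "$1"; then
            printf 'SKIP %s already mounted\n' "$dev"
        elif [ "$fstype" = swap ]; then
            printf 'mkswap %s\n' "$dev"
        else
            printf 'mkreiserfs %s\n' "$dev"
        fi
    done
}

# mkfs_plan_ok TABLE -> exit 0 only when nothing in the plan was skipped
mkfs_plan_ok() {
    ! mkfs_plan "$1" | grep -q '^SKIP'
}

# mount_plan -> the mount commands in dependency order: the root volume
# first (it is first in PLAN), swap, then mkdir + mount for each directory
# that lives on the new root
mount_plan() {
    printf '%s\n' "$PLAN" | while read -r dev mnt fstype; do
        if [ "$fstype" = swap ]; then
            printf 'swapon %s\n' "$dev"
        elif [ "$mnt" = /mnt/gentoo ]; then
            printf 'mount %s %s\n' "$dev" "$mnt"
        else
            printf 'mkdir -p %s && mount %s %s\n' "$mnt" "$dev" "$mnt"
        fi
    done
}
```

Run mkfs_plan "$(cat /proc/mounts)" first and only proceed when mkfs_plan_ok succeeds; then the output of mount_plan can be executed line by line in the order printed.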
Congratulations.....it's really starting to come together.....
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Setting the Clock
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
It's generally a good idea to set the time and date before you start
extracting files to your hard drive, as a misconfigured clock can cause
problems in the future, or at the very least annoying warnings about files
from the future.
livecd # date MMDDhhmm
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Grabbing the gentoo stage 3 file from your local gentoo mirror
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Well, at this time we start the installation of the application end of
the operating system and start building our compilers and associated
tools.
cd /mnt/gentoo
wget gentoo.mirrors.tds.net/gentoo/releases/x86/2005.0/stages/hardened/2.6/stage1-x86-2005.0.tar.bz2
This will take a few minutes.....
tar -xjpvf stage1-*.tar.bz2
We choose the gentoo hardened stage files because of the added security features
introduced at compile time, which we will discuss later.
Also in this step we'll grab the gem of gentoo, portage. Portage is a system similar
to the BSD ports but with added functionality.
wget /portage-.tar.bz2
tar -xjpvf portage-.tar.bz2 -C /mnt/gentoo/usr/
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
OPTIMIZATIONS IN /etc/make.conf
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
This section will be the longest and most intensive section of the entire guide.
The configuration and setup of the make.conf file is the most important aspect
of the gentoo installation. This file is where the compile time optimizations are set.
In other words we setup how the gnu compiler collection (gcc) builds the binaries
that comprise this system.
The first step in the design of our server's make.conf file is an analysis
of the hardware that comprises the system itself.
# cat /proc/cpuinfo
processor : 0
vendor_id : AuthenticAMD
cpu family : 15
model : 12
model name : AMD Sempron(tm) Processor 3100+
stepping : 0
cpu MHz : 1808.927
cache size : 256 KB
fdiv_bug : no
hlt_bug : no
f00f_bug : no
coma_bug : no
fpu : yes
fpu_exception : yes
cpuid level : 1
wp : yes
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov
pat pse36 clflush mmx fxsr sse sse2 pni syscall nx mmxext 3dnowext 3dnow
bogomips : 3579.90
#
From here we can observe the capabilities of our processor.
In this example we're running an AMD Sempron 3100+ (the ia32 model) as shown by the 'model name' line.
Now straight to setting compile time flags for the system build.
The make.conf file contains variables used by portage to dictate how it operates on the host system.
Here, as we said before, we set compile time options, and various other options that govern
how the portage system handles files.
ACCEPT_KEYWORDS=<~arch> This variable enables the testing of unstable packages.
When a package is masked because it has been deemed unstable you can bypass this
masking by setting the ACCEPT_KEYWORDS variable.
KEYWORDS are used by ebuilds to mask or unmask certain packages.
AUTOCLEAN= The AUTOCLEAN variable tells portage to automatically
clean the system of outdated packages.
BUILD_PREFIX= BUILD_PREFIX defines portages working directory,
the default is ${PORTAGE_TMPDIR}/portage
CBUILD Variable passed to configure during
an ebuild process as --build=${CBUILD} only if defined.
CCACHE_SIZE='size' Controls space used by ccache, define with 'G',M',or 'K' (default is 2G)
CFLAGS='cflags' Defines compile time flags passed to gcc during its operation.
This variable is where gentoo draws its true power. Here we can add all the
gcc arguments that we want to control how binaries are built on our system.
Here is a quick guide on how to determine which are the best options for your CFLAGS
variable.
++++++++++++CFLAGS+++++++++++
The first argument that we're going to discuss is the -march argument.
The -march argument lets us specify the machine architecture that gcc will
specifically build for. To determine this we take a look at our /proc/cpuinfo again.
In the 5th line from the top, we see our cpu model name. From here we can determine
what argument to pass to -march. For example, if our server had a Sempron processor
made by Advanced Micro Devices (AMD), we would specify -march=athlon-xp, as the Sempron
processor is part of the athlon-xp family of processors.
-march=
The possible choices are as follows.
i386
i486
i586
i686
pentium
pentium-mmx
pentiumpro
pentium2
pentium3
pentium4
prescott
nocona
k6
k6-2
k6-3
athlon
athlon-tbird
athlon-4
athlon-xp
athlon-mp
winchip-c6
winchip2
c3
All supported x86 processors will fall under these categories.
The next argument will be -pipe. The -pipe option enables the use of pipes
instead of temporary files during various compilation stages.
-pipe
From the beginning of the portage system it has been a practical standard to enable
-fomit-frame-pointer as a compile time option. -fomit-frame-pointer stops the
compiler from saving a frame pointer in a register for functions that don't need one.
This flag frees up an extra register and avoids executing the instructions that
set up and save frame pointers needlessly.
-fomit-frame-pointer
Optimization in code is a very important practice. This fact is realized by the
integration of the -O series of gcc arguments. The -O series governs what group
of optimization flags will be enabled during compile time to increase binary
performance. In this guide we recommend that you use the 2nd level of optimization.
This level enables the following arguments.
-fforce-mem
-foptimize-sibling-calls
-fstrength-reduce
-fcse-follow-jumps
-fcse-skip-blocks
-frerun-cse-after-loop
-frerun-loop-opt
-fgcse
-fgcse-lm
-fgcse-sm
-fdelete-null-pointer-checks
-fexpensive-optimizations
-fregmove
-fschedule-insns
-fschedule-insns2
-fsched-interblock
-fsched-spec
-fcaller-saves
-fpeephole2
-freorder-blocks
-freorder-functions
-fstrict-aliasing
-falign-functions
-falign-jumps
-falign-loops
-falign-labels
These options greatly increase the performance of the compiled binary.
If you want to learn more about the functions that are enabled by the -O2
option, go to http://gcc.gnu.org/onlinedocs/ and read for yourself.
-O2
-fforce-addr is next in our cflags additions. The -fforce-addr argument tells gcc
to build the binary to copy memory address constants to registers before doing
arithmetic on them.
-ffast-math is a compiler argument that implies the following 5 math related
optimizations.
-fno-math-errno
-funsafe-math-optimizations
-fno-trapping-math
-ffinite-math-only
-fno-signaling-nans
The use of -ffast-math can increase the performance of the resulting binaries by a
noticeable measure.
The vast majority of servers are compromised as a result of programming mistakes
that leave certain programs vulnerable to buffer overflow attacks and the like.
The GNU Compiler Collection provides us with a few means to protect our binaries, so
that attacks such as buffer overflows cannot be carried out as easily. The following are
a few compile time options that will aid us in the development of a stable yet secure
gentoo linux server.
-fPIC
This option allows the generation of position independent code.
-fstack-protector-all
The gcc stack smashing protector is an extension for the gnu compiler collection
that protects vulnerable functions from the execution of a buffer overflow. This
protection system reorders the local variables so that buffers are placed
after pointers, thus protecting those pointers from corruption by
a buffer overflow attack. Setting this flag is one of the main points of security
in our system.
If your processor supports SSE, SSE2 and/or SSE3 then it would be a good idea to enable
these features with the following flags.
-msse -msse2
The same goes for the 3dnow technology.
-m3dnow
Note that the use of these processor technologies can greatly improve performance; however,
if you're not careful it can break a system's binaries. So make sure you check your /proc/cpuinfo
before applying the previous 2 and the following compile time options.
Some processors support the use of specialized floating point routines. Such floating point routines
are enabled with the -mfpmath (floating point math) compile time option. To use sse technology,
set the argument of -mfpmath to sse. To use both the i387 and sse instruction sets
at once, you can give the sse and 387 arguments together to effectively double the number of registers.
-mfpmath=sse,387
From this point it is up to you to choose the extra compile time options that you wish to enable.
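The text above says to check /proc/cpuinfo before putting -msse, -msse2, -m3dnow or -mfpmath into CFLAGS. The following script, an added example that is not part of the guide, does that check mechanically: it maps each gcc -m option to the cpuinfo flag it relies on and reports any option the cpu cannot execute, which is exactly the mistake that breaks a system's binaries. CPUINFO_SEMPRON repeats the model name and flags lines of the Sempron 3100+ output shown earlier in the guide; CPUINFO_NOSSE2 is a constructed flags line for an older cpu without sse2. On a live system use CPUINFO=$(cat /proc/cpuinfo).

```sh
# Added example, not part of the guide: verify the -m options in CFLAGS
# against the "flags" line of /proc/cpuinfo before they go into make.conf.

# Sempron 3100+ lines from the guide's /proc/cpuinfo listing
CPUINFO_SEMPRON='model name : AMD Sempron(tm) Processor 3100+
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 pni syscall nx mmxext 3dnowext 3dnow'

# Constructed sample: an Athlon XP class cpu with sse but no sse2
CPUINFO_NOSSE2='model name : constructed sample, Athlon XP class
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 mmx fxsr sse syscall mmxext 3dnowext 3dnow'

# cpu_has FLAG CPUINFO -> exit 0 if FLAG appears in the cpuinfo flags line
cpu_has() {
    printf '%s\n' "$2" | awk -v want="$1" '
        /^flags/ { for (i = 3; i <= NF; i++) if ($i == want) found = 1 }
        END { exit !found }'
}

# required_cpu_flag OPTION -> the /proc/cpuinfo flag a gcc -m option relies
# on, or nothing for options with no hardware requirement (-O2, -pipe, ...)
required_cpu_flag() {
    case "$1" in
        -mmmx)   echo mmx ;;
        -msse)   echo sse ;;
        -msse2)  echo sse2 ;;
        -msse3)  echo pni ;;     # the kernel reports SSE3 as "pni"
        -m3dnow) echo 3dnow ;;
        -mfpmath=sse|-mfpmath=sse,387|-mfpmath=387,sse) echo sse ;;
        *)       echo "" ;;
    esac
}

# check_cflags CFLAGS CPUINFO -> prints an OK/BAD line for every -m option
# and exits 0 only when the cpu supports all of them
check_cflags() {
    bad=0
    for opt in $1; do
        need=$(required_cpu_flag "$opt")
        [ -n "$need" ] || continue
        if cpu_has "$need" "$2"; then
            printf 'OK  %s\n' "$opt"
        else
            printf 'BAD %s (cpu lacks %s)\n' "$opt" "$need"
            bad=1
        fi
    done
    return $bad
}

# Example run with the CFLAGS this guide settles on, against the Sempron:
# check_cflags "-O2 -march=athlon-xp -pipe -msse -msse2 -mmmx -mfpmath=sse,387" "$CPUINFO_SEMPRON"
```

Run check_cflags with your intended CFLAGS and the real /proc/cpuinfo; a BAD line means the option must come out of make.conf for that machine. The -march value is not checked here, since the model name to -march mapping is the manual step the text describes.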
CXXFLAGS="${CFLAGS}" Same as CFLAGS
CHOST='chost' Variable used by ebuild to force configure's build host to the defined value
CLEAN_DELAY='delay time' Sets the countdown delay after running "emerge clean" (Default 5 seconds)
CONFIG_PROTECT='dir dir2' Directories defined are set to 'config file protection', i.e. files in these dirs will not be overwritten
DEBUGBUILD If defined, libraries and binaries aren't stripped of debugging symbols before merge
DISTDIR= Defines the directory where all tarballs will be placed. The source code is kept
in this directory until you delete it. Default is ${PORTDIR}/distfiles
FEATURES=' features' Defines portage default actions.
autoaddcvs
Causes portage to automatically try
to add files to cvs that will have to be added later.
Done at generation times and only works when cvs is also in FEATURES.
buildpkg
Binary packages will be created for all packages that are merged.
candy
Changes the default spinner indicator to a little more interesting eye candy.
ccache
Enable portage support for the ccache package. If the ccache dir
is not present in the user's environment, then portage will default to
${PORTAGE_TMPDIR}/ccache (with userpriv) and to /root/.ccache otherwise.
cvs
A feature for developers that causes portage to enable all USE flags in SRC_URI when creating digests.
digest
Autogenerate a digest for packages.
distcc
Enable portage support for the distcc package.
fixpackages
Runs the script that will fix the dependencies in all binary
packages. This is run whenever packages are moved around in
the portage tree. Please note that this can take a lot of time.
keeptemp
Do not delete the ${T} directory after the merge process.
keepwork
Do not delete the ${WORKDIR} directory after the merge process.
mirror
This will cause FETCHCOMMAND to always be run even if the file already exists in DISTDIR.
noauto
When utilizing ebuild, only run the function requested.
noclean
Do not delete the source and temporary files after the merge process.
nostrip
Prevents the stripping of binaries that are merged to the live filesystem.
notitles
Disables xterm titlebar updates (which contains status info).
sandbox
Enable sandbox-ing when running emerge and ebuild.
strict
Have portage react strongly to conditions that have the potential
to be dangerous (like missing or incorrect Manifests).
userpriv
Allow portage to drop root privileges and compile packages as portage:portage
without a sandbox (unless usersandbox is also used).
usersandbox
Enable the sandbox in the compile phase, when running without root privs (userpriv).
FETCHCOMMAND="command" This variable sets the command and arguments used by portage to
download tarballs from portage mirrors. For example, if all web traffic
on your network has to go through a web proxy, then we set the
appropriate arguments here.
By default portage uses the wget utility for remote downloads.
FETCHCOMMAND="/usr/bin/wget -t 5 --passive-ftp \${URI} -P \${DISTDIR}"
is the default command. If for some reason you've been limited as to
how much bandwidth you can use on a certain connection you can add rate
limiting.
FETCHCOMMAND="/usr/bin/wget -t 5 --passive-ftp --limit-rate=200k \${URI} -P \${DISTDIR}"
RESUMECOMMAND="command" Command used to resume interrupted downloads
RESUMECOMMAND="/usr/bin/wget -c -t 5 --passive-ftp \${URI} -P \${DISTDIR}"
PORTAGE_BINHOST="server" Portage uses PORTAGE_BINHOST to specify the mirrors used for the downloading
of prebuilt binary packages.
SYNC="server" This variable dictates what server to sync the local portage tree with.
RSYNC_RETRIES="integer" How many times will portage try to retrieve a current portage tree?
RSYNC_TIMEOUT="integer" How long will portage wait until rsync times out on a connection.
MAKEOPTS="-j#" MAKEOPTS provides us with the ability to set extra options passed to make
when an ebuild is built. Here we can set how many parallel makes that
are used during an ebuild. We suggest using the number of processing elements
present in the system + 1.
DISTCC_DIR= Sets the temporary space used by distcc during compile time.
RSYNC_EXCLUDEFROM= File that portage will pass over when it syncs the portage tree.
Be very careful with this option as it can cause dependency failures.
GENTOO_MIRRORS="server server2" Defines gentoo mirrors for portage to use.
USE Flags
-------------------------------------------------------------------
USE flags are a very important part of the gentoo package management
system. They are used to control how the ebuilds build specific packages.
Declaring a USE flag tells the ebuild to either include or
not include a certain extension to a package.
There are close to a hundred USE flags that remain undocumented, but
the following is a list of most of the documented and widely used
USE flags.
computer_languages:
atlas Adds support for atlas instead of blas in dev-lang/R
guile Adds support for dev-util/guile (interpreter for Scheme)
java Adds support for Java
perl Adds support/bindings for the Perl language.
python Adds support/bindings for the Python language
ruby Adds support/bindings for the Ruby language
xml Check/Support flag for XML library (version 1)
xml2 Check/Support flag for XML library (version 2)
core_cpu_type:
x86 indicates that architecture is x86
ppc indicates that architecture is PowerPC
ppc64 indicates that architecture is PowerPC64
sparc indicates that architecture is (32-bit) Sparc
alpha indicates that architecture is 64-bit Alpha
mips indicates that architecture is MIPS based
hppa indicates that architecture is HP PA-Risc
arm indicates that architecture is ARM
amd64 indicates that architecture is AMD64
databases:
berkdb Adds support for sys-libs/db (Berkeley DB for MySQL)
firebird Adds support for the Firebird relational database
freetds Adds support for the TDS protocol to connect to MSSQL/Sybase databases
gdbm Adds support for sys-libs/gdbm (GNU database libraries)
informix Adds support for Informix database
innodb Adds innodb support for mySQL (transaction support)
libg++ Adds C++ modules in dev-db/postgresql (libpq++)
mysql Adds mySQL support
oci8 Adds Oracle Support
odbc Adds ODBC Support (Open DataBase Connectivity)
postgres Adds support for the postgresql database
sqlite Adds support for sqlite - embedded sql database
desktop_environments:
gnome Adds GNOME support
kde Adds support for kde-base/kde (K Desktop Environment)
displays:
dga Adds DGA Support (Xfree86) (DGA=Direct Graphic Access)
directfb Adds support for DirectFB layer (library for FB devices)
fbcon Adds framebuffer support for the console, via the kernel
ggi Adds support for media-libs/libggi (non-X video api/drivers)
gpm Adds support for sys-libs/gpm (Console-based mouse driver)
ncurses Adds ncurses support (console display library)
opengl Adds support for OpenGL
slang Adds support for the slang text display library (it's like ncurses, but different)
svga Adds support for SVGAlib (graphics library)
truetype Adds support for FreeType and/or FreeType2 fonts
X Adds support for XFree86
xosd Sends display using the X On Screen Display library
distributed_computing:
afs Adds OpenAFS support (distributed file system)
mpi Adds MPI (Message Passing Interface) layer to the apps that support it.
extra_hardware:
acpi Adds support for Advanced Configuration and Power Interface
apm Adds APM (Advanced Power Management) support
cdr Adds support for CD writer hardware (e.g. compile the koncd app in kdemultimedia)
cups Add support for CUPS (Common Unix Printing System)
dvd Adds support for DVDs
dvdr Adds support for DVD writer hardware (e.g. in xcdroast)
foomaticdb Adds support for the foomatic printing driver database
gphoto2 Adds digital camera support
gps Adds support for Global Positioning System
joystick Add support for joysticks in all packages
lirc Adds support for lirc (Linux's Infra-Red Remote Control)
nocardbus Disables cardbus support in pcmcia-cs
pcmcia Adds support for PCMCIA slots/devices found on laptop computers
pda Adds support for portable devices.
pnp Adds support for PNP in pcmcia-cs (Plug-N-Play)
ppds Adds support for automatically generated ppd (printing driver) files
scanner Adds support for scanner hardware (e.g. build the sane frontend in kdegraphics)
slp Adds Service Locator Protocol support to CUPS
usb Adds USB support to applications that have optional USB support (e.g. cups)
wavelan Tells pcmcia-cs that you want to use the built-in wvlan drivers instead of the Orinoco drivers
xinerama Add support for XFree86's xinerama extension, which allows you to stretch your display across multiple monitors
human_languages:
bidi Enables bidirectional language support
canna Adds support for the Canna kana to kanji conversion engine
cjk Adds support for Multi-byte character languages (Chinese, Japanese, Korean)
freewnn Adds support for FreeWnn kana to kanji conversion engine
mule Adds multi-language support to XEmacs
nls Adds Native Language Support (using gettext - GNU locale utilities)
unicode Adds support for Unicode
instant_messaging:
aim Enable AIM IM protocol support
icq Enable ICQ IM protocol support
jabber Enable jabber IM protocol support
msn Enable MSN Messenger IM protocol support
oscar Enable Oscar (AIM/ICQ) IM protocol support
yahoo Enable Yahoo Messenger IM protocol support
mail:
evo Adds support for evolution in gnumeric and multisync
imap Adds support for IMAP
ldap Adds LDAP support (Lightweight Directory Access Protocol)
maildir Adds support for maildir (~/.maildir) style mail spools
mbox Adds support for mbox (/var/spool/mail) style mail spools
xface Adds xface support -- only in use for sylpheed and sylpheed-claws
multimedia_audio:
audiofile Adds support for libaudiofile where applicable
encode Adds support for MEncoder or LaME encoder, wherever applicable
flac Adds support for the flac audio codec
mad Adds support for mad (high-quality mp3 decoder library and cli frontend)
mikmod Adds libmikmod support to allow playing of SoundTracker-style music files
oggvorbis Adds support for the OggVorbis audio encoding
speex Adds support for the speex audio codec
multimedia_images:
aalib Adds support for media-libs/aalib (ASCII-Graphics Library)
gif Adds GIF image support
imlib Adds support for media-libs/imlib (Image loading and rendering library)
imagemagick Enables support for Imagemagick (image converter)
jpeg Adds JPEG image support
lcms Adds lcms support to media-gfx/imagemagick (Color management)
png Adds support for libpng (PNG images)
tiff Adds support for the tiff image format
wmf Adds support for the wmf vector image format
multimedia_video:
avi Adds Win32 AVI support and also adds avifile (Library for avi) support
dvb Adds support for DVB (Digital Video Broadcasting)
theora Adds support for the Theora Video Compression Codec
xv Adds in optional support for the Xvideo extension (an X API for video playback)
multimedia_other:
flash Adds support for creating flash files using Ming
gd Adds support for media-libs/libgd (to generate graphics on the fly)
gd-external Use the external version of libgd rather than the bundled one (possibly dangerous)
gstreamer Adds support for media-libs/gstreamer (Streaming media)
matrox Adds Matrox MGA support to mplayer
mpeg Adds libmpeg3 support to various packages.
quicktime Adds support for OpenQuickTime
xmms Check/Support for XMMS (X MultiMedia System) player.
networking:
apache2 Chooses Apache2 support when a package supports both Apache1 and Apache2
adns Adds support for the adns DNS client library
curl Adds support for client-side URL transfer library
dedicated Adds support for dedicated game servers
ethereal Adds support for ethereal wiretap log support in kismet
ipv6 Adds support for IP version 6
kerberos Adds kerberos support
krb4 Adds optional kerberos 4 compatibility support
samba Adds support for SAMBA
sasl Adds support for the Simple Authentication and Security Layer
snmp Adds support for the Simple Network Management Protocol if available
socks5 Adds support for the socks5 proxy
ssl Adds support for Secure Socket Layer connections
tcpd Adds support for TCP wrappers
vhosts Adds support for installing web-based applications into a virtual-hosting environment
yaz Adds in optional support for the Z39.50 Protocol for Information Retrieval (YAZ)
office_like_stuff:
bonobo Adds support for gnome-base/bonobo (Gnome CORBA interfaces)
cscope Enables cscope interface -- in vim for example
emacs Adds support for GNU Emacs
gb Adds support for Gnome Basic to gnumeric
junit Adds junit awareness -- useful for developers.
leim Adds input methods support to Emacs
libgda Adds GNU Data Access (CORBA wrapper) support for gnumeric
mcal Adds support for MCAL calendar system
pdflib Adds support for PDF (Portable Document Format)
plotutils Adds plotutils support to gnuplot (library for 2-D vector graphics)
spell Adds dictionary support
tetex Adds support for teTeX
processor_instruction_sets:
3dnow Adds support for 3dnow multimedia processor instructions
altivec Adds support for optimizations for G4 and G5/ppc970 processors
ev6 Assume Alpha processor is EV6 or better
mmx Adds support for optimizations for Pentium MMX and Athlon class processors
sse fast floating point optimisation for Pentium class chips
scientific:
fftw Use FFTW library for computing Fourier transforms
ginac Adds app-sci/ginac (symbolic math) support
gmp Adds support for dev-libs/gmp (GNU MP library)
netcdf Enable NetCDF data format support
security:
acl Adds support for Access Control Lists
caps Use Linux capabilities library to control privileges.
crypt Add support for encryption -- using mcrypt or gpg where applicable
hardened activate the default security implementation of specific Gentoo Hardened patches (kernel, gcc, glibc, binutils)
pam Adds support PAM (Pluggable Authentication Modules)
prelude Adds support/bindings for the Prelude Intrusion Detection System
trusted used by pcmcia-cs to see if a regular user can add and remove pcmcia cards
server_only_stuff:
fastcgi Add support for the FastCGI interface
fdftk Add supports for Adobe's FDF toolkit.
zeo Adds support for Zope Enterprise Objects
sound:
alsa Adds support for media-libs/alsa-lib (Advanced Linux Sound Architecture)
arts Adds support for aRts: the KDE sound daemon
esd Adds support for media-sound/esound (Enlightened Sound Daemon)
jack Adds support for the JACK Audio Connection Kit
ladcca Adds Linux Audio Developer's Configuration and Connection API support (LADCCA)
nas Adds support for network audio sound
oss Adds support for OSS (Open Sound System)
system:
accessibility Adds support for accessibility (eg 'at-spi' library)
bindist Flag to enable or disable options for prebuilt (GRP) packages (eg. due to licensing issues)
debug Tells configure and the makefiles to build for debugging. Effects vary across packages, but generally it will at least add -g to CFLAGS. Remember to set FEATURES+=nostrip too.
doc Adds extra documentation (API, Javadoc, etc)
fam Enable FAM support (File Alteration Monitor)
icc Add support for the Intel C++ Compiler (does _not_ set $CC)
icc-pgo Enable PGO data generation or use when use icc.
jikes Compile Java source code with jikes (faster)
memlimit Adds memory usage limiting in supporting programs
nhc98 Use the nhc98 Haskell compiler instead of GHC if the package supports it
nocd Tells emerge to install all files required to run the application without a CD mounted
offensive Enables potentially offensive items in packages
readline enables support for libreadline, a GNU line-editing library that most everyone wants.
sdl Adds support for Simple Direct Layer (media library)
videos Tells portage to install optional video files (used in some games)
zlib Adds support for zlib (de)compression
video_cards:
3dfx Adds support for 3dfx video cards to XFree86. See: voodoo3
voodoo3 Adds support for 3Dfx's Voodoo3 video chipset, else defaults to Voodoo4/5 support if not in USE.
web_browsing:
emacs-w3 Add support for Emacs/W3 where applicable
libwww Adds libwww support (General purpose WEB API)
mozilla Adds mozilla support
widgets:
gtk Adds support for x11-libs/gtk+ (The GIMP Toolkit)
gtk2 Use gtk+-2.0.0 over gtk+-1.2 in cases where a program supports both.
gtkhtml Adds support for gnome-extra/gtkhtml
lesstif Use lesstif over openmotif in cases where a program supports both
motif Adds motif support (x11-libs/openmotif x11-libs/lesstif)
qt Adds support for the Qt library.
tcltk Support for Tcl and/or Tk
Xaw3d Adds support of the 3d athena widget set
wxwindows Adds support for wxWindows/wxGTK
[Thanks to http://forums.gentoo.org/viewtopic-t-157851.html for the organized list]
For the purposes of this guide we will go with the following use flags.
USE="nptl ithreads pthreads -java X kde -gnome qt mozilla gtk2"
__________________
/Example make.conf \
------------------------------------------------------------------------
CFLAGS="-O2 -march=athlon-xp -pipe -fomit-frame-pointer -msse -msse2 -mmmx \
-fforce-addr -ffast-math -fstack-protector-all -mfpmath=sse,387"
CHOST="i686-pc-linux-gnu"
CXXFLAGS="${CFLAGS}"
USE="acpi locales ithreads pthreads nls nptl pam ssl x86 mysql directfb ncurses opengl svga \
apache2 curl vhosts tcpd kerberos 3dnow sse mmx zlib readline"
ACCEPT_KEYWORDS="x86"
PORTAGE_TMPDIR="/var/tmp"
PORT_LOGDIR="/var/log/portage"
PORTDIR_OVERLAY="/var/local/portage"
MAKEOPTS="-j2"
AUTOCLEAN="yes"
FEATURES="sandbox ccache distlocks userpriv usersandbox candy"
CCACHE_SIZE="512M"
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Final Step!
Optimize the Mirrors
# mirrorselect -D -a -s4 -o |grep 'GENTOO_MIRRORS=' >> /mnt/gentoo/etc/make.conf
---------------------------------------------------------------------
Building our base system
----------------------------------------------------------------------
Well now that we've got all our optimizations and portage specifics squared away
we can get into the building of our system.
Doing some final touches....
mount -t proc none /mnt/gentoo/proc
This allows you to view the kernel provided information within the chroot
environment
cp /etc/resolv.conf /mnt/gentoo/etc/resolv.conf
Copying the DNS information we set/received when we first set up networking
to the chroot environment.
Lets chroot into our new system
chroot /mnt/gentoo /bin/bash
env-update
source /etc/profile
Alright! Can you feel the beauty of the # prompt? Righteous... let's get
busy, what do you say?
emerge --sync
cd /usr/portage
scripts/bootstrap.sh
This step will start the bootstrapping process which will build your toolchain.
The toolchain consists of gcc,binutils,glibc and various other packages. These
tools built during this step will allow us to continue to expand and build the
rest of the gentoo system.
At this time you might be wondering...."How long is this going to take....?"
The answer.... A while! So get comfortable; pacman is always a good choice.
At the time of this writing the 3.3 series gcc variant has been in use in
Gentoo for well over a year. The 3.4 series has long been stable and 4.0
has been released as stable but is still widely untested. In this portion
of the guide I will walk you through upgrading your gcc to the 3.4 branch
and further adjust your CFLAGS variable in the make.conf.
Alright lets get started.
#nano /etc/portage/package.keywords
_______________________________
_/ /etc/portage/package.keywords \____________________________
sys-devel/gcc ~x86
sys-devel/gcc-config ~x86
sys-libs/libstdc++-v3 ~x86
sys-libs/glibc ~x86
--------------------------------------------------------------
#nano /etc/portage/package.use
__________________________
_/ /etc/portage/package.use \_________________________________
sys-libs/glibc userlocales
sys-devel/libperl ithreads
dev-lang/perl ithreads
______________________________________________________________
By default glibc builds all locales, even though normally only two are used.
Using nano, edit the /etc/locales.build file to resemble this.
____________________
_/ /etc/locales.build \_______________________________________
en_US/ISO-8859-1
en_US.UTF-8/UTF-8
______________________________________________________________
At this point we need to rebuild our toolchain to upgrade to the latest version
of gcc.
#env-update && source /etc/profile && emerge gcc glibc gcc-config libstdc++-v3
After this process completes, which will take some time, we need to switch compiler
profiles to make use of the newly built compiler. Complete the following steps
to switch to the new compiler profile.
gcc-config -l
[1] i686-pc-linux-gnu-3.3.5 *
[2] i686-pc-linux-gnu-3.3.5-hardened
[3] i686-pc-linux-gnu-3.3.5-hardenednopie
[4] i686-pc-linux-gnu-3.3.5-hardenednossp
[5] i686-pc-linux-gnu-3.4.3-20050110
[6] i686-pc-linux-gnu-3.4.3-20050110-hardened
[7] i686-pc-linux-gnu-3.4.3-20050110-hardenednopie
[8] i686-pc-linux-gnu-3.4.3-20050110-hardenednossp
gcc-config 6
Or adapt to a different compiler profile of your choosing.
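Before repeating the bootstrap it is worth confirming that the profile you just selected really is the full hardened one: a plain profile, or one of the "-hardenednopie" / "-hardenednossp" variants, will rebuild the whole system without PIE or stack protection and nothing will complain. The script below is an added example, not part of the original guide. It parses the gcc-config -l listing format shown above; LISTING is a constructed copy of that output, and on a live box you would feed it `gcc-config -l` instead.

```shell
#!/bin/sh
# Added example (not from the original guide): check that the active
# gcc profile is a full hardened one (SSP + PIE) before rebuilding.

# Constructed copy of the "gcc-config -l" listing from the guide; on a
# real box use:  LISTING=$(gcc-config -l)
LISTING='[1] i686-pc-linux-gnu-3.3.5 *
[2] i686-pc-linux-gnu-3.3.5-hardened
[3] i686-pc-linux-gnu-3.3.5-hardenednopie
[4] i686-pc-linux-gnu-3.3.5-hardenednossp
[5] i686-pc-linux-gnu-3.4.3-20050110
[6] i686-pc-linux-gnu-3.4.3-20050110-hardened
[7] i686-pc-linux-gnu-3.4.3-20050110-hardenednopie
[8] i686-pc-linux-gnu-3.4.3-20050110-hardenednossp'

# active_profile LISTING -> name of the profile marked with "*"
active_profile() {
    printf '%s\n' "$1" | awk '$NF == "*" { print $2; exit }'
}

# profile_index LISTING NAME -> the number gcc-config wants for NAME
profile_index() {
    printf '%s\n' "$1" | awk -v n="$2" '$2 == n {
        sub(/^\[/, "", $1); sub(/\]$/, "", $1); print $1; exit }'
}

# profile_is_hardened NAME -> 0 only for the full "-hardened" variant;
# the "nopie"/"nossp" variants each drop one of the two protections.
profile_is_hardened() {
    case "$1" in
        *-hardenednopie|*-hardenednossp) return 1 ;;
        *-hardened) return 0 ;;
    esac
    return 1
}

# hardened_profiles LISTING -> names of all full hardened profiles, newest last
hardened_profiles() {
    printf '%s\n' "$1" | awk '$2 ~ /-hardened$/ { print $2 }'
}

# check_toolchain LISTING -> 0 if the active profile is hardened; otherwise
# prints the gcc-config command that selects the newest hardened profile
check_toolchain() {
    cur=$(active_profile "$1")
    if profile_is_hardened "$cur"; then
        echo "OK: active profile $cur is hardened"
        return 0
    fi
    want=$(hardened_profiles "$1" | tail -n 1)
    echo "WARN: active profile $cur is not hardened; run: gcc-config $(profile_index "$1" "$want")"
    return 1
}

check_toolchain "$LISTING" || true   # non-zero just means "switch first"
```

After switching, remember that the new profile only takes effect in a shell that has run env-update && source /etc/profile, which is why the bootstrap line below starts with exactly that.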
Now to repeat the manual bootstrap.
#env-update && source /etc/profile && emerge glibc gcc gcc-config libstdc++-v3
Well what do we have here.....? Could it be...a completed bootstrapping process?
I surely hope so after all that time. However, if you ran into problems
make sure you check your CFLAGS and are positive that they are the right
flags for your hardware. If you are still having issues refer to the
gentoo forums or their irc channels.
At this point we're ready to install the rest of the base
system.
emerge -e system
I'm sorry to say friend...you're going to have to wait a little bit longer.
Oh! wicked....at this time you should have a completely finished system install.
Feel good eh? Well, let's get the kernel, bootloader and everything else configured,
what do you say?
=======================================
Kernel Config
=======================================
Let's first set the timezone like good little boys and girls. The command
wants the name of your own zone file appended after /usr/share/zoneinfo/.
ln -s /usr/share/zoneinfo/ /etc/localtime
Alright, now to choose the kernel to install.
development-sources Virgin 2.6 kernel tree
gentoo-sources 2.6 kernel series with gentoo patches
grsec-sources GRSecurity patches against a vanilla kernel
hardened-dev-sources Hardened sources for the 2.6 series
hardened-sources Hardened sources for the 2.4 series
hppa-dev-sources HPPA Linux kernel patch set 2.6
hppa-sources HPPA Linux kernel patch set
mips-sources MIPS Linux kernel patch set
openmosix-sources Gentoo openMosix Kernel
pegasos-dev-sources Pegasos PPC based kernel 2.6
pegasos-sources Pegasos PPC based kernel 2.4
rsbac-dev-sources RSBAC hardened 2.6 sources
rsbac-sources RSBAC hardened 2.4 sources
sparc-sources Gentoo Kernel for the SPARC
uclinux-sources uCLinux Kernel patches for systems without MMUs
usermode-sources Usermode Linux Patches
vanilla-sources Virgin Sources
win4lin-sources Patched to support the win4lin tools
wolk-sources Working Overloaded Linux Kernel
xbox-sources Patched best to run on the xbox
Now it's up to you the user to choose the best setup for your system.
However in this guide we suggest that you use the hardened-dev-sources,
for its added security features.
Hardened Kernel Config
----------------------------------------
Alright lets get to it!
cd /usr/src/linux
make menuconfig
At this time you'll be faced with a number of options.
I'm going to go through them one by one for the most
generic install. If you require a different type of
kernel, follow the guide provided with that kernel.
Code maturity level options --->
[*] Prompt for development and/or incomplete code/drivers
This is nearly always essential to enable, as otherwise many drivers
won't show up.
General setup --->
[*] Support for paging of anonymous memory (swap)
[*] System V IPC
[*] POSIX Message Queues
[*] BSD Process Accounting
[*] Sysctl support
[*] Support for hot-pluggable devices
Most of these options are always good ideas to have and some are essential.
However it's up to you as the administrator to enable hot-pluggable devices
or not.
Note: If you're going to set up SELinux also enable [ ] Auditing support
Loadable Module support --->
[ ] Enable loadable module support
It is best in a high security environment to build a monolithic kernel and
completely remove the ability to load malicious code into kernel memory space.
Processor type and features --->
Subarchitecture Type (PC-compatible) --->
Processor family (Pentium-4/Celeron(P4-based)/Pentium 4 M/Xeon)
[*] Generic x86 support
[ ] Symmetric multi-processing support
[*] Preemptible kernel
[*] Local APIC support on uniprocessors
[*] IO-APIC support on uniprocessors
[*] Machine Check Exception
[*] MTRR (Memory Type Range Register) support
For uniprocessor machines this would be your best bet. However for those
of you lucky enough to run SMP (Symmetric multi-processing) machines your section
will look something like the following.
_______________________________________________________
NOTE: Some SATA controllers require that you do not enable local APIC
-------------------------------------------------------
Processor type and features --->
Subarchitecture Type (PC-compatible) --->
Processor family (Pentium-4/Celeron(P4-based)/Pentium 4 M/Xeon)
[*] Generic x86 support
[*] Symmetric multi-processing support
[*] Preemptible kernel
[ ] Local APIC support on uniprocessors
[*] Machine Check Exception
[*] MTRR (Memory Type Range Register) support
<*> /dev/cpu/*/msr - Model - specific register support
Power management options (ACPI, APM) --->
[*] Power Management support
[ ] Software Suspend (EXPERIMENTAL)
[ ] Suspend-to-Disk Support
ACPI (Advanced Configuration and Power Interface) Support --->
APM (Advanced Power Management) BIOS Support --->
CPU Frequency scaling --->
This section is more your choice, set it up to suit your needs.
Bus options (PCI, PCMCIA, EISA, MCA, ISA) --->
[*] PCI support
PCI access mode (Any) --->
[*] Legacy /proc/pci interface
[*] PCI device name database
The rest of the options must suit your hardware configuration.
Executable File Formats --->
[*] Kernel support for ELF binaries
<*> Kernel support for a.out and ECOFF binaries
<*> Kernel support for MISC binaries
Always a good idea to be able to actually run executables...
Device Drivers --->
This section is definitely up to the user to specify. Here
all you need to do is go through the sections and select
which drivers best suit your hardware. Now, USB thumbdrive
support might seem like a good idea. Yet in an extremely
high security environment the risk of data entering/leaving
the environment is too great. I suggest that you disable
this feature in
USB support --->
< > USB Mass Storage support
Now for the Networking....
Networking support --->
Networking options --->
Network packet filtering (replaces ipchains) --->
[*] IP: TCP syncookie support (disabled per default)
[*] IP: TCP stealth options (enabled per default)
IP: Netfilter Configuration --->
[*] Iptables support (required for filtering/masq/NAT)
This section's further selections will rely
on your choices for the included features
in the firewall.
As I said before most of the Device Drivers section
will be up to you, but be careful what you enable
and disable.
File systems --->
[*] Reiserfs support
[*] Stats in /proc/fs/reiserfs
[*] ReiserFS extended attributes
[*] ReiserFS POSIX Access Control List
[*] ReiserFS Security Labels
[*] Quota support
[*] Kernel automounter support
Pseudo filesystems --->
[*] proc file system support
[*] /dev/pts Extended attributes
[*] /dev/pts Security Labels
Beyond those selections, select what ever fits your system
the best.
Now for the really interesting part, security. The gentoo hardened kernel
includes many patches that enable different forms of security. One such
patch is called the GRSecurity patch-set. GRSecurity is a specific patchset
from www.grsecurity.net, aimed at providing advanced kernel level security
additions to the system. We use this along with PaX to help prevent many
forms of attacks. It's not fool proof, this patch won't protect you from
your self, but it will protect against many basic and advanced forms of attack.
Security options --->
Grsecurity --->
Security Level (Custom) --->
Address Space Protection --->
[*] Deny writing to /dev/kmem, /dev/mem, and /dev/port
[*] Disable privileged I/O
[*] Remove addresses from /proc/<pid>/[maps/stat]
[*] Hide kernel symbols
----------------------------------------------------
NOTE: If you plan on running X enable privileged I/O
the X server needs to reference video memory via /dev/mem
-----------------------------------------------------
Role Based Access Control Options --->
[*] Hide kernel processes
(3) Maximum tries before password lockout
(60) Time to wait after max password tries, in seconds
Filesystem Protections --->
[*] Proc restrictions
[*] Restrict /proc to user only
[*] Additional restrictions
[*] Linking restrictions
[*] FIFO restrictions
[ ] Chroot jail restrictions
--------------------------------------
NOTE: Chroot jails are up to you
--------------------------------------
Kernel Auditing --->
[ ] Single group for auditing
[ ] Exec logging
[*] Resource logging
[*] Log execs within chroot
[ ] Chdir logging
[*] (Un)Mount logging
[ ] IPC logging
[*] Signal logging
[*] Fork failure logging
[ ] Time change logging
[*] /proc/<pid>/ipaddr support
Executable Protections --->
[*] Enforce RLIMIT_NPROC on execs
[*] Dmesg(8) restriction
[*] Randomized PIDs
[ ] Trusted Path Execution (TPE)
------------------------------
NOTE: TPE is up to you
------------------------------
Network Protections --->
[*] Larger entropy pools
[*] Truly random TCP ISN selection
[*] Randomized IP IDs
[*] Randomized TCP source ports
[*] Randomized RPC XIDs
[*] Socket Restrictions
-----------------------------
NOTE: Socket Restrictions are very useful
in high security environments. I suggest you
employ them.
PaX --->
PaX Control --->
[ ] Support soft mode
[*] Use legacy ELF header marking
[*] Use ELF program header marking
MAC system integration (hook) --->
Non-executable pages --->
[*] Enforce non-executable pages
[*] Segmentation based on non-executable pages
Default non-executable page method (SEGMEXEC) --->
[*] Emulate trampolines
[*] Restrict mprotect()
[*] Enforce non-executable kernel pages
Address Space Layout Randomization --->
[*] Address Space Layout Randomization
[*] Randomize kernel stack base
[*] Randomize user stack base
[*] Randomize mmap() base
[*] Randomize ET_EXEC base
[*] Enable different security models
[*] Socket and Networking Security Hooks
[*] Default Linux Capabilities
[ ] Root Plug Support
[ ] NSA SELinux Support
-----------------------------
NOTE: SELinux loading is up to you
-----------------------------
-----------------------------------
NOTE: These are just some suggestions for your kernel configuration
I suggest that you go through a few times checking features out and
making sure you have it the way you like it.
-----------------------------------
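Once you save and exit, menuconfig writes the choices above to /usr/src/linux/.config, and it is easy to lose one of them on a second pass through the menus. The script below is an added example, not part of the original guide: it checks a .config against the hardening selections made above and flags anything that drifted. The CONFIG_ symbol names are my assumption of what the menu entries map to; they change between grsecurity/PaX releases, so compare them with the help text of each entry in your own tree. The .config content here is a constructed fragment, not output from a real build.

```shell
#!/bin/sh
# Added example (not from the original guide): check a kernel .config
# against the hardening selections made in menuconfig above.
# The CONFIG_ symbols are assumed to match the menu entries; verify them
# against the help text of your own kernel tree.

# Options that must be =y: "SYMBOL  menu entry it corresponds to"
REQUIRED='
CONFIG_PAX_NOEXEC          Enforce non-executable pages
CONFIG_PAX_SEGMEXEC        Segmentation based on non-executable pages
CONFIG_PAX_MPROTECT        Restrict mprotect()
CONFIG_PAX_ASLR            Address Space Layout Randomization
CONFIG_PAX_RANDMMAP        Randomize mmap() base
CONFIG_GRKERNSEC_KMEM      Deny writing to /dev/kmem, /dev/mem, and /dev/port
CONFIG_GRKERNSEC_HIDESYM   Hide kernel symbols
CONFIG_GRKERNSEC_DMESG     Dmesg(8) restriction
CONFIG_SYN_COOKIES         IP: TCP syncookie support
'
# Options that must be left unset (monolithic kernel, no USB storage)
FORBIDDEN='
CONFIG_MODULES             Enable loadable module support
CONFIG_USB_STORAGE         USB Mass Storage support
'

# config_value FILE SYMBOL -> value after "=" (empty when the symbol is
# absent or appears as "# SYMBOL is not set")
config_value() {
    awk -v s="$2" -F= '$1 == s { print $2; exit }' "$1"
}

# check_config FILE -> prints one line per problem, returns 1 if any
check_config() {
    cfg=$1
    findings=$(
        printf '%s\n' "$REQUIRED" | while read -r sym desc; do
            [ -n "$sym" ] || continue
            v=$(config_value "$cfg" "$sym")
            [ "$v" = y ] || echo "MISSING: $sym ($desc) is '${v:-not set}', want y"
        done
        printf '%s\n' "$FORBIDDEN" | while read -r sym desc; do
            [ -n "$sym" ] || continue
            v=$(config_value "$cfg" "$sym")
            [ -z "$v" ] || echo "ENABLED: $sym ($desc) is '$v', want not set"
        done
    )
    if [ -z "$findings" ]; then
        echo "OK: $cfg matches the hardening checklist"
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample .config fragment (not from a real build): module
# support was left on and mmap() randomization was missed.
SAMPLE_CONFIG=$(mktemp)
cat > "$SAMPLE_CONFIG" <<'EOF'
CONFIG_MODULES=y
CONFIG_SYN_COOKIES=y
# CONFIG_USB_STORAGE is not set
CONFIG_PAX_NOEXEC=y
CONFIG_PAX_SEGMEXEC=y
CONFIG_PAX_MPROTECT=y
CONFIG_PAX_ASLR=y
# CONFIG_PAX_RANDMMAP is not set
CONFIG_GRKERNSEC_KMEM=y
CONFIG_GRKERNSEC_HIDESYM=y
CONFIG_GRKERNSEC_DMESG=y
EOF

# On a real tree:  check_config /usr/src/linux/.config
check_config "$SAMPLE_CONFIG" || true
```

Run it after every trip through menuconfig and before `make`; a kernel that silently kept CONFIG_MODULES=y undoes the monolithic-kernel decision made in the Loadable Module support section.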
Alright, now let's exit the kernel configuration utility and start the build.
make
Now let's install the kernel image to /boot. Note: if you skip this, the bootloader will boot the old bzImage instead of the newly compiled one.
cp arch/i386/boot/bzImage /boot
Ok, now that we have the system kernel all setup and installed, just some more
simple final touches before we can boot the first time.
emerge hotplug
rc-update add hotplug default
Setting up udev
--------------------
Because the legacy devfsd has gone the way of the dinosaur and XOR-based crypto algorithms, we're left
with a need for a new /dev filesystem manager. The job has happily been given to udev, an advanced
rule-based filesystem manager used to control device naming. Writing udev rules isn't required,
but in this guide I will give some basic suggestions on what you should do with the power that udev
gives you as an administrator. Alright, let's dive straight into setting up udevd.
emerge udev
From here we need to configure rc.conf to use udev at boot. We do this by editing the rc.conf file
in the following manner.
______________
/ /etc/rc.conf \
---------------------------------------------------------------------------------------------
RC_NET_STRICT_CHECKING="no"
RC_DEVICES="udev"
RC_DEVICE_TARBALL="no"
---------------------------------------------------------------------------------------------
RC_DEVICE_TARBALL is worth mentioning here because udev can save all of the
device nodes to a backup tarball and then restore them on reboot. This can be
useful if you have a lot of custom nodes or are testing out certain
configurations.
On boot, udev builds the device files in the dev filesystem and decides what to
name the device nodes based on a set of rules dictated by a udev
configuration file.
________
INCOMPLETE
--------
Creating /etc/fstab
----------------------
Your fstab file should look something like this. Note that the sample below lists /home twice (hda2 and hda9); a mount point can only be used once, so check it against your own partition layout before copying. The options used:
noauto - do not mount automatically on boot
noatime - turns off atimes for increased performance
notail - increases performance on reiserfs
nosuid - Ignores the SUID bit on files from specified partition
nodev - Ignores devices
____________
/ /etc/fstab \
-----------------------------------------------------------------------------------------------
/dev/hda1 /boot reiserfs noauto,noatime 1 1
/dev/hda2 /home reiserfs notail,noatime,nodev,nosuid 0 0
/dev/hda3 none swap sw 0 0
/dev/hda5 / reiserfs notail,noatime 0 0
/dev/hda6 /usr reiserfs notail,noatime,nodev 0 0
/dev/hda7 /opt reiserfs notail,noatime,nodev 0 0
/dev/hda8 /var reiserfs notail,noatime,nodev 0 0
/dev/hda9 /home reiserfs notail,noatime,nodev,nosuid,noexec 0 0
/dev/cdroms/cdrom0 /mnt/cdrom iso9660 noauto,ro 0 0
proc /proc proc defaults 0 0
------------------------------------------------------------------------------------------------
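The nodev/nosuid/noexec choices above are the part of fstab that matters for security, and they are easy to get wrong on one line of a long file. The script below is an added example, not part of the original guide: it audits an fstab for duplicate mount points and for data partitions missing the options this guide uses. The policy in wanted_opts is my reading of the fstab above (nodev on every real filesystem except / and /boot; nosuid and noexec as well on /home, /tmp and /var/tmp), so adjust it to your own layout. The sample it runs over is the guide's fstab, copied into a temporary file.

```shell
#!/bin/sh
# Added example (not from the original guide): audit an fstab for the
# mount options this guide recommends and for duplicate mount points.

# has_opt OPTS NAME -> 0 if NAME is one of the comma-separated OPTS
has_opt() {
    case ",$1," in *",$2,"*) return 0 ;; esac
    return 1
}

# wanted_opts MOUNTPOINT -> options that partition should carry.
# Policy (assumed from the guide's fstab): data partitions get nodev;
# areas users can write to (/home, /tmp, /var/tmp) also get nosuid+noexec.
wanted_opts() {
    case "$1" in
        /|/boot) echo "" ;;
        /home|/tmp|/var/tmp) echo "nodev nosuid noexec" ;;
        *) echo "nodev" ;;
    esac
}

# audit_fstab FILE -> one line per finding, returns 1 if any
audit_fstab() {
    fstab=$1
    rc=0
    # 1) a mount point listed twice is a layout mistake: only one line wins
    for mp in $(awk '$1 !~ /^#/ && NF >= 2 { print $2 }' "$fstab" | sort | uniq -d); do
        echo "DUP: mount point $mp appears more than once"
        rc=1
    done
    # 2) hardening options missing on real filesystems (swap/proc/cdrom skipped)
    while read -r dev mp type opts rest; do
        case "$dev" in ''|\#*) continue ;; esac
        case "$type" in swap|proc|iso9660) continue ;; esac
        for o in $(wanted_opts "$mp"); do
            has_opt "$opts" "$o" || { echo "MISSING: $mp ($dev) lacks $o"; rc=1; }
        done
    done < "$fstab"
    return $rc
}

# Constructed sample: the fstab from this guide, copied into a temp file
SAMPLE_FSTAB=$(mktemp)
cat > "$SAMPLE_FSTAB" <<'EOF'
/dev/hda1 /boot reiserfs noauto,noatime 1 1
/dev/hda2 /home reiserfs notail,noatime,nodev,nosuid 0 0
/dev/hda3 none swap sw 0 0
/dev/hda5 / reiserfs notail,noatime 0 0
/dev/hda6 /usr reiserfs notail,noatime,nodev 0 0
/dev/hda7 /opt reiserfs notail,noatime,nodev 0 0
/dev/hda8 /var reiserfs notail,noatime,nodev 0 0
/dev/hda9 /home reiserfs notail,noatime,nodev,nosuid,noexec 0 0
/dev/cdroms/cdrom0 /mnt/cdrom iso9660 noauto,ro 0 0
proc /proc proc defaults 0 0
EOF

# On a real box:  audit_fstab /etc/fstab
audit_fstab "$SAMPLE_FSTAB" || true
```

On the guide's own fstab this reports the duplicated /home and that the hda2 line lacks noexec; the rest passes the policy.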
Networking Setup
----------------------------------------------------
Setting the hostname
echo hardened > /etc/hostname
Setting the domain name
echo 0x41.com > /etc/dnsdomainname
Add the domainname script to the rc-process
rc-update add domainname default
_________________
/ /etc/conf.d/net \
--------------------------------------------------------------------------------------------
# /etc/conf.d/net:
# $Header: /home/cvsroot/gentoo-src/rc-scripts/etc/conf.d/net,v 1.7 2002/11/18 19:39:22 azarah Exp $
# Global config file for net.* rc-scripts
# This is basically the ifconfig argument without the ifconfig $iface
#
iface_eth0="192.168.0.101 broadcast 192.168.255.255 netmask 255.255.255.0"
#iface_eth1="207.170.82.202 broadcast 207.0.255.255 netmask 255.255.0.0"
# For DHCP set iface_eth? to "dhcp"
# For passing options to dhcpcd use dhcpcd_eth?
#iface_eth0="dhcp"
#dhcpcd_eth0="..."
# For adding aliases to a interface
#
#alias_eth0="192.168.0.3 192.168.0.4"
# NB: The next is only used for aliases.
#
# To add a custom netmask/broadcast address to created aliases,
# uncomment and change accordingly. Leave commented to assign
# defaults for that interface.
#
#broadcast_eth0="192.168.0.255 192.168.0.255"
#netmask_eth0="255.255.255.0 255.255.255.0"
# For setting the default gateway
#
gateway="eth0/192.168.0.1"
---------------------------------------------------------------------------------------------
A simple setup like this should be sufficient for most. However, if you're
on a network designed for DHCP all you have to do is set
iface_eth0="dhcp"
and comment everything else out.
rc-update add net.eth0 default
Now if you have multiple interfaces....
cd /etc/init.d
ln -s net.eth0 net.eth1
rc-update add net.eth1 default
However, remember to set up the interface in /etc/conf.d/net as well
or the iface will not work.
Basic system setup
----------------------------------------------------
Let's set the almighty root password.
passwd
Installing the logger
emerge syslog-ng
rc-update add syslog-ng default
ReiserFS tools are very useful when unexpected things happen to your system.
emerge reiserfsprogs
The final step!
------------------------------------------------------
Installing the bootloader.
In this guide we suggest that you use the all-time favorite bootloader,
grub. Make sure the root= argument on the kernel line names the same device
your fstab mounts on / (the fstab above uses /dev/hda5 for / and /dev/hda3 for
swap, while the grub.conf below says /dev/hda3); if the two disagree the kernel
will fail to mount its root filesystem at boot.
emerge grub
nano /boot/grub/grub.conf
----------------------------------------------------------------
default 0
timeout 20
splashimage=(hd0,0)/grub/splash.xpm.gz
title=Hera
root (hd0,0)
kernel /bzImage root=/dev/hda3 video=vesafb:ywrap,mtrr vga=773
----------------------------------------------------------------
Let's install, shall we?
grub-install --root-directory=/boot /dev/hda
grub
grub> root (hd0,0)
grub> setup (hd0)
quit
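One last check before the reboot: the root= device on the grub kernel line and the / entry in fstab must agree, and in this guide they do not (root=/dev/hda3 in grub.conf against /dev/hda5 for / in fstab). The script below is an added example, not part of the original guide. It pulls both values out of the two files and compares them; the samples are copies of the guide's grub.conf and the relevant fstab lines, plus a second grub.conf edited to agree with the fstab so the passing case is shown too.

```shell
#!/bin/sh
# Added example (not from the original guide): make sure the root= device
# on the grub kernel line is the same device fstab mounts on /. A mismatch
# leaves the kernel unable to mount its root filesystem at boot.

# grub_root GRUB_CONF -> device named by root= on the first "kernel" line
grub_root() {
    awk '$1 == "kernel" {
        for (i = 2; i <= NF; i++)
            if ($i ~ /^root=/) { sub(/^root=/, "", $i); print $i; exit }
    }' "$1"
}

# fstab_root FSTAB -> device listed for the / mount point
fstab_root() {
    awk '$1 !~ /^#/ && $2 == "/" { print $1; exit }' "$1"
}

# check_boot_root GRUB_CONF FSTAB -> 0 if they agree, 1 on mismatch,
# 2 if either file lacks the entry
check_boot_root() {
    g=$(grub_root "$1")
    f=$(fstab_root "$2")
    [ -n "$g" ] || { echo "ERROR: no root= on a kernel line in $1"; return 2; }
    [ -n "$f" ] || { echo "ERROR: no / entry in $2"; return 2; }
    if [ "$g" = "$f" ]; then
        echo "OK: grub root=$g matches fstab"
        return 0
    fi
    echo "MISMATCH: grub root=$g but fstab mounts / from $f"
    return 1
}

# Constructed samples copied from this guide's grub.conf and fstab
SAMPLE_GRUB=$(mktemp)
cat > "$SAMPLE_GRUB" <<'EOF'
default 0
timeout 20
splashimage=(hd0,0)/grub/splash.xpm.gz
title=Hera
root (hd0,0)
kernel /bzImage root=/dev/hda3 video=vesafb:ywrap,mtrr vga=773
EOF

SAMPLE_FSTAB=$(mktemp)
cat > "$SAMPLE_FSTAB" <<'EOF'
/dev/hda1 /boot reiserfs noauto,noatime 1 1
/dev/hda3 none swap sw 0 0
/dev/hda5 / reiserfs notail,noatime 0 0
EOF

# The same grub.conf with root= edited to agree with the fstab
FIXED_GRUB=$(mktemp)
sed 's#root=/dev/hda3#root=/dev/hda5#' "$SAMPLE_GRUB" > "$FIXED_GRUB"

# On a real box:  check_boot_root /boot/grub/grub.conf /etc/fstab
check_boot_root "$SAMPLE_GRUB" "$SAMPLE_FSTAB" || true
check_boot_root "$FIXED_GRUB" "$SAMPLE_FSTAB"
```

Which of the two files is right depends on how you partitioned the disk earlier; the check only tells you that they disagree, and you fix whichever one does not match the layout you actually created.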
Finished
----------------------------------------------------------------
w00tar to the max friend! You are done! reboot, eject the cd
and watch your new strong gentoo system scream past your hopes
and dreams!