Gentoo Hardened for the win

2007-08-09 11:24:56 PST


Preliminary googling seems to indicate that there aren't any mainstream distros compiling all their binaries with even basic SSP (stack-smashing protection) enabled, let alone shipping easy-to-use Grsecurity/PaX-enabled kernels. The best I can find are instructions on how to enable some of these features on an existing system and then recompile the whole system or the critical service binaries.

So really, Gentoo Hardened is ahead of the game. I was looking for a binary distro for a small system to act as a firewall, but if I want to go the ultra-secure route it looks like I'll be (re)compiling binaries from source no matter what, so I might as well use Hardened Gentoo, which makes it by far the easiest to integrate Grsecurity, PaX, and SSP.

If you're wondering about my other criteria: I've ruled out the obvious choice of OpenBSD because it only has a 6 month / 1 year support cycle, and that support is limited to patches that you apply and then use the old-school build system to rebuild the binaries. Kludgy, still involves compiling, and a short support cycle. So I looked for a Linux distro that had a longer, binary support cycle, but none seem to have SSP and Grsecurity.

On the other hand, Hardened Gentoo gives me native out-of-the-box support for Grsecurity, PaX, SSP, and other fun things, plus a rolling-release model with no end-of-support date. The only cost is compiling everything, which sucks a bit on small embedded-ish systems, but if compiling is the only way to go anyway, I might as well do it right with Gentoo, as no one else has nearly as good system tools for building software from source.

Also, although I wasn't looking for it, Gentoo Hardened has support for SELinux as well.
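Before trusting any distro's claim about SSP (or the googling above), it is worth checking the shipped binaries directly. The following is an added example, not from the original post: a small POSIX sh audit that flags binaries with no reference to the canary-failure routine. It assumes that a binary compiled with GCC's -fstack-protector* and containing at least one protected frame references __stack_chk_fail (or __stack_chk_fail_local), so the symbol name is present in the file. Caveat: with plain -fstack-protector, a program that had no local char arrays gets no protected frames and shows no reference even though the flag was on; -fstack-protector-all protects every frame. A stricter check would read the dynamic symbol table with readelf rather than grepping the raw file.

```shell
#!/bin/sh
# Added example (not from the original post): quick check for whether an ELF
# binary was built with GCC's stack-smashing protector (SSP).
# Assumption: a binary built with -fstack-protector* that has at least one
# protected frame references __stack_chk_fail / __stack_chk_fail_local, so
# that name appears somewhere in the file.
# Caveat: with plain -fstack-protector a program with nothing the compiler
# chose to protect shows no reference even though the flag was on.

# has_ssp FILE -> exit status 0 if FILE references __stack_chk_fail, 1 otherwise.
has_ssp() {
    # -a treats the binary as text; -q only sets the exit status.
    grep -a -q '__stack_chk_fail' "$1"
}

# audit_ssp FILE... -> prints "<file><TAB>SSP" or "<file><TAB>no-SSP" per file
# and returns the number of files lacking SSP (0 when all are protected).
# Shell exit statuses wrap at 256, so treat the value as a flag for large sets.
audit_ssp() {
    missing=0
    for f in "$@"; do
        if has_ssp "$f"; then
            printf '%s\tSSP\n' "$f"
        else
            printf '%s\tno-SSP\n' "$f"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Usage on a real system, e.g. everything in /bin:
#   audit_ssp /bin/*
```

On a box that claims hardened builds, a non-zero return from audit_ssp over /bin and /usr/sbin is the first thing to investigate; the no-SSP lines are either unprotected builds or binaries with no frames the compiler chose to guard.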

5 Responses to “Gentoo Hardened for the win”

  1. Unfortunately, all SSP does is make certain legitimate C++ programs crash when given legitimate input, thus exposing you to new DoS attacks. It does not make your system any more secure, and it does not make security holes disappear.

  2. Nate MacKenzie Says:

    No, OpenBSD has a one year support cycle: every six months a new release is made available and the release before that stays supported, while the release that is now two releases behind the current release ends its support. So when 4.3 comes out, 4.1 ends its support, one year after its release. This isn't that hard to find out, why didn't you?

  3. Sorry, I was lazy. It still doesn't change the fact that the security updates are patches to source only or updated CVS, so recompiling is required. And I'd like a longer support cycle than a year. I have systems with uptimes longer than a year; kind of a waste to turn them off just to reinstall an OS. Better to avoid that kind of pointless downtime if it can be done.

  4. Every security update does not require you to compile the entire src tree. You can simply recompile the specific program inside the source tree that needs updating. For example:

    cd /usr/src/usr.bin/file
    make obj
    make cleandir
    make depend
    make
    make install

    No need to recompile your entire tree and reboot. If it was an issue with the kernel then yes, there would be a lot more compiling and a reboot. That's not something that happens often though.

  5. True, but if I'm still recompiling, why not use Gentoo? Quick research at least indicates they do update ports with patches as well as core, so that's good, but again, it looks like recompiling, no binary updates.

    I was mostly just wishing for a distro with the security of OpenBSD or maybe Gentoo Hardened, but that was binary and had binary security updates, to ease old or small machines.

Mindstab.net is proudly powered by WordPress