devdocs:hardening_ideas

Differences

This shows you the differences between two versions of the page.

devdocs:hardening_ideas [2018/04/16 14:17]
z5t1 [Toolchain]
devdocs:hardening_ideas [2018/07/12 09:58] (current)
z5t1 [General Stuff]
Line 1: Line 1:
 +If any developers have ideas for hardening the distribution,​ feel free to post them here :-). Keep in mind that these are just ideas, not necessarily stuff we have committed to doing.
 +
 +====== Rescue Environment ======
 +
 +Create a rescue environment in /​opt/​rescue. This environment will contain backup versions of essential binaries (similar to BSD's /rescue or /altroot directory). It will reside on a separate read only filesystem. It will use Busybox with static linking so it is not dependent on any other part of the system for proper functionality.
 +
 ====== Userspace Hardening ====== ====== Userspace Hardening ======
  
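Review bot: The new intro line calls these "just ideas, not necessarily stuff we have committed to doing", yet the Rescue Environment paragraph added directly below it is worded as settled ("will contain", "will reside", "will use"). Suggest "would" throughout, or a line marking the section as a proposal. The paragraph also does not say how the backup binaries are refreshed once /opt/rescue sits on a read-only filesystem; a sentence on the update procedure would close that gap. Nit: "read only" should be "read-only".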
Line 11: Line 17:
 ==== Xorg ==== ==== Xorg ====
   * Make Xorg-server run as an unprivileged user.   * Make Xorg-server run as an unprivileged user.
 +    * See [[https://​wiki.gentoo.org/​wiki/​Non_root_Xorg]]
 +
 +==== Package Management ====
 +  * Make pkgtools calculate the checksums for all the binaries and libraries it installs and save them somewhere in /var/log/.
 +  * Add attr/xattr support.
  
 ==== General Stuff ==== ==== General Stuff ====
-  * Implement Mandatory Access Control.+  * Check executables installed as SUID/SGID and make sure those permissions are really necessary. 
 +    * /​usr/​bin/​xscreensaver does not need to be SUID.
   * Make sane default firewall rules.   * Make sane default firewall rules.
-  * Individual containers for daemons.+  * Add a security utility like what OpenBSD has (see [[https://​man.openbsd.org/​security]]) 
 +  * Chattr log file to make them append only. 
 +    * This will also require us to add xattr support to pkgtools. 
 +  * Add a securelevel implementation. 
 +  * Make more daemons run as privsep users. The following daemons are good candidates:​ 
 +    * cups 
 +    * xorg-server 
 +  * <​del>​Implement Mandatory Access Control?</​del>​ 
 +  * <del>Individual containers for daemons?</​del>​
  
  
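Review bot: In the Package Management item, "save them somewhere in /var/log/" leaves both the location and the protection of the checksum list open. A list kept on a writable path can be altered together with the binaries it covers, so the item should name the file and say whether it gets the append-only treatment proposed under General Stuff. xorg-server now appears twice, under Xorg ("Make Xorg-server run as an unprivileged user") and again in the privsep candidates list; keep one entry and link to it from the other. The xattr requirement is likewise stated twice ("Add attr/xattr support" and "This will also require us to add xattr support to pkgtools"). Nit: "Chattr log file to make them append only" should read "log files".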
devdocs/hardening_ideas.1523902648.txt.gz · Last modified: 2018/04/16 14:17 by z5t1