This shows you the differences between two versions of the page.

devdocs:hardening_ideas [2018/04/16 14:17]
z5t1 [Toolchain]
devdocs:hardening_ideas [2018/07/12 09:58] (current)
z5t1 [General Stuff]
Line 1: Line 1:
 +If any developers have ideas for hardening the distribution,​ feel free to post them here :-). Keep in mind that these are just ideas, not necessarily stuff we have committed to doing.
 +====== Rescue Environment ======
 +Create a rescue environment in /​opt/​rescue. This environment will contain backup versions of essential binaries (similar to BSD's /rescue or /altroot directory). It will reside on a separate read only filesystem. It will use Busybox with static linking so it is not dependent on any other part of the system for proper functionality.
 ====== Userspace Hardening ====== ====== Userspace Hardening ======
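Review bot: the new Rescue Environment paragraph places the tree at /opt/rescue on "a separate read only filesystem" but does not say how or when that filesystem is mounted, or how the static Busybox on it is replaced when it needs an update. Since the stated goal is that it "is not dependent on any other part of the system", one line on the mount arrangement and one on the update procedure for a read-only volume would make the idea actionable.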
Line 11: Line 17:
 ==== Xorg ==== ==== Xorg ====
   * Make Xorg-server run as an unprivileged user.   * Make Xorg-server run as an unprivileged user.
 +    * See [[https://​​wiki/​Non_root_Xorg]]
 +==== Package Management ====
 +  * Make pkgtools calculate the checksums for all the binaries and libraries it installs and save them somewhere in /var/log/.
 +  * Add attr/xattr support.
 ==== General Stuff ==== ==== General Stuff ====
-  * Implement Mandatory Access Control.+  * Check executables installed as SUID/SGID and make sure those permissions are really necessary. 
 +    * /​usr/​bin/​xscreensaver does not need to be SUID.
   * Make sane default firewall rules.   * Make sane default firewall rules.
-  * Individual containers for daemons.+  * Add a security utility like what OpenBSD has (see [[https://​​security]]) 
 +  * Chattr log file to make them append only. 
 +    * This will also require us to add xattr support to pkgtools. 
 +  * Add a securelevel implementation. 
 +  * Make more daemons run as privsep users. The following daemons are good candidates:​ 
 +    * cups 
 +    * xorg-server 
 +  * <​del>​Implement Mandatory Access Control?</​del>​ 
 +  * <del>Individual containers for daemons?</​del>​
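Review bot: in the Package Management item, saving the checksums "somewhere in /var/log/" leaves open how the checksum list itself is protected, since a list that can be rewritten alongside the binaries it describes proves little. Suggest stating whether it falls under the append-only log idea added under General Stuff or is kept on a read-only filesystem. Two smaller points in the same hunk: xorg-server is listed as a privsep candidate although the Xorg section already has "Make Xorg-server run as an unprivileged user", and the Mandatory Access Control and container items are struck through with a question mark added but no reason given, so a short note on why they were dropped would help later readers.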
devdocs/hardening_ideas.1523902648.txt.gz · Last modified: 2018/04/16 14:17 by z5t1