User Tools

Site Tools


devdocs:hardening_ideas

If any developers have ideas for hardening the distribution, feel free to post them here :-). Keep in mind that these are just ideas, not necessarily stuff we have committed to doing.

Rescue Environment

Create a rescue environment in /opt/rescue. This environment will contain backup versions of essential binaries (similar to BSD's /rescue or /altroot directory). It will reside on a separate read only filesystem. It will use Busybox with static linking so it is not dependent on any other part of the system for proper functionality.

Userspace Hardening

Toolchain

  • Look into better memory randomization.
  • Look into the following glibc configure flags:
  --enable-stack-protector=strong
  --enable-stackguard-randomization

Xorg

Package Management

  • Make pkgtools calculate the checksums for all the binaries and libraries it installs and save them somewhere in /var/log/.
  • Add attr/xattr support.

General Stuff

  • Check executables installed as SUID/SGID and make sure those permissions are really necessary.
    • /usr/bin/xscreensaver does not need to be SUID.
  • Make sane default firewall rules.
  • Add a security utility like what OpenBSD has (see https://man.openbsd.org/security)
  • Chattr log file to make them append only.
    • This will also require us to add xattr support to pkgtools.
  • Add a securelevel implementation.
  • Make more daemons run as privsep users. The following daemons are good candidates:
    • cups
    • xorg-server
  • Implement Mandatory Access Control?
  • Individual containers for daemons?
devdocs/hardening_ideas.txt · Last modified: 2018/08/30 20:04 (external edit)