Create a rescue environment in /opt/rescue. This environment will contain backup versions of essential binaries (similar to BSD's /rescue or /altroot directory). It will reside on a separate read only filesystem. It will use Busybox with static linking so it is not dependent on any other part of the system for proper functionality.

The Busybox binaries will be executable only by root.

• Look into better memory randomization.
• Look into the following glibc configure flags:

  --enable-stack-protector=strong
  --enable-stackguard-randomization

• Make Xorg-server run as an unprivileged user.
  • See https://wiki.gentoo.org/wiki/Non_root_Xorg

• Make pkgtools calculate the checksums for all the binaries and libraries it installs and save them somewhere in /var/log/.
• Add attr/xattr support.

• Check executables installed as SUID/SGID and make sure those permissions are really necessary.
  • /usr/bin/xscreensaver does not need to be SUID.
  • Try to SUID to less privileged user when possible.
  • Try to use setcap instead of SUID.
• Make sane default firewall rules.
• Add a security utility like what OpenBSD has (see https://man.openbsd.org/security)
• Chattr log file to make them append only.
  • This will also require us to add xattr support to pkgtools.
• Add a securelevel implementation.
• Make more daemons run as privsep users. The following daemons are good candidates:
  • cups
  • xorg-server
• Make system utilities like pickle and portmake use privsep users.
  • Especially for downloading files.
• Implement Mandatory Access Control?
• Individual containers for daemons?