devdocs:hardening_ideas [2018/07/12 13:58]
devdocs:hardening_ideas [2018/08/30 20:04] 127.0.0.1 external edit

If any developers have ideas for hardening the distribution, feel free to post them here :-). Keep in mind that these are just ideas, not necessarily stuff we have committed to doing.

====== Rescue Environment ======

Create a rescue environment in /opt/rescue. This environment will contain backup versions of essential binaries (similar to BSD's /rescue or /altroot directory). It will reside on a separate read-only filesystem. It will use Busybox with static linking so it is not dependent on any other part of the system for proper functionality.

====== Userspace Hardening ======

==== Toolchain ====
  * Look into better memory randomization.
  * Look into the following glibc configure flags:
<code>
--enable-stack-protector=strong
--enable-stackguard-randomization
</code>

==== Xorg ====
  * Make Xorg-server run as an unprivileged user.
  * See [[https://wiki.gentoo.org/wiki/Non_root_Xorg]]

==== Package Management ====
  * Make pkgtools calculate the checksums for all the binaries and libraries it installs and save them somewhere in /var/log/.
  * Add attr/xattr support.
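One way to sketch the checksum idea above, as an added shell example that is not from this wiki or from pkgtools: record a SHA-256 manifest of an install tree and later verify the live files against it (function names, manifest layout and the sample tree are assumptions).

```shell
#!/bin/sh
# Added example, not code from the wiki page or from pkgtools. It sketches the
# "record checksums of everything a package installs" idea: build a SHA-256
# manifest for an install tree, then verify the live files against it.
# Function names, the manifest format and the test tree are assumptions.

# build_manifest ROOT MANIFEST
# Hash every regular file below ROOT and write "hash  ./path" lines, sorted by
# path, to MANIFEST (give an absolute path; the function cd's into ROOT). In the
# distribution this file would go under /var/log/ and be made append-only so a
# compromised package cannot quietly rewrite its own record.
build_manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | sort -k 2 ) > "$2"
}

# verify_manifest ROOT MANIFEST
# Print the path of every file whose checksum differs or that is missing, one
# per line, and return 1; return 0 and print nothing when all files match.
verify_manifest() {
    bad=$( cd "$1" && sha256sum -c --quiet "$2" 2>/dev/null | sed -n 's/: FAILED.*$//p' )
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

# demo_detects_tampering
# Build a constructed install tree, record it, then overwrite one binary and
# delete one library; print the space-separated list verify_manifest reports.
demo_detects_tampering() {
    tmp=$(mktemp -d) || return 2
    mkdir -p "$tmp/root/bin" "$tmp/root/lib"
    printf 'original tool\n' > "$tmp/root/bin/tool"
    printf 'original lib\n'  > "$tmp/root/lib/libfoo.so"
    build_manifest "$tmp/root" "$tmp/manifest"
    # A clean tree must verify before anything is touched.
    verify_manifest "$tmp/root" "$tmp/manifest" >/dev/null || { rm -rf "$tmp"; return 3; }
    printf 'modified tool\n' > "$tmp/root/bin/tool"   # content changed after install
    rm "$tmp/root/lib/libfoo.so"                      # file removed after install
    out=$(verify_manifest "$tmp/root" "$tmp/manifest") || true   # expected to report both
    rm -rf "$tmp"
    printf '%s\n' "$out" | paste -sd ' ' -
}
```

Run `demo_detects_tampering` to see the two changed paths reported; a real deployment would run verify_manifest from the rescue environment so the checking tools themselves are trusted.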

==== General Stuff ====
  * Check executables installed as SUID/SGID and make sure those permissions are really necessary.
    * /usr/bin/xscreensaver does not need to be SUID.
  * Make sane default firewall rules.
  * Add a security utility like what OpenBSD has (see [[https://man.openbsd.org/security]]).
  * Chattr log files to make them append-only.
    * This will also require us to add xattr support to pkgtools.
  * Add a securelevel implementation.
  * Make more daemons run as privsep users. The following daemons are good candidates:
    * cups
    * xorg-server
  * <del>Implement Mandatory Access Control?</del>
  * <del>Individual containers for daemons?</del>
