This shows you the differences between two versions of the page.
devdocs:hardening_ideas [2018/08/30 20:04] 127.0.0.1 external edit |
devdocs:hardening_ideas [2018/10/18 22:18] z5t1 [General Stuff] |
||
---|---|---|---|
Line 26: | Line 26: | ||
* Check executables installed as SUID/SGID and make sure those permissions are really necessary. | * Check executables installed as SUID/SGID and make sure those permissions are really necessary. | ||
* /usr/bin/xscreensaver does not need to be SUID. | * /usr/bin/xscreensaver does not need to be SUID. | ||
+ | * Try to SUID to less privileged user when possible. | ||
+ | * Try to use setcap instead of SUID. | ||
* Make sane default firewall rules. | * Make sane default firewall rules. | ||
* Add a security utility like what OpenBSD has (see [[https://man.openbsd.org/security]]) | * Add a security utility like what OpenBSD has (see [[https://man.openbsd.org/security]]) | ||
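Review bot: The added item "Try to use setcap instead of SUID" should say to grant only the specific capability the binary needs, since broad capabilities such as CAP_SYS_ADMIN or CAP_DAC_OVERRIDE give back most of what SUID root did. It would also help to extend the audit item at the top of this hunk so that it covers files carrying capabilities (for example, listed with `getcap -r`) as well as SUID/SGID executables. The other added item, "Try to SUID to less privileged user", would read more clearly as "make the binary setuid to a dedicated non-root user where root is not required".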
Line 34: | Line 36: | ||
* cups | * cups | ||
* xorg-server | * xorg-server | ||
+ | * Make system utilities like pickle and portmake use privsep users. | ||
+ | * Especially for downloading files. | ||
* <del>Implement Mandatory Access Control?</del> | * <del>Implement Mandatory Access Control?</del> | ||
* <del>Individual containers for daemons?</del> | * <del>Individual containers for daemons?</del> | ||
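Review bot: The added sub-item "Especially for downloading files" does not say where the privilege boundary sits for pickle and portmake. Suggest spelling out that the network fetch runs as the privsep user and that the downloaded file is verified (checksum or signature) before any step running as root reads it, so the item describes a concrete change rather than a general aim.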