This shows you the differences between two versions of the page.
devdocs:hardening_ideas [2018/10/18 22:16] z5t1 [General Stuff] |
devdocs:hardening_ideas [2018/10/18 22:21] z5t1 [Rescue Environment] |
||
---|---|---|---|
Line 4: | Line 4: | ||
Create a rescue environment in /opt/rescue. This environment will contain backup versions of essential binaries (similar to BSD's /rescue or /altroot directory). It will reside on a separate read only filesystem. It will use Busybox with static linking so it is not dependent on any other part of the system for proper functionality. | Create a rescue environment in /opt/rescue. This environment will contain backup versions of essential binaries (similar to BSD's /rescue or /altroot directory). It will reside on a separate read only filesystem. It will use Busybox with static linking so it is not dependent on any other part of the system for proper functionality. | ||
+ | |||
+ | The Busybox binaries will be executable only by root. | ||
====== Userspace Hardening ====== | ====== Userspace Hardening ====== | ||
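Review bot: The added sentence "The Busybox binaries will be executable only by root" does not say how the restriction is enforced. The context line above it places /opt/rescue on a separate read only filesystem, so ownership and mode have to be set when that filesystem is built. Suggest stating the intended owner and mode for the binaries and for the /opt/rescue directory itself, and saying whether non-root users may still read the files, since a readable static binary can be copied to a writable location and run from there.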
Line 36: | Line 38: | ||
* cups | * cups | ||
* xorg-server | * xorg-server | ||
+ | * Make system utilities like pickle and portmake use privsep users. | ||
+ | * Especially for downloading files. | ||
* <del>Implement Mandatory Access Control?</del> | * <del>Implement Mandatory Access Control?</del> | ||
* <del>Individual containers for daemons?</del> | * <del>Individual containers for daemons?</del> | ||
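Review bot: The new item "Make system utilities like pickle and portmake use privsep users" leaves the scope open: it does not say whether each utility gets its own unprivileged user or they share one, or which steps other than downloading are meant to run unprivileged. The sub-item "Especially for downloading files." is a fragment; suggest rewording it as a concrete requirement, for example that downloads run as the privsep user and the root-owned part of the utility only handles files that have already been fetched.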