devdocs:hardening_ideas, revision 2018/10/18 22:21 (current) by z5t1 (section edited: Rescue Environment), shown as a diff against the previous revision 2018/07/12 13:58. Every line below was added in that revision.

If any developers have ideas for hardening the distribution, feel free to post them here :-). Keep in mind that these are just ideas, not necessarily things we have committed to doing.

====== Rescue Environment ======

Create a rescue environment in /opt/rescue. It will contain backup copies of essential binaries (similar to BSD's /rescue or /altroot directory) and will live on its own read-only filesystem, so that a broken or tampered-with /bin, /lib or /usr cannot take the rescue tools down with it. It will be built from a statically linked Busybox, so it does not depend on any other part of the system (in particular the dynamic loader and libc) to function. Note that a read-only mount on its own only protects against accidents: root can remount it read-write, so pairing it with the securelevel idea below, or keeping it on separate media, is what makes it hold up after a compromise.

The Busybox binaries will be executable only by root.

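As an added example (not the distribution's own tooling), a POSIX shell script that turns a static Busybox binary into the /opt/rescue tree described above: it refuses a dynamically linked binary, installs one symlink per applet and makes the result executable only by root. The script name, its two arguments and the device name in the fstab comment are assumptions of this example, not taken from the page.

```sh
#!/bin/sh
# build_rescue.sh: populate a root-only rescue tree from a static Busybox.
# Added example for this page; not part of the distribution's tooling.
# Assumed usage (not from the page): build_rescue.sh /path/to/static/busybox /opt/rescue
# Run it while the rescue filesystem is mounted read-write, then remount read-only.
# Example fstab line (device name is a placeholder) keeping the tree read-only:
#   /dev/sdXN  /opt/rescue  ext4  ro,nodev  0  2
set -eu

# Fail if $1 is dynamically linked. ldd exits 0 with a library list for a
# dynamic ELF binary and non-zero for anything it cannot resolve dynamically,
# which is what a static binary looks like. Only run ldd on binaries you built
# yourself: some ldd implementations execute the file they inspect.
check_static() {
    if ! command -v ldd >/dev/null 2>&1; then
        echo "warning: ldd not found, skipping static-link check" >&2
        return 0
    fi
    if ldd "$1" >/dev/null 2>&1; then
        echo "error: $1 is dynamically linked; rebuild busybox with CONFIG_STATIC=y" >&2
        return 1
    fi
}

# Copy busybox $1 into $2/bin, create one symlink per applet and restrict the
# tree to root (mode 0700, as the page requires). Prints the applet count.
build_rescue() {
    bb=$1; dest=$2
    check_static "$bb"
    mkdir -p "$dest/bin"
    cp "$bb" "$dest/bin/busybox"
    chmod 0700 "$dest" "$dest/bin" "$dest/bin/busybox"
    n=0
    # "busybox --list" prints one applet name per line.
    for applet in $("$dest/bin/busybox" --list); do
        [ "$applet" = busybox ] && continue
        ln -sf busybox "$dest/bin/$applet"
        n=$((n + 1))
    done
    echo "$n"
}

# Command-line entry point; does nothing when sourced without arguments.
if [ "$#" -eq 2 ]; then
    build_rescue "$1" "$2"
fi
```

A real Busybox can also lay out the tree itself with "busybox --install -s /opt/rescue", which additionally creates sbin and usr subdirectories; the explicit loop above is kept so that the root-only permissions and the static-link check are visible in one place.
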
====== Userspace Hardening ======

==== Toolchain ====
  * Look into better memory (address-space) randomization: check that executables are built as PIE, so that ASLR covers the main program and not only the shared libraries, and that the kernel runs with kernel.randomize_va_space=2.
  * Look into the following glibc configure flags (--enable-stack-protector is available from glibc 2.25 on):
<code>
--enable-stack-protector=strong
--enable-stackguard-randomization
</code>

==== Xorg ====
  * Make Xorg-server run as an unprivileged user. This needs a kernel mode-setting (KMS) driver and a seat manager (systemd-logind or elogind) so that the server can be handed the DRM and input device nodes without being root.
  * See [[https://wiki.gentoo.org/wiki/Non_root_Xorg]]

==== Package Management ====
  * Make pkgtools calculate checksums (SHA-256 or better, not MD5) for all the binaries and libraries it installs and save them somewhere in /var/log/. A later audit can then compare the installed files against that manifest. Keep a copy of the manifest off the host or on read-only media, since an attacker with root can rewrite a manifest stored next to the files it describes.
  * Add attr/xattr support, so that file capabilities set with setcap survive package install and upgrade.

==== General Stuff ====
  * Check executables installed as SUID/SGID and make sure those permissions are really necessary.
    * /usr/bin/xscreensaver does not need to be SUID.
    * Where a program must be setuid, prefer a dedicated unprivileged user over root.
    * Prefer file capabilities (setcap, e.g. cap_net_raw for ping) to SUID root where a single capability is enough; this depends on the xattr support mentioned under Package Management.
  * Make sane default firewall rules (default-deny inbound, allowing only the services the installation actually exposes).
  * Add a security utility like what OpenBSD has (see [[https://man.openbsd.org/security]]): a periodic script that reports changes in the set of SUID/SGID files, in file ownership and permissions, and in the contents of system files.
  * Use chattr +a on log files to make them append-only. Log rotation then has to clear the flag before it truncates or renames a log, and root can remove the flag again unless a securelevel (below) forbids it.
    * This will also require pkgtools to preserve the flag on files it touches. Note that chattr flags are inode flags (set through the FS_IOC_SETFLAGS ioctl), not extended attributes, so this is separate from the xattr support needed for setcap.
  * Add a securelevel implementation (as in the BSDs: a kernel-enforced level that a running system can only raise, not lower, and that at its higher settings blocks clearing the immutable/append-only flags and loading kernel modules).
  * Make more daemons run as privilege-separated (privsep) users. The following daemons are good candidates:
    * cups
    * xorg-server
  * Make system utilities like pickle and portmake use privsep users.
    * Especially for downloading files, so that the code parsing untrusted network input never runs as root.
  * <del>Implement Mandatory Access Control?</del>
  * <del>Individual containers for daemons?</del>

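The security(8)-style utility and the pkgtools checksum manifest above both come down to recording a baseline and diffing the live system against it later. As an added example that is not part of pkgtools or the distribution, the following POSIX shell script does exactly that for the SUID/SGID file set and for SHA-256 checksums of a tree; the script name, the two subcommands and the baseline directory are this example's own assumptions.

```sh
#!/bin/sh
# security_check.sh: a minimal security(8)-style audit. Added example for this
# page; not part of pkgtools or the distribution. It records a baseline of
# SUID/SGID files and SHA-256 checksums of installed files, then reports drift.
# Assumed usage (names are this example's own, not the project's):
#   security_check.sh baseline /usr /var/log/security-baseline
#   security_check.sh check    /usr /var/log/security-baseline
set -u

# Prefer GNU coreutils sha256sum, fall back to shasum on BSD/macOS.
sha256_cmd() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$@"; else shasum -a 256 "$@"; fi
}

# Every regular file under $1 with the setuid or setgid bit set, one per line.
# -xdev stays on one filesystem so removable media or /proc cannot pollute it.
suid_list() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null \
        | LC_ALL=C sort
}

# "<sha256>  <path>" for every regular file under $1, sorted by path.
checksum_manifest() {
    find "$1" -xdev -type f -print 2>/dev/null | LC_ALL=C sort \
        | while IFS= read -r f; do sha256_cmd "$f"; done
}

# Record baselines for tree $1 in directory $2. Keep a copy of $2 off the host
# or on read-only media: an attacker with root can edit a manifest stored
# beside the files it describes.
security_baseline() {
    mkdir -p "$2" || return 2
    suid_list "$1" > "$2/suid.list"
    checksum_manifest "$1" > "$2/sums.list"
}

# Compare tree $1 against the baseline in $2. Prints unified diffs of anything
# that changed and returns 1; returns 0 when nothing changed.
security_check() {
    root=$1; base=$2; rc=0
    tmp=$(mktemp -d) || return 2
    suid_list "$root" > "$tmp/suid.list"
    checksum_manifest "$root" > "$tmp/sums.list"
    if ! diff -u "$base/suid.list" "$tmp/suid.list"; then
        echo "*** SUID/SGID file set changed"
        rc=1
    fi
    if ! diff -u "$base/sums.list" "$tmp/sums.list"; then
        echo "*** installed file contents changed"
        rc=1
    fi
    rm -rf "$tmp"
    return $rc
}

# Command-line entry point; does nothing when sourced without arguments.
if [ "$#" -eq 3 ]; then
    case $1 in
        baseline) security_baseline "$2" "$3" ;;
        check)    security_check "$2" "$3" ;;
        *) echo "usage: $0 baseline|check TREE BASELINE_DIR" >&2; exit 2 ;;
    esac
fi
```

Run the check from cron and mail the output, as OpenBSD's security(8) does; a non-zero exit means either a package upgrade that must be followed by a fresh baseline, or a file that changed without one.
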