This shows you the differences between two versions of the page.
| devdocs:hardening_ideas [2018/08/30 20:04] 127.0.0.1 external edit | devdocs:hardening_ideas [2018/10/18 22:21] (current) z5t1 [Rescue Environment] | | |
|---|---|---|---|
| Line 4: | Line 4: | ||
| Create a rescue environment in /opt/rescue. This environment will contain backup versions of essential binaries (similar to BSD's /rescue or /altroot directory). It will reside on a separate read only filesystem. It will use Busybox with static linking so it is not dependent on any other part of the system for proper functionality. | Create a rescue environment in /opt/rescue. This environment will contain backup versions of essential binaries (similar to BSD's /rescue or /altroot directory). It will reside on a separate read only filesystem. It will use Busybox with static linking so it is not dependent on any other part of the system for proper functionality. | ||
| + | |||
| + | The Busybox binaries will be executable only by root. | ||
| ====== Userspace Hardening ====== | ====== Userspace Hardening ====== | ||
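Review bot: the added line "The Busybox binaries will be executable only by root." states the policy but not how it is enforced, which matters because the same paragraph puts /opt/rescue on a separate read-only filesystem. Suggest saying whether the restriction comes from ownership and mode bits on the static Busybox binary and its applet links, or from the mount options of that filesystem, so a reader knows what to check after a restore or re-mount.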
| Line 26: | Line 28: | ||
| * Check executables installed as SUID/SGID and make sure those permissions are really necessary. | * Check executables installed as SUID/SGID and make sure those permissions are really necessary. | ||
| * /usr/bin/xscreensaver does not need to be SUID. | * /usr/bin/xscreensaver does not need to be SUID. | ||
| + | * Try to SUID to less privileged user when possible. | ||
| + | * Try to use setcap instead of SUID. | ||
| * Make sane default firewall rules. | * Make sane default firewall rules. | ||
| * Add a security utility like what OpenBSD has (see [[https://man.openbsd.org/security]]) | * Add a security utility like what OpenBSD has (see [[https://man.openbsd.org/security]]) | ||
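Review bot: the two added bullets read as unordered alternatives, and "Try to SUID to less privileged user" is missing an article. Suggest ordering them by how much privilege each retains and tightening the wording, e.g. "Prefer setcap (file capabilities) over SUID; where SUID is unavoidable, SUID to a less privileged user rather than root." That also makes clear they are refinements of the parent bullet about auditing SUID/SGID executables.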
| Line 34: | Line 38: | ||
| * cups | * cups | ||
| * xorg-server | * xorg-server | ||
| + | * Make system utilities like pickle and portmake use privsep users. | ||
| + | * Especially for downloading files. | ||
| * <del>Implement Mandatory Access Control?</del> | * <del>Implement Mandatory Access Control?</del> | ||
| * <del>Individual containers for daemons?</del> | * <del>Individual containers for daemons?</del> | ||
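Review bot: the sub-bullet "Especially for downloading files." is a fragment, and the parent bullet does not say whether pickle and portmake should share one privsep user or each get their own. Suggest a full sentence that settles that, e.g. "Run the download step of pickle and portmake under a dedicated unprivileged user, since that step handles untrusted network input", and state whether the user is per utility.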