devdocs:hardening_ideas - revision 2018/10/18 22:21 (current), last edited by z5t1 (section: Rescue Environment); previous revision 2018/07/12 13:58.
If any developers have ideas for hardening the distribution, feel free to post them here :-). Keep in mind that these are just ideas, not necessarily stuff we have committed to doing.
====== Rescue Environment ======
Create a rescue environment in /opt/rescue. This environment will contain backup copies of essential binaries (similar to FreeBSD's /rescue or OpenBSD's /altroot). It will reside on a separate read-only filesystem, so that a broken or compromised root filesystem cannot take it down with it. It will use BusyBox built with static linking, so it does not depend on any other part of the system (shared libraries, the dynamic loader) to function.
The BusyBox binaries will be executable only by root.
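As an added example of how such a tree could be assembled (this is not the distribution's own tooling), a POSIX shell script that refuses a dynamically linked BusyBox, installs it root-only, creates one symlink per applet, and prints the read-only fstab entry. The target directory, BusyBox path, block device and mountpoint are all caller-supplied assumptions; the functions work unprivileged in a scratch directory, but a real install into /opt/rescue must run as root so the tree is owned by root.

```shell
#!/bin/sh
# Build a root-only, statically linked BusyBox rescue tree.
# Added example, not part of the distribution's tooling. Assumed interface:
#   install_rescue TARGET_DIR PATH_TO_STATIC_BUSYBOX
#   rescue_fstab_line DEVICE MOUNTPOINT
set -eu

# Return 0 if the binary has no dynamic dependencies. glibc's ldd prints
# "not a dynamic executable" (static) or "statically linked" (static-pie)
# for such files; musl's loader prints "Not a valid dynamic program".
is_static() {
    out=$(ldd "$1" 2>&1 || true)
    case "$out" in
        *"not a dynamic executable"*|*"statically linked"*|*"Not a valid dynamic program"*)
            return 0 ;;
        *)
            return 1 ;;
    esac
}

# Install busybox into $target/bin with mode 0700 and create one symlink per
# applet, so $target/bin/sh, $target/bin/mount, ... all resolve to the single
# static binary. Applet names come from "busybox --list".
install_rescue() {
    target=$1
    busybox=$2
    if ! is_static "$busybox"; then
        echo "refusing: $busybox is dynamically linked" >&2
        return 1
    fi
    mkdir -p "$target/bin"
    cp "$busybox" "$target/bin/busybox"
    chmod 0700 "$target/bin/busybox"
    "$target/bin/busybox" --list | while read -r applet; do
        # skip blanks and the binary's own name so we never overwrite it
        case "$applet" in ""|busybox) continue ;; esac
        ln -sf busybox "$target/bin/$applet"
    done
    # Only root may traverse the tree at all.
    chmod 0700 "$target" "$target/bin"
}

# fstab entry for the separate rescue filesystem: read-only, and no point in
# honouring setuid bits or device nodes on it either.
rescue_fstab_line() {
    printf '%s %s ext4 ro,nosuid,nodev 0 2\n' "$1" "$2"
}

# Usage (as root): install_rescue /opt/rescue /path/to/busybox-static
#                  rescue_fstab_line /dev/sda3 /opt/rescue >> /etc/fstab
```

Relative symlinks (`sh -> busybox`) are used on purpose so the tree keeps working if the filesystem is mounted somewhere other than /opt/rescue during recovery.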
====== Userspace Hardening ======
==== Toolchain ====
  * Look into better address-space randomization (ASLR), e.g. building executables as PIE so the main program image is randomized along with the libraries rather than loaded at a fixed address.
  * Look into the following glibc configure flags:
  --enable-stack-protector=strong
  --enable-stackguard-randomization
==== Xorg ====
  * Make xorg-server run as an unprivileged user.
    * See [[https://wiki/Non_root_Xorg]]
==== Package Management ====
  * Make pkgtools calculate the checksums (e.g. SHA-256) for all the binaries and libraries it installs and save them somewhere in /var/log/. The saved checksums are only useful for integrity checking if an attacker who can modify the binaries cannot also rewrite the checksum file, so it should be kept on read-only media, signed, or compared against an off-host copy.
  * Add attr/xattr support.
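An added example of the install-time manifest idea (not pkgtools' own code): one function records the SHA-256 of every file below an install root, the other re-hashes the tree and reports any changed or missing file. It assumes coreutils `sha256sum` and GNU `find`/`sort`; the manifest path must be absolute because verification runs from inside the root.

```shell
#!/bin/sh
# Install-time checksum manifest for a package tree.
# Added example, not pkgtools' own code. Assumed interface:
#   make_manifest ROOT /abs/path/manifest
#   verify_manifest ROOT /abs/path/manifest
set -eu

# Record the SHA-256 of every regular file below $root. Paths are relative to
# $root and sorted, so two runs over the same tree give byte-identical
# manifests (handy for comparing against an off-host copy).
make_manifest() {
    root=$1
    manifest=$2
    (cd "$root" && find . -type f -print0 | sort -z | xargs -0 -r sha256sum) > "$manifest"
}

# Re-hash the installed files and compare. Exit status is non-zero if any
# file differs or is missing; sha256sum prints the offending paths.
# --strict also fails on a malformed manifest line instead of skipping it.
verify_manifest() {
    root=$1
    manifest=$2
    (cd "$root" && sha256sum --check --quiet --strict "$manifest")
}

# Usage:
#   make_manifest / /var/log/pkgtools/foo-1.0.sha256
#   verify_manifest / /var/log/pkgtools/foo-1.0.sha256 || echo "foo-1.0 modified"
```

The manifest itself is the weak point: an attacker who can replace /usr/bin/foo can usually rewrite a file under /var/log as well, so record the manifest's own hash somewhere the host cannot silently change (a signed copy, another machine, or read-only media) and check that first.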
==== General Stuff ====
  * Check executables installed as SUID/SGID and make sure those permissions are really necessary.
    * /usr/bin/xscreensaver does not need to be SUID.
    * Where a program does need elevated privileges, prefer SUID to a dedicated less-privileged user rather than to root.
    * Prefer file capabilities (setcap) over SUID root, so the program gets only the specific capability it needs (e.g. cap_net_raw) instead of full root.
  * Make sane default firewall rules.
  * Add a security utility like what OpenBSD has (see [[https://security]]), i.e. a periodic script that reports new or changed SUID/SGID files, bad permissions and ownership, and similar problems.
  * chattr log files to make them append-only (chattr +a).
    * This will also require pkgtools to preserve file attributes. Note that the append-only flag is an inode flag set via chattr (FS_IOC_SETFLAGS), not an extended attribute, so it needs handling separate from xattr support.
    * Root can still clear the flag as long as it holds CAP_LINUX_IMMUTABLE, so on its own this only stops careless or unprivileged tampering; combined with a securelevel it becomes a real protection.
  * Add a securelevel implementation.
  * Make more daemons run as privsep users. The following daemons are good candidates:
    * cups
    * xorg-server
  * Make system utilities like pickle and portmake use privsep users.
    * Especially for downloading files, since the download step parses untrusted network data and has no reason to run as root.
  * <del>Implement Mandatory Access Control?</del>
  * <del>Individual containers for daemons?</del>
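An added example of the SUID/SGID audit from the list above (not a script shipped by the distribution): it lists every setuid or setgid file under a root with owner, group and mode so the list can be reviewed, counts the setuid-root subset that matters most, and shows the setcap replacement for one binary. It assumes GNU find/stat and libcap's setcap; the `replace_suid_with_cap` call needs root and is not run here.

```shell
#!/bin/sh
# SUID/SGID audit helpers. Added example, not the distribution's own tooling.
# Assumed interface:
#   audit_setid ROOT            -> "mode owner group path" per setuid/setgid file
#   count_setuid_root ROOT      -> number of setuid files owned by root
#   replace_suid_with_cap FILE CAP  (root only; needs setcap from libcap)
set -eu

# -perm /6000 matches files with either the setuid (4000) or setgid (2000)
# bit set; -xdev keeps the walk on one filesystem so /proc and mounts are skipped.
audit_setid() {
    find "$1" -xdev -type f -perm /6000 -exec stat -c '%a %U %G %n' {} + | sort -k4
}

# The dangerous subset: setuid and owned by root. A binary that is setuid to a
# dedicated unprivileged user, or only setgid, is a much smaller target.
count_setuid_root() {
    find "$1" -xdev -type f -perm -4000 -user root | wc -l
}

# Drop the setuid bit and grant one file capability instead, e.g.
#   replace_suid_with_cap /usr/bin/ping cap_net_raw
# After this the program can open raw sockets but is otherwise unprivileged.
replace_suid_with_cap() {
    chmod u-s "$1"
    setcap "$2=ep" "$1"
}

# Usage:
#   audit_setid /usr
#   echo "setuid-root binaries: $(count_setuid_root /)"
```

Run `audit_setid` once on a freshly installed system and keep the output under version control; diffing later runs against it is the core of what the OpenBSD-style daily security script would report.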