devdocs:hardening_ideas

devdocs:hardening_ideas [2018/07/12 13:58]
devdocs:hardening_ideas [2018/08/30 20:04] (current)
If any developers have ideas for hardening the distribution, feel free to post them here :-). Keep in mind that these are just ideas, not necessarily stuff we have committed to doing.

====== Rescue Environment ======

Create a rescue environment in /opt/rescue. This environment will contain backup versions of essential binaries (similar to BSD's /rescue or /altroot directory). It will reside on a separate read-only filesystem. It will use Busybox with static linking so it is not dependent on any other part of the system for proper functionality.

====== Userspace Hardening ======

==== Toolchain ====
  * Look into better memory randomization.
  * Look into the following glibc configure flags:
<code>
  --enable-stack-protector=strong
  --enable-stackguard-randomization
</code>

==== Xorg ====
  * Make Xorg-server run as an unprivileged user.
    * See [[https://wiki.gentoo.org/wiki/Non_root_Xorg]]

==== Package Management ====
  * Make pkgtools calculate the checksums for all the binaries and libraries it installs and save them somewhere in /var/log/.
  * Add attr/xattr support.

==== General Stuff ====
  * Check executables installed as SUID/SGID and make sure those permissions are really necessary.
    * /usr/bin/xscreensaver does not need to be SUID.
  * Make sane default firewall rules.
  * Add a security utility like what OpenBSD has (see [[https://man.openbsd.org/security]]).
  * Chattr log files to make them append-only.
    * This will also require us to add xattr support to pkgtools.
  * Add a securelevel implementation.
  * Make more daemons run as privsep users. The following daemons are good candidates:
    * cups
    * xorg-server
  * <del>Implement Mandatory Access Control?</del>
  * <del>Individual containers for daemons?</del>
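A sketch of the checksum idea from the Package Management list and the SUID/SGID review from the list above, added here as an example and not code from this wiki or from pkgtools: a manifest of SHA-256 hashes is recorded for the files a package installed, re-checked later to flag changed or missing files, and setuid/setgid files are listed for review. The MANIFEST_DIR default and every path used in demo() are assumptions made for this illustration.

```sh
#!/bin/sh
# Added example, not code from the wiki or from pkgtools. Records SHA-256 hashes of the
# files a package installed into a manifest under a log directory, verifies them later,
# and lists setuid/setgid files for review. MANIFEST_DIR and the demo paths are constructed.
MANIFEST_DIR=${MANIFEST_DIR:-/var/log/pkgtools}   # assumed location, not a pkgtools path

# record_manifest ROOT MANIFEST: hash every regular file under ROOT into MANIFEST.
record_manifest() {
    find "$1" -type f -exec sha256sum {} + | LC_ALL=C sort -k2 > "$2"
}

# verify_manifest MANIFEST: re-hash each listed file; print MISSING/CHANGED lines
# and return 1 if anything differs, 0 if the tree still matches the manifest.
verify_manifest() {
    status=0
    while read -r sum path; do
        if [ ! -f "$path" ]; then
            echo "MISSING $path"; status=1
        elif [ "$(sha256sum "$path" | cut -d' ' -f1)" != "$sum" ]; then
            echo "CHANGED $path"; status=1
        fi
    done < "$1"
    return $status
}

# list_setuid ROOT: print setuid or setgid regular files under ROOT for review.
list_setuid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print
}

# demo: build a throwaway tree with constructed files, record it, tamper with one
# file and confirm the change is caught. Returns 0 only when detection worked.
demo() {
    tmp=$(mktemp -d) || return 2
    mkdir -p "$tmp/bin"
    printf 'constructed binary one' > "$tmp/bin/one"
    printf 'constructed binary two' > "$tmp/bin/two"
    record_manifest "$tmp/bin" "$tmp/manifest"
    verify_manifest "$tmp/manifest" > /dev/null || return 1   # clean tree must pass
    printf 'tampered' > "$tmp/bin/one"
    out=$(verify_manifest "$tmp/manifest") && return 1       # tampered tree must fail
    rm -rf "$tmp"
    [ "$out" = "CHANGED $tmp/bin/one" ]
}
```

In practice the manifest would be written at install time (for example to "$MANIFEST_DIR/<package>.sha256") and verify_manifest run from a periodic security check, in the spirit of the OpenBSD security(8) script mentioned above.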
 +