
If any developers have ideas for hardening the distribution, feel free to post them here :-). Keep in mind that these are just ideas, not necessarily stuff we have committed to doing.

Rescue Environment

Create a rescue environment in /opt/rescue. This environment will contain backup copies of essential binaries (similar to BSD's /rescue or /altroot directory). It will reside on a separate read-only filesystem. It will use a statically linked BusyBox so that it does not depend on any other part of the system (shared libraries, the dynamic loader, etc.) to function.

Userspace Hardening

  • Look into better memory randomization.
  • Look into the following glibc configure flags:

Package Management

  • Make pkgtools calculate the checksums for all the binaries and libraries it installs and save them somewhere in /var/log/.
  • Add attr/xattr support.
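As an added example (not part of the original page or of the distribution's pkgtools), the following POSIX shell functions show what the checksum idea above amounts to in practice: record a sorted SHA-256 manifest of every regular file a package installs, then verify the installed tree against it later. It assumes GNU coreutils `sha256sum`; the log directory /var/log/pkg-sums used by `pkg_manifest_path` is an assumed location, not one the page specifies.

```shell
#!/bin/sh
# Added example: checksum manifest for installed package files.
# Not the distribution's own pkgtools code. Assumes GNU coreutils sha256sum.
set -u

# Assumed log location (not specified by the page): one manifest per package.
PKG_SUM_LOG_DIR="${PKG_SUM_LOG_DIR:-/var/log/pkg-sums}"

# Print the manifest path for package name $1.
pkg_manifest_path() {
    printf '%s/%s.sha256\n' "$PKG_SUM_LOG_DIR" "$1"
}

# Write a sorted "hash  ./relative-path" manifest of every regular file
# under root $1 to manifest file $2. Paths containing newlines are not handled.
pkg_record_sums() {
    root="$1"
    manifest="$2"
    case "$manifest" in /*) ;; *) manifest="$PWD/$manifest" ;; esac
    ( cd "$root" && find . -type f -print | LC_ALL=C sort | while IFS= read -r f; do
        sha256sum "$f"
    done ) > "$manifest"
}

# Verify the tree under root $1 against manifest $2.
# Prints each mismatching file; returns non-zero if anything changed.
pkg_verify_sums() {
    root="$1"
    manifest="$2"
    case "$manifest" in /*) ;; *) manifest="$PWD/$manifest" ;; esac
    ( cd "$root" && sha256sum --quiet -c "$manifest" )
}
```

In pkgtools the record step would run right after the package's files are extracted, with the installed root as `$1` and `pkg_manifest_path "$pkgname"` as `$2`; a periodic cron job or a rescue-environment check could then run `pkg_verify_sums` for every manifest in the log directory. Because the manifests live under /var/log, the append-only attribute idea further down the page applies to them as well.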

General Stuff

  • Check executables installed as SUID/SGID and make sure those permissions are really necessary.
    • /usr/bin/xscreensaver does not need to be SUID.
    • Try to SUID to a less privileged user when possible.
    • Try to use setcap instead of SUID.
  • Make sane default firewall rules.
  • Add a security utility like what OpenBSD has (see
  • Chattr log files to make them append-only.
    • This will also require us to add xattr support to pkgtools.
  • Add a securelevel implementation.
  • Make more daemons run as privsep users. The following daemons are good candidates:
    • cups
    • xorg-server
  • Implement Mandatory Access Control?
  • Individual containers for daemons?
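As an added example for the SUID/SGID review item above (not code from the original page or from the distribution), these POSIX shell functions list every setuid or setgid regular file under a directory, show its mode and owner, and, where `getcap` from libcap is available, show any file capabilities already set on it. That last column is what makes the "setcap instead of SUID" comparison possible: a binary that only needs, say, raw sockets can carry a capability instead of the full setuid bit. The `-xdev` flag keeps the scan on one filesystem so a run over / does not descend into /proc or network mounts.

```shell
#!/bin/sh
# Added example: audit setuid/setgid executables under a directory tree.
# Not the distribution's own tooling. Uses only POSIX find/ls; getcap is optional.
set -u

# Print the sorted paths of regular files under $1 with the setuid or setgid bit.
find_setid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | LC_ALL=C sort
}

# Print how many setuid/setgid files live under $1 (useful as a baseline number
# to compare between releases).
count_setid_files() {
    find_setid_files "$1" | wc -l | tr -d ' '
}

# Human-readable report: mode/owner line for each file, plus its file
# capabilities when getcap is installed. Paths with newlines are not handled.
report_setid_files() {
    find_setid_files "$1" | while IFS= read -r f; do
        ls -ld "$f"
        if command -v getcap >/dev/null 2>&1; then
            getcap "$f"
        fi
    done
}
```

Run `report_setid_files /` as root to review a whole installation; each reported binary is a candidate for dropping the bit, switching it to a less privileged user, or replacing it with a narrower capability via `setcap`.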
devdocs/hardening_ideas.1539900998.txt.gz · Last modified: 2018/10/18 22:16 by z5t1