Create a rescue environment in /opt/rescue. This environment will contain backup versions of essential binaries (similar to BSD's /rescue or /altroot directory). It will reside on a separate read only filesystem. It will use Busybox with static linking so it is not dependent on any other part of the system for proper functionality.

• Look into better memory randomization.
• Look into the following glibc configure flags:

  --enable-stack-protector=strong
  --enable-stackguard-randomization

• Make Xorg-server run as an unprivileged user.
  • See https://wiki.gentoo.org/wiki/Non_root_Xorg

• Make pkgtools calculate the checksums for all the binaries and libraries it installs and save them somewhere in /var/log/.
• Add attr/xattr support.

• Check executables installed as SUID/SGID and make sure those permissions are really necessary.
  • /usr/bin/xscreensaver does not need to be SUID.
  • Try to SUID to less privileged user when possible.
  • Try to use setcap instead of SUID.
• Make sane default firewall rules.
• Add a security utility like what OpenBSD has (see https://man.openbsd.org/security)
• Chattr log file to make them append only.
  • This will also require us to add xattr support to pkgtools.
• Add a securelevel implementation.
• Make more daemons run as privsep users. The following daemons are good candidates:
  • cups
  • xorg-server
• Make system utilities like pickle and portmake use privsep users.
  • Especially for downloading files.
• Implement Mandatory Access Control?
• Individual containers for daemons?