If any developers have ideas for hardening the distribution, feel free to post them here. Keep in mind that these are just ideas, not necessarily stuff we have committed to doing.
Create a rescue environment in /opt/rescue. This environment will contain backup versions of essential binaries (similar to BSD's /rescue or /altroot directory). It will reside on a separate read-only filesystem. It will use BusyBox with static linking so it is not dependent on any other part of the system for proper functionality.
The binaries should also be executable only by root.
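The three properties proposed above for the rescue environment (static linking, root-only execution, read-only mount) can be checked with a short POSIX shell audit. This is an added example, not part of the original page or the distribution's tooling; the function names, the ELF64-only header parsing, the optional UID argument and the /proc/mounts-style table are assumptions of the example.

```shell
#!/bin/sh
# Added example, not the distribution's code. Assumes native ELF64 binaries,
# an od that supports -t u8, and a /proc/mounts-style mount table.

# rd FILE OFFSET SIZE: unsigned integer of SIZE bytes at OFFSET (host byte order)
rd() { od -An -v -t "u$3" -j "$2" -N "$3" "$1" | tr -d ' \n'; }

# is_static FILE: 0 = no PT_INTERP segment (static), 1 = dynamic, 2 = not ELF64
is_static() {
    [ "$(od -An -v -t x1 -N 5 "$1" | tr -d ' \n')" = 7f454c4602 ] || return 2
    phoff=$(rd "$1" 32 8); phentsize=$(rd "$1" 54 2); phnum=$(rd "$1" 56 2)
    [ -n "$phnum" ] || return 2                  # truncated header
    i=0
    while [ "$i" -lt "$phnum" ]; do              # p_type 3 is PT_INTERP
        [ "$(rd "$1" $((phoff + i * phentsize)) 4)" = 3 ] && return 1
        i=$((i + 1))
    done
    return 0
}

# root_only FILE [UID]: owned by UID (default 0), no group/other execute bit
root_only() {
    want=${2:-0}
    set -- $(ls -ldn "$1")                       # $1 = mode string, $3 = owner UID
    [ "$3" = "$want" ] || return 1
    case $1 in ??????[xs]*|?????????[xt]*) return 1 ;; esac
    return 0
}

# mounted_ro DIR [TABLE]: DIR is a mount point whose last entry carries "ro"
mounted_ro() {
    awk -v m="$1" '$2 == m { o = "," $4 "," }
        END { exit index(o, ",ro,") ? 0 : 1 }' "${2:-/proc/mounts}"
}

# audit_rescue DIR [UID] [TABLE]: one FAIL line per finding, status 0 if clean
audit_rescue() {
    fails=0
    mounted_ro "$1" "$3" || { echo "FAIL $1: not a read-only mount point"; fails=1; }
    for f in "$1"/*; do
        [ -f "$f" ] && [ ! -L "$f" ] || continue  # applet symlinks are skipped
        is_static "$f" || { echo "FAIL $f: not a static ELF64 binary"; fails=1; }
        root_only "$f" "$2" || { echo "FAIL $f: wrong owner or group/other can execute"; fails=1; }
    done
    [ "$fails" -eq 0 ]
}
```

Calling `audit_rescue /opt/rescue` on an installed system uses the defaults (owner UID 0 and /proc/mounts); a non-zero exit status means at least one FAIL line was printed.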
--enable-stack-protector=strong --enable-stackguard-randomization