Hardening #6

Open
AgentD opened this issue Oct 8, 2018 · 2 comments

Collaborator

AgentD commented Oct 8, 2018

  • Turn on all the fancy binutils and gcc configure options for stack protection and code fortification
  • Pass additional flags to build systems to use available gcc and ld flags
  • Finish cleaning up filesystem permissions
  • Configure services (the ones that don't already do this) to run as unprivileged users in chroot jails
Collaborator Author

AgentD commented Nov 13, 2018

Most of this is done as of now. As commented on the init project, adding SELinux policies may prove interesting for some services.

What I would still like to do in addition: Reduce the number of setuid binaries (e.g. replace passwd and friends with openwall alternatives, musl supports shadow.d)

Collaborator Author

AgentD commented Jun 10, 2019

mksquashfs has been replaced with our own tool by now, which supports SELinux labeling through a file contexts file.
