Now is a good time to try to implement some hardened features in Sabayon. Since hardening has the potential to break some applications, Sabayon will want to approach the issue incrementally. Some of the first steps may just be to lay the groundwork, and not really provide any significant security enhancements.
"Hardening" is a very broad topic, with many overlapping subtopics. Right now, there are a handful of show-stoppers that would probably prevent Sabayon from implementing across-the-board hardening (not the least of which is a lack of consensus as to what would constitute a fully hardened Desktop system). But, over time, I expect the blockers to gradually support hardening. Linux server applications are much further along in supporting hardening than the Linux Desktop world. So since Sabayon is heavily invested in the Desktop area of Linux, we'll need to be careful how we proceed.
It would be counter-productive for me to provide a tutorial on hardening. But here are a few links I've found helpful.
http://www.gentoo.org/proj/en/hardened/
http://blog.flameeyes.eu/2009/11/02/the-pie-is-not-exactly-a-lie
I found Flameeyes' blog very enlightening for someone who is just trying to get their head around hardening.
Sabayon will probably wait on implementing the hardened patches in Gentoo's hardened kernel. But there are some really interesting capabilities bundled into the Gentoo hardened kernel, and we will certainly want to evaluate what can be implemented (or perhaps when).
Our initial focus will probably be on building a subset of applications with PIE. This is a topic that has recently been active. And the ASLR that is already in the kernel should work "well-enough" with binaries built with PIE. Supporting PaX/NX will probably take longer.
Since there are several sub-topics to discuss, I'm going to cut this post off here, and try to keep the messages to being only slightly long. I'll get into some of the sub-topics in separate posts.