There are several possible ways to approach the topic of hardening.  I
wanted to propose a possible Roadmap that Sabayon could adopt so we'll
have a basis for discussion.

There's every possibility that there are significant issues I haven't
appreciated with aspects of this Roadmap, and I hope the feedback will
improve on the concept.


GOALS

It's important we establish our objectives and goals for these
changes.  Hardening means different things to different people, so
it's best to be transparent about our goals for hardening Sabayon.

At this point, my goals are rather modest.

Goal #1: Our hardening changes should have minimal impact on our
users.  We'll do this by breaking up the implementations into chunks,
where possible, to give us an opportunity to evaluate the impact of
each chunk.

Goal #2: This Roadmap would put in place the infrastructure for
Sabayon to build packages with basic hardening, as provided by
Gentoo's hardened toolchain.

Goal #3: This Roadmap proposes hardening a minor subset of packages
(targeting packages that contain suid binaries).

At this stage, that's about it.  We will have the infrastructure in
place to adopt any further hardening we like.

These changes aren't going to make Sabayon the "MOST L33T H4RD3NED"
Distro.  Not even close.

But they will provide some basic hardened packages, and put the
structure in place for us to implement further hardening.  Also, it
should make Sabayon an interesting distribution for converting to a
hardened system.


PRELIMINARY

My Roadmap will depart from the standard Gentoo Hardened installation
in at least two important ways.

First, I propose that Sabayon *NOT* adopt the Hardened profile.  This
profile will impose some limitations (such as masking ipv6) that will
make life tough for us since we package such a wide range of binary
packages with Entropy.

Second, this roadmap will not include implementing the Gentoo Hardened
kernel.  The Gentoo Hardened kernel truly does have some neat stuff.
But the Gentoo Hardened kernel should be handled as a separate topic
after our initial round of hardening due to its scope.

We will be relying on the ASLR provided by the standard Linux kernel,
and will not be implementing any PaX/NX at this time.  That doesn't
mean we can't try this later, but it's not in the current scope.


ROADMAP

After all this lengthy verbiage, the Roadmap itself is rather short.

But each Roadmap item may have a separate thread to discuss the
details.  Some items, such as specific discussions concerning
Sabayon's internal infrastructure and work practices, will probably be
discussed internally on Sabayon staff lists.

STEP 1:

Build Gentoo's hardened toolchain.

(1.1)  Unmask the 'hardened' USE flag, and set 'hardened' globally
(1.2)  Rebuild a hardened GCC.
(1.3)  Rebuild the remainder of the toolchain with the hardened GCC.

There's more to this step than meets the eye, and I'll have follow-up
discussions on this step.

STEP 2:

Rebuild packages with hardening that contain suid binaries *EXCEPT* Xorg.

STEP 3 (Optional):

Rebuild Xorg with hardening.

We may have to skip this step.  At a minimum, we will have to proceed
extremely carefully.  I've successfully done it on three personal
systems with no noticeable impact (x86_64/i915, x86_64/nVidia,
x86/nVidia legacy).  But there's a world of Video Card/Desktop Package
combinations that I've barely touched.
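As an added example (not part of this post), a small POSIX shell helper for Step 2: it enumerates the setuid/setgid files on a system, and after the rebuild checks whether each one is an ET_DYN (PIE) executable as a hardened GCC produces, mapping each file to its owning package with portage-utils' qfile (assumed installed; the ELF check assumes a little-endian x86/x86_64 layout).

```shell
#!/bin/sh
# Added example helpers for the "rebuild packages containing suid binaries" step.
# Assumptions: portage-utils (`qfile`) for the package lookup; little-endian ELF.

# List setuid/setgid regular files under the given roots (default: usual bin dirs).
find_suid_files() {
    [ $# -gt 0 ] || set -- /bin /sbin /usr/bin /usr/sbin /usr/libexec
    find "$@" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Print EXEC (non-PIE), DYN (PIE / shared object), other, or not-elf for a file.
# Reads the 4-byte ELF magic and then e_type (2 bytes, little-endian) at offset 16.
elf_type() {
    f=$1
    set -- $(od -An -t u1 -N 4 "$f")
    if [ "$1 $2 $3 $4" != "127 69 76 70" ]; then
        echo "not-elf"
        return 0
    fi
    set -- $(od -An -t u1 -j 16 -N 2 "$f")
    case "$(( $1 + $2 * 256 ))" in
        2) echo "EXEC" ;;
        3) echo "DYN" ;;
        *) echo "other" ;;
    esac
}

# Tab-separated report: path, ELF type, owning package (if qfile is available).
# Any setuid file still reported as EXEC after Step 2 was not rebuilt with PIE.
report_suid() {
    find_suid_files "$@" | while read -r path; do
        pkg="(qfile not installed)"
        if command -v qfile >/dev/null 2>&1; then
            pkg=$(qfile "$path" 2>/dev/null | head -n 1)
        fi
        printf '%s\t%s\t%s\n' "$path" "$(elf_type "$path")" "$pkg"
    done
}
```

Run `report_suid` with no arguments on a Sabayon box to get the list of setuid binaries that Step 2 has to cover, or pass specific directories to narrow it.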


POSSIBLE FUTURE ACTIONS

From this point, there's a wide range of options we could undertake.

* Harden all/(some) network-facing packages
* Harden LAMP packages (and other major server packages)
* Explore implementing a Gentoo Hardened kernel as an optional kernel.
* Explore implementing a subset of Gentoo's Hardened kernel patchset
in all kernels.
* etc...


Thanks in advance for your feedback on this topic.