Hi. I added LFS-6.7 to the HLFS svn trunk. It can be found on the web site(s) too. The subversion commit was 1.8mb, so it didn't show up on hlfs-b...@.
I'm trying not to change stuff just for fun. This was a big problem before, like adding optimizations and whatever. It was off focus and complicate things. So now I'm trying to keep things the way LFS does unless it's actually for hardening. The Binutils pt_pax patch may not be actually needed. The markings are used to disable protection on some programs, like Java and Wine. Grub2 uses an executable stack. The paxctl program might be able to mark grub, without the Binutils patch, so that it works on 32 bit systems. If not then the Binutils patch needs to be added, or use a different boot loader. Tasks: Add SSP, fortify source, and pic/pie compiler options like before. Add libcap2, and attr, to chapter 6, so Coreutils can link to libcap, and so setuid-root programs can be marked with posix capabilities so the setuid bit can be dropped. Privilege dropping for agetty, udevd, and examples of how to do this with random BLFS daemons. Add grsecurity ACL's, particularly for daemons. Add NSS to chapter 6, for Glibc's libcrypt. NSS can also be used by other packages in BLFS. Fedora is working on adding NSS support to anything that can use it. More emphasis on network security. Add iptables to chapter 6, and a working example. Add iptables examples to any package that include network servers. Every system on the Internet should have a firewall, and it should be working when we reboot the first time. Replace Sysklogd with Rsyslogd. Rsyslogd supports bidirectional TLS authentication, and encryption, of syslog client and server communication. The dependencies can also be used by other packages in BLFS. Rsyslogd also supports dropping root privileges. The boot scripts will need modification for iptables and rsyslogd. Add a chapter 10 for network software, such as NTPD, Bind/Named, and OpenSSH. In addition to the BLFS instructions, an iptables policy for each service will be included, and examples to use authentication and encryption. When these run as root, some capabilities can be dropped with libcap2. An example NAT, or OpenVPN, setup. The example network I have in mind is a server with a mobile client (wide or local area, wireless or wired). This is a good example where bidirectional authentication is needed. robert
signature.asc
Description: This is a digitally signed message part.
-- http://linuxfromscratch.org/mailman/listinfo/hlfs-dev FAQ: http://www.linuxfromscratch.org/faq/ Unsubscribe: See the above information page
