Expanding the list of "Hardened Packages"

Richard W.M. Jones rjones at redhat.com
Fri Mar 29 17:13:33 UTC 2013


On Fri, Mar 29, 2013 at 10:08:37PM +0530, Dhiru Kholia wrote:
> Hi,
> 
> This proposal was originally at https://fedorahosted.org/fesco/ticket/1104
> 
> (mitr asked me to move the discussion to fedora-devel to get more
> attention and feedback)
> 
> ...
> 
> http://fedoraproject.org/wiki/Hardened_Packages page mentions
> that "FESCo requires some packages to use PIE and relro hardening by
> default."
> 
> It would be great if this list could be expanded to include even more
> packages which are at comparatively more risk of being exploited (locally
> or remotely).
>
> Such packages will typically include various system daemons, network
> daemons and network enabled applications.

Qemu is surely a good candidate for this.  Although it's not network-
accessible, it is accessible from the guests that it runs via its huge
and ill-specified surface of emulated devices.

> 1. Hardening flags should be turned on (by default) for all packages
> which are at comparatively more risk of being exploited or which meet
> some well-defined criteria (suggestions welcome).

Is there somewhere which describes what to do / what flags to enable?

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
virt-top is 'top' for virtual machines.  Tiny program with many
powerful monitoring features, net stats, disk stats, logging, etc.
http://people.redhat.com/~rjones/virt-top

