Lunar Linux Hardened

From Lunar Linux
== Hardened Lunar Linux ==
 
  
The main goal of this project is to have a Lunar Linux with security enhancements. Most modules will be patched with patches we have written ourselves or that others have written. Those others could be Linux From Scratch users or other distributions. As long as we keep the credits, this should be okay.
 
 
== Language ==
 
 
The main problem is my language, so if you read things you don't understand, please ask me. My English isn't as good as yours, so I would probably be happy about corrections ;-)
 
 
== Warning ==
 
 
This project is in an experimental state, so use it only if you want to play with it or if you want to help develop it. It's not for production use right now.
 
 
== HowTo get this Thingy running ==
 
 
 
Good question, I was waiting for you to ask. First, download hd-modules.tar.bz2 (I will add the url here soon). Extract it to /var/lib/lunar/moonbase/zlocal/ (be careful if you have stored your own modules there; we don't want to overwrite anything). Then you have to re-lin things:
 
 
 
'''Stage One'''
 
 
Preinstallation of needed modules
 
 
* lin -cr binutils # This will install binutils 2.17 with our hardened patches and configure options
 
* lin -cr gcc # This will install gcc 4.1.2 with our hardened patches and configure options
 
* lin -cr kernel-headers-2.6 # This will install the Kernel Headers we need for glibc
 
* lin -cr glibc # This will install glibc 2.5 with our hardened patches and configure options
 
* lin -cr linux-2.6 # Now reinstall the linux kernel.
 
 
'''Stage Two'''
 
 
Now reinstall the previously installed modules, so that they are compiled using the modules preinstalled in Stage One:
 
 
* lin -cr binutils
 
* lin -cr gcc
 
* lin -cr db (if you have it installed, check with lvu installed db; but I bet you have)
 
* lin -cr coreutils
 
* lin -cr kernel-headers-2.6
 
* lin -cr glibc
 
* lin -cr linux-2.6
 
 
'''Stage Three'''
 
 
Now we relin some other useful modules:
 
* lin -cr bison
 
* lin -cr procps
 
* lin -cr libtool
 
* lin -cr perl
 
* lin -cr readline
 
* lin -cr zlib
 
* lin -cr autoconf
 
* lin -cr automake
 
 
Now your filesystem tools:
 
 
* lin -cr e2fsprogs (for ext2 and ext3fs)
 
* lin -cr xfsprogs (for xfs, only if you use it)
 
* lin -cr jfsutils (for jfs, only if you use it)
 
* lin -cr reiserfsprogs (for reiserfs, only if you use it)
 
* ... ;-)
 
 
Now some other modules:
 
* lin -cr file
 
* lin -cr flex
 
* lin -cr groff
 
* lin -cr less
 
* lin -cr man
 
* lin -cr mktemp
 
* lin -cr module-init-tools
 
* lin -cr psmisc
 
* lin -cr shadow
 
* lin -cr sysvinit
 
* lin -cr udev (or whatever you use, for example devfs)
 
* lin -cr ncurses (if you have it installed, check with lvu installed ncurses)
 
* lin -cr bash
 
* lin -cr bzip2
 
* lin -cr coreutils
 
* lin -cr diffutils
 
* lin -cr findutils
 
* lin -cr gawk
 
* lin -cr gettext
 
* lin -cr grep
 
* lin -cr gzip
 
* lin -cr m4
 
* lin -cr make
 
* lin -cr patch
 
* lin -cr perl
 
* lin -cr sed
 
* lin -cr tar
 
* lin -cr texinfo (if you have it installed, check with lvu installed texinfo)
 
* lin -cr util-linux
 
* lin -cr vim
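Putting the whole HowTo together as one script (an added example for this page, not the project's own tooling): it first checks that the tarball would not overwrite anything already in zlocal, extracts it, and then runs the three stages in the order listed above, stopping at the first lin -cr that fails so that a broken toolchain step is not hidden by later rebuilds. Assumptions that are not on the page: the tarball path is passed as the first argument, lin -cr MODULE returns non-zero on failure, lvu installed MODULE exits 0 when the module is installed, the LIN and LVU environment overrides exist only so the script can be dry-run with stubs, and tar -tf relies on GNU tar's automatic detection of the bzip2 compression.

```shell
#!/bin/sh
# Added example: drive the extraction and relink stages of the HowTo.
# Not part of the wiki page. Assumed interfaces: `lin -cr MODULE` rebuilds a
# module, `lvu installed MODULE` exits 0 when it is installed; LIN and LVU
# may be overridden for a dry run.

MOONBASE_LOCAL="${MOONBASE_LOCAL:-/var/lib/lunar/moonbase/zlocal}"
LIN="${LIN:-lin}"
LVU="${LVU:-lvu}"

# Refuse to unpack over files that already exist in the destination, so that
# modules of your own in zlocal are never silently overwritten.
# GNU tar autodetects .bz2 compression when listing with -t.
check_no_overwrite() {
    tarball=$1; dest=$2
    clashes=$(tar -tf "$tarball" | while IFS= read -r m; do
        case $m in */) continue ;; esac        # directory entries are fine
        if [ -e "$dest/$m" ]; then printf '%s\n' "$dest/$m"; fi
    done)
    if [ -n "$clashes" ]; then
        printf 'refusing to extract, would overwrite:\n%s\n' "$clashes" >&2
        return 1
    fi
    return 0
}

# Rebuild the given modules in order, stopping at the first failure.
relink_stage() {
    stage=$1; shift
    echo "== $stage ==" >&2
    for mod in "$@"; do
        "$LIN" -cr "$mod" || { echo "$stage: lin -cr $mod failed" >&2; return 1; }
    done
}

# Rebuild only modules that are installed (the "if you have it installed
# (lvu installed db)" rule from the HowTo).
relink_if_installed() {
    for mod in "$@"; do
        if "$LVU" installed "$mod" >/dev/null 2>&1; then
            "$LIN" -cr "$mod" || return 1
        else
            echo "skipping $mod: not installed" >&2
        fi
    done
}

run_all() {
    tarball=$1
    check_no_overwrite "$tarball" "$MOONBASE_LOCAL" || return 1
    tar -xf "$tarball" -C "$MOONBASE_LOCAL" || return 1
    # Stage One: toolchain with the hardened patches
    relink_stage "Stage One" binutils gcc kernel-headers-2.6 glibc linux-2.6 || return 1
    # Stage Two: the same set again, now built with the hardened toolchain
    relink_stage "Stage Two" binutils gcc || return 1
    relink_if_installed db || return 1
    relink_stage "Stage Two" coreutils kernel-headers-2.6 glibc linux-2.6 || return 1
    # Stage Three: build tools, filesystem tools (optional ones only if
    # installed), then the base userland
    relink_stage "Stage Three" bison procps libtool perl readline zlib autoconf automake || return 1
    relink_stage "Stage Three" e2fsprogs || return 1
    relink_if_installed xfsprogs jfsutils reiserfsprogs || return 1
    relink_stage "Stage Three" file flex groff less man mktemp module-init-tools psmisc shadow sysvinit || return 1
    relink_if_installed udev ncurses || return 1
    relink_stage "Stage Three" bash bzip2 coreutils diffutils findutils gawk gettext grep gzip m4 make patch perl sed tar || return 1
    relink_if_installed texinfo || return 1
    relink_stage "Stage Three" util-linux vim
}

# Run only when a tarball path is given, e.g.: sh relink-hardened.sh hd-modules.tar.bz2
if [ $# -gt 0 ]; then
    run_all "$1"
fi
```

The overwrite check is the part worth keeping even if you relink by hand: tar -tf lists the archive without touching the disk, so a clash with an existing module directory is reported before anything is changed.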
 
 
== The Patches ==
 
 
You will see "Status:" in the following sections. Status 1 means I tested whether it compiles and seems to work on my local system (Athlon XP 2600+, 512 MB RAM, vanilla 2.6.20 kernel). Status 2 means I tested it a bit more and recompiled it several times AND with optimizations. Status 3 means other people have tested it too, but it did not always work. Status 4 means other people have tested it too and it worked everywhere.
 
 
So:
 
 
* Status 0 is untested.
 
* Status 1 is really really alpha. (tested without optimizations)
 
* Status 2 is alpha as well. (tested with optimizations: CPU: athlon-xp; FPU: both; MMX SSE SSE2, -O2)
 
* Status 3 is beta.
 
* Status 4 is ready to go ;-)
 
 
=== ToDo ===
 
 
* Do we need to port this patch http://www.linuxfromscratch.org/patches/downloads/db/db-4.4.20-trap-2.patch if we use 4.5.20?
 
* On some sites there is a branch_update-2.patch for binutils-2.17; I tried it and it did not work because of another patch. http://www.ip-minds.de/patches/binutils-2.17-branch_update-2.patch (will be available there later)
 
* We have to look for other useful security related patches.
 
 
=== gcc 4.1.2 ===
 
 
Status: 2
 
 
<table cellspacing="0" cellpadding="0" border="0" style="border: 1px solid #000000; text-align: center; margin: 0 auto; width: 100%;">
 
    <tr>
 
        <td style="padding: 3px; vertical-align: top; background-color: #d1d1d1; border-bottom: 1px dashed #000000; text-align: left; width: 180px;">posix-1.patch</td>
 
        <td style="padding: 3px; vertical-align: top; background-color: #a1a1a1; color: #d1d1d1; border-bottom: 1px dashed #000000; text-align: left; width: 10px;">-</td>
 
        <td style="padding: 3px; vertical-align: top; background-color: #c0c0c0; border-bottom: 1px dashed #000000; text-align: left;">Makes GCC Posix Compliant</td>
 
    </tr>
 
</table>
 
 
=== binutils 2.17 ===
 
 
Status: 2
 
 
<table cellspacing="0" cellpadding="0" border="0" style="border: 1px solid #000000; text-align: center; margin: 0 auto; width: 100%;">
 
    <tr>
 
        <td style="padding: 3px; vertical-align: top; background-color: #d1d1d1; border-bottom: 1px dashed #000000; text-align: left; width: 180px;">branch_update-1.patch</td>
 
        <td style="padding: 3px; vertical-align: top; background-color: #a1a1a1; color: #d1d1d1; border-bottom: 1px dashed #000000; text-align: left; width: 10px;">-</td>
 
        <td style="padding: 3px; vertical-align: top; background-color: #c0c0c0; border-bottom: 1px dashed #000000; text-align: left;">This is the binutils-2_17-branch (bug fix branch) update, compared from binutils-2.17-release and binutils-2_17-branch with all the fluff removed (CVS entries, maintainer files, etc). This patch should be updated periodically.</td>
 
    </tr>
 
    <tr>
 
        <td style="padding: 3px; vertical-align: top; background-color: #d1d1d1; border-bottom: 1px dashed #000000; text-align: left; width: 180px;">hardened_tmp-3.patch</td>
 
        <td style="padding: 3px; vertical-align: top; background-color: #a1a1a1; color: #d1d1d1; border-bottom: 1px dashed #000000; text-align: left; width: 10px;">-</td>
 
        <td style="padding: 3px; vertical-align: top; background-color: #c0c0c0; border-bottom: 1px dashed #000000; text-align: left;">This patch uses mkstemp(3) and mkdtemp(3) for temporary file creation, if they are available, rather than the default mktemp(3). This is safer and removes some compiler warnings.</td>
 
    </tr>
 
    <tr>
 
        <td style="padding: 3px; vertical-align: top; background-color: #d1d1d1; border-bottom: 1px dashed #000000; text-align: left; width: 180px;">lazy-1.patch</td>
 
        <td style="padding: 3px; vertical-align: top; background-color: #a1a1a1; color: #d1d1d1; border-bottom: 1px dashed #000000; text-align: left; width: 10px;">-</td>
 
        <td style="padding: 3px; vertical-align: top; background-color: #c0c0c0; border-bottom: 1px dashed #000000; text-align: left;">This adds -z lazy option, inverse of -z now.</td>
 
    </tr>
 
    <tr>
 
        <td style="padding: 3px; vertical-align: top; background-color: #d1d1d1; border-bottom: 1px dashed #000000; text-align: left; width: 180px;">pt_pax-1.patch</td>
 
        <td style="padding: 3px; vertical-align: top; background-color: #a1a1a1; color: #d1d1d1; border-bottom: 1px dashed #000000; text-align: left; width: 10px;">-</td>
 
        <td style="padding: 3px; vertical-align: top; background-color: #c0c0c0; border-bottom: 1px dashed #000000; text-align: left;">This adds PT_PAX_FLAGS to Binutils. See: http://pax.grsecurity.net/</td>
 
    </tr>
 
    <tr>
 
        <td style="padding: 3px; vertical-align: top; background-color: #d1d1d1; border-bottom: 1px dashed #000000; text-align: left; width: 180px;">posix-1.patch</td>
 
        <td style="padding: 3px; vertical-align: top; background-color: #a1a1a1; color: #d1d1d1; border-bottom: 1px dashed #000000; text-align: left; width: 10px;">-</td>
 
        <td style="padding: 3px; vertical-align: top; background-color: #c0c0c0; border-bottom: 1px dashed #000000; text-align: left;">Makes binutils Posix Compliant</td>
 
    </tr>
 
</table>
 
 
=== coreutils 6.7 ===
 
 
Status: 2
 
 
<table cellspacing="0" cellpadding="0" border="0" style="border: 1px solid #000000; text-align: center; margin: 0 auto; width: 100%;">
 
    <tr>
 
        <td style="padding: 3px; vertical-align: top; background-color: #d1d1d1; border-bottom: 1px dashed #000000; text-align: left; width: 180px;">i18n-1.patch</td>
 
        <td style="padding: 3px; vertical-align: top; background-color: #a1a1a1; color: #d1d1d1; border-bottom: 1px dashed #000000; text-align: left; width: 10px;">-</td>
 
        <td style="padding: 3px; vertical-align: top; background-color: #c0c0c0; border-bottom: 1px dashed #000000; text-align: left;">This patch fixes various problems with multibyte character support.</td>
 
    </tr>
 
    <tr>
 
        <td style="padding: 3px; vertical-align: top; background-color: #d1d1d1; border-bottom: 1px dashed #000000; text-align: left; width: 180px;">uname-1.patch</td>
 
        <td style="padding: 3px; vertical-align: top; background-color: #a1a1a1; color: #d1d1d1; border-bottom: 1px dashed #000000; text-align: left; width: 10px;">-</td>
 
        <td style="padding: 3px; vertical-align: top; background-color: #c0c0c0; border-bottom: 1px dashed #000000; text-align: left;">Fix the output of uname once and for all.</td>
 
    </tr>
 
</table>
 
 
=== glibc 2.5 ===
 
 
Status: 1
 
 
<table cellspacing="0" cellpadding="0" border="0" style="border: 1px solid #000000; text-align: center; margin: 0 auto; width: 100%;">
 
    <tr>
 
        <td style="padding: 3px; vertical-align: top; background-color: #d1d1d1; border-bottom: 1px dashed #000000; text-align: left; width: 180px;">blowfish.patch</td>
 
        <td style="padding: 3px; vertical-align: top; background-color: #a1a1a1; color: #d1d1d1; border-bottom: 1px dashed #000000; text-align: left; width: 10px;">-</td>
 
        <td style="padding: 3px; vertical-align: top; background-color: #c0c0c0; border-bottom: 1px dashed #000000; text-align: left;">This patch adds blowfish crypto to libcrypt.</td>
 
    </tr>
 
    <tr>
 
        <td style="padding: 3px; vertical-align: top; background-color: #d1d1d1; border-bottom: 1px dashed #000000; text-align: left; width: 180px;">branch_update-2.patch</td>
 
        <td style="padding: 3px; vertical-align: top; background-color: #a1a1a1; color: #d1d1d1; border-bottom: 1px dashed #000000; text-align: left; width: 10px;">-</td>
 
        <td style="padding: 3px; vertical-align: top; background-color: #c0c0c0; border-bottom: 1px dashed #000000; text-align: left;">This is a branch update for Glibc-2.5, and should be rechecked periodically. See the "Changelog" and "localedata/ChangeLog" files for specific details.</td>
 
    </tr>
 
    <tr>
 
        <td style="padding: 3px; vertical-align: top; background-color: #d1d1d1; border-bottom: 1px dashed #000000; text-align: left; width: 180px;">dl_execstack_PaX-1.patch</td>
 
        <td style="padding: 3px; vertical-align: top; background-color: #a1a1a1; color: #d1d1d1; border-bottom: 1px dashed #000000; text-align: left; width: 10px;">-</td>
 
        <td style="padding: 3px; vertical-align: top; background-color: #c0c0c0; border-bottom: 1px dashed #000000; text-align: left;">This is needed for Pax. http://pax.grsecurity.net/</td>
 
    </tr>
 
    <tr>
 
        <td style="padding: 3px; vertical-align: top; background-color: #d1d1d1; border-bottom: 1px dashed #000000; text-align: left; width: 180px;">hardened_tmp-1.patch</td>
 
        <td style="padding: 3px; vertical-align: top; background-color: #a1a1a1; color: #d1d1d1; border-bottom: 1px dashed #000000; text-align: left; width: 10px;">-</td>
 
        <td style="padding: 3px; vertical-align: top; background-color: #c0c0c0; border-bottom: 1px dashed #000000; text-align: left;">This patch instructs mktemp(1) to use temporary file directory from the '-t' option. It also makes sure temporary files get removed after exiting the scripts.</td>
 
    </tr>
 
    <tr>
 
        <td style="padding: 3px; vertical-align: top; background-color: #d1d1d1; border-bottom: 1px dashed #000000; text-align: left; width: 180px;">iconv_unnest-1.patch</td>
 
        <td style="padding: 3px; vertical-align: top; background-color: #a1a1a1; color: #d1d1d1; border-bottom: 1px dashed #000000; text-align: left; width: 10px;">-</td>
 
        <td style="padding: 3px; vertical-align: top; background-color: #c0c0c0; border-bottom: 1px dashed #000000; text-align: left;">Move nested function to a static one so we avoid generating a trampoline.</td>
 
    </tr>
 
    <tr>
 
        <td style="padding: 3px; vertical-align: top; background-color: #d1d1d1; border-bottom: 1px dashed #000000; text-align: left; width: 180px;">localedef_segfault-1.patch</td>
 
        <td style="padding: 3px; vertical-align: top; background-color: #a1a1a1; color: #d1d1d1; border-bottom: 1px dashed #000000; text-align: left; width: 10px;">-</td>
 
        <td style="padding: 3px; vertical-align: top; background-color: #c0c0c0; border-bottom: 1px dashed #000000; text-align: left;">Fixes Segfault when using localdef. This problem is only noticed when using PaX and some architectures besides x86. See debian bug # 231438</td>
 
    </tr>
 
    <tr>
 
        <td style="padding: 3px; vertical-align: top; background-color: #d1d1d1; border-bottom: 1px dashed #000000; text-align: left; width: 180px;">pt_pax-1.patch</td>
 
        <td style="padding: 3px; vertical-align: top; background-color: #a1a1a1; color: #d1d1d1; border-bottom: 1px dashed #000000; text-align: left; width: 10px;">-</td>
 
        <td style="padding: 3px; vertical-align: top; background-color: #c0c0c0; border-bottom: 1px dashed #000000; text-align: left;">This is needed for Pax. http://pax.grsecurity.net/</td>
 
    </tr>
 
    <tr>
 
        <td style="padding: 3px; vertical-align: top; background-color: #d1d1d1; border-bottom: 1px dashed #000000; text-align: left; width: 180px;">strlcpy_strlcat-1.patch</td>
 
        <td style="padding: 3px; vertical-align: top; background-color: #a1a1a1; color: #d1d1d1; border-bottom: 1px dashed #000000; text-align: left; width: 10px;">-</td>
 
        <td style="padding: 3px; vertical-align: top; background-color: #c0c0c0; border-bottom: 1px dashed #000000; text-align: left;">http://www.courtesan.com/todd/papers/strlcpy.html</td>
 
    </tr>
 
</table>
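The two hardened_tmp patches (binutils above, glibc here) share one theme: a temporary file must be created by the library or tool itself (mkstemp(3), mkdtemp(3), or mktemp(1) in a script) rather than under a name the program guesses, it must land in the directory the caller configured, and it must be removed when the script exits. The following shell script is added here as an illustration of that pattern for a build script; it is not taken from the wiki page or from any of the patches, and the hd- prefix, the TMPWORK variable and the tmp_file helper are assumptions made for the example.

```shell
#!/bin/sh
# Added example: safe temporary-file handling for a script. Not part of the
# wiki page or of the hardened_tmp patches. A predictable name such as
# /tmp/hd.$$ (what mktemp(3)-style code produces) can be pre-created by
# anyone who can write to /tmp; mktemp(1) instead creates the file or
# directory itself, with a random suffix and mode 0600 / 0700.

TMP_PATHS=""

# Remove everything that was registered; run from the traps below.
cleanup_tmp() {
    for p in $TMP_PATHS; do
        rm -rf -- "$p"
    done
    TMP_PATHS=""
}

# Arrange removal of $1 at normal exit and on HUP/INT/TERM.
register_tmp() {
    TMP_PATHS="$TMP_PATHS $1"
    trap cleanup_tmp EXIT
    trap 'cleanup_tmp; exit 1' HUP INT TERM
}

# Create a private work directory below $TMPDIR (default /tmp), honouring
# the caller's configured temp directory, and publish its path in TMPWORK.
# Must be called in the main shell, not inside $(...): in a command
# substitution the trap would belong to the subshell and fire immediately.
tmp_setup() {
    TMPWORK=$(mktemp -d "${TMPDIR:-/tmp}/hd-XXXXXXXX") || return 1
    register_tmp "$TMPWORK"
}

# Create a private temp file inside the work directory; the path is stored
# in the variable named by $1 (hypothetical helper, returns via eval for
# the same reason as above).
tmp_file() {
    _f=$(mktemp "$TMPWORK/file-XXXXXXXX") || return 1
    eval "$1=\$_f"
}

# Stand-alone demonstration: sh safe-tmp.sh demo
if [ "${1:-}" = demo ]; then
    tmp_setup || exit 1
    tmp_file scratch || exit 1
    echo "working in $TMPWORK, scratch file $scratch"
    ls -ld "$TMPWORK" "$scratch"
fi
```

The directory is created with mktemp -d so that every file inside it is already protected by the 0700 mode of the directory; the trap on EXIT covers the normal case, and the second trap makes an interrupted build clean up too instead of leaving the work directory behind.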
 
 
=== Berkeley DB 4.5.20 ===
 
 
Status: 1
 
 
<table cellspacing="0" cellpadding="0" border="0" style="border: 1px solid #000000; text-align: center; margin: 0 auto; width: 100%;">
 
    <tr>
 
        <td style="padding: 3px; vertical-align: top; background-color: #d1d1d1; border-bottom: 1px dashed #000000; text-align: left; width: 180px;">fixes-1.patch</td>
 
        <td style="padding: 3px; vertical-align: top; background-color: #a1a1a1; color: #d1d1d1; border-bottom: 1px dashed #000000; text-align: left; width: 10px;">-</td>
 
        <td style="padding: 3px; vertical-align: top; background-color: #c0c0c0; border-bottom: 1px dashed #000000; text-align: left;">Fixes a couple of issues when trying to access databases through the Java API.</td>
 
    </tr>
 
</table>
 

Latest revision as of 06:04, 15 March 2007
