<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<link title="new" rel="stylesheet" href="http://www.gentoo.org/css/main.css" type="text/css">
<link REL="shortcut icon" HREF="http://www.gentoo.org/favicon.ico" TYPE="image/x-icon">
<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website">
<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums">
<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla">
<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/packages-gentoo-org.xml" title="Gentoo Packages">
<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/archives-gentoo-org.xml" title="Gentoo List Archives">
<title>Gentoo Linux Documentation
--
Gentoo Hardened Roadmap</title>
</head>
<body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0">
<tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="http://www.gentoo.org/images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr>
<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr>
<td width="99%" class="content" valign="top" align="left">
<br><h1>Gentoo Hardened Roadmap</h1>
<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
</span>Vision</p>
<p>
Within Gentoo Linux, the Gentoo Hardened project wants to be a shepherd for all
security oriented projects. The project wants to make Gentoo viable for highly
secure, high stability production environments.
</p>
<p class="chaphead"><a name="doc_chap2"></a><span class="chapnum">2.
</span>Strategy</p>
<p class="secthead"><a name="doc_chap2_sect1">Introduction</a></p>
<p>
In order to successfully strive towards our vision, Gentoo Hardened aims to
provide subprojects that test, develop, enhance, implement and integrate
specific security measures in Gentoo Linux. Although each of these projects has
operational responsibilities (after all, the technologies they support are
used by users all around), they continue to research and develop, making Gentoo
Linux even better than it is today.
</p>
<p>
The direction in which each of these projects is heading is described in
its <span class="emphasis">roadmap</span>, a combination of strategic directions and shorter-term
milestones. These roadmaps are combined in this very document, giving users
a general overview of where Gentoo Hardened is heading.
</p>
<p class="secthead"><a name="doc_chap2_sect2">Documentation</a></p>
<p>
Documentation is Gentoo Hardened's first asset that users come in contact with.
It is important that Gentoo Hardened's documentation is well structured, easily
accessible and correctly written. Although we currently focus on technically
educated users and system administrators, this focus should not lower our
responsibility of creating the necessary documents to guide new users in Gentoo
Hardened's realms.
</p>
<p class="secthead"><a name="doc_chap2_sect3">Vulnerability Mitigation</a></p>
<p>
Users build their systems with a <span class="emphasis">toolchain</span>, a set of libraries
and tools such as compilers and linkers. To fight potential
vulnerabilities and future exploits, Gentoo Hardened maintains a toolchain that
supports additional security-enhancing features like SSP, PIE and PIC.
Our focus is to enhance and maintain this toolchain and to help integrate
these security-enhancing patch sets within the upstream communities, so that the
benefits are available to all Linux users.
</p>
<p>
Yet the toolchain is not the only place where risks can be reduced. Specific
patch sets that enhance the security-related capabilities of Linux exist, such as
PAX, that help users mitigate the risk of successful exploitation of
vulnerabilities. Gentoo Hardened positions and integrates these patches in the
distribution.
</p>
<p class="secthead"><a name="doc_chap2_sect4">Access Control</a></p>
<p>
Although definitely not the only security component of a system, proper access
control is a prerequisite for a safer environment. Within Gentoo Hardened,
support for proper access control systems is important, and is reflected in our
choice to further develop SELinux, grSecurity, RSBAC and more.
</p>
<p class="secthead"><a name="doc_chap2_sect5">Architecture Support</a></p>
<p>
The current primary development activities take place within the popular and
commodity architectures x86 and amd64 (x86_64). Yet many other architectures
exist, especially within the server and embedded/mobile environments. These
architectures need to be properly supported as well.
</p>
<p class="secthead"><a name="doc_chap2_sect6">Staffing</a></p>
<p>
In order to sustain or even grow our research and development pace and keep
supporting operational tasks and help out users, the Gentoo Hardened team is
always looking for fresh blood. Users who take a proactive approach to finding
places for improvement and filling in the holes should and will be noticed and
probably recruited. Yet recruitment is not mandatory to help out our project.
The necessary resources are put in place to let contributors efficiently help
out the project.
</p>
<p class="chaphead"><a name="doc_chap3"></a><span class="chapnum">3.
</span>Documentation Goals and Milestones</p>
<p class="secthead"><a name="doc_chap3_sect1">Current State</a></p>
<p>
The Gentoo Hardened project is currently lagging behind a bit on documentation.
Recent upstaffing and contributions have helped, but we still need to
focus on the toolchain documentation (both toolchain-specific documentation
as well as documents that relate to the toolchain), such as SSP, PIE and PIC
information.
</p>
<p>
Also, comparative documents should be written to explain the choices that Gentoo
Hardened has made, such as tool selection.
</p>
<p class="secthead"><a name="doc_chap3_sect2">Goals and Milestones</a></p>
<table class="ntable">
<tr>
<td class="infohead"><b>Description</b></td>
<td class="infohead"><b>ETA</b></td>
<td class="infohead"><b>Status</b></td>
<td class="infohead"><b>Coordinator(s)</b></td>
<td class="infohead"><b>Related Bugs</b></td>
</tr>
<tr>
<td class="tableinfo">Document the Hardened Toolchain</td>
<td class="tableinfo"></td>
<td class="tableinfo">In Progress</td>
<td class="tableinfo">Zorry</td>
<td class="tableinfo"></td>
</tr>
<tr>
<td class="tableinfo">Comparative analysis of security approaches taken by distributions</td>
<td class="tableinfo"></td>
<td class="tableinfo">Unassigned</td>
<td class="tableinfo"></td>
<td class="tableinfo"></td>
</tr>
<tr>
<td class="tableinfo">Rework grSecurity documentation</td>
<td class="tableinfo"></td>
<td class="tableinfo">Unassigned</td>
<td class="tableinfo"></td>
<td class="tableinfo"></td>
</tr>
<tr>
<td class="tableinfo">Update/rewrite propolice documentation</td>
<td class="tableinfo"></td>
<td class="tableinfo">Unassigned</td>
<td class="tableinfo"></td>
<td class="tableinfo"></td>
</tr>
</table>
<p class="chaphead"><a name="doc_chap4"></a><span class="chapnum">4.
</span>Hardened Toolchain Goals and Milestones</p>
<p class="secthead"><a name="doc_chap4_sect1">Current State</a></p>
<p>
Our toolchain has seen a tremendous evolution so far. Some of the integrated
patches have been accepted upstream (like SSP), but the work can still be improved.
To allow changes to be pushed upstream more easily, we may need to improve
the ways in which the current implementation is strengthened, and work on the
areas of code that need clean-up.
</p>
<p>
Our next steps are to take a step backwards and examine the work that has been
done so far. We need to improve our existing documents, but also review the
packages available in the Portage tree and help out the package maintainers in
handling CFLAG filters for a hardened toolchain in a proper way.
</p>
<p class="secthead"><a name="doc_chap4_sect2">Goals and Milestones</a></p>
<table class="ntable">
<tr>
<td class="infohead"><b>Description</b></td>
<td class="infohead"><b>ETA</b></td>
<td class="infohead"><b>Status</b></td>
<td class="infohead"><b>Coordinator(s)</b></td>
<td class="infohead"><b>Related Bugs</b></td>
</tr>
<tr>
<td class="infohead" colspan="5" style="text-align:center"><b>Enhance documentation</b></td>
</tr>
<tr>
<td class="tableinfo">Document the toolchain feature set</td>
<td class="tableinfo"></td>
<td class="tableinfo">In progress</td>
<td class="tableinfo"></td>
<td class="tableinfo"></td>
</tr>
<tr>
<td class="tableinfo">Describe the grSecurity RBAC system</td>
<td class="tableinfo"></td>
<td class="tableinfo">Unassigned</td>
<td class="tableinfo"></td>
<td class="tableinfo"></td>
</tr>
<tr>
<td class="infohead" colspan="5" style="text-align:center"><b>Kernel development and maintenance</b></td>
</tr>
<tr>
<td class="tableinfo">Release hardened-sources-2.6.37</td>
<td class="tableinfo"></td>
<td class="tableinfo">Done</td>
<td class="tableinfo">blueness</td>
<td class="tableinfo"></td>
</tr>
</table>
<p class="chaphead"><a name="doc_chap5"></a><span class="chapnum">5.
</span>grSecurity Goals and Milestones</p>
<p class="secthead"><a name="doc_chap5_sect1">Current State</a></p>
<p>
grSecurity is well integrated within Gentoo Hardened (patch- and software-wise
as well as knowledge-wise). However, the documentation is lagging behind a lot and
is in need of attention.
</p>
<p class="secthead"><a name="doc_chap5_sect2">Goals and Milestones</a></p>
<table class="ntable">
<tr>
<td class="infohead"><b>Description</b></td>
<td class="infohead"><b>ETA</b></td>
<td class="infohead"><b>Status</b></td>
<td class="infohead"><b>Coordinator(s)</b></td>
<td class="infohead"><b>Related Bugs</b></td>
</tr>
<tr>
<td class="tableinfo">
The existing grSecurity2 document needs to be converted to Handbook XML
</td>
<td class="tableinfo"></td>
<td class="tableinfo">Unassigned</td>
<td class="tableinfo"></td>
<td class="tableinfo"></td>
</tr>
<tr>
<td class="tableinfo">
The features of PAX and grSecurity need to be described and documented
</td>
<td class="tableinfo"></td>
<td class="tableinfo">Unassigned</td>
<td class="tableinfo"></td>
<td class="tableinfo"></td>
</tr>
<tr>
<td class="tableinfo">
The RBAC system needs to be covered in much more detail in the documentation
</td>
<td class="tableinfo"></td>
<td class="tableinfo">Unassigned</td>
<td class="tableinfo"></td>
<td class="tableinfo"></td>
</tr>
</table>
<p class="chaphead"><a name="doc_chap6"></a><span class="chapnum">6.
</span>SELinux Goals and Milestones</p>
<p class="secthead"><a name="doc_chap6_sect1">Current State</a></p>
<p>
The Gentoo Hardened SELinux state is up to date and fully supported (except
MLS, which is considered experimental). The documentation is being updated as
the state evolves, but can still improve. The primary focus now is on the quality
of the packages and improved support for MCS.
</p>
<p class="secthead"><a name="doc_chap6_sect2">Goals and Milestones</a></p>
<table class="ntable">
<tr>
<td class="infohead"><b>Description</b></td>
<td class="infohead"><b>ETA</b></td>
<td class="infohead"><b>Status</b></td>
<td class="infohead"><b>Coordinator(s)</b></td>
<td class="infohead"><b>Related Bugs</b></td>
</tr>
<tr>
<td class="tableinfo">Stabilize the userland tools and libraries</td>
<td class="tableinfo">2011-05-24</td>
<td class="tableinfo">Done</td>
<td class="tableinfo">blueness, SwifT</td>
<td class="tableinfo"></td>
</tr>
<tr>
<td class="tableinfo">
Stabilize the ~arch SELinux policies based on 2.20101213 upstream branch
</td>
<td class="tableinfo">2011-06-07</td>
<td class="tableinfo">Done</td>
<td class="tableinfo">blueness, SwifT</td>
<td class="tableinfo"></td>
</tr>
<tr>
<td class="tableinfo">Improve QA on SELinux packages (e.g. migrate patch bundles away from filesdir)</td>
<td class="tableinfo">2011-07-18</td>
<td class="tableinfo">Done</td>
<td class="tableinfo">blueness, SwifT</td>
<td class="tableinfo"></td>
</tr>
<tr>
<td class="tableinfo">Stabilize the new SELinux profile structure</td>
<td class="tableinfo">2011-08-01</td>
<td class="tableinfo">In progress</td>
<td class="tableinfo">blueness, SwifT</td>
<td class="tableinfo"><a href="https://bugs.gentoo.org/365483">#365483</a></td>
</tr>
<tr>
<td class="tableinfo">Add support for MCS (driver is virtualization)</td>
<td class="tableinfo">2011-08-15</td>
<td class="tableinfo">Done</td>
<td class="tableinfo">SwifT</td>
<td class="tableinfo"></td>
</tr>
</table>
<br><br>
</td>
<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
<tr><td class="topsep" align="center"><p class="alttext">Updated July 21, 2011</p></td></tr>
<tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b>
A roadmap that plots current needs and goals of the
Hardened Gentoo project.
</p></td></tr>
<tr><td align="left" class="topsep"><p class="alttext">
Adam Mondl
<br><i>Author</i><br><br>
Rob Holland
<br><i>Editor</i><br><br>
<a href="mailto:solar@gentoo.org" class="altlink"><b>Ned Ludd</b></a>
<br><i>Contributor</i><br><br>
<a href="mailto:pebenito@gentoo.org" class="altlink"><b>Chris PeBenito</b></a>
<br><i>Contributor</i><br><br>
<a href="mailto:method@manicmethod.com" class="altlink"><b>Joshua Brindle</b></a>
<br><i>Contributor</i><br><br>
<a href="mailto:kang@insecure.ws" class="altlink"><b>Guillaume Destuynder</b></a>
<br><i>Contributor</i><br><br>
<a href="mailto:pappy@retired" class="altlink"><b>Alexander Gabert</b></a>
<br><i>Contributor</i><br><br>
<a href="mailto:tseng@retired" class="altlink"><b>Brandon Hale</b></a>
<br><i>Contributor</i><br><br>
<a href="mailto:klondike@xiscosoft.es" class="altlink"><b>klondike</b></a>
<br><i>Contributor</i><br><br>
<a href="mailto:zorry@gentoo.org" class="altlink"><b>Magnus Granberg</b></a>
<br><i>Contributor</i><br><br>
<a href="mailto:blueness@gentoo.org" class="altlink"><b>Anthony G. Basile</b></a>
<br><i>Contributor</i><br><br>
<a href="mailto:sven.vermeulen@siphos.be" class="altlink"><b>Sven Vermeulen</b></a>
<br><i>Contributor</i><br></p></td></tr>
</table></td>
</tr></table></td></tr>
<tr><td colspan="2" align="right" class="infohead">
Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
</td></tr>
</table></body>
</html>