
Oleksiy V. Khilkevich wrote:
It's a very, very nice thing. I have thought a couple of times about making a modified version of CRUX like Gentoo Hardened or similar [1]. However, the fact is that I'm fully satisfied with the current mainstream CRUX. So I'd prefer not to move fast this way. It already suits my needs best among all that distro zoo, and all the rest I can do by myself :). This is the way I like it.
In the past few months, I've started using Crux 2.2 with a *lot* of custom packages on some production servers. It's working really well, so far, and we've been developing some tools to make installations and configurations easier. It's a lot of work to get the custom packages done the way that we need them, but it's the kind of work that you only have to do once (go Crux!). I think that there might be some overlap between your goals of hardening the default installation and some of our tweaks. Some of the significant changes:

- swapping out sysklogd for syslog-ng;
- installing user/group accounts for daemons that can run with reduced privileges, and using them;
- beefing up init scripts to handle chrooting more easily;
- lots and lots of configuration changes to make various daemons more "crux-ish" in their behavior and file placement;
- extensive post-install scripts to create ready-to-go setups.

Some of these changes support each other: using daemon accounts wherever possible makes chrooting much more effective (a root process on Linux can break out of a chroot jail, unfortunately), and having everything work through syslog-ng makes the chroot setups easier to manage.

I have also considered implementing:

- a lot of the additions from the Hardened LFS project, which I believe overlaps heavily with hardened Gentoo;
- PAM support, which I believe has made it into the latest Crux64.

These last two are waiting on free time, which is in short supply. Anyway, we don't have a package repository set up, yet, but I'm thinking of publishing one along with the documentation describing what we're doing with Crux. If anyone is interested, please let me know, and I'll notify the list when it goes live.

-Ryan
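The chroot-plus-daemon-account setup described above, as an added example that is not from the thread, from Ryan's tools or from CRUX itself: a CRUX-style /etc/rc.d script (daemon name, jail path and account names are hypothetical placeholders) that refuses to start unless the jail root is owned by the expected uid and is not group- or world-writable, then uses GNU coreutils chroot's --userspec so the daemon never runs as root inside the jail.

```shell
#!/bin/sh
# Added example, not CRUX's or the poster's own script. All names below
# (exampled, /var/jail/exampled, the exampled account) are hypothetical.
DAEMON=/usr/sbin/exampled        # path as seen from inside the jail
JAIL=/var/jail/exampled
DUSER=exampled
DGROUP=exampled
PIDFILE=/var/run/exampled.pid

# jail_sane DIR [OWNER_UID]: return 0 only if DIR exists, is owned by
# OWNER_UID (default 0 = root) and has neither g+w nor o+w set. A jail
# root the daemon account can write to undermines the whole setup.
jail_sane() {
    dir=$1; want=${2:-0}
    [ -d "$dir" ] || return 1
    set -- $(ls -ldn "$dir")          # $1 = perms, $3 = numeric owner uid
    perms=$1; uid=$3
    [ "$uid" = "$want" ] || return 1
    gw=$(printf '%s' "$perms" | cut -c6)   # group write bit
    ow=$(printf '%s' "$perms" | cut -c9)   # other write bit
    [ "$gw" != w ] && [ "$ow" != w ]
}

start() {
    jail_sane "$JAIL" || { echo "$JAIL is not a safe chroot root"; exit 1; }
    # --userspec switches to the daemon account before exec, so no root
    # process ever runs inside the jail (root can break out of a chroot).
    /usr/sbin/chroot --userspec="$DUSER:$DGROUP" "$JAIL" "$DAEMON" &
    echo $! > "$PIDFILE"
}

stop() {
    [ -f "$PIDFILE" ] && kill "$(cat "$PIDFILE")" && rm -f "$PIDFILE"
}

case $1 in
    start)   start ;;
    stop)    stop ;;
    restart) stop; start ;;
    *)       echo "usage: $0 [start|stop|restart]" ;;
esac
```

Logging from inside the jail still needs a syslog-ng unix socket bound under $JAIL/dev, which is the syslog-ng side of the setup the post mentions.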