On Fri, 09 Jun 2006 09:31:15 +0300 "Oleksiy V. Khilkevich" <grim@asu.ntu-kpi.kiev.ua> wrote:
Ryan B. Lynch wrote:
I think that there might be some overlap between your goals of hardening the default installation and some of our tweaks. Some of the significant changes:
- swapping out sysklogd for syslog-ng;
- installing user/group accounts for daemons that can run with reduced privileges, and using them;
- lots and lots of configuration changes to make various daemons more "crux-ish" in their behavior and file placement;
- extensive post-install scripts to create ready-to-go setups;
Regarding user accounts - I think it is possible not to branch tons of ports just in order to add post-install scripts. Maybe some sort of 'hardening' script for every port is enough. Say, add a user and change the configuration file as needed. The changes should be very transparent to the end-users in order to give them the choice :). Besides, we can make such scripts interactive where needed. This way hardening will be an optional step for normal CRUX.
I have some semi-unified, not-so-dumb post-install scripts adding additional users for some ports. As far as I can remember, Mark Rosenstand wanted to unify post-install stuff. Seems to be a good place to start: for example, provide a port containing several useful bash functions, define a few variables and allow port maintainers to source them from post-install...
As for making the behaviour of daemons more crux-ish - I didn't fully get the point. Do you mean some sort of file system hierarchy recommendation?
And adding some simple checks like pid-file presence, and avoiding complex stuff?
I have also considered implementing:
- a lot of the additions from the Hardened LFS project, which I believe overlaps heavily with hardened Gentoo;
- PAM support, which I believe has made it into the latest Crux64;
I hope it was not PAM that killed it (http://crux.danm.de/).
That's a must, I think. For server-grade CRUX, PAM brings a lot of flexibility.
Anyway, we don't have a package repository set up, yet, but I'm thinking of publishing one along with the documentation describing what we're doing with Crux. If anyone is interested, please let me know, and I'll notify the list when it goes live.
Would be great to participate.
I'd like to make something useful too.
--
Mikhail Kolesnik
ICQ: 260259143
IRC: mike_k at freenode/#crux, rusnet/#yalta
Jabber: mike_k@jabber.lafox.net
NIC handle: MKK83-UANIC
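As an added illustration of the "sourceable helper functions for post-install" idea discussed above (example code, not from this thread or from any CRUX port), here is a small POSIX sh file a port's post-install could source. It assumes shadow-utils `useradd`/`groupadd` and a `/sbin/nologin` shell; the function names are hypothetical.

```shell
#!/bin/sh
# Hypothetical helper library for CRUX post-install scripts (added example).
# Source it from a port's post-install, then call the functions below.

# Create a locked, shell-less system account for a daemon unless it already
# exists, so the script stays idempotent across re-installs.
# Usage: ensure_daemon_user NAME [HOME]   (HOME defaults to /var/empty)
ensure_daemon_user() {
    name=$1
    home=${2:-/var/empty}
    if id "$name" >/dev/null 2>&1; then
        return 0                          # already present: nothing to do
    fi
    # Group first, so the user can be created with a dedicated primary group.
    getent group "$name" >/dev/null 2>&1 || groupadd -r "$name" || return 1
    # -r: system account; no password is set, so the account is locked.
    useradd -r -g "$name" -d "$home" -s /sbin/nologin "$name"
}

# Simple pid-file check for a daemon, as mentioned in the thread.
# Returns 0 if the recorded pid is a live process, 1 if the pidfile is
# absent or stale, 2 if its contents are not a pid at all.
# Usage: pidfile_status /var/run/foo.pid
pidfile_status() {
    pidfile=$1
    [ -r "$pidfile" ] || return 1
    pid=$(head -n 1 "$pidfile" | tr -d '[:space:]')
    case $pid in
        ''|*[!0-9]*) return 2 ;;          # empty or non-numeric: malformed
    esac
    # kill -0 fails with EPERM for other users' processes, so also accept
    # a /proc entry as proof of life on Linux.
    if kill -0 "$pid" 2>/dev/null || [ -d "/proc/$pid" ]; then
        return 0
    fi
    return 1                              # stale pidfile: process is gone
}
```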