Gentoo Logo

Gentoo Hardened Roadmap

Content:

1.  Vision

Within Gentoo Linux, the Gentoo Hardened project wants to be a shepherd for all security oriented projects. The project wants to make Gentoo viable for highly secure, high stability production environments.

2.  Strategy

Introduction

In order to succesfully strive towards our vision, Gentoo Hardened aims to provide subprojects that test, develop, enhance, implement and integrate specific security measures in Gentoo Linux. Although each of these projects has operational responsibilities (after all, the technologies that they support are used by users all around) they continue to research and develop, making Gentoo Linux even better than it is today.

The direction that each of these projects is heading towards is described in their roadmap, a combination of strategic directions and shorter term milestones. These roadmaps are combined in this very document, allowing users to get a general overview of where Gentoo Hardened is evolving towards.

Documentation

Documentation is Gentoo Hardened's first asset that users come in contact with. It is important that Gentoo Hardened's documentation is well structured, easily accessible and correctly written. Although we currently focus on technically educated users and system administrators, this focus should not lower our responsibility of creating the necessary documents to guide new users in Gentoo Hardened's realms.

Vulnerability Mitigation

Users use a toolchain, a set of libraries and tools like compilers, linkers and more, to build their systems with. To fight potential vulnerabilities and future exploits, Gentoo Hardened maintains a toolchain that supports additional security-enhancing features like SSP, PIE and PIC. Our focus is to enhance and maintain this toolchain and help the integration of these security-enhancing patchsets within the upstream communities so that the benefits are available for all Linux users.

Yet toolchains are not the only method where risks can be reduced. Specific patch sets that enhance Linux' security-related capabilities exist, such as PAX, that help users mitigate the risk of succesful exploitation of vulnerabilities. Gentoo Hardened positions and integrates these patches in the distribution.

Access Control

Although definitely not the only security component of a system, proper access control is a prerequisite for a safer environment. Within Gentoo Hardened, support of proper access control systems is important, and reflected in our choices of enhanced development of SELinux, grSecurity RSBAC and more.

Architecture Support

The current primary development activities take place within the popular and commodity architectures x86 and amd64 (x86_64). Yet many other architectures exist, especially within the server and embedded/mobile environments. These architectures need to be properly supported as well.

Staffing

In order to sustain or even grow our research and development pace and keep supporting operational tasks and help out users, the Gentoo Hardened team is always looking for fresh blood. Users who take a proactive approach to finding places for improvement and filling in the holes should and will be noticed and probably recruited. Yet recruitment is not mandatory to help out our project. The necessary resources are put in place to let contributors efficiently help out the project.

3.  Documentation Goals and Milestones

Current State

The Gentoo Hardened project is currently lagging behind a bit on documentation. Recent upstaffing and contributions have helped this out, but we still need to focus on the toolchain documentation (both toolchain-specific documentation as wel as documents that relate to the toolchain) such as SSP, PIE and PIC information.

Also, comparative documents should be written to explain the choices that Gentoo Hardened has made, such as tool selection.

Goals and Milestones

Description ETA Status Coordinator(s) Related Bugs
Document the Hardened Toolchain In Progress Zorry
Comparative analysis of security approaches taken by distributions Unassigned
Rework grSecurity documentation Unassigned
Update/rewrite propolice documentation Unassigned

4.  Hardened Toolchain Goals and Milestones

Current State

Our toolchain so far has seen a tremendous evolution. Some of the integrated patches have been accepted upstream (like SSP), but work can still improve. To allow changes to be pushed upstream more easily, we might need improvements on the ways to strengthen the current implementation, and work on the areas of code that need clean-up.

Our next steps are to take a step backwards and examine the work that has been done so far. We need to improve our existing documents, but also review the packages available in the Portage tree and help out the package maintainers in handling CFLAG filters for a hardened toolchain in a proper way.

Goals and Milestones

Description ETA Status Coordinator(s) Related Bugs
Enhance documentation
Document the toolchain feature set In progress
Describe the grSecurity RBAC system Unassigned
Kernel development and maintenance
Release hardened-sources-2.6.37 Done blueness

5.  grSecurity Goals and Milestones

Current State

grSecurity is well integrated within Gentoo Hardened (patch- and software wise as well as knowledge). However, the documentation is lagging behind a lot and is in need for attention.

Goals and Milestones

Description ETA Status Coordinator(s) Related Bugs
the existing grSecurity2 document needs to be converted to Handbook XML Unassigned
the features of PAX and grSecurity need to be described and documented Unassigned
the RBAC system needs to be covered documentation-wise in much more detail Unassigned

6.  SELinux Goals and Milestones

Current State

The Gentoo Hardened SELinux state is up to date and fully supported (except MLS which is considered experimental). The documentation is being updated as the state evolves, but can still improve. Primary focus now is on the quality of the packages and standard policies.

Goals and Milestones

Description ETA Status Coordinator(s) Related Bugs
Have SELinux-enabled stage3 available on the mirrors 2012-06-31


Print

Page updated May 26, 2012

Summary: A roadmap that plots current needs and goals of the Hardened Gentoo project.

Adam Mondl
Author

Rob Holland
Editor

Ned Ludd
Contributor

Chris PeBenito
Contributor

Joshua Brindle
Contributor

Guillaume Destuynder
Contributor

Alexander Gabert
Contributor

Brandon Hale
Contributor

klondike
Contributor

Magnus Granberg
Contributor

Anthony G. Basile
Contributor

Sven Vermeulen
Contributor

Donate to support our development efforts.

Copyright 2001-2014 Gentoo Foundation, Inc. Questions, Comments? Contact us.