On Fri, Mar 29, 2013 at 10:08:37PM +0530, Dhiru Kholia wrote:
> Hi,
> This proposal was originally at
> https://fedorahosted.org/fesco/ticket/1104
> (mitr asked me to move the discussion to fedora-devel to get more
> attention and feedback)
...
> http://fedoraproject.org/wiki/Hardened_Packages page mentions
> that "FESCo requires some packages to use PIE and relro hardening by
> default."
> It would be great if this list could be expanded to include even more
> packages which are at comparatively more risk of being exploited (locally
> or remotely).
> Such packages will typically include various system daemons, network
> daemons and network enabled applications.

Qemu is surely a good candidate for this. Although it's not network-
accessible, it is accessible from the guests that it runs via its huge
and ill-specified surface of emulated devices.

> 1. Hardening flags should be turned on (by default) for all packages
> which are at comparatively more risk of being exploited or which meet
> some well-defined criteria (suggestions welcome).

Is there somewhere which describes what to do / what flags to enable?
Rich.
--
Richard Jones, Virtualization Group, Red Hat
http://people.redhat.com/~rjones
virt-top is 'top' for virtual machines. Tiny program with many
powerful monitoring features, net stats, disk stats, logging, etc.
http://people.redhat.com/~rjones/virt-top