On Fri, Mar 29, 2013 at 10:08:37PM +0530, Dhiru Kholia wrote:
Hi,
This proposal was originally at https://fedorahosted.org/fesco/ticket/1104
(mitr asked me to move the discussion to fedora-devel to get more attention and feedback)
...
http://fedoraproject.org/wiki/Hardened_Packages page mentions that "FESCo requires some packages to use PIE and relro hardening by default."
It would be great if this list could be expanded to include even more packages which are at comparatively more risk of being exploited (locally or remotely).
Such packages will typically include various system daemons, network daemons and network enabled applications.
Qemu is surely a good candidate for this. Although it's not network- accessible, it is accessible from the guests that it runs via its huge and ill-specified surface of emulated devices.
- Hardening flags should be turned on (by default) for all packages
which are at comparatively more risk of being exploited or which meet some well-defined criteria (suggestions welcome).
Is there somewhere which describes what to do / what flags to enable?
Rich.