On Sun, Dec 11, 2011 at 3:30 PM, Kevin Chadwick <ma1l1ists@yahoo.co.uk> wrote:
On Sun, 11 Dec 2011 10:18:51 +0000
Sven Vermeulen wrote:

> Also consider hardening your system settings-wise. I would appreciate if you
> take a look at
> http://dev.gentoo.org/~swift/docs/previews/oval/gentoo-xccdf-guide.html.
> With the instructions given, you can even have your system validated (as far
> as possible) automatically.

I was expecting to find here what one distro uses which is binary
signature checking upon execution.

Another thing that I try to do as a better method of TPE which is a
breeze on OpenBSD and sometimes I find myself working against Linux
developers¹ is to make it so that any writeable area of the filesystem
is mounted noexec and mounts have the least priviledges required.

If don't mind my asking, what is it that OpenBSD does differently than the Linux distros that make it so much easier? Do they actually follow the security practices you mentioned in the bug report?

 

¹ "https://bugs.launchpad.net/ubuntu/+source/udisks/+bug/880965"
set as won't fix and also e.g. apt-get expecting /tmp exec.


Thanks, 
Matt

--
Matthew Finkel