Copyright (c) 2004-2007 HLFS Development Team
– Who willed you? or whose will stands but mine?
There's none protector of the realm but I.
Break up the gates, I'll be your warrantize.
Shall I be flouted thus by dunghill grooms?
(Gloucester - 1593)
What noise is this? what traitors have we here?
(Woodvile's response)
This is HLFS-unstable featuring:
uClibc: http://www.uclibc.org/
Stack Smashing Protector. This is now part of GCC-4.1+: http://www.trl.ibm.com/projects/security/ssp/
Grsecurity: http://www.grsecurity.net/
Frandom/Erandom device drivers: http://frandom.sourceforge.net/
GCC PIE patch. This is now part of gcc-3.4+: http://gcc.gnu.org/ml/gcc-patches/2003-06/msg00140.html
Binutils PIE patch. This is now part of binutils-2.15+ and is utilized by Glibc and uClibc: http://sources.redhat.com/ml/binutils/2003-05/msg00832.html
Binutils Non-lazy Runtime Binding. This is part of Binutils and is utilized by Glibc and uClibc: 'man 1 ld'
Binutils Relocation Read-only patch. This is now part of Binutils and is utilized by Glibc and uClibc: http://sources.redhat.com/ml/binutils/2004-01/msg00070.html
FORTIFY_SOURCE runtime buffer overflow protection: http://gcc.gnu.org/ml/gcc-patches/2004-09/msg02055.html
Heap Consistency Checking in Glibc: http://www.gnu.org/software/libc/manual/html_node/Heap-Consistency-Checking.html
strlcpy() strlcat() C library functions: http://www.courtesan.com/todd/papers/strlcpy.html
Mudflap GCC debugging library: http://gcc.gnu.org/wiki/Mudflap_Pointer_Debugging
Owl Linux temporary-file hardening: http://www.openwall.com/Owl/
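To confirm that a binary built with this toolchain carries the PIE, non-lazy binding and read-only relocation features listed above, its ELF headers can be inspected directly. The following is an added example, not part of the HLFS book: it handles only little-endian ELF32 (the book targets i386), treats ET_DYN plus PT_INTERP as PIE, and the function names and sample images are constructed for illustration.

```python
import struct

ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_INTERP, PT_GNU_RELRO = 2, 3, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

def check_elf32(data):
    """Report PIE, RELRO and non-lazy binding for a little-endian ELF32 image."""
    if data[:6] != b"\x7fELF\x01\x01":
        raise ValueError("not a little-endian ELF32 file")
    (e_type,) = struct.unpack_from("<H", data, 16)
    (e_phoff,) = struct.unpack_from("<I", data, 28)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 42)
    interp = relro = bind_now = False
    for i in range(e_phnum):
        p_type, p_offset, _, _, p_filesz, _, _, _ = struct.unpack_from(
            "<8I", data, e_phoff + i * e_phentsize)
        if p_type == PT_INTERP:
            interp = True
        elif p_type == PT_GNU_RELRO:        # emitted by ld -z relro
            relro = True
        elif p_type == PT_DYNAMIC:          # walk .dynamic for ld -z now markers
            for off in range(p_offset, p_offset + p_filesz, 8):
                tag, val = struct.unpack_from("<II", data, off)
                if tag == DT_NULL:
                    break
                if (tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW)
                        or (tag == DT_FLAGS_1 and val & DF_1_NOW)):
                    bind_now = True
    # Heuristic: a PIE is an ET_DYN object that requests an interpreter.
    return {"pie": e_type == ET_DYN and interp, "relro": relro, "bind_now": bind_now}

def build_sample(e_type, phdr_types, dyn):
    """Constructed headers-only ELF32 image for the demo; it is not loadable."""
    dyn_blob = b"".join(struct.pack("<II", t, v) for t, v in dyn + [(DT_NULL, 0)])
    phdrs = [(t, 0, 0) for t in phdr_types]
    phdrs.append((PT_DYNAMIC, 52 + 32 * (len(phdrs) + 1), len(dyn_blob)))
    ehdr = struct.pack("<16sHHIIIIIHHHHHH", b"\x7fELF\x01\x01\x01", e_type, 3, 1,
                       0, 52, 0, 0, 52, 32, len(phdrs), 0, 0, 0)
    ph = b"".join(struct.pack("<8I", t, off, 0, 0, size, size, 4, 4)
                  for t, off, size in phdrs)
    return ehdr + ph + dyn_blob

HARDENED = build_sample(ET_DYN, [PT_INTERP, PT_GNU_RELRO], [(DT_FLAGS, DF_BIND_NOW)])
LEGACY = build_sample(ET_EXEC, [PT_INTERP], [])

if __name__ == "__main__":
    for name, image in (("hardened", HARDENED), ("legacy", LEGACY)):
        print(name, check_elf32(image))
```

A RELRO segment without non-lazy binding leaves the PLT's GOT entries writable, so both results should be true on a fully hardened binary.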
Recent LFS-stable (6.*), or HLFS-0.1+, are the prerequisite for the host system. Other systems may work but are not supported.
UTF-8 compatibility is not yet implemented. Notes in the BLFS book regarding UTF-8 workarounds will generally not apply to HLFS systems. Anyone seeking to implement LFS-based UTF-8 compatibility, especially with the uClibc version of HLFS, should subscribe to mailto:hlfs-dev AT linuxfromscratch D0T org.
See chapter02 for descriptions of the Stack Smashing Protector and Position Independent Executables.
The instructions in this book only work for i386 so far, and were tested on an LFS host system.
This book assumes you already have experience with Linux From Scratch and are comfortable using it.
This book may be broken in some places, but less broken than before. The Glibc-2.6 book works; the rest need a bit more work. Be warned that the stability is unknown. Please report bugs to http://wiki.linuxfromscratch.org/hlfs/, and/or send comments and questions to: mailto:hlfs-dev AT linuxfromscratch D0T org.