Hardened Lunar Linux

Kok, Auke sofar at foo-projects.org
Fri Mar 9 20:48:18 CET 2007


Dennis Veatch wrote:
> On Friday 09 March 2007 02:19:43 pm Jean Michel Bruenn wrote:
>> heh. forgotten to answer on something:
>>> 1) security reasons (better control of system by having knowledge and
>>> tools to gather status of modules installed (hardened/not hardened). In
>>> security enhanced system non-hardened modules are not welcome and
>>> probably sysadmin would like to scan installed modules list for the
>>> items not meeting this requirement (to find possible weaknesses/holes).
>>> Maybe download via https or secure ftp from secured server over encrypted
>>> connection would be another argument for separate moonbase-hd file.
>> Another thing (PERHAPS) could be, that we don't want every module in a
>> hardened moonbase. For example: Normal Moonbase is user friendly. Mostly
>> used for Desktop environments. A Hardened Moonbase wouldn't be as user
>> friendly as it now is. And it would be for ppl who want a secured system.
>> The Question is, is it possible to say a secured system is a server-system?
>> If yes - we wouldn't need xmms or audacity or ... you know what I mean.
>> some modules or packages are useless on a server-system. The Question is
>> should it be a moonbase with every module from the original moonbase, or
>> simply a moonbase for server users.
>>
>> cheers, jean
> 
> 2 Cent quip;
> 
> Do you really need a separate moonbase? Why not follow the same method sofar 
> used for x86_64 modules? Example;
> 
> BUILD.x86_64
> 
> And make them BUILD.hard (or whatever you want to call it.)

that is a possibility, but for now I would use modules with the same name and put 
them into zlocal, and set ZLOCAL_OVERRIDES to on.

this way you can have a zlocal/hardened folder and group them neatly, and 
provide a single tarball for people to drop in there.

lunar already made that extremely easy, so you should exploit it and get to the 
real work: make hardened modules where it is needed.

Auke

