
How to Build Your Own Linux Distribution

By Frank Pohlmann
2005-07-06


Hardened LFS

The final member of the LFS family addresses a particularly important aspect of source-based Linux: security. The common-sense approach to security for someone who does not intend to rely on patches delivered from the server of their Linux distribution of choice would be to track security advisories for selected core libraries and applications. For LFS implementers, the problem is somewhat different: it would be difficult, although not impossible, to audit the Linux kernel code, and perhaps a number of libraries and utilities central to the internal functioning of a Linux-based operating system.

Code audits are extremely time-consuming, and adding a large number of patches is advisable only if patch servers are maintained centrally by dedicated staff. It is, however, possible to replace some libraries with versions that have been rewritten from the ground up to reflect new approaches to security problems. A good example is making process identifiers extremely difficult to guess by allocating them randomly from a reasonably large random number pool. The OpenBSD project pioneered this method, which has since found its way into various UNIX flavors and Linux distributions.

A fairly new project known as Hardened Linux From Scratch (HLFS) takes this approach to security under Linux. The project, which presupposes a fairly decent grasp of LFS and some parts of BLFS, uses several utilities and libraries that do not tend to be standard in most Linux systems.

Possibly the most important addition to HLFS is the Stack-Smashing Protector (SSP), which you enable by using a gcc directive. SSP was developed to protect against stack-smashing attacks, which belong to one of the most common classes of security threats affecting Linux systems. Other security goodies include a first-class random number generator and the compilation of position-independent executables (PIE): code that would typically be turned into statically linked object code is instead built in the same way as a shared library, so that PIE binaries and libraries can hide their addresses by having them randomized. Of course, a large number of patches are available and can be sourced from the HLFS Web site.
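The canary mechanism that SSP adds is easiest to see in a small model. The following C program is an added example, not code from the article or from the HLFS project: it lays out a function frame as a struct (buffer, canary, return slot), copies constructed input into it with and without a bounds check, and reports whether the epilogue canary check would pass. The fixed canary value and the struct-based frame layout are simplifications assumed for the model; a real SSP build picks the canary at random and enables the check with gcc's -fstack-protector.

```c
/* Added example (not from the article): a user-level model of what gcc's
 * Stack-Smashing Protector (-fstack-protector) does in a protected function.
 * The compiler places a secret "canary" word between local buffers and the
 * saved return address and verifies it before returning, so an overflow that
 * reaches the return address must first corrupt the canary. */
#include <stdint.h>
#include <string.h>

/* Constructed frame layout: buffer, canary behind it, then the return slot. */
struct frame {
    char     buf[16];
    uint64_t canary;
    uint64_t saved_return;   /* stand-in for the real saved return address */
};

/* A real SSP canary is random per process; a fixed value keeps this model
 * reproducible. Its lowest byte is 0, as in glibc, so a C-string overflow
 * (which stops at NUL) cannot rewrite the canary with its own value. */
static const uint64_t CANARY = 0x5a1b7c3e9d42f100ULL;

/* Prologue: install the canary and a recognisable return slot. */
static void frame_init(struct frame *f) {
    memset(f->buf, 0, sizeof f->buf);
    f->canary = CANARY;
    f->saved_return = 0x4000;
}

/* The defect SSP guards against: len bytes copied into buf with no bounds
 * check. Writing through a byte pointer to the frame lets an oversized copy
 * spill into the canary and return slot, as it would on a real stack
 * (clamped to the struct size so the model itself stays well defined).
 * Returns 1 if the canary survived, 0 if SSP would abort the process. */
static int unsafe_copy(struct frame *f, const char *src, size_t len) {
    if (len > sizeof *f) len = sizeof *f;
    memcpy((unsigned char *)f, src, len);
    return f->canary == CANARY;
}

/* The corrected version: the copy is bounded by the buffer size. */
static int safe_copy(struct frame *f, const char *src, size_t len) {
    if (len > sizeof f->buf) len = sizeof f->buf;
    memcpy(f->buf, src, len);
    return f->canary == CANARY;
}

/* Driver: push len bytes of constructed input ('A's) through either copy
 * and report whether the canary survived (1) or was smashed (0). */
static int run_copy(int bounded, size_t len) {
    struct frame f;
    char input[32];
    memset(input, 'A', sizeof input);
    if (len > sizeof input) len = sizeof input;
    frame_init(&f);
    return bounded ? safe_copy(&f, input, len) : unsafe_copy(&f, input, len);
}
```

With the unbounded copy, any input longer than the 16-byte buffer overwrites the canary, and the check fails before the overwritten return slot could ever be used; with the bounded copy, the canary stays intact regardless of input length.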



Tutorial Pages:
» Go to the source to learn Linux basics and build the right Linux for you
» Why UNIX internals matter
» Linux From Scratch
» Beyond LFS
» Hardened LFS
» The growing LFS family
» Resources


First published by IBM DeveloperWorks

