Diff for /wikisrc/pkgsrc/hardening.mdwn between versions 1.21 and 1.22

version 1.21, 2017/09/07 11:32:21 version 1.22, 2017/11/05 23:07:27
Line 1 Line 1
 [[!meta title="Hardening pkgsrc"]]  [[!meta title="Hardening pkgsrc"]]
   
 A number of mechanisms are available in [pkgsrc](https://www.pkgsrc.org/) to  A number of mechanisms are available in
 improve the security of the resulting system. They can be enabled individually  [pkgsrc](https://www.pkgsrc.org/) to improve the security of the
 in `mk.conf`, and consist of:  resulting system. This page describes the mechanisms, and gives hints
   about detecting and fixing problems.
   
   # Mechanisms
   
   Mechanisms can be enabled individually in `mk.conf`, and are
   individually described below.  They are sorted by whether thery are
   enabled by default, and then by their ordering in mk/defaults/mk.conf.
   
   ## Enabled by default in the stable branch
   
 * `PKGSRC_MKPIE`: forces the creation of PIE (Position Independent  
   Executables) when supported on the current platform. This option is necessary  
   to fully leverage ASLR as a mitigation for security vulnerabilities.  
 * `PKGSRC_USE_FORTIFY`: allows substitute wrappers to be used for commonly used  * `PKGSRC_USE_FORTIFY`: allows substitute wrappers to be used for commonly used
   functions that do not bounds checking regularly - but could in some cases    functions that do not bounds checking regularly - but could in some cases
   (enabled by default since pkgsrc-2017Q3)    (enabled by default since pkgsrc-2017Q3)
   
   * 'PKGSRC_USE_SSP`: enables a stack-smashing protection mitigation (enabled
     by default where known supported since pkgsrc-2017Q3)
   
   ## Enabled by default in pkgsrc HEAD
   
   ## Not enabled by default
   
   * `PKGSRC_MKPIE`: forces the creation of PIE (Position Independent
     Executables) when supported on the current platform.  With PIE
     executables, a platform that supports ASLR will be able to randomize
     the process layout.
   
 * `PKGSRC_USE_RELRO`: this also makes the exploitation of some security  * `PKGSRC_USE_RELRO`: this also makes the exploitation of some security
   vulnerabilities more difficult in some cases.    vulnerabilities more difficult in some cases.
 * `PKGSRC_USE_SSP`: enables a stack-smashing protection mitigation (enabled  
   by default where known supported since pkgsrc-2017Q3)  
 * `PKGSRC_USE_STACK_CHECK`: uses `-fstack-check` with GCC for another stack  * `PKGSRC_USE_STACK_CHECK`: uses `-fstack-check` with GCC for another stack
   protection mitigation.    protection mitigation.
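Review bot: The new `PKGSRC_USE_SSP` bullet under "Enabled by default in the stable branch" opens its inline code with an apostrophe and closes it with a backtick ('PKGSRC_USE_SSP`), so the option name will not render as code; use a backtick on both sides. In the same hunk, "thery" in the Mechanisms introduction should be "they". The heading "## Enabled by default in pkgsrc HEAD" is added with nothing under it, so either list the options that belong there or state that there are none at present. The rewritten `PKGSRC_MKPIE` entry moves to "Not enabled by default" and drops the earlier statement that the option is necessary to fully leverage ASLR; consider keeping that point, since the new sentence only says a platform supporting ASLR "will be able to randomize the process layout" and no longer tells the reader that PIE is the prerequisite.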
   
