Packages and USE Flag selection
The primary consideration that goes into selecting packages is that TinHat is meant to provide a fully featured Desktop environment with all of the usual productivity software included.
In the attachments below, we give the output of the following commands, which should give a full account of what went into building both the i686 and amd64 releases.
equery list "*"
emerge -ep world
There is a complex trade-off between the services you provide and security. The following is an abridged list of the services provided:
- System services:
  - syslog-ng - system logger
  - cronie - periodic scheduling daemon
  - net.* - network services
  - bluetooth - bluetooth services
  - postfix - SMTP daemon
  - sshd - secure shell daemon
  - nfs - network file system services
  - mdadm - raid services (DEPRECATED 20110613)
  - lvm - logical volume management services
  - rsyncd - rsync daemon
  - samba - samba services
  - iptables / ip6tables - firewall services for IPv4 and IPv6
- Desktop services:
  - xdm - Gnome desktop manager
  - cupsd - printer daemon
  - alsasound - sound daemon
  - avahi-daemon / avahi-dnsconfd - discover Zeroconf services on a local network
Of these, the following are started at boot.
- net.* for lo and non-wireless NIC interfaces
Services that are not needed should not be started, to minimize the opportunities for exploitation. Note: starting some services, like cups, also starts avahi-daemon to discover LAN printers.
Note: the information on services is not up to date and will need to be modified to reflect the new changes...eventually. :)
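As an added example (not part of the TinHat page or project), the following POSIX shell audit parses `rc-update show` style output and lists every service enabled in some runlevel that is not one of the net.* services the page expects at boot. The sample output and the `eth` naming for wired interfaces are constructed assumptions.

```shell
#!/bin/sh
# Audit OpenRC runlevel assignments against the services expected at boot.
# Per the page, only net.lo and the wired NIC interfaces should be started;
# the "eth[0-9]+" naming for wired NICs is an assumption of this example.
ALLOWED_PATTERN='^net[.](lo|eth[0-9]+)$'

# Constructed sample of "rc-update show" output (service | runlevels).
# A blank right-hand side means the service is installed but not enabled.
SAMPLE_RC_UPDATE='
                 alsasound |      default
              avahi-daemon |      default
                 bluetooth |
                     cupsd |      default
                  net.eth0 |      default
                    net.lo |      boot
                   postfix |
                      sshd |      default
                 syslog-ng |      boot default
'

# Read rc-update output on stdin; print "service (runlevels)" for every
# service that is enabled but not on the allow-list.
# Real usage: rc-update show | audit_runlevels
audit_runlevels() {
    awk -v allowed="$ALLOWED_PATTERN" -F'|' '
        NF == 2 {
            svc = $1; gsub(/^[ \t]+|[ \t]+$/, "", svc)
            lv  = $2; gsub(/^[ \t]+|[ \t]+$/, "", lv)
            if (svc == "" || lv == "") next   # not assigned to any runlevel
            if (svc ~ allowed) next           # expected at boot
            print svc " (" lv ")"
        }'
}

# Run the audit over the constructed sample; non-zero exit when anything
# unexpected is enabled, so it can be used as a cron or CI check.
audit_sample() {
    unexpected=$(printf '%s\n' "$SAMPLE_RC_UPDATE" | audit_runlevels)
    [ -z "$unexpected" ] && return 0
    printf '%s\n' "$unexpected"
    return 1
}

audit_sample || echo "WARN: services enabled beyond the boot allow-list"
```

On the sample above, the audit reports alsasound, avahi-daemon, cupsd, sshd and syslog-ng, and stays silent about bluetooth and postfix because they are installed but not enabled.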
The kernel configuration is as extreme as the RAM usage. We employ a monolithic kernel with support for almost all hardware. (There are a few exceptions where we had concerns.) We chose a monolithic kernel to prevent LKMs from being inserted at runtime, which is a security risk. It does, however, result in a 7+ MB kernel. Nonetheless, we have not noticed any appreciable performance loss as a result.
GRSEC/PaX hardening is turned on. We enabled as many hardening features as possible without breaking the system, particularly the X server. This means we could not deny writes to /dev/kmem, /dev/mem, and /dev/port, or disable privileged I/O: doing so would close some serious security loopholes, but it breaks X.
The following information is for the latest release: