From Annvix
2.1 Roadmap
This page is a scratchboard of ideas for 2.1-CURRENT that we should aim to accomplish for this release. For now this is an un-ordered list; we can assign priorities later.
- provide better documentation on the website (styled like a user's guide manual)
- drop RSBAC and integrate grsec instead (this might require a kernel upgrade, however)
- provide default AppArmor policies and make AppArmor installed per default
- packages provide their own AppArmor policies as configuration files?
- drop openswan kernel patches (investigate something simpler like openvpn as a viable alternative to ipsec; as well, doesn't the 2.6 kernel have it's own ipsec support? do we even still need openswan?)
- audit packages to remove useless/frivolous patches
- apply more hardening patches... many visits to the openwall CVS for this
- possibly re-write srv to use sv to do the heavy lifting
- re-do or drop dependency handling -- right now it's iffy at best
- enable logfile reporting as part of rsec -- use swatch for this?
- make sure config files in /etc/ (i.e. /etc/init.d, /etc/sysconfig/*, etc.) are appropriately owned (root:admin, 0640, etc.)
- make builder optionally sign rpm packages it produces
- make builder maintain a cache of old packages (that can be cleaned), but keep only newly built packages in the repository (i.e. if joe exists and a user creates joe again, both joe packages aren't in the repository) -- make cache cleaning with a certain threshold (i.e. delete packages in the cache older than xx days)
- make builder's home /var/builder instead of /usr/local/ports
- evaluate default-created user accounts; some may not be required and are legacy Mandrake: i.e. adm, lp, sync, shutdown, halt, news, operator (as per tim scott)
- harden mount flags, i.e. /proc could be mounted nosuid, and so could /dev/pts I think
- double-check pam_limits settings
- verify there is no mysql "anonymous" account
- drop the mysql test databases
- PaX support? (might get this "free" when we use grsec)
