26.05.2014 - Monolith Linux Version 0.2 released.
Version 0.2 is aimed especially at small, secure Virtual Machines such as routers, firewalls, load balancers (LVS), VPN concentrators or other Virtual Machines where security plays a major role. You can also install it on Bare Metal systems, but virtualization plays an ever larger role in computer technology, and Bare Metal in my opinion is a waste of resources in times of "cheap" 48-core machines with terabytes of fast RAM.
All Security Features/Optimizations target the X86_64 architecture. It is based on Hardened Linux from Scratch (HLFS) and uses PaX/grsecurity with some additional Kernel Patches for Kernel Hardening. A Demo Template shipped with Monolith Linux contains a setup for a Citrix XenServer® VM. The documentation section shows in detail how to set up a working virtual XenServer® Monolith Linux Machine, including partitioning.
All Machine setup configurations can be stored in a template folder so that they can be placed under Version Control. Edit your config(s) in the specified folder and run the installation script with the domain and profile name (see the documentation for a detailed description). Key features of Version 0.2:
- Monolithic Kernel (Static Kernel Build without Kernel Module Support)
- PaX/grsecurity Kernel Hardening (see http://www.grsecurity.org)
- Ptrace Kernel functionality removed completely
- GCC Stack Smashing Protector (-fstack-protector-all)
- GLibC Fortify Source Protection
- Position Independent Executables for most Binary Files
- Linking with "-z,now" and "-z,relro"
- Linux Kernel 3.2.56
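The PIE, RELRO and "-z,now" entries above can be verified on the built binaries straight from the ELF headers. The script below is an added example (not part of Monolith Linux or HLFS): it parses the program headers and dynamic section of a little-endian ELF64 image and includes a constructed, header-only sample image for self-testing. Stack-protector and FORTIFY use would require the symbol table and are not covered.

```python
import struct

ET_EXEC, ET_DYN = 2, 3                              # e_type values
PT_DYNAMIC, PT_GNU_RELRO = 2, 0x6474E552            # program header types
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1                    # "-z now" markers

def check_hardening(img: bytes) -> dict:
    """Report PIE / RELRO / BIND_NOW state of a little-endian ELF64 image."""
    if img[:4] != b"\x7fELF" or img[4] != 2 or img[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    # e_type @16, e_phoff @32, e_phentsize @54, e_phnum @56 (ELF64 Ehdr layout)
    e_type, e_phoff, e_phentsize, e_phnum = struct.unpack_from("<H14xQ14xHH", img, 16)
    relro, dyn = False, None
    for i in range(e_phnum):
        # p_type @0, p_offset @8, p_filesz @32 inside each 56-byte Elf64_Phdr
        p_type, p_offset, p_filesz = struct.unpack_from(
            "<I4xQ16xQ", img, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_RELRO:
            relro = True                    # linker emitted a "-z relro" segment
        elif p_type == PT_DYNAMIC:
            dyn = (p_offset, p_filesz)
    bind_now = False
    if dyn:
        for off in range(dyn[0], dyn[0] + dyn[1], 16):   # Elf64_Dyn is 16 bytes
            d_tag, d_val = struct.unpack_from("<qQ", img, off)
            if d_tag == DT_NULL:
                break
            if d_tag == DT_BIND_NOW or (d_tag == DT_FLAGS and d_val & DF_BIND_NOW) \
                    or (d_tag == DT_FLAGS_1 and d_val & DF_1_NOW):
                bind_now = True             # all GOT entries resolved at load time
    return {
        # ET_DYN plus a dynamic segment is a PIE executable or a shared object;
        # GCC 4.7-era linkers do not set DF_1_PIE, so the two cannot be told apart here.
        "pie": e_type == ET_DYN and dyn is not None,
        "relro": "full" if relro and bind_now else "partial" if relro else "none",
        "bind_now": bind_now,
    }

def build_sample_elf(pie: bool, relro: bool, bind_now: bool) -> bytes:
    """Constructed minimal ELF64 image (headers only, not loadable) for testing."""
    dyn = struct.pack("<qQqQ", DT_FLAGS, DF_BIND_NOW if bind_now else 0, DT_NULL, 0)
    segs = [PT_DYNAMIC] + ([PT_GNU_RELRO] if relro else [])
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, 4, 0x100, 0x100, 0x100,
                                 len(dyn), len(dyn), 8) for t in segs)
    ehdr = b"\x7fELF\x02\x01\x01" + b"\0" * 9 + struct.pack(
        "<HHIQQQIHHHHHH", ET_DYN if pie else ET_EXEC, 62, 1, 0, 64, 0, 0,
        64, 56, len(segs), 64, 0, 0)
    img = ehdr + phdrs
    return img + b"\0" * (0x100 - len(img)) + dyn    # dynamic section at 0x100
```

To audit a real binary, pass the file contents to check_hardening, e.g. `check_hardening(open("/bin/ls", "rb").read())`.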
The System is completely built from Scratch (Source). GCC Version 4.7.3 was used for the build. Building with GCC Profiles has been "disabled" because of problems with individual sources (e.g. openssl). The compiler settings are therefore configured in every single build script; this is not the best approach for a generic setup, but it works.
XenServer® used for Virtualization: XenServer® 6.2, XenCenter® 6.2 on Intel Xeon(R) CPU E5-4610 0 @ 2.40GHz, 48 CPU cores with Hyperthreading.
On an apt-enabled system (e.g. Ubuntu 12.04), add the ubuntu-ppa-toolchain-restricted repository (for gcc-4.7 with the plugin development feature) to the apt sources:
deb http://ppa.launchpad.net/ubuntu-toolchain-r/test/ubuntu precise main
To install all needed packages (Ubuntu 12.04 Server is used in the example), install the following dpkg packages with apt-get install:
# apt-get install \
libncurses5 libncurses5-dev libncursesw5 libncursesw5-dev
Please feel free to contact us if you would like to contribute to the following or other subprojects:
- Lightweight Package Manager
- Xorg Integration
- Xorg Lightweight Window-Manager
- Porting YATE and OpenSIPS as secure VoIP Engines
- Porting to ARM Architecture
- Centralized Template Management including strong SmartCard Security