Within Gentoo Linux, the Gentoo Hardened project wants to be a shepherd for all security oriented projects. The project wants to make Gentoo viable for highly secure, high stability production environments.

In order to succesfully strive towards our vision, Gentoo Hardened aims to provide subprojects that test, develop, enhance, implement and integrate specific security measures in Gentoo Linux. Although each of these projects has operational responsibilities (after all, the technologies that they support are used by users all around) they continue to research and develop, making Gentoo Linux even better than it is today.

The direction that each of these projects is heading towards is described in their roadmap, a combination of strategic directions and shorter term milestones. These roadmaps are combined in this very document, allowing users to get a general overview of where Gentoo Hardened is evolving towards.

Documentation is Gentoo Hardened's first asset that users come in contact with. It is important that Gentoo Hardened's documentation is well structured, easily accessible and correctly written. Although we currently focus on technically educated users and system administrators, this focus should not lower our responsibility of creating the necessary documents to guide new users in Gentoo Hardened's realms.

Users use a toolchain, a set of libraries and tools like compilers, linkers and more, to build their systems with. To fight potential vulnerabilities and future exploits, Gentoo Hardened maintains a toolchain that supports additional security-enhancing features like SSP, PIE and PIC. Our focus is to enhance and maintain this toolchain and help the integration of these security-enhancing patchsets within the upstream communities so that the benefits are available for all Linux users.

Yet toolchains are not the only method where risks can be reduced. Specific patch sets that enhance Linux' security-related capabilities exist, such as PAX, that help users mitigate the risk of succesful exploitation of vulnerabilities. Gentoo Hardened positions and integrates these patches in the distribution.

Although definitely not the only security component of a system, proper access control is a prerequisite for a safer environment. Within Gentoo Hardened, support of proper access control systems is important, and reflected in our choices of enhanced development of SELinux, grSecurity RSBAC and more.

The current primary development activities take place within the popular and commodity architectures x86 and amd64 (x86_64). Yet many other architectures exist, especially within the server and embedded/mobile environments. These architectures need to be properly supported as well.

In order to sustain or even grow our research and development pace and keep supporting operational tasks and help out users, the Gentoo Hardened team is always looking for fresh blood. Users who take a proactive approach to finding places for improvement and filling in the holes should and will be noticed and probably recruited. Yet recruitment is not mandatory to help out our project. The necessary resources are put in place to let contributors efficiently help out the project.

The Gentoo Hardened project is currently lagging behind a bit on documentation. Recent upstaffing and contributions have helped this out, but we still need to focus on the toolchain documentation (both toolchain-specific documentation as wel as documents that relate to the toolchain) such as SSP, PIE and PIC information.

Also, comparative documents should be written to explain the choices that Gentoo Hardened has made, such as tool selection.

Our toolchain so far has seen a tremendous evolution. Some of the integrated patches have been accepted upstream (like SSP), but work can still improve. To allow changes to be pushed upstream more easily, we might need improvements on the ways to strengthen the current implementation, and work on the areas of code that need clean-up.

Our next steps are to take a step backwards and examine the work that has been done so far. We need to improve our existing documents, but also review the packages available in the Portage tree and help out the package maintainers in handling CFLAG filters for a hardened toolchain in a proper way.

grSecurity is well integrated within Gentoo Hardened (patch- and software wise as well as knowledge). However, the documentation is lagging behind a lot and is in need for attention.

The Gentoo Hardened SELinux state is up to date and fully supported (except MLS which is considered experimental). The documentation is being updated as the state evolves, but can still improve. Primary focus now is on the quality of the packages and standard policies.