Diffstat (limited to 'doc/book-enea-nfv-access-dev-hardening-guide/doc/metasecure_tools.xml')
-rw-r--r-- | doc/book-enea-nfv-access-dev-hardening-guide/doc/metasecure_tools.xml | 465 |
1 files changed, 0 insertions, 465 deletions
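--- a/doc/book-enea-nfv-access-dev-hardening-guide/doc/metasecure_tools.xml
+++ /dev/null
@@ -1,465 +0,0 @@
-<?xml version="1.0" encoding="ISO-8859-1"?>
-<chapter id="metasecure_tools">
-<title>Introduction to Meta-Security Layer Tools</title>
-
-<section id="summary">
-<title>Summary of tools supported in the Meta-Security layer</title>
-
-<informaltable>
-<tgroup cols="2">
-<tbody>
-<row>
-<entry>Afflib</entry>
-
-<entry>On-disk format for storing computer forensic
-information</entry>
-</row>
-
-<row>
-<entry>Aircrack-ng</entry>
-
-<entry>A set of tools for auditing wireless networks</entry>
-</row>
-
-<row>
-<entry>AppArmor</entry>
-
-<entry>A MAC control system</entry>
-</row>
-
-<row>
-<entry>Bastille</entry>
-
-<entry>Linux hardening tool</entry>
-</row>
-
-<row>
-<entry>Buck-security</entry>
-
-<entry>Linux security scanner</entry>
-</row>
-
-<row>
-<entry>TOMOYO</entry>
-
-<entry>A Mandatory Access Control (MAC) implementation for
-Linux</entry>
-</row>
-
-<row>
-<entry>checksec</entry>
-
-<entry>Program randominization</entry>
-</row>
-
-<row>
-<entry>checksecurity</entry>
-
-<entry>Basic system security checks</entry>
-</row>
-
-<row>
-<entry>ClamAV</entry>
-
-<entry>Anti-virus utility for command-line interface</entry>
-</row>
-
-<row>
-<entry>ecryptfs-utils</entry>
-
-<entry>The eCryptfs mount helper and support libraries</entry>
-</row>
-
-<row>
-<entry>freediameter</entry>
-
-<entry>Platform for deploying a Diameter network for
-Authentication, Authorization and Accounting.</entry>
-</row>
-
-<row>
-<entry>ISIC</entry>
-
-<entry>IP Stack Integrity Checker</entry>
-</row>
-
-<row>
-<entry>keynote</entry>
-
-<entry>Linux Key Management Utilities</entry>
-</row>
-
-<row>
-<entry>keyutils</entry>
-
-<entry>Linux Key Management Utilities</entry>
-</row>
-
-<row>
-<entry>libdhash</entry>
-
-<entry>Library of hashing algorithms</entry>
-</row>
-
-<row>
-<entry>libgssglue</entry>
-
-<entry>Exports a gssapi interface which calls other gssapi
-libraries</entry>
-</row>
-
-<row>
-<entry>libmhash</entry>
-
-<entry>Library of hashing algorithms</entry>
-</row>
-
-<row>
-<entry>Libmspack</entry>
-
-<entry>A library for Microsoft compression formats</entry>
-</row>
-
-<row>
-<entry>Libseccomp</entry>
-
-<entry>The libseccomp library provides an easy to use, platform
-independent, interface to the Linux Kernel's syscall filtering
-mechanism: seccomp.</entry>
-</row>
-
-<row>
-<entry>Nikto</entry>
-
-<entry>Web server scanner</entry>
-</row>
-
-<row>
-<entry>Nmap</entry>
-
-<entry>Network auditing tool</entry>
-</row>
-
-<row>
-<entry>Paxctl</entry>
-
-<entry>A tool that allows PaX flags to be modified on a per-binary
-basis</entry>
-</row>
-
-<row>
-<entry>redhat-security</entry>
-
-<entry>redhat security tools</entry>
-</row>
-
-<row>
-<entry>samhain</entry>
-
-<entry>Samhain is an integrity checker and host intrusion
-detection system that can be used on single hosts as well as large
-ones.</entry>
-</row>
-
-<row>
-<entry>Scapy</entry>
-
-<entry>Network scanning and manipulation tool</entry>
-</row>
-
-<row>
-<entry>Smack</entry>
-
-<entry>A simplified Mandatory Access Control</entry>
-</row>
-
-<row>
-<entry>sssd</entry>
-
-<entry>Selection of tools for developers working with
-Smack</entry>
-</row>
-
-<row>
-<entry>Suricata</entry>
-
-<entry>The Suricata Engine is an Open Source Next Generation
-Intrusion Detection and Prevention Engine</entry>
-</row>
-
-<row>
-<entry>Tripwire</entry>
-
-<entry>A system integrity assessment tool (IDS)</entry>
-</row>
-
-<row>
-<entry>xmlsec1</entry>
-
-<entry>XML Security Library is a C library based on
-LibXML2</entry>
-</row>
-</tbody>
-</tgroup>
-</informaltable>
-</section>
-
-<section id="run_tools">
-<title>How to configure, build and run the tools</title>
-
-<para>In order to use this layer, you need to make the build system aware
-of it. To do so, first clone the layer located at the address:
-http://git.enea.com/cgit/linux/meta-security.git, then add the following
-lines to the files below.</para>
-
-<itemizedlist>
-<listitem>
-<para>In <literal>bblayers.conf</literal>:</para>
-
-<para><programlisting>BBLAYERS ?= " \
-/path/to/oe-core/meta \
-/path/to/meta-openembedded/meta-oe \
-/path/to/meta-openembedded/meta-perl \
-/path/to/meta-openembedded/meta-gnome \
-/path/to/meta-openembedded/meta-xfce \
-/path/to/meta-openembedded/meta-python \
-/path/to/meta-openembedded/meta-networking \
-/path/to/layer/meta-security \</programlisting></para>
-</listitem>
-
-<listitem>
-<para>In <literal>local.conf</literal>:</para>
-
-<para><programlisting>IMAGE_INSTALL_append = "aircrack-ng buck-security checksecurity freediameter /
-keynote libgssglue libseccomp samhain-client samhain-server samhain-standalone /
-sssd xmlsec1 clamav keyutils libmhash nikto paxctl scapy suricata bastille /
-checksec ecryptfs-utils isic libmspack nmap redhat-security smack tripwire"</programlisting></para>
-</listitem>
-
-<listitem>
-<para><programlisting>poky/build $ bitbake enea-hardend-image-virtualization-host</programlisting></para>
-
-<remark>Need clarification here on a possible intro or specified
-action/file as noted above.</remark>
-</listitem>
-</itemizedlist>
-
-<section id="apparmor">
-<title>AppArmor</title>
-
-<para>AppArmor, like most other LSMs, supplements rather than replaces
-the default Discretionary Access Control (DAC). As such, it's impossible
-to grant a process more privileges than it had in the first place. When
-AppArmor is active for an application, the operating system allows the
-application to access only those files and folders that are mentioned in
-its security profile. Thus, with a well-planned security profile, even
-if the application is compromised during an attack, it won't be able to
-do much harm.</para>
-
-<para>Before compiling the kernel, set the following
-options:<programlisting>CONFIG_SECURITY_APPARMOR=y
-CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1
-CONFIG_DEFAULT_SECURITY_APPARMOR=y
-CONFIG_AUDIT=y</programlisting>Alternatively, instead of setting
-<literal>CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE</literal> and
-<literal>CONFIG_DEFAULT_SECURITY_APPARMOR</literal>, you can set the
-<ulink
-url="https://wiki.archlinux.org/index.php/Kernel_parameters">kernel boot
-parameters</ulink> in this manner: <literal>apparmor=1
-security=apparmor</literal>. For those new or altered variables to not
-get overridden, place them at the bottom of the config file or adjust
-the previous invocations accordingly.</para>
-
-<para>For further information see <ulink
-url="https://www.digitalocean.com/community/tutorials/how-to-create-an-apparmor-profile-for-nginx-on-ubuntu-14-04">https://www.digitalocean.com/community/tutorials/how-to-create-an-apparmor-profile-for-nginx-on-ubuntu-14-04</ulink>.</para>
-
-<para>To put the profile in enforce mode, use the
-<literal>aa-enforce</literal>:</para>
-
-<para><programlisting>sudo apparmor_status
-sudo aa-enforce nginx</programlisting>It is recommended that you reload all
-profiles and restart Nginx to be sure that the latest changes are in
-effect: <programlisting>sudo /etc/init.d/apparmor reload
-sudo service nginx restart</programlisting>Enable complain mode with the
-<literal>aa-complain</literal> command. It is recommended that you wait
-several days before running the <literal>aa-logprof</literal> command,
-to give the system time to log more common actions for the application
-if you are going to create a profile that will be used in production
-systems.</para>
-</section>
-
-<section id="isic">
-<title>ISIC - IP Stack Integrity Checker</title>
-
-<para><emphasis role="bold">ISIC</emphasis> is a suite of utilities
-meant to exercise the stability of an IP Stack and its component stacks
-(TCP, UDP, ICMP et. al.). It generates many pseudo-random packets of the
-target protocol, which are given tendancies to conform to. For example:
-50% of the packets generated can have IP Options, and 25% of the packets
-can be IP fragments, the percentages are arbitrary however, and most of
-the packet fields have a configurable tendancy. <programlisting>root@qemux86:~# esic -i eth0 -s 52:54:00:12:34:0A -p rand -m 5000</programlisting><remark>what
-does this programlisting detail exactly, is it an example or something
-more directly concrete?</remark></para>
-</section>
-
-<section id="nikto">
-<title>Nikto Web Vulnerability Scanner</title>
-
-<para>Nikto is a web vulnerability scanner, a security testing tool that
-scans web servers for vulnerabilities and other known issues.</para>
-</section>
-
-<section id="nmap">
-<title>Nmap Network Exploration Tool</title>
-
-<para>Nmap (Network Mapper), is an open source security scanner for
-network exploration and security auditing. It is used to discover hosts
-and services on a network, essentially creating a "map" of the network.
-Nmap sends specially crafted packets to the target host(s), then
-analyzes the responses.</para>
-
-<para>Nmap uses raw IP packets in novel ways to determine what hosts are
-available on the network, what services (application name and version)
-those hosts are offering, what operating systems (and OS versions) they
-are running, what type of packet filters/firewalls are in use, and
-dozens of other characteristics. While Nmap is commonly used for
-security audits, many systems and network administrators find it useful
-for routine tasks such as network inventory, managing service upgrade
-schedules, and monitoring host or service uptime. See a few examples of
-options to use below:</para>
-
-<para><programlisting>nmap -v -A scanme.nmap.org
-nmap -v -sn 192.168.0.0/16 10.0.0.0/8
-nmap -v -iR 10000 -Pn -p 80</programlisting>For more info see <ulink
-url="https://layers.openembedded.org/layerindex/branch/master/layer/meta-security/">https://layers.openembedded.org/layerindex/branch/master/layer/meta-security/</ulink>.</para>
-</section>
-
-<section id="paxctl">
-<title>Paxctl</title>
-
-<para>A tool that allows PaX flags to be modified on a per-binary basis.
-PaX provides various types of protection against abuses of memory, some
-of which can only be enabled or disabled by (re)configuring the kernel
-and recompiling/rebooting it.</para>
-
-<para>Several important types (PAGEEXEC, EMUTRAMP, MPROTECT, RANDMMAP
-and SEGMEXEC) can be tweaked when the system is up and running by
-marking the PaX flags on the ELF objects of the program you want to run.
-Since some programs need to use memory in a way normally forbidden by
-PaX, some restrictions may have to be relaxed on a per program basis.
-For more informations see: <ulink
-url="https://wiki.gentoo.org/wiki/Hardened/PaX_flag_migration_from_PT_PAX_to_XATTR_PAX">https://wiki.gentoo.org/wiki/Hardened/PaX_flag_migration_from_PT_PAX_to_XATTR_PAX</ulink>.</para>
-
-<para>Example:<programlisting>root #paxctl-ng -v /bin/*</programlisting></para>
-</section>
-
-<section id="samhin">
-<title>Samhin</title>
-
-<para><emphasis>Samhain</emphasis> is a host-based intrusion detection
-system (HIDS) which provides integrity checking and log file
-monitoring/analysis, as well as 4.1detection, port monitoring, detection
-of rogue SUID executables, and hidden processes. It's main features
-include:</para>
-
-<itemizedlist>
-<listitem>
-<para>Complete integrity check</para>
-
-<para>Uses cryptographic checksums of files to detect modifications.
-It can find rogue SUID executables anywhere on disk.</para>
-</listitem>
-
-<listitem>
-<para>Centralized monitoring</para>
-
-<para>Native support for logging to a central server via encrypted
-and authenticated connections.</para>
-</listitem>
-
-<listitem>
-<para>Tamper resistance</para>
-
-<para>Database and configuration files can be signed log file
-entries. E-mail reports are signed support for stealth
-operations.</para>
-</listitem>
-</itemizedlist>
-</section>
-
-<section id="smack">
-<title>Smack</title>
-
-<para>A simplified Mandatory Access Control.</para>
-</section>
-
-<section id="suricata">
-<title>Suricata</title>
-
-<para>The Suricata Engine is an Open Source Next Generation <emphasis
-role="bold">Intrusion Detection and Prevention Engine.</emphasis></para>
-</section>
-
-<section id="tomoyo">
-<title>TOMOYO</title>
-
-<para><ulink
-url="http://tomoyo.sourceforge.jp/1.8/index.html.en">TOMOYO</ulink> is
-an alternative (pathname-based) Mandatory Access Control (MAC)
-implementation for Linux that can be used to increase the security of a
-system, while also being useful purely as a system analysis tool. The
-main features of TOMOYO Linux include:</para>
-
-<itemizedlist>
-<listitem>
-<para>System analysis</para>
-</listitem>
-
-<listitem>
-<para>Increased security through Mandatory Access Control</para>
-</listitem>
-
-<listitem>
-<para>Tools to aid in policy generation</para>
-</listitem>
-
-<listitem>
-<para>Simple syntax</para>
-</listitem>
-
-<listitem>
-<para>Easy to use</para>
-</listitem>
-
-<listitem>
-<para>Very few dependencies</para>
-</listitem>
-
-<listitem>
-<para>Requires no modification of existing binaries</para>
-</listitem>
-</itemizedlist>
-
-<para>To start via command line add:<programlisting>"security=tomoyo TOMOYO_trigger=/usr/lib/systemd/systemd"</programlisting>To
-initialize:<programlisting>/usr/lib/ccs/init_policy
-DISTRO_FEATURES_append = " tomoyo"</programlisting></para>
-</section>
-
-<section id="tripwire">
-<title>Tripwire</title>
-
-<para>Tripwire is an intrusion detection system (IDS), which constantly
-and automatically, keeps your critical system files and reports under
-control if they have been destroyed or modified by a hacker (or by
-mistake). It allows the system administrator to know immediately what
-was compromised and fix it. For more information see: <ulink
-url="http://www.linuxjournal.com/article/8758">http://www.linuxjournal.com/article/8758</ulink>.</para>
-</section>
-
-<section id="xmlsec1">
-<title>xmlsec1</title>
-
-<para>XML Security Library is a C library based on LibXML2.</para>
-</section>
-</section>
-</chapter>
\ No newline at end of file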