path: root/doc/book-enea-nfv-access-dev-hardening-guide/doc/metasecure_tools.xml
Diffstat (limited to 'doc/book-enea-nfv-access-dev-hardening-guide/doc/metasecure_tools.xml')
-rw-r--r--doc/book-enea-nfv-access-dev-hardening-guide/doc/metasecure_tools.xml465
1 files changed, 0 insertions, 465 deletions
diff --git a/doc/book-enea-nfv-access-dev-hardening-guide/doc/metasecure_tools.xml b/doc/book-enea-nfv-access-dev-hardening-guide/doc/metasecure_tools.xml
deleted file mode 100644
index 63c1225..0000000
--- a/doc/book-enea-nfv-access-dev-hardening-guide/doc/metasecure_tools.xml
+++ /dev/null
@@ -1,465 +0,0 @@
1<?xml version="1.0" encoding="ISO-8859-1"?>
2<chapter id="metasecure_tools">
3 <title>Introduction to Meta-Security Layer Tools</title>
4
5 <section id="summary">
6 <title>Summary of tools supported in the Meta-Security layer</title>
7
8 <informaltable>
9 <tgroup cols="2">
10 <tbody>
11 <row>
12 <entry>Afflib</entry>
13
14 <entry>On-disk format for storing computer forensic
15 information</entry>
16 </row>
17
18 <row>
19 <entry>Aircrack-ng</entry>
20
21 <entry>A set of tools for auditing wireless networks</entry>
22 </row>
23
24 <row>
25 <entry>AppArmor</entry>
26
27 <entry>A MAC control system</entry>
28 </row>
29
30 <row>
31 <entry>Bastille</entry>
32
33 <entry>Linux hardening tool</entry>
34 </row>
35
36 <row>
37 <entry>Buck-security</entry>
38
39 <entry>Linux security scanner</entry>
40 </row>
41
42 <row>
43 <entry>TOMOYO</entry>
44
45 <entry>A Mandatory Access Control (MAC) implementation for
46 Linux</entry>
47 </row>
48
49 <row>
50 <entry>checksec</entry>
51
52 <entry>Program randominization</entry>
53 </row>
54
55 <row>
56 <entry>checksecurity</entry>
57
58 <entry>Basic system security checks</entry>
59 </row>
60
61 <row>
62 <entry>ClamAV</entry>
63
64 <entry>Anti-virus utility for command-line interface</entry>
65 </row>
66
67 <row>
68 <entry>ecryptfs-utils</entry>
69
70 <entry>The eCryptfs mount helper and support libraries</entry>
71 </row>
72
73 <row>
74 <entry>freediameter</entry>
75
76 <entry>Platform for deploying a Diameter network for
77 Authentication, Authorization and Accounting.</entry>
78 </row>
79
80 <row>
81 <entry>ISIC</entry>
82
83 <entry>IP Stack Integrity Checker</entry>
84 </row>
85
86 <row>
87 <entry>keynote</entry>
88
89 <entry>Linux Key Management Utilities</entry>
90 </row>
91
92 <row>
93 <entry>keyutils</entry>
94
95 <entry>Linux Key Management Utilities</entry>
96 </row>
97
98 <row>
99 <entry>libdhash</entry>
100
101 <entry>Library of hashing algorithms</entry>
102 </row>
103
104 <row>
105 <entry>libgssglue</entry>
106
107 <entry>Exports a gssapi interface which calls other gssapi
108 libraries</entry>
109 </row>
110
111 <row>
112 <entry>libmhash</entry>
113
114 <entry>Library of hashing algorithms</entry>
115 </row>
116
117 <row>
118 <entry>Libmspack</entry>
119
120 <entry>A library for Microsoft compression formats</entry>
121 </row>
122
123 <row>
124 <entry>Libseccomp</entry>
125
126 <entry>The libseccomp library provides an easy to use, platform
127 independent, interface to the Linux Kernel's syscall filtering
128 mechanism: seccomp.</entry>
129 </row>
130
131 <row>
132 <entry>Nikto</entry>
133
134 <entry>Web server scanner</entry>
135 </row>
136
137 <row>
138 <entry>Nmap</entry>
139
140 <entry>Network auditing tool</entry>
141 </row>
142
143 <row>
144 <entry>Paxctl</entry>
145
146 <entry>A tool that allows PaX flags to be modified on a per-binary
147 basis</entry>
148 </row>
149
150 <row>
151 <entry>redhat-security</entry>
152
153 <entry>redhat security tools</entry>
154 </row>
155
156 <row>
157 <entry>samhain</entry>
158
159 <entry>Samhain is an integrity checker and host intrusion
160 detection system that can be used on single hosts as well as large
161 ones.</entry>
162 </row>
163
164 <row>
165 <entry>Scapy</entry>
166
167 <entry>Network scanning and manipulation tool</entry>
168 </row>
169
170 <row>
171 <entry>Smack</entry>
172
173 <entry>A simplified Mandatory Access Control</entry>
174 </row>
175
176 <row>
177 <entry>sssd</entry>
178
179 <entry>Selection of tools for developers working with
180 Smack</entry>
181 </row>
182
183 <row>
184 <entry>Suricata</entry>
185
186 <entry>The Suricata Engine is an Open Source Next Generation
187 Intrusion Detection and Prevention Engine</entry>
188 </row>
189
190 <row>
191 <entry>Tripwire</entry>
192
193 <entry>A system integrity assessment tool (IDS)</entry>
194 </row>
195
196 <row>
197 <entry>xmlsec1</entry>
198
199 <entry>XML Security Library is a C library based on
200 LibXML2</entry>
201 </row>
202 </tbody>
203 </tgroup>
204 </informaltable>
205 </section>
206
207 <section id="run_tools">
208 <title>How to configure, build and run the tools</title>
209
210 <para>In order to use this layer, you need to make the build system aware
211 of it. To do so, first clone the layer located at the address:
212 http://git.enea.com/cgit/linux/meta-security.git, then add the following
213 lines to the files below.</para>
214
215 <itemizedlist>
216 <listitem>
217 <para>In <literal>bblayers.conf</literal>:</para>
218
219 <para><programlisting>BBLAYERS ?= " \
220/path/to/oe-core/meta \
221/path/to/meta-openembedded/meta-oe \
222/path/to/meta-openembedded/meta-perl \
223/path/to/meta-openembedded/meta-gnome \
224/path/to/meta-openembedded/meta-xfce \
225/path/to/meta-openembedded/meta-python \
226/path/to/meta-openembedded/meta-networking \
227/path/to/layer/meta-security \</programlisting></para>
228 </listitem>
229
230 <listitem>
231 <para>In <literal>local.conf</literal>:</para>
232
233 <para><programlisting>IMAGE_INSTALL_append = "aircrack-ng buck-security checksecurity freediameter /
234keynote libgssglue libseccomp samhain-client samhain-server samhain-standalone /
235sssd xmlsec1 clamav keyutils libmhash nikto paxctl scapy suricata bastille /
236checksec ecryptfs-utils isic libmspack nmap redhat-security smack tripwire"</programlisting></para>
237 </listitem>
238
239 <listitem>
240 <para><programlisting>poky/build $ bitbake enea-hardend-image-virtualization-host</programlisting></para>
241
242 <remark>Need clarification here on a possible intro or specified
243 action/file as noted above.</remark>
244 </listitem>
245 </itemizedlist>
246
247 <section id="apparmor">
248 <title>AppArmor</title>
249
250 <para>AppArmor, like most other LSMs, supplements rather than replaces
251 the default Discretionary Access Control (DAC). As such, it's impossible
252 to grant a process more privileges than it had in the first place. When
253 AppArmor is active for an application, the operating system allows the
254 application to access only those files and folders that are mentioned in
255 its security profile. Thus, with a well-planned security profile, even
256 if the application is compromised during an attack, it won't be able to
257 do much harm.</para>
258
259 <para>Before compiling the kernel, set the following
260 options:<programlisting>CONFIG_SECURITY_APPARMOR=y
261CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1
262CONFIG_DEFAULT_SECURITY_APPARMOR=y
263CONFIG_AUDIT=y</programlisting>Alternatively, instead of setting
264 <literal>CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE</literal> and
265 <literal>CONFIG_DEFAULT_SECURITY_APPARMOR</literal>, you can set the
266 <ulink
267 url="https://wiki.archlinux.org/index.php/Kernel_parameters">kernel boot
268 parameters</ulink> in this manner: <literal>apparmor=1
269 security=apparmor</literal>. For those new or altered variables to not
270 get overridden, place them at the bottom of the config file or adjust
271 the previous invocations accordingly.</para>
272
273 <para>For further information see <ulink
274 url="https://www.digitalocean.com/community/tutorials/how-to-create-an-apparmor-profile-for-nginx-on-ubuntu-14-04">https://www.digitalocean.com/community/tutorials/how-to-create-an-apparmor-profile-for-nginx-on-ubuntu-14-04</ulink>.</para>
275
276 <para>To put the profile in enforce mode, use the
277 <literal>aa-enforce</literal>:</para>
278
279 <para><programlisting>sudo apparmor_status
280sudo aa-enforce nginx</programlisting>It is recommended that you reload all
281 profiles and restart Nginx to be sure that the latest changes are in
282 effect: <programlisting>sudo /etc/init.d/apparmor reload
283sudo service nginx restart</programlisting>Enable complain mode with the
284 <literal>aa-complain</literal> command. It is recommended that you wait
285 several days before running the <literal>aa-logprof</literal> command,
286 to give the system time to log more common actions for the application
287 if you are going to create a profile that will be used in production
288 systems.</para>
289 </section>
290
291 <section id="isic">
292 <title>ISIC - IP Stack Integrity Checker</title>
293
294 <para><emphasis role="bold">ISIC</emphasis> is a suite of utilities
295 meant to exercise the stability of an IP Stack and its component stacks
296 (TCP, UDP, ICMP et. al.). It generates many pseudo-random packets of the
297 target protocol, which are given tendancies to conform to. For example:
298 50% of the packets generated can have IP Options, and 25% of the packets
299 can be IP fragments, the percentages are arbitrary however, and most of
300 the packet fields have a configurable tendancy. <programlisting>root@qemux86:~# esic -i eth0 -s 52:54:00:12:34:0A -p rand -m 5000</programlisting><remark>what
301 does this programlisting detail exactly, is it an example or something
302 more directly concrete?</remark></para>
303 </section>
304
305 <section id="nikto">
306 <title>Nikto Web Vulnerability Scanner</title>
307
308 <para>Nikto is a web vulnerability scanner, a security testing tool that
309 scans web servers for vulnerabilities and other known issues.</para>
310 </section>
311
312 <section id="nmap">
313 <title>Nmap Network Exploration Tool</title>
314
315 <para>Nmap (Network Mapper), is an open source security scanner for
316 network exploration and security auditing. It is used to discover hosts
317 and services on a network, essentially creating a "map" of the network.
318 Nmap sends specially crafted packets to the target host(s), then
319 analyzes the responses.</para>
320
321 <para>Nmap uses raw IP packets in novel ways to determine what hosts are
322 available on the network, what services (application name and version)
323 those hosts are offering, what operating systems (and OS versions) they
324 are running, what type of packet filters/firewalls are in use, and
325 dozens of other characteristics. While Nmap is commonly used for
326 security audits, many systems and network administrators find it useful
327 for routine tasks such as network inventory, managing service upgrade
328 schedules, and monitoring host or service uptime. See a few examples of
329 options to use below:</para>
330
331 <para><programlisting>nmap -v -A scanme.nmap.org
332nmap -v -sn 192.168.0.0/16 10.0.0.0/8
333nmap -v -iR 10000 -Pn -p 80</programlisting>For more info see <ulink
334 url="https://layers.openembedded.org/layerindex/branch/master/layer/meta-security/">https://layers.openembedded.org/layerindex/branch/master/layer/meta-security/</ulink>.</para>
335 </section>
336
337 <section id="paxctl">
338 <title>Paxctl</title>
339
340 <para>A tool that allows PaX flags to be modified on a per-binary basis.
341 PaX provides various types of protection against abuses of memory, some
342 of which can only be enabled or disabled by (re)configuring the kernel
343 and recompiling/rebooting it.</para>
344
345 <para>Several important types (PAGEEXEC, EMUTRAMP, MPROTECT, RANDMMAP
346 and SEGMEXEC) can be tweaked when the system is up and running by
347 marking the PaX flags on the ELF objects of the program you want to run.
348 Since some programs need to use memory in a way normally forbidden by
349 PaX, some restrictions may have to be relaxed on a per program basis.
350 For more informations see: <ulink
351 url="https://wiki.gentoo.org/wiki/Hardened/PaX_flag_migration_from_PT_PAX_to_XATTR_PAX">https://wiki.gentoo.org/wiki/Hardened/PaX_flag_migration_from_PT_PAX_to_XATTR_PAX</ulink>.</para>
352
353 <para>Example:<programlisting>root #paxctl-ng -v /bin/*</programlisting></para>
354 </section>
355
356 <section id="samhin">
357 <title>Samhin</title>
358
359 <para><emphasis>Samhain</emphasis> is a host-based intrusion detection
360 system (HIDS) which provides integrity checking and log file
361 monitoring/analysis, as well as 4.1detection, port monitoring, detection
362 of rogue SUID executables, and hidden processes. It's main features
363 include:</para>
364
365 <itemizedlist>
366 <listitem>
367 <para>Complete integrity check</para>
368
369 <para>Uses cryptographic checksums of files to detect modifications.
370 It can find rogue SUID executables anywhere on disk.</para>
371 </listitem>
372
373 <listitem>
374 <para>Centralized monitoring</para>
375
376 <para>Native support for logging to a central server via encrypted
377 and authenticated connections.</para>
378 </listitem>
379
380 <listitem>
381 <para>Tamper resistance</para>
382
383 <para>Database and configuration files can be signed log file
384 entries. E-mail reports are signed support for stealth
385 operations.</para>
386 </listitem>
387 </itemizedlist>
388 </section>
389
390 <section id="smack">
391 <title>Smack</title>
392
393 <para>A simplified Mandatory Access Control.</para>
394 </section>
395
396 <section id="suricata">
397 <title>Suricata</title>
398
399 <para>The Suricata Engine is an Open Source Next Generation <emphasis
400 role="bold">Intrusion Detection and Prevention Engine.</emphasis></para>
401 </section>
402
403 <section id="tomoyo">
404 <title>TOMOYO</title>
405
406 <para><ulink
407 url="http://tomoyo.sourceforge.jp/1.8/index.html.en">TOMOYO</ulink> is
408 an alternative (pathname-based) Mandatory Access Control (MAC)
409 implementation for Linux that can be used to increase the security of a
410 system, while also being useful purely as a system analysis tool. The
411 main features of TOMOYO Linux include:</para>
412
413 <itemizedlist>
414 <listitem>
415 <para>System analysis</para>
416 </listitem>
417
418 <listitem>
419 <para>Increased security through Mandatory Access Control</para>
420 </listitem>
421
422 <listitem>
423 <para>Tools to aid in policy generation</para>
424 </listitem>
425
426 <listitem>
427 <para>Simple syntax</para>
428 </listitem>
429
430 <listitem>
431 <para>Easy to use</para>
432 </listitem>
433
434 <listitem>
435 <para>Very few dependencies</para>
436 </listitem>
437
438 <listitem>
439 <para>Requires no modification of existing binaries</para>
440 </listitem>
441 </itemizedlist>
442
443 <para>To start via command line add:<programlisting>"security=tomoyo TOMOYO_trigger=/usr/lib/systemd/systemd"</programlisting>To
444 initialize:<programlisting>/usr/lib/ccs/init_policy
445DISTRO_FEATURES_append = " tomoyo"</programlisting></para>
446 </section>
447
448 <section id="tripwire">
449 <title>Tripwire</title>
450
451 <para>Tripwire is an intrusion detection system (IDS), which constantly
452 and automatically, keeps your critical system files and reports under
453 control if they have been destroyed or modified by a hacker (or by
454 mistake). It allows the system administrator to know immediately what
455 was compromised and fix it. For more information see: <ulink
456 url="http://www.linuxjournal.com/article/8758">http://www.linuxjournal.com/article/8758</ulink>.</para>
457 </section>
458
459 <section id="xmlsec1">
460 <title>xmlsec1</title>
461
462 <para>XML Security Library is a C library based on LibXML2.</para>
463 </section>
464 </section>
465</chapter> \ No newline at end of file
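Review bot: the commit deletes the whole chapter without a visible replacement, so confirm that the book's top-level DocBook file no longer xincludes `doc/metasecure_tools.xml` and that no other file links to the chapter id `metasecure_tools` or its section ids (`summary`, `run_tools`, `apparmor`, `isic`, `nmap`, `samhin`, `tomoyo`, ...); a dangling xinclude or xref will break the build. If the content is being moved rather than dropped, carry over the fixes it still needed: the `IMAGE_INSTALL_append` listing uses `/` as a line continuation where bitbake needs `\`; the `sssd` row is described as "Selection of tools for developers working with Smack" although sssd is the System Security Services Daemon; `keynote` reuses the `keyutils` description ("Linux Key Management Utilities"); the section id and title "Samhin" misspell Samhain and its first paragraph contains the stray "4.1detection"; the TOMOYO "To initialize" listing mixes a runtime command (`/usr/lib/ccs/init_policy`) with a build-time `DISTRO_FEATURES_append = " tomoyo"`; and two unresolved `<remark>` editor notes (after the `bitbake` step and after the `esic` example) were still in the text.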