author | Armin Kuster <akuster808@gmail.com> | 2018-10-28 23:07:29 +0000 |
---|---|---|
committer | Armin Kuster <akuster808@gmail.com> | 2018-10-31 09:02:21 -0700 |
commit | dcb0395033e1b4a5d44d467d041114c5cb5e13eb (patch) | |
tree | 6e51c06b742055c4e4add57640765ac7dcaa2f6a | |
parent | 28508811dc7e664474496b45e6ebad8399c439f3 (diff) | |
download | meta-security-dcb0395033e1b4a5d44d467d041114c5cb5e13eb.tar.gz |
README: update maintainers email and move pkg help info
This is to simplify the main README
Signed-off-by: Armin Kuster <akuster808@gmail.com>
-rw-r--r-- | README | 207 | ||||
-rw-r--r-- | docs/overview.txt | 197 |
2 files changed, 199 insertions, 205 deletions
@@ -48,209 +48,6 @@ other layers needed. e.g.: | |||
48 | /path/to/meta-openembedded/meta-networking \ | 48 | /path/to/meta-openembedded/meta-networking \ |
49 | /path/to/layer/meta-security \ | 49 | /path/to/layer/meta-security \ |
50 | 50 | ||
51 | Contents and Help | ||
52 | ================= | ||
53 | |||
54 | In this section the contents of the layer is listed, along with a short | ||
55 | help for each package. | ||
56 | |||
57 | == bastille == | ||
58 | |||
59 | Bastille is a system hardening / lockdown program which enhances the | ||
60 | security of a Unix host. It configures daemons, system settings and | ||
61 | firewalls to be more secure. It can shut off unneeded services | ||
62 | like rcp and rlogin, and helps create "chroot jails" that help limit the | ||
63 | vulnerability of common Internet services like Web services and DNS. | ||
64 | |||
65 | usage : The functionality of Bastille which is available is | ||
66 | restricted to a purely informational one. The command: | ||
67 | bastille -c --os Yocto | ||
68 | will cause a series of menus containing security questions | ||
69 | about the system to be displayed to the user. For each | ||
70 | question, a default response, specified in the configuration | ||
71 | file which is installed with Bastille, will be selected. | ||
72 | The user may select an alternate response. When the user | ||
73 | has completed the sequence of menus Bastille saves the | ||
74 | responses to the configuration file. | ||
75 | |||
76 | The command: | ||
77 | bastille -l lists the configuration files that Bastille | ||
78 | is able to locate. | ||
79 | |||
80 | The other functionality which Bastille is intended to provide | ||
81 | is actually unavailable. This is not due to errors in poky | ||
82 | installation or configuration of the application. The Bastille | ||
83 | distribution is no longer supported. Significant modifications | ||
84 | would be required to make it possible to make use of the | ||
85 | functionality which is currently unavailable. | ||
86 | |||
87 | |||
88 | Additional information about Bastille can be found in the package | ||
89 | README file and other documentation. | ||
90 | |||
91 | Alternatives to Bastille include buck-security and checksecurity, | ||
92 | described elsewhere in this file. | ||
93 | |||
94 | |||
95 | == redhat-security == | ||
96 | |||
97 | Sometimes you want to check different aspects of a distribution for security problems. | ||
98 | This can be anything from file permissions to correctness of code. This is a collection of those tools. | ||
99 | Depending on what information the tool has to access, it may need to be run as root. | ||
100 | |||
101 | - rpm-chksec.sh : This will take an rpm name as input and verify each ELF file to see if its compiled with the intended flags | ||
102 | to most effectively use PIE and RELRO. Green is good, Orange could use work but is acceptable, and Red needs fixing. | ||
103 | It has a mode --all that is the equivalent of using rpm -qa and feeding the packages to it. | ||
104 | In this mode it will only give a summary result for the package. To find which files don't comply, | ||
105 | re-run using just the package name. | ||
106 | |||
107 | !!! WARNING !!! - in order to use this script you need to add to your conf/local.conf file the following lines: | ||
108 | IMAGE_ROOTFS_EXTRA_SPACE = "" - specifying the extra space of the image | ||
109 | IMAGE_FEATURES += "package management" - for the correct output of rpm -qa | ||
110 | |||
111 | - find-nodrop-groups.sh : This will scan a whole file system to see if a program makes calls to change UID | ||
112 | and GID without also calling setgroups or initgroups. | ||
113 | |||
114 | - rpm-drop-groups.sh : Same as above, but takes an rpm name instead. | ||
115 | |||
116 | - find-chroot.sh : This script scans the whole file system looking for ELF files that calls chroot(2) that also do not include a call to chdir. | ||
117 | Programs that fail to do this do not have the cwd inside the chroot. This means the app can escape the protection that was intended. | ||
118 | |||
119 | - find-chroot-py.sh : This test is like the one above except it examines python scripts for the same problem. | ||
120 | |||
121 | - find-execstack.sh : This program scans the whole file system for ELF programs that have marked the stack as being executable. | ||
122 | This means that if the program has another vulnerablity such as stack buffer overflow, | ||
123 | any code the attacker places there is executable. Any program found must be fixed. | ||
124 | |||
125 | - find-hidden-exec.sh : This program scans the whole file system looking for excutables that are hidden. | ||
126 | Anything found must be investigated since its highly unusual for executables to be hidden. | ||
127 | |||
128 | - find-sh4errors.sh : This program scans the whole file system looking for shell scripts. | ||
129 | It then does a sh -n on the script which causes bash to parse the file to see if there are any mistakes. | ||
130 | |||
131 | - selinux-check-devices.sh : This script checks the /dev directory to see if there are any devices that are not correctly labeled. | ||
132 | Anything found by this test should be reported so that selinux policy can be fixed. | ||
133 | This test is very hardware specific, so to be effective a lot of people with different hardware | ||
134 | should run this test each upstream kernel version release. | ||
135 | |||
136 | - selinux-ls-unconfined.sh : This script scans the running processes and looks for anything labeled with initrc_t or inetd. | ||
137 | These both mean that there are daemons that do not have policy and are therefore running unconfined. | ||
138 | These should be reported as SE Linux policy problems. Because it checks currently running daemons, | ||
139 | the more you have running, the better the test is. | ||
140 | |||
141 | - find-sh4tmp.sh : This script scans the whole filesystem to check if shell scripts are using well known tmp file names | ||
142 | instead of obscure ones created by something like mktemp. | ||
143 | |||
144 | - find-elf4tmp.sh : This script scans the whole file system for ELF files using /tmp. When it finds this, | ||
145 | it also looks to see if any of the known good random name generator functions is called by looking | ||
146 | at the symbol table. If not, it will output the string. | ||
147 | |||
148 | - lib-bin-check.sh : This will check all installed library packages to see if an application is also part of the package. | ||
149 | The relationship to security is that the SHA256 hash check will fail if a 32 bit version overwrites it. | ||
150 | Also, the less binaries on a system, the more secure it is by virtue of removing the chance for an exploitable bug. | ||
151 | |||
152 | |||
153 | usage : simply invoke the script name in the terminal. | ||
154 | |||
155 | |||
156 | == pax-utils == | ||
157 | |||
158 | ( This package can be found in oe-core ) | ||
159 | |||
160 | pax-utils is a small set of various PaX aware and related utilities for | ||
161 | ELF binaries. | ||
162 | |||
163 | - scanelf : With this application you can print out information specific to the ELF structure of a binary. | ||
164 | For more help please consult the man pages or the readme file. | ||
165 | |||
166 | - pspax : is a user-space utility that scans the proc directory and list | ||
167 | ELF types, as well as their respective PaX flags and filenames and | ||
168 | attributes. Depending on build options, it may additionaly display the | ||
169 | process running set of capabilities. | ||
170 | |||
171 | - scanmacho : is a user-space utility to quickly scan given | ||
172 | Mach-Os, directories, or common system paths for different information. This | ||
173 | may include Mach-O types, their install_names, etc. | ||
174 | |||
175 | - dumpelf : is a user-space utility to dump all of the internal | ||
176 | ELF structures into the equivalent C structures for fun debugging and/or | ||
177 | reference purposes. | ||
178 | |||
179 | |||
180 | usage : simply invoke the script name in the terminal. | ||
181 | |||
182 | |||
183 | == buck-security == | ||
184 | |||
185 | Buck-Security is a security scanner for Debian and Ubuntu Linux. It runs a couple of important checks and helps you to harden your Linux | ||
186 | system. This enables you to quickly overview the security status of your Linux system. | ||
187 | |||
188 | usage : !!! before starting to use this tool please run the following command: !!! | ||
189 | |||
190 | export GPG_TTY=`tty` | ||
191 | |||
192 | This command is needed for the usage of the comand --make-checksum, which creates | ||
193 | a checksum for the files in the system. | ||
194 | |||
195 | switch to directory /usr/local/buck-security. | ||
196 | before running the script, you should check the activated checks in conf/buck-security.conf file. | ||
197 | after altering the changes, save the file and simply run : | ||
198 | |||
199 | ./buck-security | ||
200 | |||
201 | you can choose between different outputs : 1, 2(default) or 3. | ||
202 | |||
203 | More detailed usage can be found typing ./buck-security --help | ||
204 | |||
205 | |||
206 | == libseccomp == | ||
207 | |||
208 | The libseccomp library provides and easy to use, platform independent, interface to the Linux Kernel's syscall filtering mechanism: seccomp. | ||
209 | The libseccomp API is designed to abstract away the underlying BPF based syscall filter language and present a more conventional | ||
210 | function-call based filtering interface that should be familiar to, and easily adopted by application developers. | ||
211 | |||
212 | usage : More detailed usage can be found in the man pages and README file of the package. | ||
213 | |||
214 | |||
215 | |||
216 | == checksecurity == | ||
217 | |||
218 | checksecurity is a simple package which will scan your system for several simple security holes. | ||
219 | It uses a simple collection of plugins, all of which are shell scripts which are configured by environmental variables. | ||
220 | |||
221 | |||
222 | usage : To start checksecurity simply write in the terminal : | ||
223 | |||
224 | checksecurity | ||
225 | |||
226 | More detailed usage can be found in the man pages and README file of the package. | ||
227 | |||
228 | |||
229 | == nikto == | ||
230 | |||
231 | Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, | ||
232 | including over 6500 potentially dangerous files/CGIs, checks for outdated versions of over 1250 servers, and version specific | ||
233 | problems on over 270 servers. It also checks for server configuration items such as the presence of multiple index files, | ||
234 | HTTP server options, and will attempt to identify installed web servers and software. | ||
235 | |||
236 | usage : To start nikto simply write in the terminal : | ||
237 | |||
238 | nikto | ||
239 | |||
240 | More detailed usage can be found in the man pages and README file of the package. | ||
241 | |||
242 | |||
243 | == nmap == | ||
244 | |||
245 | Nmap ("Network Mapper") is a free and open source (license) utility for network discovery and security auditing. | ||
246 | Many systems and network administrators also find it useful for tasks such as network inventory, | ||
247 | managing service upgrade schedules, and monitoring host or service uptime. | ||
248 | |||
249 | usage : To start nikto simply write in the terminal : | ||
250 | |||
251 | nmap | ||
252 | |||
253 | More detailed usage can be found in the man pages and README file of the package. | ||
254 | 51 | ||
255 | Maintenance | 52 | Maintenance |
256 | ----------- | 53 | ----------- |
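Review bot: the whole "Contents and Help" section (old lines 51-253) is cut out of README, but nothing left in the README points readers at where it went; docs/overview.txt is not mentioned anywhere in this hunk, so someone reading only the top-level README no longer learns that per-package help exists. Suggest leaving a one-line pointer after old line 50, for example `See docs/overview.txt for a description of each package and its usage.`, so the README stays a usable entry point after the move.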
@@ -260,8 +57,8 @@ Send pull requests, patches, comments or questions to yocto@yoctoproject.org | |||
260 | When sending single patches, please using something like: | 57 | When sending single patches, please using something like: |
261 | 'git send-email -1 --to yocto@yoctoproject.org --subject-prefix=meta-security][PATCH' | 58 | 'git send-email -1 --to yocto@yoctoproject.org --subject-prefix=meta-security][PATCH' |
262 | 59 | ||
263 | Maintainers: Saul Wold <sgw@linux.intel.com> | 60 | Maintainers: Armin Kuster <akuster808@gmail.com> |
264 | Armin Kuster <akuster@mvista.com> | 61 | Saul Wold <sgw@linux.intel.com> |
265 | 62 | ||
266 | 63 | ||
267 | License | 64 | License |
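Review bot: the unchanged context line 57 "When sending single patches, please using something like:" still carries the grammar slip ("please use"); since this region is already being touched to reorder the maintainers and change Armin Kuster's address from akuster@mvista.com to akuster808@gmail.com (which matches the commit subject), consider fixing that line in the same hunk instead of in a later cleanup.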
diff --git a/docs/overview.txt b/docs/overview.txt new file mode 100644 index 0000000..ed3135a --- /dev/null +++ b/docs/overview.txt | |||
@@ -0,0 +1,197 @@ | |||
1 | Meta-security Docs | ||
2 | ============= | ||
3 | |||
4 | In this section the contents of the layer is listed, along with a short | ||
5 | help for each package. | ||
6 | |||
7 | == bastille == | ||
8 | |||
9 | Bastille is a system hardening / lockdown program which enhances the | ||
10 | security of a Unix host. It configures daemons, system settings and | ||
11 | firewalls to be more secure. It can shut off unneeded services | ||
12 | like rcp and rlogin, and helps create "chroot jails" that help limit the | ||
13 | vulnerability of common Internet services like Web services and DNS. | ||
14 | |||
15 | usage : The functionality of Bastille which is available is | ||
16 | restricted to a purely informational one. The command: | ||
17 | bastille -c --os Yocto | ||
18 | will cause a series of menus containing security questions | ||
19 | about the system to be displayed to the user. For each | ||
20 | question, a default response, specified in the configuration | ||
21 | file which is installed with Bastille, will be selected. | ||
22 | The user may select an alternate response. When the user | ||
23 | has completed the sequence of menus Bastille saves the | ||
24 | responses to the configuration file. | ||
25 | |||
26 | The command: | ||
27 | bastille -l lists the configuration files that Bastille | ||
28 | is able to locate. | ||
29 | |||
30 | The other functionality which Bastille is intended to provide | ||
31 | is actually unavailable. This is not due to errors in poky | ||
32 | installation or configuration of the application. The Bastille | ||
33 | distribution is no longer supported. Significant modifications | ||
34 | would be required to make it possible to make use of the | ||
35 | functionality which is currently unavailable. | ||
36 | |||
37 | |||
38 | Additional information about Bastille can be found in the package | ||
39 | README file and other documentation. | ||
40 | |||
41 | Alternatives to Bastille include buck-security and checksecurity, | ||
42 | described elsewhere in this file. | ||
43 | |||
44 | |||
45 | == redhat-security == | ||
46 | |||
47 | Sometimes you want to check different aspects of a distribution for security problems. | ||
48 | This can be anything from file permissions to correctness of code. This is a collection of those tools. | ||
49 | Depending on what information the tool has to access, it may need to be run as root. | ||
50 | |||
51 | - rpm-chksec.sh : This will take an rpm name as input and verify each ELF file to see if its compiled with the intended flags | ||
52 | to most effectively use PIE and RELRO. Green is good, Orange could use work but is acceptable, and Red needs fixing. | ||
53 | It has a mode --all that is the equivalent of using rpm -qa and feeding the packages to it. | ||
54 | In this mode it will only give a summary result for the package. To find which files don't comply, | ||
55 | re-run using just the package name. | ||
56 | |||
57 | !!! WARNING !!! - in order to use this script you need to add to your conf/local.conf file the following lines: | ||
58 | IMAGE_ROOTFS_EXTRA_SPACE = "" - specifying the extra space of the image | ||
59 | IMAGE_FEATURES += "package management" - for the correct output of rpm -qa | ||
60 | |||
61 | - find-nodrop-groups.sh : This will scan a whole file system to see if a program makes calls to change UID | ||
62 | and GID without also calling setgroups or initgroups. | ||
63 | |||
64 | - rpm-drop-groups.sh : Same as above, but takes an rpm name instead. | ||
65 | |||
66 | - find-chroot.sh : This script scans the whole file system looking for ELF files that calls chroot(2) that also do not include a call to chdir. | ||
67 | Programs that fail to do this do not have the cwd inside the chroot. This means the app can escape the protection that was intended. | ||
68 | |||
69 | - find-chroot-py.sh : This test is like the one above except it examines python scripts for the same problem. | ||
70 | |||
71 | - find-execstack.sh : This program scans the whole file system for ELF programs that have marked the stack as being executable. | ||
72 | This means that if the program has another vulnerablity such as stack buffer overflow, | ||
73 | any code the attacker places there is executable. Any program found must be fixed. | ||
74 | |||
75 | - find-hidden-exec.sh : This program scans the whole file system looking for excutables that are hidden. | ||
76 | Anything found must be investigated since its highly unusual for executables to be hidden. | ||
77 | |||
78 | - find-sh4errors.sh : This program scans the whole file system looking for shell scripts. | ||
79 | It then does a sh -n on the script which causes bash to parse the file to see if there are any mistakes. | ||
80 | |||
81 | - selinux-check-devices.sh : This script checks the /dev directory to see if there are any devices that are not correctly labeled. | ||
82 | Anything found by this test should be reported so that selinux policy can be fixed. | ||
83 | This test is very hardware specific, so to be effective a lot of people with different hardware | ||
84 | should run this test each upstream kernel version release. | ||
85 | |||
86 | - selinux-ls-unconfined.sh : This script scans the running processes and looks for anything labeled with initrc_t or inetd. | ||
87 | These both mean that there are daemons that do not have policy and are therefore running unconfined. | ||
88 | These should be reported as SE Linux policy problems. Because it checks currently running daemons, | ||
89 | the more you have running, the better the test is. | ||
90 | |||
91 | - find-sh4tmp.sh : This script scans the whole filesystem to check if shell scripts are using well known tmp file names | ||
92 | instead of obscure ones created by something like mktemp. | ||
93 | |||
94 | - find-elf4tmp.sh : This script scans the whole file system for ELF files using /tmp. When it finds this, | ||
95 | it also looks to see if any of the known good random name generator functions is called by looking | ||
96 | at the symbol table. If not, it will output the string. | ||
97 | |||
98 | - lib-bin-check.sh : This will check all installed library packages to see if an application is also part of the package. | ||
99 | The relationship to security is that the SHA256 hash check will fail if a 32 bit version overwrites it. | ||
100 | Also, the less binaries on a system, the more secure it is by virtue of removing the chance for an exploitable bug. | ||
101 | |||
102 | |||
103 | usage : simply invoke the script name in the terminal. | ||
104 | |||
105 | |||
106 | == pax-utils == | ||
107 | |||
108 | ( This package can be found in oe-core ) | ||
109 | |||
110 | pax-utils is a small set of various PaX aware and related utilities for | ||
111 | ELF binaries. | ||
112 | |||
113 | - scanelf : With this application you can print out information specific to the ELF structure of a binary. | ||
114 | For more help please consult the man pages or the readme file. | ||
115 | |||
116 | - pspax : is a user-space utility that scans the proc directory and list | ||
117 | ELF types, as well as their respective PaX flags and filenames and | ||
118 | attributes. Depending on build options, it may additionaly display the | ||
119 | process running set of capabilities. | ||
120 | |||
121 | - scanmacho : is a user-space utility to quickly scan given | ||
122 | Mach-Os, directories, or common system paths for different information. This | ||
123 | may include Mach-O types, their install_names, etc. | ||
124 | |||
125 | - dumpelf : is a user-space utility to dump all of the internal | ||
126 | ELF structures into the equivalent C structures for fun debugging and/or | ||
127 | reference purposes. | ||
128 | |||
129 | |||
130 | usage : simply invoke the script name in the terminal. | ||
131 | |||
132 | |||
133 | == buck-security == | ||
134 | |||
135 | Buck-Security is a security scanner for Debian and Ubuntu Linux. It runs a couple of important checks and helps you to harden your Linux | ||
136 | system. This enables you to quickly overview the security status of your Linux system. | ||
137 | |||
138 | usage : !!! before starting to use this tool please run the following command: !!! | ||
139 | |||
140 | export GPG_TTY=`tty` | ||
141 | |||
142 | This command is needed for the usage of the comand --make-checksum, which creates | ||
143 | a checksum for the files in the system. | ||
144 | |||
145 | switch to directory /usr/local/buck-security. | ||
146 | before running the script, you should check the activated checks in conf/buck-security.conf file. | ||
147 | after altering the changes, save the file and simply run : | ||
148 | |||
149 | ./buck-security | ||
150 | |||
151 | you can choose between different outputs : 1, 2(default) or 3. | ||
152 | |||
153 | More detailed usage can be found typing ./buck-security --help | ||
154 | |||
155 | |||
156 | == libseccomp == | ||
157 | |||
158 | The libseccomp library provides and easy to use, platform independent, interface to the Linux Kernel's syscall filtering mechanism: seccomp. | ||
159 | The libseccomp API is designed to abstract away the underlying BPF based syscall filter language and present a more conventional | ||
160 | function-call based filtering interface that should be familiar to, and easily adopted by application developers. | ||
161 | |||
162 | usage : More detailed usage can be found in the man pages and README file of the package. | ||
163 | |||
164 | |||
165 | |||
166 | == checksecurity == | ||
167 | |||
168 | checksecurity is a simple package which will scan your system for several simple security holes. | ||
169 | It uses a simple collection of plugins, all of which are shell scripts which are configured by environmental variables. | ||
170 | |||
171 | |||
172 | usage : To start checksecurity simply write in the terminal : | ||
173 | |||
174 | checksecurity | ||
175 | |||
176 | More detailed usage can be found in the man pages and README file of the package. | ||
177 | |||
178 | |||
179 | == nikto == | ||
180 | |||
181 | Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, | ||
182 | including over 6500 potentially dangerous files/CGIs, checks for outdated versions of over 1250 servers, and version specific | ||
183 | problems on over 270 servers. It also checks for server configuration items such as the presence of multiple index files, | ||
184 | HTTP server options, and will attempt to identify installed web servers and software. | ||
185 | |||
186 | usage : To start nikto simply write in the terminal : | ||
187 | |||
188 | nikto | ||
189 | |||
190 | More detailed usage can be found in the man pages and README file of the package. | ||
191 | |||
192 | License | ||
193 | ======= | ||
194 | |||
195 | All metadata is MIT licensed unless otherwise stated. Source code included | ||
196 | in tree for individual recipes is under the LICENSE stated in each recipe | ||
197 | (.bb file) unless otherwise stated. | ||
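Review bot: the move is not lossless: the "== nmap ==" entry that the README hunk deletes (old lines 243-253) does not appear in docs/overview.txt, which goes straight from the nikto section (line 190) to "License" (line 192), and the commit message does not say nmap was meant to be dropped. The "License" block (lines 192-197) also duplicates the one kept in README (old line 267 context), so the two copies will drift if either is edited. Suggest restoring the nmap entry (with its usage line corrected from "To start nikto" to "To start nmap") and dropping the License copy from the docs file, or replacing it with a pointer to the README. Smaller points while the text is being moved: the underline on line 2 is shorter than the "Meta-security Docs" title above it, line 4 still says "In this section" although this is now a standalone file, and the carried-over typos ("vulnerablity" line 72, "excutables" line 75, "additionaly" line 118, "comand" line 142, "provides and easy to use" line 158) could be fixed here.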