author    Armin Kuster <akuster808@gmail.com>  2018-10-28 23:07:29 +0000
committer Armin Kuster <akuster808@gmail.com>  2018-10-31 09:02:21 -0700
commit    dcb0395033e1b4a5d44d467d041114c5cb5e13eb (patch)
tree      6e51c06b742055c4e4add57640765ac7dcaa2f6a
parent    28508811dc7e664474496b45e6ebad8399c439f3 (diff)
download  meta-security-dcb0395033e1b4a5d44d467d041114c5cb5e13eb.tar.gz
README: update maintainers email and move pkg help info
This is to simplify the main README

Signed-off-by: Armin Kuster <akuster808@gmail.com>
-rw-r--r--  README             207
-rw-r--r--  docs/overview.txt  197
2 files changed, 199 insertions, 205 deletions
diff --git a/README b/README
index ef80f2b..e238271 100644
--- a/README
+++ b/README
@@ -48,209 +48,6 @@ other layers needed. e.g.:
48 /path/to/meta-openembedded/meta-networking \ 48 /path/to/meta-openembedded/meta-networking \
49 /path/to/layer/meta-security \ 49 /path/to/layer/meta-security \
50 50
51Contents and Help
52=================
53
54In this section the contents of the layer is listed, along with a short
55help for each package.
56
57 == bastille ==
58
59 Bastille is a system hardening / lockdown program which enhances the
60 security of a Unix host. It configures daemons, system settings and
61 firewalls to be more secure. It can shut off unneeded services
62 like rcp and rlogin, and helps create "chroot jails" that help limit the
63 vulnerability of common Internet services like Web services and DNS.
64
65 usage : The functionality of Bastille which is available is
66 restricted to a purely informational one. The command:
67 bastille -c --os Yocto
68 will cause a series of menus containing security questions
69 about the system to be displayed to the user. For each
70 question, a default response, specified in the configuration
71 file which is installed with Bastille, will be selected.
72 The user may select an alternate response. When the user
73 has completed the sequence of menus Bastille saves the
74 responses to the configuration file.
75
76 The command:
77 bastille -l lists the configuration files that Bastille
78 is able to locate.
79
80 The other functionality which Bastille is intended to provide
81 is actually unavailable. This is not due to errors in poky
82 installation or configuration of the application. The Bastille
83 distribution is no longer supported. Significant modifications
84 would be required to make it possible to make use of the
85 functionality which is currently unavailable.
86
87
88 Additional information about Bastille can be found in the package
89 README file and other documentation.
90
91 Alternatives to Bastille include buck-security and checksecurity,
92 described elsewhere in this file.
93
94
95 == redhat-security ==
96
97 Sometimes you want to check different aspects of a distribution for security problems.
98 This can be anything from file permissions to correctness of code. This is a collection of those tools.
99 Depending on what information the tool has to access, it may need to be run as root.
100
101 - rpm-chksec.sh : This will take an rpm name as input and verify each ELF file to see if its compiled with the intended flags
102 to most effectively use PIE and RELRO. Green is good, Orange could use work but is acceptable, and Red needs fixing.
103 It has a mode --all that is the equivalent of using rpm -qa and feeding the packages to it.
104 In this mode it will only give a summary result for the package. To find which files don't comply,
105 re-run using just the package name.
106
107 !!! WARNING !!! - in order to use this script you need to add to your conf/local.conf file the following lines:
108 IMAGE_ROOTFS_EXTRA_SPACE = "" - specifying the extra space of the image
109 IMAGE_FEATURES += "package management" - for the correct output of rpm -qa
110
111 - find-nodrop-groups.sh : This will scan a whole file system to see if a program makes calls to change UID
112 and GID without also calling setgroups or initgroups.
113
114 - rpm-drop-groups.sh : Same as above, but takes an rpm name instead.
115
116 - find-chroot.sh : This script scans the whole file system looking for ELF files that calls chroot(2) that also do not include a call to chdir.
117 Programs that fail to do this do not have the cwd inside the chroot. This means the app can escape the protection that was intended.
118
119 - find-chroot-py.sh : This test is like the one above except it examines python scripts for the same problem.
120
121 - find-execstack.sh : This program scans the whole file system for ELF programs that have marked the stack as being executable.
122 This means that if the program has another vulnerablity such as stack buffer overflow,
123 any code the attacker places there is executable. Any program found must be fixed.
124
125 - find-hidden-exec.sh : This program scans the whole file system looking for excutables that are hidden.
126 Anything found must be investigated since its highly unusual for executables to be hidden.
127
128 - find-sh4errors.sh : This program scans the whole file system looking for shell scripts.
129 It then does a sh -n on the script which causes bash to parse the file to see if there are any mistakes.
130
131 - selinux-check-devices.sh : This script checks the /dev directory to see if there are any devices that are not correctly labeled.
132 Anything found by this test should be reported so that selinux policy can be fixed.
133 This test is very hardware specific, so to be effective a lot of people with different hardware
134 should run this test each upstream kernel version release.
135
136 - selinux-ls-unconfined.sh : This script scans the running processes and looks for anything labeled with initrc_t or inetd.
137 These both mean that there are daemons that do not have policy and are therefore running unconfined.
138 These should be reported as SE Linux policy problems. Because it checks currently running daemons,
139 the more you have running, the better the test is.
140
141 - find-sh4tmp.sh : This script scans the whole filesystem to check if shell scripts are using well known tmp file names
142 instead of obscure ones created by something like mktemp.
143
144 - find-elf4tmp.sh : This script scans the whole file system for ELF files using /tmp. When it finds this,
145 it also looks to see if any of the known good random name generator functions is called by looking
146 at the symbol table. If not, it will output the string.
147
148 - lib-bin-check.sh : This will check all installed library packages to see if an application is also part of the package.
149 The relationship to security is that the SHA256 hash check will fail if a 32 bit version overwrites it.
150 Also, the less binaries on a system, the more secure it is by virtue of removing the chance for an exploitable bug.
151
152
153 usage : simply invoke the script name in the terminal.
154
155
156 == pax-utils ==
157
158 ( This package can be found in oe-core )
159
160 pax-utils is a small set of various PaX aware and related utilities for
161 ELF binaries.
162
163 - scanelf : With this application you can print out information specific to the ELF structure of a binary.
164 For more help please consult the man pages or the readme file.
165
166 - pspax : is a user-space utility that scans the proc directory and list
167 ELF types, as well as their respective PaX flags and filenames and
168 attributes. Depending on build options, it may additionaly display the
169 process running set of capabilities.
170
171 - scanmacho : is a user-space utility to quickly scan given
172 Mach-Os, directories, or common system paths for different information. This
173 may include Mach-O types, their install_names, etc.
174
175 - dumpelf : is a user-space utility to dump all of the internal
176 ELF structures into the equivalent C structures for fun debugging and/or
177 reference purposes.
178
179
180 usage : simply invoke the script name in the terminal.
181
182
183 == buck-security ==
184
185 Buck-Security is a security scanner for Debian and Ubuntu Linux. It runs a couple of important checks and helps you to harden your Linux
186 system. This enables you to quickly overview the security status of your Linux system.
187
188 usage : !!! before starting to use this tool please run the following command: !!!
189
190 export GPG_TTY=`tty`
191
192 This command is needed for the usage of the comand --make-checksum, which creates
193 a checksum for the files in the system.
194
195 switch to directory /usr/local/buck-security.
196 before running the script, you should check the activated checks in conf/buck-security.conf file.
197 after altering the changes, save the file and simply run :
198
199 ./buck-security
200
201 you can choose between different outputs : 1, 2(default) or 3.
202
203 More detailed usage can be found typing ./buck-security --help
204
205
206 == libseccomp ==
207
208 The libseccomp library provides and easy to use, platform independent, interface to the Linux Kernel's syscall filtering mechanism: seccomp.
209 The libseccomp API is designed to abstract away the underlying BPF based syscall filter language and present a more conventional
210 function-call based filtering interface that should be familiar to, and easily adopted by application developers.
211
212 usage : More detailed usage can be found in the man pages and README file of the package.
213
214
215
216 == checksecurity ==
217
218 checksecurity is a simple package which will scan your system for several simple security holes.
219 It uses a simple collection of plugins, all of which are shell scripts which are configured by environmental variables.
220
221
222 usage : To start checksecurity simply write in the terminal :
223
224 checksecurity
225
226 More detailed usage can be found in the man pages and README file of the package.
227
228
229 == nikto ==
230
231 Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items,
232 including over 6500 potentially dangerous files/CGIs, checks for outdated versions of over 1250 servers, and version specific
233 problems on over 270 servers. It also checks for server configuration items such as the presence of multiple index files,
234 HTTP server options, and will attempt to identify installed web servers and software.
235
236 usage : To start nikto simply write in the terminal :
237
238 nikto
239
240 More detailed usage can be found in the man pages and README file of the package.
241
242
243 == nmap ==
244
245 Nmap ("Network Mapper") is a free and open source (license) utility for network discovery and security auditing.
246 Many systems and network administrators also find it useful for tasks such as network inventory,
247 managing service upgrade schedules, and monitoring host or service uptime.
248
249 usage : To start nikto simply write in the terminal :
250
251 nmap
252
253 More detailed usage can be found in the man pages and README file of the package.
254 51
255Maintenance 52Maintenance
256----------- 53-----------
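Review bot: The hunk deletes the entire "Contents and Help" section from README without leaving any pointer to where it went, so a reader of the README no longer learns that per-package help exists at all; add a short reference line where the section used to be (just before the Maintenance heading), for example "Per-package descriptions and usage notes are in docs/overview.txt." Also note that the "== nmap ==" entry (the last entry removed here, with its "nmap" usage line) is not carried over into the new docs/overview.txt, so this move silently drops the nmap help; either add it to the new file or say in the commit message that nmap was removed on purpose.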
@@ -260,8 +57,8 @@ Send pull requests, patches, comments or questions to yocto@yoctoproject.org
260When sending single patches, please using something like: 57When sending single patches, please using something like:
261'git send-email -1 --to yocto@yoctoproject.org --subject-prefix=meta-security][PATCH' 58'git send-email -1 --to yocto@yoctoproject.org --subject-prefix=meta-security][PATCH'
262 59
263Maintainers: Saul Wold <sgw@linux.intel.com> 60Maintainers: Armin Kuster <akuster808@gmail.com>
264 Armin Kuster <akuster@mvista.com> 61 Saul Wold <sgw@linux.intel.com>
265 62
266 63
267License 64License
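Review bot: The maintainer update is consistent (the new akuster808@gmail.com address matches the Signed-off-by), but the change also reorders the maintainers so that Armin Kuster is listed first, which the commit message ("update maintainers email") does not mention; either state the reordering or keep the original order. Since this block is being touched anyway, the context line "When sending single patches, please using something like:" could be corrected to "please use something like:" in the same change.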
diff --git a/docs/overview.txt b/docs/overview.txt
new file mode 100644
index 0000000..ed3135a
--- /dev/null
+++ b/docs/overview.txt
@@ -0,0 +1,197 @@
1Meta-security Docs
2=============
3
4In this section the contents of the layer is listed, along with a short
5help for each package.
6
7 == bastille ==
8
9 Bastille is a system hardening / lockdown program which enhances the
10 security of a Unix host. It configures daemons, system settings and
11 firewalls to be more secure. It can shut off unneeded services
12 like rcp and rlogin, and helps create "chroot jails" that help limit the
13 vulnerability of common Internet services like Web services and DNS.
14
15 usage : The functionality of Bastille which is available is
16 restricted to a purely informational one. The command:
17 bastille -c --os Yocto
18 will cause a series of menus containing security questions
19 about the system to be displayed to the user. For each
20 question, a default response, specified in the configuration
21 file which is installed with Bastille, will be selected.
22 The user may select an alternate response. When the user
23 has completed the sequence of menus Bastille saves the
24 responses to the configuration file.
25
26 The command:
27 bastille -l lists the configuration files that Bastille
28 is able to locate.
29
30 The other functionality which Bastille is intended to provide
31 is actually unavailable. This is not due to errors in poky
32 installation or configuration of the application. The Bastille
33 distribution is no longer supported. Significant modifications
34 would be required to make it possible to make use of the
35 functionality which is currently unavailable.
36
37
38 Additional information about Bastille can be found in the package
39 README file and other documentation.
40
41 Alternatives to Bastille include buck-security and checksecurity,
42 described elsewhere in this file.
43
44
45 == redhat-security ==
46
47 Sometimes you want to check different aspects of a distribution for security problems.
48 This can be anything from file permissions to correctness of code. This is a collection of those tools.
49 Depending on what information the tool has to access, it may need to be run as root.
50
51 - rpm-chksec.sh : This will take an rpm name as input and verify each ELF file to see if its compiled with the intended flags
52 to most effectively use PIE and RELRO. Green is good, Orange could use work but is acceptable, and Red needs fixing.
53 It has a mode --all that is the equivalent of using rpm -qa and feeding the packages to it.
54 In this mode it will only give a summary result for the package. To find which files don't comply,
55 re-run using just the package name.
56
57 !!! WARNING !!! - in order to use this script you need to add to your conf/local.conf file the following lines:
58 IMAGE_ROOTFS_EXTRA_SPACE = "" - specifying the extra space of the image
59 IMAGE_FEATURES += "package management" - for the correct output of rpm -qa
60
61 - find-nodrop-groups.sh : This will scan a whole file system to see if a program makes calls to change UID
62 and GID without also calling setgroups or initgroups.
63
64 - rpm-drop-groups.sh : Same as above, but takes an rpm name instead.
65
66 - find-chroot.sh : This script scans the whole file system looking for ELF files that calls chroot(2) that also do not include a call to chdir.
67 Programs that fail to do this do not have the cwd inside the chroot. This means the app can escape the protection that was intended.
68
69 - find-chroot-py.sh : This test is like the one above except it examines python scripts for the same problem.
70
71 - find-execstack.sh : This program scans the whole file system for ELF programs that have marked the stack as being executable.
72 This means that if the program has another vulnerablity such as stack buffer overflow,
73 any code the attacker places there is executable. Any program found must be fixed.
74
75 - find-hidden-exec.sh : This program scans the whole file system looking for excutables that are hidden.
76 Anything found must be investigated since its highly unusual for executables to be hidden.
77
78 - find-sh4errors.sh : This program scans the whole file system looking for shell scripts.
79 It then does a sh -n on the script which causes bash to parse the file to see if there are any mistakes.
80
81 - selinux-check-devices.sh : This script checks the /dev directory to see if there are any devices that are not correctly labeled.
82 Anything found by this test should be reported so that selinux policy can be fixed.
83 This test is very hardware specific, so to be effective a lot of people with different hardware
84 should run this test each upstream kernel version release.
85
86 - selinux-ls-unconfined.sh : This script scans the running processes and looks for anything labeled with initrc_t or inetd.
87 These both mean that there are daemons that do not have policy and are therefore running unconfined.
88 These should be reported as SE Linux policy problems. Because it checks currently running daemons,
89 the more you have running, the better the test is.
90
91 - find-sh4tmp.sh : This script scans the whole filesystem to check if shell scripts are using well known tmp file names
92 instead of obscure ones created by something like mktemp.
93
94 - find-elf4tmp.sh : This script scans the whole file system for ELF files using /tmp. When it finds this,
95 it also looks to see if any of the known good random name generator functions is called by looking
96 at the symbol table. If not, it will output the string.
97
98 - lib-bin-check.sh : This will check all installed library packages to see if an application is also part of the package.
99 The relationship to security is that the SHA256 hash check will fail if a 32 bit version overwrites it.
100 Also, the less binaries on a system, the more secure it is by virtue of removing the chance for an exploitable bug.
101
102
103 usage : simply invoke the script name in the terminal.
104
105
106 == pax-utils ==
107
108 ( This package can be found in oe-core )
109
110 pax-utils is a small set of various PaX aware and related utilities for
111 ELF binaries.
112
113 - scanelf : With this application you can print out information specific to the ELF structure of a binary.
114 For more help please consult the man pages or the readme file.
115
116 - pspax : is a user-space utility that scans the proc directory and list
117 ELF types, as well as their respective PaX flags and filenames and
118 attributes. Depending on build options, it may additionaly display the
119 process running set of capabilities.
120
121 - scanmacho : is a user-space utility to quickly scan given
122 Mach-Os, directories, or common system paths for different information. This
123 may include Mach-O types, their install_names, etc.
124
125 - dumpelf : is a user-space utility to dump all of the internal
126 ELF structures into the equivalent C structures for fun debugging and/or
127 reference purposes.
128
129
130 usage : simply invoke the script name in the terminal.
131
132
133 == buck-security ==
134
135 Buck-Security is a security scanner for Debian and Ubuntu Linux. It runs a couple of important checks and helps you to harden your Linux
136 system. This enables you to quickly overview the security status of your Linux system.
137
138 usage : !!! before starting to use this tool please run the following command: !!!
139
140 export GPG_TTY=`tty`
141
142 This command is needed for the usage of the comand --make-checksum, which creates
143 a checksum for the files in the system.
144
145 switch to directory /usr/local/buck-security.
146 before running the script, you should check the activated checks in conf/buck-security.conf file.
147 after altering the changes, save the file and simply run :
148
149 ./buck-security
150
151 you can choose between different outputs : 1, 2(default) or 3.
152
153 More detailed usage can be found typing ./buck-security --help
154
155
156 == libseccomp ==
157
158 The libseccomp library provides and easy to use, platform independent, interface to the Linux Kernel's syscall filtering mechanism: seccomp.
159 The libseccomp API is designed to abstract away the underlying BPF based syscall filter language and present a more conventional
160 function-call based filtering interface that should be familiar to, and easily adopted by application developers.
161
162 usage : More detailed usage can be found in the man pages and README file of the package.
163
164
165
166 == checksecurity ==
167
168 checksecurity is a simple package which will scan your system for several simple security holes.
169 It uses a simple collection of plugins, all of which are shell scripts which are configured by environmental variables.
170
171
172 usage : To start checksecurity simply write in the terminal :
173
174 checksecurity
175
176 More detailed usage can be found in the man pages and README file of the package.
177
178
179 == nikto ==
180
181 Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items,
182 including over 6500 potentially dangerous files/CGIs, checks for outdated versions of over 1250 servers, and version specific
183 problems on over 270 servers. It also checks for server configuration items such as the presence of multiple index files,
184 HTTP server options, and will attempt to identify installed web servers and software.
185
186 usage : To start nikto simply write in the terminal :
187
188 nikto
189
190 More detailed usage can be found in the man pages and README file of the package.
191
192License
193=======
194
195All metadata is MIT licensed unless otherwise stated. Source code included
196in tree for individual recipes is under the LICENSE stated in each recipe
197(.bb file) unless otherwise stated.
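Review bot: The rpm-chksec warning in the redhat-security entry carries over two configuration problems from the old README rather than fixing them on the way into the new file: IMAGE_FEATURES += "package management" spells the feature with a space, whereas the Yocto image feature that enables package management is "package-management", so copying the line as written will not give the rpm -qa output the text promises; and IMAGE_ROOTFS_EXTRA_SPACE = "" assigns an empty string while the comment says it specifies the extra space, so the example should show a real size (the variable takes kilobytes) or the line should be dropped. Since the text is being moved into a fresh file, the copied typos could also be fixed now: "vulnerablity" (find-execstack.sh), "excutables" (find-hidden-exec.sh), "additionaly" (pspax), "comand" (buck-security), "provides and easy to use" (libseccomp, should be "an easy to use"), and "the contents of the layer is listed" in the intro (should be "are listed"). Two smaller points: the "=============" underline is shorter than the "Meta-security Docs" title above it, and the nmap entry present in the old README is absent from this file, so the move loses it.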