diff options
| author | Andrei Dinu <andrei.adrianx.dinu@intel.com> | 2013-07-11 17:37:43 +0300 |
|---|---|---|
| committer | Andrei Dinu <andrei.adrianx.dinu@intel.com> | 2013-07-11 17:37:43 +0300 |
| commit | 2d0c61a39f5608fbe2180ccfd067d0858aa12092 (patch) | |
| tree | 83f6ab9e0f71af2e873083602e0673bbdb81dc50 /README | |
| parent | d54c9d7dadfddcd60ca11be23c5a2946f8a1b385 (diff) | |
| download | meta-security-2d0c61a39f5608fbe2180ccfd067d0858aa12092.tar.gz | |
meta-security-1.0-final
Signed-off-by: Andrei Dinu <andrei.adrianx.dinu@intel.com>
Diffstat (limited to 'README')
| -rw-r--r-- | README | 131 |
1 files changed, 65 insertions, 66 deletions
| @@ -36,9 +36,9 @@ In this section the contents of the layer is listed, along with a short | |||
| 36 | help for each package. | 36 | help for each package. |
| 37 | 37 | ||
| 38 | == bastille == | 38 | == bastille == |
| 39 | 39 | ||
| 40 | Bastille is a system hardening / lockdown program which enhances the | 40 | Bastille is a system hardening / lockdown program which enhances the |
| 41 | security of a Unix host. It configures daemons, system settings and | 41 | security of a Unix host. It configures daemons, system settings and |
| 42 | firewalls to be more secure. It can shut off unneeded services | 42 | firewalls to be more secure. It can shut off unneeded services |
| 43 | like rcp and rlogin, and helps create "chroot jails" that help limit the | 43 | like rcp and rlogin, and helps create "chroot jails" that help limit the |
| 44 | vulnerability of common Internet services like Web services and DNS. | 44 | vulnerability of common Internet services like Web services and DNS. |
| @@ -53,79 +53,81 @@ help for each package. | |||
| 53 | a config file will be created and run. After these steps, you will have a | 53 | a config file will be created and run. After these steps, you will have a |
| 54 | hardened system. | 54 | hardened system. |
| 55 | 55 | ||
| 56 | If you only want to run the config file, without stepping through the | 56 | If you only want to run the config file, without stepping through the |
| 57 | list of questions, simply write in a terminal : | 57 | list of questions, simply write in a terminal : |
| 58 | 58 | ||
| 59 | bastille -b | 59 | bastille -b |
| 60 | 60 | ||
| 61 | More information can be found in the package readme and manual. | 61 | More information can be found in the package readme and manual. |
| 62 | 62 | ||
| 63 | 63 | ||
| 64 | == redhat-security == | 64 | == redhat-security == |
| 65 | 65 | ||
| 66 | Sometimes you want to check different aspects of a distribution for security problems. | 66 | Sometimes you want to check different aspects of a distribution for security problems. |
| 67 | This can be anything from file permissions to correctness of code. This is a collection of those tools. | 67 | This can be anything from file permissions to correctness of code. This is a collection of those tools. |
| 68 | Depending on what information the tool has to access, it may need to be run as root. | 68 | Depending on what information the tool has to access, it may need to be run as root. |
| 69 | 69 | ||
| 70 | - rpm-chksec.sh : This will take an rpm name as input and verify each ELF file to see if its compiled with the intended flags | 70 | - rpm-chksec.sh : This will take an rpm name as input and verify each ELF file to see if its compiled with the intended flags |
| 71 | to most effectively use PIE and RELRO. Green is good, Orange could use work but is acceptable, and Red needs fixing. | 71 | to most effectively use PIE and RELRO. Green is good, Orange could use work but is acceptable, and Red needs fixing. |
| 72 | It has a mode --all that is the equivalent of using rpm -qa and feeding the packages to it. | 72 | It has a mode --all that is the equivalent of using rpm -qa and feeding the packages to it. |
| 73 | In this mode it will only give a summary result for the package. To find which files don't comply, | 73 | In this mode it will only give a summary result for the package. To find which files don't comply, |
| 74 | re-run using just the package name. | 74 | re-run using just the package name. |
| 75 | 75 | ||
| 76 | - find-nodrop-groups.sh : This will scan a whole file system to see if a program makes calls to change UID | 76 | - find-nodrop-groups.sh : This will scan a whole file system to see if a program makes calls to change UID |
| 77 | and GID without also calling setgroups or initgroups. | 77 | and GID without also calling setgroups or initgroups. |
| 78 | 78 | ||
| 79 | - rpm-drop-groups.sh : Same as above, but takes an rpm name instead. | 79 | - rpm-drop-groups.sh : Same as above, but takes an rpm name instead. |
| 80 | 80 | ||
| 81 | - find-chroot.sh : This script scans the whole file system looking for ELF files that calls chroot(2) that also do not include a call to chdir. | 81 | - find-chroot.sh : This script scans the whole file system looking for ELF files that calls chroot(2) that also do not include a call to chdir. |
| 82 | Programs that fail to do this do not have the cwd inside the chroot. This means the app can escape the protection that was intended. | 82 | Programs that fail to do this do not have the cwd inside the chroot. This means the app can escape the protection that was intended. |
| 83 | 83 | ||
| 84 | - find-chroot-py.sh : This test is like the one above except it examines python scripts for the same problem. | 84 | - find-chroot-py.sh : This test is like the one above except it examines python scripts for the same problem. |
| 85 | 85 | ||
| 86 | - find-execstack.sh : This program scans the whole file system for ELF programs that have marked the stack as being executable. | 86 | - find-execstack.sh : This program scans the whole file system for ELF programs that have marked the stack as being executable. |
| 87 | This means that if the program has another vulnerablity such as stack buffer overflow, | 87 | This means that if the program has another vulnerablity such as stack buffer overflow, |
| 88 | any code the attacker places there is executable. Any program found must be fixed. | 88 | any code the attacker places there is executable. Any program found must be fixed. |
| 89 | 89 | ||
| 90 | - find-hidden-exec.sh : This program scans the whole file system looking for excutables that are hidden. | 90 | - find-hidden-exec.sh : This program scans the whole file system looking for excutables that are hidden. |
| 91 | Anything found must be investigated since its highly unusual for executables to be hidden. | 91 | Anything found must be investigated since its highly unusual for executables to be hidden. |
| 92 | 92 | ||
| 93 | - find-sh4errors.sh : This program scans the whole file system looking for shell scripts. | 93 | - find-sh4errors.sh : This program scans the whole file system looking for shell scripts. |
| 94 | It then does a sh -n on the script which causes bash to parse the file to see if there are any mistakes. | 94 | It then does a sh -n on the script which causes bash to parse the file to see if there are any mistakes. |
| 95 | 95 | ||
| 96 | - selinux-check-devices.sh : This script checks the /dev directory to see if there are any devices that are not correctly labeled. | 96 | - selinux-check-devices.sh : This script checks the /dev directory to see if there are any devices that are not correctly labeled. |
| 97 | Anything found by this test should be reported so that selinux policy can be fixed. | 97 | Anything found by this test should be reported so that selinux policy can be fixed. |
| 98 | This test is very hardware specific, so to be effective a lot of people with different hardware | 98 | This test is very hardware specific, so to be effective a lot of people with different hardware |
| 99 | should run this test each upstream kernel version release. | 99 | should run this test each upstream kernel version release. |
| 100 | 100 | ||
| 101 | - selinux-ls-unconfined.sh : This script scans the running processes and looks for anything labeled with initrc_t or inetd. | 101 | - selinux-ls-unconfined.sh : This script scans the running processes and looks for anything labeled with initrc_t or inetd. |
| 102 | These both mean that there are daemons that do not have policy and are therefore running unconfined. | 102 | These both mean that there are daemons that do not have policy and are therefore running unconfined. |
| 103 | These should be reported as SE Linux policy problems. Because it checks currently running daemons, | 103 | These should be reported as SE Linux policy problems. Because it checks currently running daemons, |
| 104 | the more you have running, the better the test is. | 104 | the more you have running, the better the test is. |
| 105 | 105 | ||
| 106 | - find-sh4tmp.sh : This script scans the whole filesystem to check if shell scripts are using well known tmp file names | 106 | - find-sh4tmp.sh : This script scans the whole filesystem to check if shell scripts are using well known tmp file names |
| 107 | instead of obscure ones created by something like mktemp. | 107 | instead of obscure ones created by something like mktemp. |
| 108 | 108 | ||
| 109 | - find-elf4tmp.sh : This script scans the whole file system for ELF files using /tmp. When it finds this, | 109 | - find-elf4tmp.sh : This script scans the whole file system for ELF files using /tmp. When it finds this, |
| 110 | it also looks to see if any of the known good random name generator functions is called by looking | 110 | it also looks to see if any of the known good random name generator functions is called by looking |
| 111 | at the symbol table. If not, it will output the string. | 111 | at the symbol table. If not, it will output the string. |
| 112 | 112 | ||
| 113 | - lib-bin-check.sh : This will check all installed library packages to see if an application is also part of the package. | 113 | - lib-bin-check.sh : This will check all installed library packages to see if an application is also part of the package. |
| 114 | The relationship to security is that the SHA256 hash check will fail if a 32 bit version overwrites it. | 114 | The relationship to security is that the SHA256 hash check will fail if a 32 bit version overwrites it. |
| 115 | Also, the less binaries on a system, the more secure it is by virtue of removing the chance for an exploitable bug. | 115 | Also, the less binaries on a system, the more secure it is by virtue of removing the chance for an exploitable bug. |
| 116 | |||
| 116 | 117 | ||
| 117 | |||
| 118 | usage : simply invoke the script name in the terminal. | 118 | usage : simply invoke the script name in the terminal. |
| 119 | 119 | ||
| 120 | 120 | ||
| 121 | == pax-utils == | 121 | == pax-utils == |
| 122 | 122 | ||
| 123 | ( This package can be found in oe-core ) | ||
| 124 | |||
| 123 | pax-utils is a small set of various PaX aware and related utilities for | 125 | pax-utils is a small set of various PaX aware and related utilities for |
| 124 | ELF binaries. | 126 | ELF binaries. |
| 125 | 127 | ||
| 126 | - scanelf : With this application you can print out information specific to the ELF structure of a binary. | 128 | - scanelf : With this application you can print out information specific to the ELF structure of a binary. |
| 127 | For more help please consult the man pages or the readme file. | 129 | For more help please consult the man pages or the readme file. |
| 128 | 130 | ||
| 129 | - pspax : is a user-space utility that scans the proc directory and list | 131 | - pspax : is a user-space utility that scans the proc directory and list |
| 130 | ELF types, as well as their respective PaX flags and filenames and | 132 | ELF types, as well as their respective PaX flags and filenames and |
| 131 | attributes. Depending on build options, it may additionaly display the | 133 | attributes. Depending on build options, it may additionaly display the |
| @@ -142,7 +144,7 @@ help for each package. | |||
| 142 | 144 | ||
| 143 | usage : simply invoke the script name in the terminal. | 145 | usage : simply invoke the script name in the terminal. |
| 144 | 146 | ||
| 145 | 147 | ||
| 146 | == buck-security == | 148 | == buck-security == |
| 147 | 149 | ||
| 148 | Buck-Security is a security scanner for Debian and Ubuntu Linux. It runs a couple of important checks and helps you to harden your Linux | 150 | Buck-Security is a security scanner for Debian and Ubuntu Linux. It runs a couple of important checks and helps you to harden your Linux |
| @@ -150,7 +152,7 @@ help for each package. | |||
| 150 | 152 | ||
| 151 | usage : switch to directory /usr/local/buck-security. | 153 | usage : switch to directory /usr/local/buck-security. |
| 152 | before running the script, you should check the activated checks in conf/buck-security.conf file. | 154 | before running the script, you should check the activated checks in conf/buck-security.conf file. |
| 153 | after altering the changes, save the file and simply run : | 155 | after altering the changes, save the file and simply run : |
| 154 | 156 | ||
| 155 | ./buck-security | 157 | ./buck-security |
| 156 | 158 | ||
| @@ -158,44 +160,44 @@ help for each package. | |||
| 158 | 160 | ||
| 159 | More detailed usage can be found typing ./buck-security --help | 161 | More detailed usage can be found typing ./buck-security --help |
| 160 | 162 | ||
| 161 | 163 | ||
| 162 | == libseccomp == | 164 | == libseccomp == |
| 163 | 165 | ||
| 164 | The libseccomp library provides and easy to use, platform independent, interface to the Linux Kernel's syscall filtering mechanism: seccomp. | 166 | The libseccomp library provides and easy to use, platform independent, interface to the Linux Kernel's syscall filtering mechanism: seccomp. |
| 165 | The libseccomp API is designed to abstract away the underlying BPF based syscall filter language and present a more conventional | 167 | The libseccomp API is designed to abstract away the underlying BPF based syscall filter language and present a more conventional |
| 166 | function-call based filtering interface that should be familiar to, and easily adopted by application developers. | 168 | function-call based filtering interface that should be familiar to, and easily adopted by application developers. |
| 167 | 169 | ||
| 168 | usage : More detailed usage can be found in the man pages and README file of the package. | 170 | usage : More detailed usage can be found in the man pages and README file of the package. |
| 169 | 171 | ||
| 170 | 172 | ||
| 171 | 173 | ||
| 172 | == checksecurity == | 174 | == checksecurity == |
| 173 | 175 | ||
| 174 | checksecurity is a simple package which will scan your system for several simple security holes. | 176 | checksecurity is a simple package which will scan your system for several simple security holes. |
| 175 | It uses a simple collection of plugins, all of which are shell scripts which are configured by environmental variables. | 177 | It uses a simple collection of plugins, all of which are shell scripts which are configured by environmental variables. |
| 176 | 178 | ||
| 177 | !! IMPORTANT !! | 179 | !! IMPORTANT !! |
| 178 | 180 | ||
| 179 | When including this package in the image, please consider adding the following line to the end of the conf/local.conf file: | 181 | When including this package in the image, please consider adding the following line to the end of the conf/local.conf file: |
| 180 | 182 | ||
| 181 | CORE_IMAGE_EXTRA_INSTALL = "coreutils" | 183 | CORE_IMAGE_EXTRA_INSTALL = "coreutils" |
| 182 | 184 | ||
| 183 | usage : To start checksecurity simply write in the terminal : | 185 | usage : To start checksecurity simply write in the terminal : |
| 184 | 186 | ||
| 185 | checksecurity | 187 | checksecurity |
| 186 | 188 | ||
| 187 | More detailed usage can be found in the man pages and README file of the package. | 189 | More detailed usage can be found in the man pages and README file of the package. |
| 188 | 190 | ||
| 189 | 191 | ||
| 190 | == nikto == | 192 | == nikto == |
| 191 | 193 | ||
| 192 | Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, | 194 | Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, |
| 193 | including over 6500 potentially dangerous files/CGIs, checks for outdated versions of over 1250 servers, and version specific | 195 | including over 6500 potentially dangerous files/CGIs, checks for outdated versions of over 1250 servers, and version specific |
| 194 | problems on over 270 servers. It also checks for server configuration items such as the presence of multiple index files, | 196 | problems on over 270 servers. It also checks for server configuration items such as the presence of multiple index files, |
| 195 | HTTP server options, and will attempt to identify installed web servers and software. | 197 | HTTP server options, and will attempt to identify installed web servers and software. |
| 196 | 198 | ||
| 197 | usage : To start nikto simply write in the terminal : | 199 | usage : To start nikto simply write in the terminal : |
| 198 | 200 | ||
| 199 | nikto | 201 | nikto |
| 200 | 202 | ||
| 201 | More detailed usage can be found in the man pages and README file of the package. | 203 | More detailed usage can be found in the man pages and README file of the package. |
| @@ -203,18 +205,15 @@ help for each package. | |||
| 203 | 205 | ||
| 204 | == nmap == | 206 | == nmap == |
| 205 | 207 | ||
| 206 | Nmap ("Network Mapper") is a free and open source (license) utility for network discovery and security auditing. | 208 | Nmap ("Network Mapper") is a free and open source (license) utility for network discovery and security auditing. |
| 207 | Many systems and network administrators also find it useful for tasks such as network inventory, | 209 | Many systems and network administrators also find it useful for tasks such as network inventory, |
| 208 | managing service upgrade schedules, and monitoring host or service uptime. | 210 | managing service upgrade schedules, and monitoring host or service uptime. |
| 209 | 211 | ||
| 210 | usage : To start nikto simply write in the terminal : | 212 | usage : To start nikto simply write in the terminal : |
| 211 | 213 | ||
| 212 | nmap | 214 | nmap |
| 213 | 215 | ||
| 214 | More detailed usage can be found in the man pages and README file of the package. | 216 | More detailed usage can be found in the man pages and README file of the package. |
| 215 | |||
| 216 | |||
| 217 | |||
| 218 | 217 | ||
| 219 | License | 218 | License |
| 220 | ======= | 219 | ======= |