author: Andrei Dinu <andrei.adrianx.dinu@intel.com>, 2013-07-11 17:37:43 +0300
committer: Andrei Dinu <andrei.adrianx.dinu@intel.com>, 2013-07-11 17:37:43 +0300
commit: 2d0c61a39f5608fbe2180ccfd067d0858aa12092 (patch)
tree: 83f6ab9e0f71af2e873083602e0673bbdb81dc50 /README
parent: d54c9d7dadfddcd60ca11be23c5a2946f8a1b385 (diff)
download: meta-security-2d0c61a39f5608fbe2180ccfd067d0858aa12092.tar.gz
meta-security-1.0-final
Signed-off-by: Andrei Dinu <andrei.adrianx.dinu@intel.com>
Diffstat (limited to 'README')
-rw-r--r-- | README | 131 |
1 files changed, 65 insertions, 66 deletions
@@ -36,9 +36,9 @@ In this section the contents of the layer is listed, along with a short | |||
36 | help for each package. | 36 | help for each package. |
37 | 37 | ||
38 | == bastille == | 38 | == bastille == |
39 | 39 | ||
40 | Bastille is a system hardening / lockdown program which enhances the | 40 | Bastille is a system hardening / lockdown program which enhances the |
41 | security of a Unix host. It configures daemons, system settings and | 41 | security of a Unix host. It configures daemons, system settings and |
42 | firewalls to be more secure. It can shut off unneeded services | 42 | firewalls to be more secure. It can shut off unneeded services |
43 | like rcp and rlogin, and helps create "chroot jails" that help limit the | 43 | like rcp and rlogin, and helps create "chroot jails" that help limit the |
44 | vulnerability of common Internet services like Web services and DNS. | 44 | vulnerability of common Internet services like Web services and DNS. |
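Review bot: both columns of this hunk read identically, so whatever changed in lines 36-44 is not visible in this rendering; if it is trailing-whitespace or line-ending cleanup (which would also account for most of the 65 insertions / 66 deletions in the diffstat against a README whose visible content edits are a handful of lines), please say so in the commit message, and consider landing whitespace-only changes separately from the content edits so the latter can be reviewed on their own.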
@@ -53,79 +53,81 @@ help for each package. | |||
53 | a config file will be created and run. After these steps, you will have a | 53 | a config file will be created and run. After these steps, you will have a |
54 | hardened system. | 54 | hardened system. |
55 | 55 | ||
56 | If you only want to run the config file, without stepping through the | 56 | If you only want to run the config file, without stepping through the |
57 | list of questions, simply write in a terminal : | 57 | list of questions, simply write in a terminal : |
58 | 58 | ||
59 | bastille -b | 59 | bastille -b |
60 | 60 | ||
61 | More information can be found in the package readme and manual. | 61 | More information can be found in the package readme and manual. |
62 | 62 | ||
63 | 63 | ||
64 | == redhat-security == | 64 | == redhat-security == |
65 | 65 | ||
66 | Sometimes you want to check different aspects of a distribution for security problems. | 66 | Sometimes you want to check different aspects of a distribution for security problems. |
67 | This can be anything from file permissions to correctness of code. This is a collection of those tools. | 67 | This can be anything from file permissions to correctness of code. This is a collection of those tools. |
68 | Depending on what information the tool has to access, it may need to be run as root. | 68 | Depending on what information the tool has to access, it may need to be run as root. |
69 | 69 | ||
70 | - rpm-chksec.sh : This will take an rpm name as input and verify each ELF file to see if its compiled with the intended flags | 70 | - rpm-chksec.sh : This will take an rpm name as input and verify each ELF file to see if its compiled with the intended flags |
71 | to most effectively use PIE and RELRO. Green is good, Orange could use work but is acceptable, and Red needs fixing. | 71 | to most effectively use PIE and RELRO. Green is good, Orange could use work but is acceptable, and Red needs fixing. |
72 | It has a mode --all that is the equivalent of using rpm -qa and feeding the packages to it. | 72 | It has a mode --all that is the equivalent of using rpm -qa and feeding the packages to it. |
73 | In this mode it will only give a summary result for the package. To find which files don't comply, | 73 | In this mode it will only give a summary result for the package. To find which files don't comply, |
74 | re-run using just the package name. | 74 | re-run using just the package name. |
75 | 75 | ||
76 | - find-nodrop-groups.sh : This will scan a whole file system to see if a program makes calls to change UID | 76 | - find-nodrop-groups.sh : This will scan a whole file system to see if a program makes calls to change UID |
77 | and GID without also calling setgroups or initgroups. | 77 | and GID without also calling setgroups or initgroups. |
78 | 78 | ||
79 | - rpm-drop-groups.sh : Same as above, but takes an rpm name instead. | 79 | - rpm-drop-groups.sh : Same as above, but takes an rpm name instead. |
80 | 80 | ||
81 | - find-chroot.sh : This script scans the whole file system looking for ELF files that calls chroot(2) that also do not include a call to chdir. | 81 | - find-chroot.sh : This script scans the whole file system looking for ELF files that calls chroot(2) that also do not include a call to chdir. |
82 | Programs that fail to do this do not have the cwd inside the chroot. This means the app can escape the protection that was intended. | 82 | Programs that fail to do this do not have the cwd inside the chroot. This means the app can escape the protection that was intended. |
83 | 83 | ||
84 | - find-chroot-py.sh : This test is like the one above except it examines python scripts for the same problem. | 84 | - find-chroot-py.sh : This test is like the one above except it examines python scripts for the same problem. |
85 | 85 | ||
86 | - find-execstack.sh : This program scans the whole file system for ELF programs that have marked the stack as being executable. | 86 | - find-execstack.sh : This program scans the whole file system for ELF programs that have marked the stack as being executable. |
87 | This means that if the program has another vulnerablity such as stack buffer overflow, | 87 | This means that if the program has another vulnerablity such as stack buffer overflow, |
88 | any code the attacker places there is executable. Any program found must be fixed. | 88 | any code the attacker places there is executable. Any program found must be fixed. |
89 | 89 | ||
90 | - find-hidden-exec.sh : This program scans the whole file system looking for excutables that are hidden. | 90 | - find-hidden-exec.sh : This program scans the whole file system looking for excutables that are hidden. |
91 | Anything found must be investigated since its highly unusual for executables to be hidden. | 91 | Anything found must be investigated since its highly unusual for executables to be hidden. |
92 | 92 | ||
93 | - find-sh4errors.sh : This program scans the whole file system looking for shell scripts. | 93 | - find-sh4errors.sh : This program scans the whole file system looking for shell scripts. |
94 | It then does a sh -n on the script which causes bash to parse the file to see if there are any mistakes. | 94 | It then does a sh -n on the script which causes bash to parse the file to see if there are any mistakes. |
95 | 95 | ||
96 | - selinux-check-devices.sh : This script checks the /dev directory to see if there are any devices that are not correctly labeled. | 96 | - selinux-check-devices.sh : This script checks the /dev directory to see if there are any devices that are not correctly labeled. |
97 | Anything found by this test should be reported so that selinux policy can be fixed. | 97 | Anything found by this test should be reported so that selinux policy can be fixed. |
98 | This test is very hardware specific, so to be effective a lot of people with different hardware | 98 | This test is very hardware specific, so to be effective a lot of people with different hardware |
99 | should run this test each upstream kernel version release. | 99 | should run this test each upstream kernel version release. |
100 | 100 | ||
101 | - selinux-ls-unconfined.sh : This script scans the running processes and looks for anything labeled with initrc_t or inetd. | 101 | - selinux-ls-unconfined.sh : This script scans the running processes and looks for anything labeled with initrc_t or inetd. |
102 | These both mean that there are daemons that do not have policy and are therefore running unconfined. | 102 | These both mean that there are daemons that do not have policy and are therefore running unconfined. |
103 | These should be reported as SE Linux policy problems. Because it checks currently running daemons, | 103 | These should be reported as SE Linux policy problems. Because it checks currently running daemons, |
104 | the more you have running, the better the test is. | 104 | the more you have running, the better the test is. |
105 | 105 | ||
106 | - find-sh4tmp.sh : This script scans the whole filesystem to check if shell scripts are using well known tmp file names | 106 | - find-sh4tmp.sh : This script scans the whole filesystem to check if shell scripts are using well known tmp file names |
107 | instead of obscure ones created by something like mktemp. | 107 | instead of obscure ones created by something like mktemp. |
108 | 108 | ||
109 | - find-elf4tmp.sh : This script scans the whole file system for ELF files using /tmp. When it finds this, | 109 | - find-elf4tmp.sh : This script scans the whole file system for ELF files using /tmp. When it finds this, |
110 | it also looks to see if any of the known good random name generator functions is called by looking | 110 | it also looks to see if any of the known good random name generator functions is called by looking |
111 | at the symbol table. If not, it will output the string. | 111 | at the symbol table. If not, it will output the string. |
112 | 112 | ||
113 | - lib-bin-check.sh : This will check all installed library packages to see if an application is also part of the package. | 113 | - lib-bin-check.sh : This will check all installed library packages to see if an application is also part of the package. |
114 | The relationship to security is that the SHA256 hash check will fail if a 32 bit version overwrites it. | 114 | The relationship to security is that the SHA256 hash check will fail if a 32 bit version overwrites it. |
115 | Also, the less binaries on a system, the more secure it is by virtue of removing the chance for an exploitable bug. | 115 | Also, the less binaries on a system, the more secure it is by virtue of removing the chance for an exploitable bug. |
116 | |||
116 | 117 | ||
117 | |||
118 | usage : simply invoke the script name in the terminal. | 118 | usage : simply invoke the script name in the terminal. |
119 | 119 | ||
120 | 120 | ||
121 | == pax-utils == | 121 | == pax-utils == |
122 | 122 | ||
123 | ( This package can be found in oe-core ) | ||
124 | |||
123 | pax-utils is a small set of various PaX aware and related utilities for | 125 | pax-utils is a small set of various PaX aware and related utilities for |
124 | ELF binaries. | 126 | ELF binaries. |
125 | 127 | ||
126 | - scanelf : With this application you can print out information specific to the ELF structure of a binary. | 128 | - scanelf : With this application you can print out information specific to the ELF structure of a binary. |
127 | For more help please consult the man pages or the readme file. | 129 | For more help please consult the man pages or the readme file. |
128 | 130 | ||
129 | - pspax : is a user-space utility that scans the proc directory and list | 131 | - pspax : is a user-space utility that scans the proc directory and list |
130 | ELF types, as well as their respective PaX flags and filenames and | 132 | ELF types, as well as their respective PaX flags and filenames and |
131 | attributes. Depending on build options, it may additionaly display the | 133 | attributes. Depending on build options, it may additionaly display the |
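Review bot: since these lines are being rewritten anyway, fix the typos they carry: "vulnerablity" (line 87), "excutables" (line 90), "additionaly" (line 131/133), "its compiled" should be "it's compiled" (line 70), "ELF files that calls chroot(2)" should be "that call" (line 81), and "the less binaries" should be "the fewer binaries" (line 115). The find-sh4errors.sh entry (line 94) says "sh -n" which "causes bash to parse the file"; on an OE image /bin/sh is often not bash, so the syntax check reflects whichever shell sh resolves to, and the text should say that rather than name bash. The new "( This package can be found in oe-core )" note for pax-utils is helpful; the same note would help readers for any other entry whose recipe lives outside this layer.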
@@ -142,7 +144,7 @@ help for each package. | |||
142 | 144 | ||
143 | usage : simply invoke the script name in the terminal. | 145 | usage : simply invoke the script name in the terminal. |
144 | 146 | ||
145 | 147 | ||
146 | == buck-security == | 148 | == buck-security == |
147 | 149 | ||
148 | Buck-Security is a security scanner for Debian and Ubuntu Linux. It runs a couple of important checks and helps you to harden your Linux | 150 | Buck-Security is a security scanner for Debian and Ubuntu Linux. It runs a couple of important checks and helps you to harden your Linux |
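Review bot: "usage : simply invoke the script name in the terminal." (line 143/145) sits under pax-utils, but scanelf and pspax are compiled utilities, not scripts, so "the utility name" would be accurate here. For buck-security (line 148/150), the description is the upstream "security scanner for Debian and Ubuntu Linux" text; since this README documents an OE layer, a sentence on which of its checks apply on a non-dpkg image would save users a surprise.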
@@ -150,7 +152,7 @@ help for each package. | |||
150 | 152 | ||
151 | usage : switch to directory /usr/local/buck-security. | 153 | usage : switch to directory /usr/local/buck-security. |
152 | before running the script, you should check the activated checks in conf/buck-security.conf file. | 154 | before running the script, you should check the activated checks in conf/buck-security.conf file. |
153 | after altering the changes, save the file and simply run : | 155 | after altering the changes, save the file and simply run : |
154 | 156 | ||
155 | ./buck-security | 157 | ./buck-security |
156 | 158 | ||
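Review bot: "after altering the changes, save the file and simply run :" (line 153/155) is awkward; "after making your changes" reads correctly. The step of reviewing the enabled checks in conf/buck-security.conf before running is worth keeping exactly as written, since some checks are slow or noisy on a small image.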
@@ -158,44 +160,44 @@ help for each package. | |||
158 | 160 | ||
159 | More detailed usage can be found typing ./buck-security --help | 161 | More detailed usage can be found typing ./buck-security --help |
160 | 162 | ||
161 | 163 | ||
162 | == libseccomp == | 164 | == libseccomp == |
163 | 165 | ||
164 | The libseccomp library provides and easy to use, platform independent, interface to the Linux Kernel's syscall filtering mechanism: seccomp. | 166 | The libseccomp library provides and easy to use, platform independent, interface to the Linux Kernel's syscall filtering mechanism: seccomp. |
165 | The libseccomp API is designed to abstract away the underlying BPF based syscall filter language and present a more conventional | 167 | The libseccomp API is designed to abstract away the underlying BPF based syscall filter language and present a more conventional |
166 | function-call based filtering interface that should be familiar to, and easily adopted by application developers. | 168 | function-call based filtering interface that should be familiar to, and easily adopted by application developers. |
167 | 169 | ||
168 | usage : More detailed usage can be found in the man pages and README file of the package. | 170 | usage : More detailed usage can be found in the man pages and README file of the package. |
169 | 171 | ||
170 | 172 | ||
171 | 173 | ||
172 | == checksecurity == | 174 | == checksecurity == |
173 | 175 | ||
174 | checksecurity is a simple package which will scan your system for several simple security holes. | 176 | checksecurity is a simple package which will scan your system for several simple security holes. |
175 | It uses a simple collection of plugins, all of which are shell scripts which are configured by environmental variables. | 177 | It uses a simple collection of plugins, all of which are shell scripts which are configured by environmental variables. |
176 | 178 | ||
177 | !! IMPORTANT !! | 179 | !! IMPORTANT !! |
178 | 180 | ||
179 | When including this package in the image, please consider adding the following line to the end of the conf/local.conf file: | 181 | When including this package in the image, please consider adding the following line to the end of the conf/local.conf file: |
180 | 182 | ||
181 | CORE_IMAGE_EXTRA_INSTALL = "coreutils" | 183 | CORE_IMAGE_EXTRA_INSTALL = "coreutils" |
182 | 184 | ||
183 | usage : To start checksecurity simply write in the terminal : | 185 | usage : To start checksecurity simply write in the terminal : |
184 | 186 | ||
185 | checksecurity | 187 | checksecurity |
186 | 188 | ||
187 | More detailed usage can be found in the man pages and README file of the package. | 189 | More detailed usage can be found in the man pages and README file of the package. |
188 | 190 | ||
189 | 191 | ||
190 | == nikto == | 192 | == nikto == |
191 | 193 | ||
192 | Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, | 194 | Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, |
193 | including over 6500 potentially dangerous files/CGIs, checks for outdated versions of over 1250 servers, and version specific | 195 | including over 6500 potentially dangerous files/CGIs, checks for outdated versions of over 1250 servers, and version specific |
194 | problems on over 270 servers. It also checks for server configuration items such as the presence of multiple index files, | 196 | problems on over 270 servers. It also checks for server configuration items such as the presence of multiple index files, |
195 | HTTP server options, and will attempt to identify installed web servers and software. | 197 | HTTP server options, and will attempt to identify installed web servers and software. |
196 | 198 | ||
197 | usage : To start nikto simply write in the terminal : | 199 | usage : To start nikto simply write in the terminal : |
198 | 200 | ||
199 | nikto | 201 | nikto |
200 | 202 | ||
201 | More detailed usage can be found in the man pages and README file of the package. | 203 | More detailed usage can be found in the man pages and README file of the package. |
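Review bot: the recommended local.conf line CORE_IMAGE_EXTRA_INSTALL = "coreutils" (line 181/183) uses a plain assignment, which silently replaces any packages the user already lists in that variable; CORE_IMAGE_EXTRA_INSTALL += "coreutils" appends and is the safer instruction for a README. Also "provides and easy to use" should be "provides an easy to use" (line 164/166), and "environmental variables" should be "environment variables" (line 175/177).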
@@ -203,18 +205,15 @@ help for each package. | |||
203 | 205 | ||
204 | == nmap == | 206 | == nmap == |
205 | 207 | ||
206 | Nmap ("Network Mapper") is a free and open source (license) utility for network discovery and security auditing. | 208 | Nmap ("Network Mapper") is a free and open source (license) utility for network discovery and security auditing. |
207 | Many systems and network administrators also find it useful for tasks such as network inventory, | 209 | Many systems and network administrators also find it useful for tasks such as network inventory, |
208 | managing service upgrade schedules, and monitoring host or service uptime. | 210 | managing service upgrade schedules, and monitoring host or service uptime. |
209 | 211 | ||
210 | usage : To start nikto simply write in the terminal : | 212 | usage : To start nikto simply write in the terminal : |
211 | 213 | ||
212 | nmap | 214 | nmap |
213 | 215 | ||
214 | More detailed usage can be found in the man pages and README file of the package. | 216 | More detailed usage can be found in the man pages and README file of the package. |
215 | |||
216 | |||
217 | |||
218 | 217 | ||
219 | License | 218 | License |
220 | ======= | 219 | ======= |
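Review bot: "usage : To start nikto simply write in the terminal :" (line 210/212) is under the nmap section and is a copy-paste slip; it should read "To start nmap". In the same section, "free and open source (license) utility" (line 206/208) carries a leftover "(license)" link placeholder from the upstream site text; either name the license or drop the parenthetical. Removing the three trailing blank lines before "License" is fine.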