Diffstat (limited to 'README')
-rw-r--r-- | README | 191 |
1 files changed, 189 insertions, 2 deletions
@@ -15,7 +15,7 @@ This layer depends on: | |||
15 | prio: default | 15 | prio: default |
16 | 16 | ||
17 | Adding the security layer to your build | 17 | Adding the security layer to your build |
18 | ================================================= | 18 | ======================================== |
19 | 19 | ||
20 | In order to use this layer, you need to make the build system aware of | 20 | In order to use this layer, you need to make the build system aware of |
21 | it. | 21 | it. |
@@ -29,8 +29,195 @@ other layers needed. e.g.: | |||
29 | /path/to/yocto/meta \ | 29 | /path/to/yocto/meta \ |
30 | /path/to/poky/meta-security \ | 30 | /path/to/poky/meta-security \ |
31 | 31 | ||
32 | Contents and Help | ||
33 | ================= | ||
34 | |||
35 | In this section the contents of the layer is listed, along with a short | ||
36 | help for each package. | ||
37 | |||
38 | == bastille == | ||
39 | |||
40 | Bastille is a system hardening / lockdown program which enhances the | ||
41 | security of a Unix host. It configures daemons, system settings and | ||
42 | firewalls to be more secure. It can shut off unneeded services | ||
43 | like rcp and rlogin, and helps create "chroot jails" that help limit the | ||
44 | vulnerability of common Internet services like Web services and DNS. | ||
45 | |||
46 | usage : Bastille can be used via meta-security layer only in command line mode. | ||
47 | To start Bastille simply write in a terminal : | ||
48 | |||
49 | bastille -c | ||
50 | |||
51 | If this is the first usage of Bastille on the system, the user will be | ||
52 | guided through a list of questions which need to be answered. In the end, | ||
53 | a config file will be created and run. After these steps, you will have a | ||
54 | hardened system. | ||
55 | |||
56 | If you only want to run the config file, without stepping through the | ||
57 | list of questions, simply write in a terminal : | ||
58 | |||
59 | bastille -b | ||
60 | |||
61 | More information can be found in the package readme and manual. | ||
62 | |||
63 | |||
64 | == redhat-security == | ||
65 | |||
66 | Sometimes you want to check different aspects of a distribution for security problems. | ||
67 | This can be anything from file permissions to correctness of code. This is a collection of those tools. | ||
68 | Depending on what information the tool has to access, it may need to be run as root. | ||
69 | |||
70 | - rpm-chksec.sh : This will take an rpm name as input and verify each ELF file to see if its compiled with the intended flags | ||
71 | to most effectively use PIE and RELRO. Green is good, Orange could use work but is acceptable, and Red needs fixing. | ||
72 | It has a mode --all that is the equivalent of using rpm -qa and feeding the packages to it. | ||
73 | In this mode it will only give a summary result for the package. To find which files don't comply, | ||
74 | re-run using just the package name. | ||
75 | |||
76 | - find-nodrop-groups.sh : This will scan a whole file system to see if a program makes calls to change UID | ||
77 | and GID without also calling setgroups or initgroups. | ||
78 | |||
79 | - rpm-drop-groups.sh : Same as above, but takes an rpm name instead. | ||
80 | |||
81 | - find-chroot.sh : This script scans the whole file system looking for ELF files that calls chroot(2) that also do not include a call to chdir. | ||
82 | Programs that fail to do this do not have the cwd inside the chroot. This means the app can escape the protection that was intended. | ||
83 | |||
84 | - find-chroot-py.sh : This test is like the one above except it examines python scripts for the same problem. | ||
85 | |||
86 | - find-execstack.sh : This program scans the whole file system for ELF programs that have marked the stack as being executable. | ||
87 | This means that if the program has another vulnerablity such as stack buffer overflow, | ||
88 | any code the attacker places there is executable. Any program found must be fixed. | ||
89 | |||
90 | - find-hidden-exec.sh : This program scans the whole file system looking for excutables that are hidden. | ||
91 | Anything found must be investigated since its highly unusual for executables to be hidden. | ||
92 | |||
93 | - find-sh4errors.sh : This program scans the whole file system looking for shell scripts. | ||
94 | It then does a sh -n on the script which causes bash to parse the file to see if there are any mistakes. | ||
95 | |||
96 | - selinux-check-devices.sh : This script checks the /dev directory to see if there are any devices that are not correctly labeled. | ||
97 | Anything found by this test should be reported so that selinux policy can be fixed. | ||
98 | This test is very hardware specific, so to be effective a lot of people with different hardware | ||
99 | should run this test each upstream kernel version release. | ||
100 | |||
101 | - selinux-ls-unconfined.sh : This script scans the running processes and looks for anything labeled with initrc_t or inetd. | ||
102 | These both mean that there are daemons that do not have policy and are therefore running unconfined. | ||
103 | These should be reported as SE Linux policy problems. Because it checks currently running daemons, | ||
104 | the more you have running, the better the test is. | ||
105 | |||
106 | - find-sh4tmp.sh : This script scans the whole filesystem to check if shell scripts are using well known tmp file names | ||
107 | instead of obscure ones created by something like mktemp. | ||
108 | |||
109 | - find-elf4tmp.sh : This script scans the whole file system for ELF files using /tmp. When it finds this, | ||
110 | it also looks to see if any of the known good random name generator functions is called by looking | ||
111 | at the symbol table. If not, it will output the string. | ||
112 | |||
113 | - lib-bin-check.sh : This will check all installed library packages to see if an application is also part of the package. | ||
114 | The relationship to security is that the SHA256 hash check will fail if a 32 bit version overwrites it. | ||
115 | Also, the less binaries on a system, the more secure it is by virtue of removing the chance for an exploitable bug. | ||
116 | |||
117 | |||
118 | usage : simply invoke the script name in the terminal. | ||
119 | |||
120 | |||
121 | == pax-utils == | ||
122 | |||
123 | pax-utils is a small set of various PaX aware and related utilities for | ||
124 | ELF binaries. | ||
125 | |||
126 | - scanelf : With this application you can print out information specific to the ELF structure of a binary. | ||
127 | For more help please consult the man pages or the readme file. | ||
128 | |||
129 | - pspax : is a user-space utility that scans the proc directory and list | ||
130 | ELF types, as well as their respective PaX flags and filenames and | ||
131 | attributes. Depending on build options, it may additionaly display the | ||
132 | process running set of capabilities. | ||
133 | |||
134 | - scanmacho : is a user-space utility to quickly scan given | ||
135 | Mach-Os, directories, or common system paths for different information. This | ||
136 | may include Mach-O types, their install_names, etc. | ||
137 | |||
138 | - dumpelf : is a user-space utility to dump all of the internal | ||
139 | ELF structures into the equivalent C structures for fun debugging and/or | ||
140 | reference purposes. | ||
141 | |||
142 | |||
143 | usage : simply invoke the script name in the terminal. | ||
144 | |||
145 | |||
146 | == buck-security == | ||
147 | |||
148 | Buck-Security is a security scanner for Debian and Ubuntu Linux. It runs a couple of important checks and helps you to harden your Linux | ||
149 | system. This enables you to quickly overview the security status of your Linux system. | ||
150 | |||
151 | usage : switch to directory /usr/local/buck-security. | ||
152 | before running the script, you should check the activated checks in conf/buck-security.conf file. | ||
153 | after altering the changes, save the file and simply run : | ||
154 | |||
155 | ./buck-security | ||
156 | |||
157 | you can choose between different outputs : 1, 2(default) or 3. | ||
158 | |||
159 | More detailed usage can be found typing ./buck-security --help | ||
160 | |||
161 | |||
162 | == libseccomp == | ||
163 | |||
164 | The libseccomp library provides and easy to use, platform independent, interface to the Linux Kernel's syscall filtering mechanism: seccomp. | ||
165 | The libseccomp API is designed to abstract away the underlying BPF based syscall filter language and present a more conventional | ||
166 | function-call based filtering interface that should be familiar to, and easily adopted by application developers. | ||
167 | |||
168 | usage : More detailed usage can be found in the man pages and README file of the package. | ||
169 | |||
170 | |||
171 | |||
172 | == checksecurity == | ||
173 | |||
174 | checksecurity is a simple package which will scan your system for several simple security holes. | ||
175 | It uses a simple collection of plugins, all of which are shell scripts which are configured by environmental variables. | ||
176 | |||
177 | !! IMPORTANT !! | ||
178 | |||
179 | When including this package in the image, please consider adding the following line to the end of the conf/local.conf file: | ||
180 | |||
181 | CORE_IMAGE_EXTRA_INSTALL = "coreutils" | ||
182 | |||
183 | usage : To start checksecurity simply write in the terminal : | ||
184 | |||
185 | checksecurity | ||
186 | |||
187 | More detailed usage can be found in the man pages and README file of the package. | ||
188 | |||
189 | |||
190 | == nikto == | ||
191 | |||
192 | Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, | ||
193 | including over 6500 potentially dangerous files/CGIs, checks for outdated versions of over 1250 servers, and version specific | ||
194 | problems on over 270 servers. It also checks for server configuration items such as the presence of multiple index files, | ||
195 | HTTP server options, and will attempt to identify installed web servers and software. | ||
196 | |||
197 | usage : To start nikto simply write in the terminal : | ||
198 | |||
199 | nikto | ||
200 | |||
201 | More detailed usage can be found in the man pages and README file of the package. | ||
202 | |||
203 | |||
204 | == nmap == | ||
205 | |||
206 | Nmap ("Network Mapper") is a free and open source (license) utility for network discovery and security auditing. | ||
207 | Many systems and network administrators also find it useful for tasks such as network inventory, | ||
208 | managing service upgrade schedules, and monitoring host or service uptime. | ||
209 | |||
210 | usage : To start nikto simply write in the terminal : | ||
211 | |||
212 | nmap | ||
213 | |||
214 | More detailed usage can be found in the man pages and README file of the package. | ||
215 | |||
216 | |||
217 | |||
218 | |||
32 | License | 219 | License |
33 | ------- | 220 | ======= |
34 | 221 | ||
35 | All metadata is MIT licensed unless otherwise stated. Source code included | 222 | All metadata is MIT licensed unless otherwise stated. Source code included |
36 | in tree for individual recipes is under the LICENSE stated in each recipe | 223 | in tree for individual recipes is under the LICENSE stated in each recipe |
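Review bot: the nmap entry's usage line still reads "usage : To start nikto simply write in the terminal :", a copy/paste leftover from the nikto section that should say nmap. Two further points in the same hunk: the checksecurity note recommends `CORE_IMAGE_EXTRA_INSTALL = "coreutils"`, which overwrites anything the user already lists in local.conf, so `CORE_IMAGE_EXTRA_INSTALL += "coreutils"` is the safer suggestion; and the pax-utils section closes with "usage : simply invoke the script name in the terminal.", copied from redhat-security, although scanelf, pspax, scanmacho and dumpelf are compiled binaries rather than scripts, so "invoke the tool name" would be accurate. The lib-bin-check.sh sentence "the SHA256 hash check will fail if a 32 bit version overwrites it" does not say what "it" is or which check is meant, and the "(license)" placeholder in the nmap description should be replaced with the actual license or dropped. Typos worth fixing while here: "the contents of the layer is listed" (are), "vulnerablity", "excutables", "its highly unusual" (it's), "additionaly", and "provides and easy to use" (an). Style: the section headers use a "== name ==" form while the rest of the README uses underlined headings; picking one convention would read better.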