summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMiruna Paun <Miruna.Paun@enea.com>2017-09-19 11:14:01 +0200
committerMiruna Paun <Miruna.Paun@enea.com>2017-09-19 11:14:01 +0200
commit2732662269d2ca8cc700be7a397296468ec54a7f (patch)
treed743fcc68109ca1f91c20de9aa297be45c6bd4a1
parent14f4e01d3d11ef77247b809d3410cae96aef94d0 (diff)
downloadnfv-access-documentation-2732662269d2ca8cc700be7a397296468ec54a7f.tar.gz
Created xml docs for Security Hardening for Enea NFV Access 1.1
USERDOCAP-236 Signed-off-by: Miruna Paun <Miruna.Paun@enea.com>
Diffstat
-rw-r--r--doc/book-enea-nfv-access-dev-hardening-guide/doc/appendix_a.xml70
-rw-r--r--doc/book-enea-nfv-access-dev-hardening-guide/doc/book.xml29
-rw-r--r--doc/book-enea-nfv-access-dev-hardening-guide/doc/eltf_params_template.xml151
-rw-r--r--doc/book-enea-nfv-access-dev-hardening-guide/doc/eltf_params_updated.xml165
-rw-r--r--doc/book-enea-nfv-access-dev-hardening-guide/doc/eltf_params_updated_template_how_to_use.txt320
-rw-r--r--doc/book-enea-nfv-access-dev-hardening-guide/doc/hardening_checklist.xml952
-rw-r--r--doc/book-enea-nfv-access-dev-hardening-guide/doc/introduction.xml127
-rw-r--r--doc/book-enea-nfv-access-dev-hardening-guide/doc/metasecure_tools.xml465
-rw-r--r--doc/book-enea-nfv-access-dev-hardening-guide/swcomp.mk10
-rw-r--r--doc/book-enea-nfv-access-user-hardening-guide/doc/book.xml18
-rw-r--r--doc/book-enea-nfv-access-user-hardening-guide/doc/eltf_params_template.xml151
-rw-r--r--doc/book-enea-nfv-access-user-hardening-guide/doc/eltf_params_updated.xml165
-rw-r--r--doc/book-enea-nfv-access-user-hardening-guide/doc/eltf_params_updated_template_how_to_use.txt320
-rw-r--r--doc/book-enea-nfv-access-user-hardening-guide/doc/guidelines_hardening_linux.xml212
-rw-r--r--doc/book-enea-nfv-access-user-hardening-guide/doc/intro_hardentools_tech.xml209
-rw-r--r--doc/book-enea-nfv-access-user-hardening-guide/doc/intro_info_security.xml144
-rw-r--r--doc/book-enea-nfv-access-user-hardening-guide/doc/introduction.xml102
-rw-r--r--doc/book-enea-nfv-access-user-hardening-guide/swcomp.mk10
18 files changed, 3620 insertions, 0 deletions
diff --git a/doc/book-enea-nfv-access-dev-hardening-guide/doc/appendix_a.xml b/doc/book-enea-nfv-access-dev-hardening-guide/doc/appendix_a.xml
new file mode 100644
index 0000000..c5d9aaa
--- /dev/null
+++ b/doc/book-enea-nfv-access-dev-hardening-guide/doc/appendix_a.xml
@@ -0,0 +1,70 @@
1<?xml version="1.0" encoding="ISO-8859-1"?>
2<appendix id="appendix_a">
3 <title>Useful Memory Terms</title>
4
5 <remark>Change the title to something better</remark>
6
7 <section id="buffer_overflow">
8 <title>Buffer overflow</title>
9
10 <para>A buffer overflow occurs when a program or process attempts to write
11 more data to a fixed length block of memory, or buffer, than the buffer is
12 allocated to hold.</para>
13
14 <para>Since buffers are created to contain a defined amount of data, the
15 extra data can overwrite data values in memory addresses adjacent to the
16 destination buffer, unless the program includes sufficient bounds checking
17 to flag or discard data when too much is sent to a memory buffer.
18 Languages such Ada, C#, Haskell, Java, JavaScript, Lisp, PHP, Python,
19 Ruby, and Visual Basic enforce run-time checking. </para>
20
21 <para>C and C++ are prone to buffer overflow attacks as they have no
22 built-in protection against accessing or overwriting data in any part of
23 their memory, and do not automatically check that data written to an array
24 (the built-in buffer type) is within the boundaries of that array.</para>
25 </section>
26
27 <section id="security_exploit">
28 <title>Security Exploit</title>
29
30 <para>On many systems, the memory layout of a program, or the system as a
31 whole, is well defined. Exploiting the behavior of a buffer overflow is a
32 well-known security exploit. By sending in data designed to cause a buffer
33 overflow, it is possible to write into areas known to hold an executable,
34 and replace it with malicious code.</para>
35
36 <para>Bounds checking can prevent buffer overflows, but requires
37 additional code and processing time. Modern operating systems use a
38 variety of techniques to combat malicious buffer overflows by randomizing
39 the layout of memory, or deliberately leaving space between buffers and
40 looking for actions that write into those areas "canaries". For further
41 reading about security exploits refer to the <ulink
42 url="https://www.exploit-db.com/">Exploit database</ulink>.</para>
43 </section>
44
45 <section id="hd_bounds_ck">
46 <title>Hardware Bounds Checking</title>
47
48 <para>The safety added by bounds checking costs CPU time if checking is
49 performed in software however, if the checks are performed by hardware
50 then safety can be provided "for free" with no runtime cost. </para>
51
52 <para>Research was started at least as early as 2005 regarding methods to
53 use x86's built-in virtual memory management unit to ensure safety of
54 array and buffer accesses. In 2015 Intel provided their Intel MPX
55 extensions in their Skylake processor architecture which stores bounds in
56 a CPU register and table in memory. As of early 2017 GCC among others,
57 supports MPX extensions.</para>
58 </section>
59
60 <section id="rootkit">
61 <title>Rootkit</title>
62
63 <para>A rootkit is a collection of malicious software designed to enable
64 access to another software that would not otherwise be allowed, e.g: to an
65 unauthorized user, and often masks its existence or the existence of other
66 software. The term rootkit is a concatenation of "root" and
67 the word "kit", which refers to the software components that implement the
68 tool, and is associated with malware.</para>
69 </section>
70</appendix> \ No newline at end of file
diff --git a/doc/book-enea-nfv-access-dev-hardening-guide/doc/book.xml b/doc/book-enea-nfv-access-dev-hardening-guide/doc/book.xml
new file mode 100644
index 0000000..1a75484
--- /dev/null
+++ b/doc/book-enea-nfv-access-dev-hardening-guide/doc/book.xml
@@ -0,0 +1,29 @@
1<?xml version="1.0" encoding="ISO-8859-1"?>
2<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
3"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
4<!ENTITY % local.common.attrib "xml:base CDATA #IMPLIED">
5]>
6<book id="book_enea_nfv_access_hardening_guide">
7 <title><trademark class="registered">Enea</trademark> NFV Access Developer's
8 Hardening Guide</title>
9
10 <subtitle>Release Version <xi:include href="eltf_params_updated.xml"
11 xmlns:xi="http://www.w3.org/2001/XInclude"
12 xpointer="element(EneaLinux_REL_VER/1)" /></subtitle>
13
14 <!-- OLINKDBPATH_USED_BY_XMLMIND ../../s_docbuild/olinkdb -->
15
16 <xi:include href="../../s_docbuild/template/docsrc_common/bookinfo_userdoc.xml"
17 xmlns:xi="http://www.w3.org/2001/XInclude" />
18
19 <xi:include href="introduction.xml"
20 xmlns:xi="http://www.w3.org/2001/XInclude" />
21
22 <xi:include href="hardening_checklist.xml"
23 xmlns:xi="http://www.w3.org/2001/XInclude" />
24
25 <xi:include href="metasecure_tools.xml"
26 xmlns:xi="http://www.w3.org/2001/XInclude" />
27 <xi:include href="appendix_a.xml"
28 xmlns:xi="http://www.w3.org/2001/XInclude" />
29</book> \ No newline at end of file
diff --git a/doc/book-enea-nfv-access-dev-hardening-guide/doc/eltf_params_template.xml b/doc/book-enea-nfv-access-dev-hardening-guide/doc/eltf_params_template.xml
new file mode 100644
index 0000000..eaa7ebd
--- /dev/null
+++ b/doc/book-enea-nfv-access-dev-hardening-guide/doc/eltf_params_template.xml
@@ -0,0 +1,151 @@
1<?xml version="1.0" encoding="ISO-8859-1"?>
2<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
3"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
4<section id="eltf_created_params">
5 <title>File with Parameters in the Book Auto-updated by ELFT</title>
6
7 <note>
8 <para>See the <emphasis
9 role="bold">eltf_params_updated_template_howto_use.txt</emphasis> text
10 file for description of how to create the final <emphasis
11 role="bold">eltf_params_updated.xml</emphasis> from this template and for
12 all <emphasis role="bold">REQUIREMENTS</emphasis>. Use the command
13 "<emphasis role="bold">make eltf</emphasis>" to extract a full list of all
14 ELTF variables, which always begins with ELTF_ and don't only rely on the
15 howto text file list! The plan is that ELTF will auto-update this when
16 needed.</para>
17 </note>
18
19 <section id="host_prereq">
20 <title>Common Parameters</title>
21
22 <bridgehead>A programlisting, ID
23 "eltf-prereq-apt-get-commands-host"</bridgehead>
24
25 <para id="eltf-prereq-apt-get-commands-host"><programlisting>ELTF_PL_HOST_PREREQ</programlisting></para>
26
27 <bridgehead>A programlisting, ID
28 "eltf-getting-repo-install-command"</bridgehead>
29
30 <para id="eltf-getting-repo-install-command"><programlisting>ELTF_PL_GET_REPO</programlisting></para>
31
32 <bridgehead>Several phrase elements, various IDs. Ensure EL_REL_VER is
33 correct also compared to the "previous" REL VER in pardoc-distro.xml
34 "prev_baseline".</bridgehead>
35
36 <para id="EneaLinux_REL_VER"><phrase>ELTF_EL_REL_VER</phrase></para>
37
38 <para id="Yocto_VER"><phrase>ELTF_YOCTO_VER</phrase></para>
39
40 <para id="Yocto_NAME"><phrase>ELTF_YOCTO_NAME</phrase></para>
41
42 <para id="ULINK_YOCTO_PROJECT_DOWNLOAD"><ulink
43 url="ELTF_YOCTO_PROJ_DOWNLOAD_URL">ELTF_YOCTO_PROJ_DOWNLOAD_TXTURL</ulink></para>
44
45 <para id="ULINK_ENEA_LINUX_URL"><ulink
46 url="ELTF_EL_DOWNLOAD_URL">ELTF_EL_DOWNLOAD_TXTURL</ulink></para>
47
48 <bridgehead>A programlisting, ID "eltf-repo-cloning-enea-linux". Use
49 $MACHINE/default.xml as parameter, where MACHINE is one of the target
50 directory names in the manifest.</bridgehead>
51
52 <para id="eltf-repo-cloning-enea-linux"><programlisting>ELTF_PL_CLONE_W_REPO</programlisting></para>
53
54 <bridgehead>A table with ONE row, only the row with ID
55 "eltf-eclipse-version-row" is included in the book. MANUALLY BOTH in the
56 template.xml and in the updated.xml, set condition hidden on the
57 &lt;row&gt;, if eclipse is not in the release.</bridgehead>
58
59 <informaltable>
60 <tgroup cols="1">
61 <tbody>
62 <row id="eltf-eclipse-version-row">
63 <entry>Eclipse version ELTF_ECLIPSE_VERSION plus command line
64 development tools are included in this Enea NFV Access release.</entry>
65 </row>
66 </tbody>
67 </tgroup>
68 </informaltable>
69
70 <bridgehead>Below is one big section with title "Supported Targets with
71 Parameters". The entire section is included completely in the book via ID
72 "eltf-target-tables-section" and shall be LAST in the template. The
73 template contains ONE target subsection. COPY/APPEND it, if multiple
74 targets exist in the release and optionally add rows with additional
75 target parameters in each target subsection table.</bridgehead>
76 </section>
77
78 <section id="eltf-target-tables-section">
79 <title>Supported Targets with Parameters</title>
80
81 <para>The tables below describes the target(s) supported in this Enea
82 NFV Access release.</para>
83
84 <section id="eltf-target-table-ELTF_T_MANIFEST_DIR">
85 <title>MACHINE ELTF_T_MANIFEST_DIR - Information</title>
86
87 <para><informaltable>
88 <tgroup cols="2">
89 <colspec colwidth="6*" />
90
91 <colspec colwidth="9*" />
92
93 <tbody>
94 <row>
95 <entry>Target official name</entry>
96
97 <entry>ELTF_T_NAME</entry>
98 </row>
99
100 <row>
101 <entry>Architecture and Description</entry>
102
103 <entry>ELTF_T_ARC_DESC</entry>
104 </row>
105
106 <row>
107 <entry>Link to target datasheet</entry>
108
109 <entry>See <ulink
110 url="ELTF_T_DS_URL">ELTF_T_DS_TXTURL</ulink></entry>
111 </row>
112
113 <row>
114 <entry>Poky version</entry>
115
116 <entry>ELTF_T_POKY_VER</entry>
117 </row>
118
119 <row>
120 <entry>GCC version</entry>
121
122 <entry>ELTF_T_GCC_VER</entry>
123 </row>
124
125 <row>
126 <entry>Linux Kernel Version</entry>
127
128 <entry>ELTF_T_KERN_VER</entry>
129 </row>
130
131 <row>
132 <entry>Supported Drivers</entry>
133
134 <entry>ELTF_T_DRIVERS</entry>
135 </row>
136
137 <row>
138 <entry>Enea rpm folder for downloading RPM packages for this
139 target</entry>
140
141 <entry><ulink
142 url="ELTF_T_EL_RPM_URL">ELTF_T_EL_RPM_TXTURL</ulink></entry>
143 </row>
144 </tbody>
145 </tgroup>
146 </informaltable></para>
147 </section>
148
149 <!-- ELTFADD_MORE_TARGET_SECTIONS_BELOW_IF_NEEDED -->
150 </section>
151</section> \ No newline at end of file
diff --git a/doc/book-enea-nfv-access-dev-hardening-guide/doc/eltf_params_updated.xml b/doc/book-enea-nfv-access-dev-hardening-guide/doc/eltf_params_updated.xml
new file mode 100644
index 0000000..f6bd068
--- /dev/null
+++ b/doc/book-enea-nfv-access-dev-hardening-guide/doc/eltf_params_updated.xml
@@ -0,0 +1,165 @@
1<?xml version="1.0" encoding="ISO-8859-1"?>
2<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
3"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
4<section id="eltf_created_params">
5 <title>File with Parameters in the Book Auto-updated by ELFT</title>
6
7 <note>
8 <para>See the <emphasis
9 role="bold">eltf_params_updated_template_howto_use.txt</emphasis> text
10 file for description of how to create the final <emphasis
11 role="bold">eltf_params_updated.xml</emphasis> from this template and for
12 all <emphasis role="bold">REQUIREMENTS</emphasis>. Use the command
13 "<emphasis role="bold">make eltf</emphasis>" to extract a full list of all
14 ELTF variables, which always begins with ELTF_ and don't only rely on the
15 howto text file list! The plan is that ELTF will auto-update this when
16 needed.</para>
17 </note>
18
19 <section id="host_prereq">
20 <title>Common Parameters</title>
21
22 <bridgehead>A programlisting, ID
23 "eltf-prereq-apt-get-commands-host"</bridgehead>
24
25 <para id="eltf-prereq-apt-get-commands-host"><programlisting># Host Ubuntu 14.04.5 LTS 64bit
26sudo apt-get -y update
27sudo apt-get -y install sed wget subversion git-core coreutils unzip texi2html \
28 texinfo libsdl1.2-dev docbook-utils fop gawk python-pysqlite2 diffstat \
29 make gcc build-essential xsltproc g++ desktop-file-utils chrpath \
30 libgl1-mesa-dev libglu1-mesa-dev autoconf automake groff libtool xterm \
31 libxml-parser-perl</programlisting></para>
32
33 <bridgehead>A programlisting, ID
34 "eltf-getting-repo-install-command"</bridgehead>
35
36 <para id="eltf-getting-repo-install-command"><programlisting>mkdir -p ~/bin
37curl https://storage.googleapis.com/git-repo-downloads/repo &gt; ~/bin/repo
38chmod a+x ~/bin/repo
39export PATH=~/bin:$PATH</programlisting></para>
40
41 <bridgehead>Several phrase elements, various IDs. Ensure EL_REL_VER is
42 correct also compared to the "previous" REL VER in pardoc-distro.xml
43 "prev_baseline".</bridgehead>
44
45 <para id="EneaLinux_REL_VER"><phrase>1.0</phrase></para>
46
47 <para id="Yocto_VER"><phrase>2.1</phrase></para>
48
49 <para id="Yocto_NAME"><phrase>krogoth</phrase></para>
50
51 <para id="ULINK_YOCTO_PROJECT_DOWNLOAD"><ulink
52 url="http://www.yoctoproject.org/downloads/core/krogoth/21">http://www.yoctoproject.org/downloads/core/krogoth/21</ulink></para>
53
54 <para id="ULINK_ENEA_LINUX_URL"><ulink
55 url="https://linux.enea.com/6">https://linux.enea.com/6</ulink></para>
56
57 <bridgehead>A programlisting, ID "eltf-repo-cloning-enea-linux". Use
58 $MACHINE/default.xml as parameter, where MACHINE is one of the target
59 directory names in the manifest.</bridgehead>
60
61 <para id="eltf-repo-cloning-enea-linux"><programlisting>mkdir enea-linux
62cd enea-linux
63repo init -u git@git.enea.com:linux/manifests/el_manifests-virtualization.git \
64 -b refs/tags/EL6 -m $MACHINE/default.xml
65repo sync</programlisting></para>
66
67 <bridgehead>A table with ONE row, only the row with ID
68 "eltf-eclipse-version-row" is included in the book. MANUALLY in book, set
69 condition hidden if eclipse is not in the release. Do this both in
70 template.xml and updated.xml.</bridgehead>
71
72 <informaltable>
73 <tgroup cols="1">
74 <tbody>
75 <row condition="hidden" id="eltf-eclipse-version-row">
76 <entry>Eclipse version 4.3 (Mars) plus command line development
77 tools are included in this Enea NFV Access release.</entry>
78 </row>
79 </tbody>
80 </tgroup>
81 </informaltable>
82
83 <bridgehead>Below is one big section with title "Supported Targets with
84 Parameters". The entire section is included completely in the book via ID
85 "eltf-target-tables-section" and shall be LAST in the template. The
86 template contains ONE target subsection. COPY/APPEND it, if multiple
87 targets exist in the release and optionally add rows with additional
88 target parameters in each target subsection table.</bridgehead>
89 </section>
90
91 <section id="eltf-target-tables-section">
92 <title>Supported Reference Boards with Parameters</title>
93
94 <para>The tables below describes the target(s) supported in this Enea NFV
95 Access release.</para>
96
97 <section id="eltf-target-table-p2041rdb">
98 <title>MACHINE p2041rdb - Information</title>
99
100 <para><informaltable>
101 <tgroup cols="2">
102 <colspec colwidth="6*" />
103
104 <colspec colwidth="9*" />
105
106 <tbody>
107 <row>
108 <entry>Target official name</entry>
109
110 <entry>P2041RDB</entry>
111 </row>
112
113 <row>
114 <entry>Architecture and Description</entry>
115
116 <entry>Power, e500mc</entry>
117 </row>
118
119 <row>
120 <entry>Link to target datasheet</entry>
121
122 <entry>See <ulink
123 url="http://www.nxp.com/products/microcontrollers-and-processors/power-architecture-processors/qoriq-power-architecture-processors/p2041-qoriq-reference-design-board:RDP2041BOARD">link
124 to NXP's datasheet</ulink></entry>
125 </row>
126
127 <row>
128 <entry>Poky version</entry>
129
130 <entry>Git-commit-id:
131 75ca53211488a3e268037a44ee2a7ac5c7181bd2</entry>
132 </row>
133
134 <row>
135 <entry>GCC version</entry>
136
137 <entry>5.3</entry>
138 </row>
139
140 <row>
141 <entry>Linux Kernel Version</entry>
142
143 <entry>3.12</entry>
144 </row>
145
146 <row>
147 <entry>Supported Drivers</entry>
148
149 <entry>Ethernet, I2C, SPI, PCI Express, USB, Flash,
150 SD/SDHC/SDXC, RTC</entry>
151 </row>
152
153 <row>
154 <entry>Enea rpm folder for downloading RPM packages for this
155 target</entry>
156
157 <entry><ulink
158 url="https://linux.enea.com/6/p2041rgb/rpm">https://linux.enea.com/6/p2041rgb/rpm</ulink></entry>
159 </row>
160 </tbody>
161 </tgroup>
162 </informaltable></para>
163 </section>
164 </section>
165</section> \ No newline at end of file
diff --git a/doc/book-enea-nfv-access-dev-hardening-guide/doc/eltf_params_updated_template_how_to_use.txt b/doc/book-enea-nfv-access-dev-hardening-guide/doc/eltf_params_updated_template_how_to_use.txt
new file mode 100644
index 0000000..87a6445
--- /dev/null
+++ b/doc/book-enea-nfv-access-dev-hardening-guide/doc/eltf_params_updated_template_how_to_use.txt
@@ -0,0 +1,320 @@
1eltf_params_template_updated_howto_use.txt
2
3This is a way to collect all parameters for an Enea NFV Access release
4in one parameter file, easy to automatically update by ELTF regularly.
5
6NOTE: Both the release info AND the open source books use parameters from
7 here, but the XML file is inside the release info book directory.
8
9NOTE: The manifest_conf.mk, or overridden by the environment variable
10 MANIFESTHASH, contains the full tag (or hashvalue) for downloading
11 the manifest when the books are built. The list of target
12 directories are fetched from the manifest into the book.
13 The eltf_params_updates.xml can all the time contain
14 the final next complete tag e.g. refs/tags/EL6 or similar
15 in the ELTF_PL_CLONE_W_REPO parameter command lines.
16
17The ordinary book XML files use xi:include statements to include elements
18from this parameter file. The book XML files can thus be manually edited.
19Before editing, you must run "make init".
20Any other text in the template or updated.xml file, outside the parts that
21are included in the book, are not used but still all must be correct
22DocBook XML files.
23
24ELTF work:
25 template => ELTF replaces ALL ELTF_xxx variables => updated XML file
26 => push to git only if changed
27
28
29eltf_params_template.xml (in git)
30 File used by ELTF to autocreate/update the real parameter
31 file eltf_params_updated.xml.
32
33eltf_params_updated.xml (in git)
34 Real parameter file where ELTF has replaced all ELTF_xx variables with
35 strings, in several cases with multiline strings.
36 No spaces or linefeed allowed in beginning or end of the variable values!
37
38
39xi:include: Each parameter is xi:include'ed in various book files, using
40 the IDs existing in the parameter files.
41 In most cases the 1:st element inside an element with an ID is included
42 using a format like eltf-prereq-apt-get-commands-host/1.
43 In very few cases the element with the ID is included in the book, one
44 example is the target section which has an ID, but which contains
45 multiple subsections, one per target.
46 All IDs in a book must be unique.
47
48DocBook XML: All XML files must be correct DocBook XML files.
49
50Do NOT edit/save the real *updated.xml file with XMLmind to avoid changes
51 not done by ELTF. But it is OK to open the real file in XMLmind to
52 check that the format is correct.
53
54ELTF should autocreate a temporary "real" file but only replace
55 and push the eltf_params_updated.xml if it is changed.
56
57
58make eltf
59 This lists all ELTF_xxx variables and some rules how to treat them
60
61DocBook Format: All elements - rules:
62 Several strict generic XML rules apply for all strings:
63 1. No TABs allowed or any other control chr than "linefeed"
64 2. Only 7-bit ASCII
65 3. Any < > & must be converted to &lt; &gt; and &amp;
66 Similar for any other non-7-bit-ASCII but avoid those!
67 4. No leading spaces or linefeeds when replacing the ELTF_* variable
68 5. No trailing spaces or linefeeds when replacing the ELTF_* variable
69 6. Note: Keep existing spaces before/efter ELTF_* in a few cases.
70
71DocBook Format: <programlisting> - rules: ELTF*PL* variables
72 Several strict rules apply for the multiline string in programlisting
73 in addition to the general XML rules above:
74 7. Max line length < 80 char
75 8. Use backslash (\) to break longer lines
76 9. Use spaces (e.g. 4) to indent continuation lines in programlistings
77 10. No trailing spaces on any line
78 11. No spaces or linefeed immediately after leading <programlisting>
79 12. No spaces or linefeed before trailing </programlisting>
80
81DocBook Format: <ulink> - rules: ELTF_*URL* variables
82 13. ELTF_*URL and corresponding ELTF_*TXTURL shall be identical strings
83 14. Only if the URL is extremely long, the TXTURL can be a separate string
84
85Each target has one section with target parameters:
86 <section id="eltf-target-table-ELTF_T_MANIFEST_DIR">
87 <title>MACHINE ELTF_T_MANIFEST_DIR - Information</title>
88 ..... with many ELTF_ variables ....
89 </section>
90
91 15. If there is only one target. ELTF just replaces ELTF parameters
92
93 16. It there are multiple targets. ELTF copies the section and appends the
94 section the required number of times.
95 Each section ID will become unique: eltf-target-table-ELTF_T_MANIFEST_DIR
96 Each section title will become unique
97
98Tables with target parameters in each target section:
99 17. It is possible for ELTF to append more rows with one parameter each
100 to these tables, because the entire tables are included in the book
101
102Special - NOT YET READY DEFINED how to handle the optionally included
103 Eclipse and its version, but this is a first suggestion:
104 18. Just now ELTF can define ELFT_ECLIPSE_VERSION as a full string
105 with both version number and name,
106 19. MANUALLY if Eclipse is NOT included in the release,
107 the release manager should manually set condition="hidden" on
108 the entire section in the book XML about Eclipse
109
110
111
112BELOW WE TRY TO EXPLAIN EACH ELTF_* variable, but always check with make eltf
113if there are more new variables, missing in this description file.
114
115_____________________________________________________________________________
116ELTF_PL_HOST_PREREQ Multiline list of host prerequisites, e.g. commands
117 like sudo apt-get install xxxx or similar.
118 First line = comment with the complete host name!
119 It is possible to include multiple hosts by just
120 adding an empty line, comment with host name, etc.
121 xi:include eltf-prereq-apt-get-commands-host/1
122 This is a <programlisting>...</programlisting>
123 Example:
124# Host Ubuntu 14.04.5 LTS 64bit
125sudo apt-get update
126sudo apt-get install sed wget subversion git-core coreutils unzip texi2html \
127 texinfo libsdl1.2-dev docbook-utils fop gawk python-pysqlite2 diffstat \
128 make gcc build-essential xsltproc g++ desktop-file-utils chrpath \
129 libgl1-mesa-dev libglu1-mesa-dev autoconf automake groff libtool xterm \
130 libxml-parser-perl
131
132_____________________________________________________________________________
133ELTF_PL_GET_REPO Multiline commands to download the repo tool
134 xi:include eltf-getting-repo-install-command/1
135 This is a <programlisting>...</programlisting>
136 Example:
137mkdir -p ~/bin
138curl https://storage.googleapis.com/git-repo-downloads/repo > ~/bin/repo
139chmod a+x ~/bin/repo
140export PATH=~/bin:$PATH
141
142_____________________________________________________________________________
143ELTF_EL_REL_VER General parameter string: The version of this Enea
144 Linux release. Major version and optional .Minor
145 Typically created from MAJOR and MINOR in enea.conf
146 MINOR in enea.conf is empty or contains a dot+minor
147 xi_include EneaLinux_REL_VER/1
148 This is a <phrase>X.x</phrase> used in many places.
149 Examples:
1506
151 or
1526.1
153
154_____________________________________________________________________________
155ELTF_YOCTO_VER General parameter string: Yocto version, created
156 from DISTRO in poky.ent
157 xi:include Yocto_VER/1
158 This is a <phrase>X.x</phrase> used in many places.
159 Example:
1602.1
161
162_____________________________________________________________________________
163ELTF_YOCTO_NAME General parameter string: Yocto name (branch), created
164 from DISTRO_NAME_NO_CAP in poky.ent
165 xi:include Yocto_NAME/1
166 This is a <phrase>X.x</phrase> used in many places.
167 Example:
168krogoth
169
170_____________________________________________________________________________
171ELTF_YOCTO_PROJ_DOWNLOAD_TXTURL General parameters. These two are IDENTICAL
172ELTF_YOCTO_PROJ_DOWNLOAD_URL strings with correct Yocto version string
173 at the end, typically without "dot".
174 xi:include ULINK_YOCTO_PROJECT_DOWNLOAD/1
175 This is an <ulink url="...">...</ulink>
176 Example:
177http://www.yoctoproject.org/downloads/core/krogoth/21
178
179_____________________________________________________________________________
180ELTF_EL_DOWNLOAD_TXTURL General parameters. These two are IDENTICAL strings
181ELTF_EL_DOWNLOAD_URL and shall be the http:/..... address where
182 Enea NFV Access can be downloaded
183 Often containing same version as in ELTF_EL_REL_VER
184 xi:include ULINK_ENEA_LINUX_URL/1
185 This is an <ulink url="...">...</ulink>
186 Example:
187http://linux.enea.com/6
188
189_____________________________________________________________________________
190ELTF_PL_CLONE_W_REPO Multiline commands to run repo to clone everything.
191 Use the variable $MACHINE/default.xml (the text in
192 the book will list the avaiable values of MACHINE,
193 taken from the manifest repository)
194 xi:include eltf-repo-cloning-enea-linux/1
195 This is a <programlisting>...</programlisting>
196 Example:
197mkdir enea-linux
198cd enea-linux
199repo init -u git://git.enea.com/linux/el_manifests-standard.git \
200 -b refs/tags/EL6 -m $MACHINE/default.xml
201repo sync
202
203_____________________________________________________________________________
204ELTF_ECLIPSE_VERSION Optional general parameter string.
205 NOT YET READY DEFINED
206 Just now a release manage must manually set
207 condition="hidden" on the Eclipse section,
208 if Eclipse is not included in the release.
209 ELTF just replaces ELTF_ECLIPSE_VERSION with a full
210 string with "X.Y (name)"
211 It includes the ID and can only be ONCE in the book.
212 xi:include eltf-eclipse-version-row
213 Example.
2144.5 (Mars)
215
216
217_____________________________________________________________________________
218ELTF_T_* All these are in each target (MACHINE) and ELTF
219 must separately replace them with strings for
220 each target
221 NOTE: All (except the MANIFEST_DIR) are in rows
222 in a table and ELTF can select to append
223 more parameters by adding more rows
224
225_____________________________________________________________________________
226ELTF_T_MANIFEST_DIR This happens to be in two places. Must be exactly
227ELTF_T_MANIFEST_DIR the directory name in the manifest, e.g. same
228 as the MACHINE names in $MACHINE/default.xml.
229 In book: a) Part of section ID
230 b) Part of section title
231 Examples:
232p2041rgb
233 or
234ls1021aiot
235 or
236qemuarm
237
238_____________________________________________________________________________
239ELTF_T_NAME Target specific: "Target Official Name"
240 NOT same as the target directory name in most cases.
241 In book: An <entry> element in a row
242 Examples:
243P2041RGB
244 or
245LS1021a-IoT
246 or
247qemuarm
248
249_____________________________________________________________________________
250ELTF_T_ARC_DESC Target specific: "Architecture and Description"
251 It can be a short identification string or
252 it can be a longer descriptive sentence.
253 In book: An <entry> element in a row
254 Examples:
255Power, e500mc
256 or
257ARM Cortex-A7
258
259_____________________________________________________________________________
260ELTF_T_DS_TXTURL Target specific: "Link to target datasheet. These
261ELTF_T_DS_URL two usually are IDENTICAL strings with correct
262 hyperlink to the target's official datasheet.
263 In book: an <ulink url="...">...</ulink>
264 Only if the link is VERY LONG, the text part shall
265 instead be a descriptive string (see 2:nd example).
266 NOTE: Also here no spaces or line-feeds!
267 Examples:
268url="http://wiki.qemu.org">http://wiki.qemu.org
269or
270url="http://www.nxp.com/products/microcontrollers-and-processors/arm-processors/qoriq-arm-processors/qoriq-ls1021a-iot-gateway-reference-design:LS1021A-IoT">link to NXP's datasheet
271
272_____________________________________________________________________________
273ELTF_T_POKY_VER Target specific: "Poky version" created either
274 from POKYVERSION in poky.ent
275 or using a hashvalue with a leading string, in
276 which case it may be different per target.
277 In book: An <entry> in a row
278 Examples:
27915.0.0
280or
281Git commit id: 75ca53211488a3e268037a44ee2a7ac5c7181bd2
282
283_____________________________________________________________________________
284ELTF_T_GCC_VER Target specific: "GCC Version". Should be in poky
285 but not easy to find among various parameters.
286 ELTF would extract it from build logs building SDK
287 and it is possibly different per target.
288 In book: An <entry> in a row
289 Example:
2905.3
291
292_____________________________________________________________________________
293ELTF_T_KERN_VER Target specific: "Linux Kernel Version". Often
294 different per target.
295 In book: An <entry> in a row
296 Example:
2973.12
298
299_____________________________________________________________________________
300ELTF_T_DRIVERS Target specific: "Supported Drivers". This is a
301 comma-separated list of driver names.
302 ELTF should create the list in same order for each
303 target, e.g. alphabetic migth be OK.
304 In book: An <entry> in a row
305 Example:
306Ethernet, I2C, SPI, PCI, USB, SD/SDHC/SDXC
307
308
309_____________________________________________________________________________
310ELTF_T_EL_RPM_TXTURL Target specific: "Enea rpm folder for downloading
311ELTF_T_EL_RPM_URL RPM packages for this target". These two are
312 INDENTICAL strings with hyperlink to the web site
313 at Enea where the customer can download RPMs
314 Note: Often the ELFT_EL_REL_VER value and
315 the ELTF_T_MANIFEST_DIR are used in the link.
316 In book: an <ulink url="...">...</ulink>
317 Example:
318url="https://linux.enea.com/6/ls1021aiot/rpm">https://linux.enea.com/6/ls1021aiot/rpm
319
320_____________________________________________________________________________
diff --git a/doc/book-enea-nfv-access-dev-hardening-guide/doc/hardening_checklist.xml b/doc/book-enea-nfv-access-dev-hardening-guide/doc/hardening_checklist.xml
new file mode 100644
index 0000000..2e008e3
--- /dev/null
+++ b/doc/book-enea-nfv-access-dev-hardening-guide/doc/hardening_checklist.xml
@@ -0,0 +1,952 @@
1<?xml version="1.0" encoding="ISO-8859-1"?>
2<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
3"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
4<chapter id="hardening_platform">
5 <title>Hardening Enea NFV Access</title>
6
7 <section id="broken_algorithms">
8 <title>Broken Algorithms</title>
9
10 <para>Make sure that algorithms that are broken in regards to security are
11 not used.</para>
12
13 <remark>Ask Sona/Casc if the algorithms listed below are the broken ones
14 to check for or if they're the ones that are broken to begin with and if
15 seen should be eliminated from use.</remark>
16
17 <itemizedlist>
18 <listitem>
19 <para>DES</para>
20 </listitem>
21
22 <listitem>
23 <para>3DES</para>
24 </listitem>
25
26 <listitem>
27 <para>CAST</para>
28 </listitem>
29
30 <listitem>
31 <para>BLOWFISH</para>
32 </listitem>
33
34 <listitem>
35 <para>MD5</para>
36 </listitem>
37
38 <listitem>
39 <para>SHA-1</para>
40 </listitem>
41
42 <listitem>
43 <para>MODP512</para>
44 </listitem>
45
46 <listitem>
47 <para>MODP768</para>
48 </listitem>
49
50 <listitem>
51 <para>MODP1024</para>
52 </listitem>
53 </itemizedlist>
54 </section>
55
56 <section id="sys_installation">
57 <title>System Installation</title>
58
59 <para>Enea NFV Access Images should be check summed with SHA512 and/or a
60 signed GPG key. See <ulink
61 url="https://www.openssl.org/source/">https://www.openssl.org/source/</ulink>
62 for more details on how to proceed.</para>
63 </section>
64
65 <section id="security_updates">
66 <title>Security Updates</title>
67
68 <para>Applying security patches is an important part of security hardening
69 and maintenance. Enea backports all known critical vulnerabilities within
70 a reasonable time frame if not immeditately, and makes them available to
71 users for updates/upgrades.</para>
72
73 <para>Prepare the system for regular updates in the following
74 manner:</para>
75
76 <itemizedlist>
77 <listitem>
78 <para>Configure the target to get software updates from the Enea
79 source repository.</para>
80 </listitem>
81
82 <listitem>
83 <para>Test to update or remove a package using apt-get command:
84 <programlisting>root@inteld1521:~#apt-get update/upgrade</programlisting></para>
85 </listitem>
86 </itemizedlist>
87 </section>
88
89 <section id="openembedded_security_layer">
90 <title>OpenEmbedded meta-security layer</title>
91
92 <para>An OpenEmbedded meta-security layer provides many hardening tools.
93 These tools are open source packages suited for embedded devices. Below is
94 a list of several packages included in meta-security layer:</para>
95
96 <itemizedlist>
97 <listitem>
98 <para>Bastille</para>
99 </listitem>
100
101 <listitem>
102 <para>Redhat-security</para>
103 </listitem>
104
105 <listitem>
106 <para>Buck-security</para>
107 </listitem>
108
109 <listitem>
110 <para>Libseccomp</para>
111 </listitem>
112
113 <listitem>
114 <para>Pax-utils</para>
115 </listitem>
116
117 <listitem>
118 <para>Nmap</para>
119 </listitem>
120
121 <listitem>
122 <para>ISIC</para>
123 </listitem>
124
125 <listitem>
126 <para>Tripwire</para>
127 </listitem>
128
129 <listitem>
130 <para>checksecurity</para>
131 </listitem>
132
133 <listitem>
134 <para>TOMOYO, which contains a number of very useful libraries for
135 system analysis. <remark>Ask Sona if this is the intended meaning of
136 what she wrote here originally: TOMOYO and a number of libraries which
137 is very useful system analysis tool</remark></para>
138 </listitem>
139 </itemizedlist>
140
141 <para>For more information about tools supported in the meta-security
142 layer please refer to <emphasis role="bold">Introduction to the Tools in
143 meta-security layer</emphasis>.</para>
144
145 <remark>change the bold text to point to the section/chapter in question
146 through an xref</remark>
147 </section>
148
149 <section id="ker-hardening">
150 <title>Kernel Hardening</title>
151
152 <para>For a secure set of build CONFIGs and runtime settings see the
153 <ulink
154 url="https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings">Kernel
155 Self Protection Project</ulink>. Essentially, there are three ways to pass
156 options to the kernel:</para>
157
158 <itemizedlist>
159 <listitem>
160 <para>When building the kernel (via
161 <command>menuconfig</command>)</para>
162 </listitem>
163
164 <listitem>
165 <para>When starting the kernel (usually, when invoked from a boot
166 loader).</para>
167 </listitem>
168
169 <listitem>
170 <para>At runtime (through the files in <command>/proc</command> and
171 <command>/sys</command>). See <command>sysctl</command> for
172 details.</para>
173 </listitem>
174 </itemizedlist>
175
176 <para>Parameters either have the format <literal>parameter</literal> or
177 <literal>parameter=value</literal>. Kernel parameters can be configured
178 via <command>/etc/sysctl.conf</command> at run time or via
179 <command>menuconfig</command> at build time.</para>
180
181 <orderedlist>
182 <listitem>
183 <para>How to enable/disable kernel parameters via menuconfig:</para>
184
185 <itemizedlist>
186 <listitem>
187 <para>bitbake virtual/kernel &ndash;c menuconfig</para>
188 </listitem>
189
190 <listitem>
191 <para>Enable the configuration you want, save the .config file in
192 the build directory, and run bitbake.</para>
193 </listitem>
194 </itemizedlist>
195
196 <para>For more info see <ulink
197 url="http://www.tldp.org/HOWTO/SCSI-2.4-HOWTO/kconfig.html">http://www.tldp.org/HOWTO/SCSI-2.4-HOWTO/kconfig.html</ulink>.</para>
198 </listitem>
199
200 <listitem>
201 <para>Permanently add a Kernel Boot Parameter from boot loader:</para>
202
203 <para><programlisting>sudo gedit /etc/default/grub</programlisting></para>
204
205 <para>Enter your password when prompted by sudo. If the file
206 <command>/etc/default/grub</command> appears to be empty or does not
207 exist, see the instructions for earlier releases above.</para>
208 </listitem>
209
210 <listitem>
211 <para>Using <command>etc/sysctl.conf</command>:</para>
212
213 <para>We can view the value of a particular Linux kernel parameter
214 using sysctl, followed by the name of the parameter:</para>
215
216 <programlisting>root@inteld1521:~# sysctl dev.cdrom.autoclose
217dev.cdrom.autoclose = 1</programlisting>
218
219 <para>Or read the associated file:</para>
220
221 <programlisting>root@inteld1521:~# cat /proc/sys/dev/cdrom/autoclose
2221
223root@inteld1521:~# cat /proc/sys/dev/cdrom/</programlisting>
224
225 <para>It is good to store the output of the kernel settings for
226 comparison or reference by redirecting the output of the sysctl
227 command to a file, for example:</para>
228
229 <programlisting>sysctl -A &gt; /root/sysctl.settings.store</programlisting>
230 </listitem>
231 </orderedlist>
232
233 <para>The following kernel configurations can be used to secure the Linux
234 system against attacks.</para>
235
236 <programlisting># Turn on execshield
237kernel.exec-shield=1
238kernel.randomize_va_space=1
239
240# Enable IP spoofing protection
241net.ipv4.conf.all.rp_filter=1
242
243# Disable IP source routing
244net.ipv4.conf.all.accept_source_route=0
245
246# Ignore broadcasts request
247net.ipv4.icmp_echo_ignore_broadcasts=1
248net.ipv4.icmp_ignore_bogus_error_messages=1
249
250# Make sure spoofed packets get logged
251net.ipv4.conf.all.log_martians = 1</programlisting>
252
253 <section id="security-options">
254 <title>Security Options</title>
255
256 <itemizedlist>
257 <listitem>
258 <para>SECURITY</para>
259
260 <itemizedlist>
261 <listitem>
262 <para>(on/off) Enable different security models</para>
263 </listitem>
264
265 <listitem>
266 <para>Depends on SYSFS</para>
267 </listitem>
268 </itemizedlist>
269
270 <para>This option allows you to choose different security modules to
271 configure into your kernel. If this option is not selected, the
272 default Linux security model will be used.</para>
273 </listitem>
274
275 <listitem>
276 <para>SECURITY_NETWORK</para>
277
278 <itemizedlist>
279 <listitem>
280 <para>(on/off) Socket and Networking Security Hooks</para>
281 </listitem>
282
283 <listitem>
284 <para>Depends on SECURITY</para>
285 </listitem>
286 </itemizedlist>
287
288 <para>This enables the socket and networking security hooks. If
289 enabled, a security module can use these hooks to implement socket
290 and networking access controls. If you are unsure how to answer this
291 question, answer N.</para>
292 </listitem>
293
294 <listitem>
295 <para>SECURITY_CAPABILITIES</para>
296
297 <itemizedlist>
298 <listitem>
299 <para>Kernel Version(s): 2.6.15.6</para>
300 </listitem>
301
302 <listitem>
303 <para>(on/off/module) Default Linux Capabilities</para>
304 </listitem>
305
306 <listitem>
307 <para>Depends on SECURITY</para>
308 </listitem>
309 </itemizedlist>
310
311 <para>This enables the "default" Linux capabilities
312 functionality.</para>
313 </listitem>
314
315 <listitem>
316 <para>SECURITY_ROOTPLUG</para>
317
318 <itemizedlist>
319 <listitem>
320 <para>Kernel Version(s): 2.6.15.6</para>
321 </listitem>
322
323 <listitem>
324 <para>(on/off/module) Root Plug Support</para>
325 </listitem>
326
327 <listitem>
328 <para>depends on USB &amp;&amp; SECURITY</para>
329 </listitem>
330 </itemizedlist>
331
332 <para>This is a sample LSM module that should only be used as such.
333 It prevents any programs running with <command>egid == 0</command>
334 if a specific USB device is not present in the system.</para>
335 </listitem>
336
337 <listitem>
338 <para>SECURITY_SECLVL</para>
339
340 <itemizedlist>
341 <listitem>
342 <para>Kernel Version(s): 2.6.15.6</para>
343 </listitem>
344
345 <listitem>
346 <para>(on/off/module) BSD Secure Levels</para>
347 </listitem>
348
349 <listitem>
350 <para>Depends on SECURITY</para>
351 </listitem>
352
353 <listitem>
354 <para>select CRYPTO</para>
355 </listitem>
356
357 <listitem>
358 <para>select CRYPTO_SHA1</para>
359 </listitem>
360 </itemizedlist>
361
362 <para>Implements BSD Secure Levels as an LSM. See file
363 <command>Documentation/seclvl.txt</command> for instructions on how
364 to use this module.</para>
365 </listitem>
366 </itemizedlist>
367 </section>
368
369 <section id="config_stackprotector">
370 <title>Stack Protector (-fstack-protector GCC feature)</title>
371
372 <para><programlisting>CONFIG_CC_STACKPROTECTOR
373CONFIG_CC_STACKPROTECTOR_REGULAR
374CONFIG_CC_STACKPROTECTOR_STRONG</programlisting>This option turns on the
375 <command>-fstack-protector</command> GCC feature. This feature inserts a
376 canary value on the stack just before the return address, and validates
377 the value just before returning. Stack based buffer overflows (that need
378 to overwrite this return address) will now also overwrite the canary,
379 which gets detected and the attack is then neutralized via a kernel
380 panic. This feature requires gcc version 4.2 or above.</para>
381
382 <itemizedlist>
383 <listitem>
384 <para>prompt: Enable -fstack-protector buffer overflow detection
385 (EXPERIMENTAL)</para>
386 </listitem>
387
388 <listitem>
389 <para>type: bool</para>
390 </listitem>
391
392 <listitem>
393 <para>depends on: (none)</para>
394 </listitem>
395
396 <listitem>
397 <para>defined in arch/arm/Kconfig</para>
398 </listitem>
399
400 <listitem>
401 <para>found in Linux kernels: 2.6.36&ndash;2.6.39,
402 3.0&ndash;3.13</para>
403 </listitem>
404 </itemizedlist>
405
406 <para>Currently these configurations are not set in the Intel kernel in
407 Enea NFV Access:<programlisting>tmp/deploy/images/inteld1521/config-inteld1521.config
408
409CONFIG_CC_STACKPROTECTOR is not set
410CONFIG_CC_STACKPROTECTOR_REGULAR is not set
411CONFIG_CC_STACKPROTECTOR_STRONG is not set</programlisting></para>
412 </section>
413
414 <section id="config-freelist-random">
415 <title>CONFIG_FREELIST_RANDOM</title>
416
417 <para>An optional config to randomize the SLAB freelist (heap freelist).
418 SLAB is a memory management mechanism intended for the efficient memory
419 allocation of kernel objects. SLAB displays the desirable property of
420 eliminating fragmentation caused by allocations and
421 deallocations.</para>
422
423 <para>This security feature reduces the predictability of the kernel
424 slab allocator against heap overflows.</para>
425 </section>
426
427 <section id="config_page_poisoning">
428 <title>CONFIG_PAGE_POISONING</title>
429
430 <para>This feature fills the pages with poison patterns after
431 <literal>free_pages()</literal> and verifies the patterns before
432 <literal>alloc_pages()</literal>. This results in a large slowdown, but
433 helps to find certain types of memory corruption.</para>
434
435 <para>This option cannot be enabled in combination with hibernation as
436 that would result in incorrect warnings of memory corruption after a
437 resume, since free pages are not saved to the suspend image. Poison
438 pages after freeing are found in
439 <literal>mm/Kconfig.debug</literal>.</para>
440
441 <para>The configuration item CONFIG_PAGE_POISONING:</para>
442
443 <itemizedlist>
444 <listitem>
445 <para>prompt: Poison pages after freeing</para>
446 </listitem>
447
448 <listitem>
449 <para>type: bool</para>
450 </listitem>
451
452 <listitem>
453 <para>depends on: (none)</para>
454 </listitem>
455
456 <listitem>
457 <para>defined in <ulink
458 url="https://github.com/torvalds/linux/tree/master/mm/Kconfig.debug">mm/Kconfig.debug</ulink></para>
459 </listitem>
460
461 <listitem>
462 <para>found in Linux kernels: 4.6&ndash;4.12, 4.13-rc+HEAD</para>
463 </listitem>
464 </itemizedlist>
465 </section>
466
467 <section id="config_hardened_usercopy">
468 <title>CONFIG_HARDENED_USERCOPY</title>
469
470 <para><programlisting>CONFIG_HARDENED_USERCOPY
471CONFIG_HARDENED_USERCOPY_PAGESPAN</programlisting>This configuration checks
472 that objects being copied to/from user space meet certain
473 criteria.</para>
474 </section>
475
476 <section id="config_stackprotector_strong">
477 <title>CONFIG_CC_STACKPROTECTOR_STRONG</title>
478
479 <para><command>CONFIG_CC_STACKPROTECTOR_STRONG=y</command>, is a more
480 powerful stack canary checking method supported by GCC versions 4.9 and
481 later. On an x86 "defconfig" build, this feature adds canary checks to
482 about 20% of all kernel functions, which increases the kernel code size
483 by about 2%.</para>
484
485 <para>More info about this feature can be found at <ulink
486 url="https://lwn.net/Articles/584278/">https://lwn.net/Articles/584278/</ulink>.</para>
487 </section>
488
489 <section id="config_randomize_base">
490 <title>CONFIG_RANDOMIZE_BASE</title>
491
492 <para><command>CONFIG_RANDOMIZE_BASE</command> with physical memory
493 randomization, extends kernel image physical address randomization to
494 addresses larger than 4GB, among other improvements.</para>
495 </section>
496
497 <section id="config_randomize_memory">
498 <title>CONFIG_RANDOMIZE_MEMORY</title>
499
500 <para><command>CONFIG_RANDOMIZE_MEMORY</command> randomizes the virtual
501 addresses of memory sections, including physical memory mappings:
502 <command>vmalloc</command>, and <command>vemmap</command>. As with other
503 memory randomization routines, by randomizing the virtual address space
504 of kernel memory sections, the goal is to mitigate predictable memory
505 locations.</para>
506 </section>
507 </section>
508
509 <section id="os_hardening">
510 <title>OS Hardening</title>
511
512 <para>The sections below detail various ways in which a developer can
513 effectively secure their operating system(s).</para>
514
515 <section id="removing_root_account">
516 <title>Remove root account</title>
517
518 <para>Create a default user with <command>su</command> access and then
519 use <literal>sudo</literal> to delegate administrative access.</para>
520 </section>
521
522 <section id="syslog-rsyslog">
523 <title>Rsyslog, Syslog, Syslogng Service</title>
524
525 <para>Rsyslog is the default logging program on several Linux
526 distributions. Apart from implementing the syslog protocol, rsyslog adds
527 additional features such as content-based filtering and also uses TCP
528 for transporting, providing many configuration options. Further reading
529 is available at <ulink
530 url="https://linux-audit.com/central-audit-logging-configuration-collecting-linux-audit-events/">https://linux-audit.com/central-audit-logging-configuration-collecting-linux-audit-events/</ulink>.</para>
531 </section>
532
533 <section id="unnecessary_packages">
534 <title>Removing unnecessary Packages</title>
535
536 <para>Enea provides a minimum set of packages in release images. All
537 extra packages should be available in the Enea source repository so
538 users can get when needed.</para>
539
540 <remark>Ask Sona/Casc for details on what should be definitively written
541 in this section</remark>
542 </section>
543
544 <section id="disk-iso-prot">
545 <title>Disk Isolation and Protection</title>
546
547 <para>Critical systems should be separated into different partitions. An
548 example to start from would be:</para>
549
550 <para><programlisting>/
551/boot
552/usr
553/home
554/tmp
555/var</programlisting></para>
556
557 <para>Create a separate volume with the <command>nodev</command>,
558 <command>nosuid</command>, and <command>noexec</command> options set for
559 <command>/tmp</command>. <command>/tmp</command> is intended to be
560 globally writable, creating a separate partition for it can prevent
561 resource exhaustion.</para>
562
563 <para>Setting <command>nodev</command> prevents users from creating or
564 using block or special character devices. Setting
565 <command>noexec</command> prevents users from running binary executables
566 from /tmp. Setting <command>nosuid</command> prevents users from
567 creating set userid files in /tmp.</para>
568 </section>
569
570 <section id="unwanted_suid_sgid">
571 <title>Disable unwanted SUID and SGID Binaries</title>
572
573 <para>There are 3 special permissions available for executable files and
574 directories:</para>
575
576 <itemizedlist>
577 <listitem>
578 <para>SUID permission</para>
579 </listitem>
580
581 <listitem>
582 <para>SGID permission</para>
583 </listitem>
584
585 <listitem>
586 <para>Sticky bit</para>
587 </listitem>
588 </itemizedlist>
589
590 <section id="suid_sgid">
591 <title>SUID/SGID</title>
592
593 <para>To better understand, check the permissions of the
594 <command>/usr/bin/passwd</command> command: <programlisting># ls -lrt /usr/bin/passwd
595-r-sr-sr-x 1 root sys 31396 Jan 20 2014 /usr/bin/passwd</programlisting>There
596 are 2 S&rsquo;s in the permission field, the first &rdquor;s&rdquo;
597 stands for the SUID and the second for SGID. When a command or script
598 set with SUID bit is run, its effective UID becomes that of the owner
599 of the file, rather than of the user who is running it.</para>
600
601 <para>If there are files with all SUID/SGID bits enabled, said files
602 can be misused if the SUID/SGID executable has a security problem or
603 bug. All local or remote users can access/use the file, which may
604 prove dangerous. It's a good idea to find all such files and this can
605 be done using the <command>find</command> command:</para>
606
607 <para><programlisting>#See all set user id files:
608 find / -perm +4000
609
610# See all group id files
611 find / -perm +2000
612
613# Or combine both in a single command
614 find / \( -perm -4000 -o -perm -2000 \) -print
615 find / -path -prune -o -type f -perm +6000 -ls</programlisting>You
616 need to investigate each reported file. See reported file(s) man page
617 for further details.</para>
618 </section>
619
620 <section id="sticky_bit">
621 <title>Sticky Bit</title>
622
623 <para>The Sticky Bit is primarily used on shared directories. It's
624 useful for shared directories such as <command>/var/tmp</command> and
625 <command>/tmp</command> because users can create files, read and
626 execute files owned by other users, but are not allowed to remove
627 files owned by other users.</para>
628
629 <para>For example, if user Bob creates a file named /tmp/bob, user Tom
630 cannot delete this file even when the /tmp directory has permission
631 777. If Sticky Bit is not set, then Tom can delete /tmp/bob, since the
632 file inherits the parent directory permissions. The root users and
633 file owners can remove their own files.</para>
634
635 <para>Example:<programlisting># ls -ld /var/tmp
636drwxrwxrwt 2 sys sys 512 Jan 26 11:02 /var/tmp</programlisting>T refers
637 to when the execute permissions are off and t refers to when they are
638 on.</para>
639 </section>
640 </section>
641
642 <section id="secure_boot_dir">
643 <title>Secure boot directory</title>
644
645 <para>The boot directory contains important files related to the Linux
646 kernel, make sure that this directory is locked down with read-only
647 permissions. You can set the owner and group of
648 <filename>/etc/grub.conf</filename> to the root user like so:</para>
649
650 <programlisting>#chown root:root /etc/fstab
651#chown root:root /etc/grub.conf
652
653EX: ls -ld /boot/* &lt;&lt;&lt;&lt; root only
654
655lrwxrwxrwx 1 root root 32 Aug 7 13:07 /boot/bzImage -&gt; /
656bzImage-4.9.30-intel-pk-standard
657-rw-r--r-- 1 root root 7860816 Jun 8 10:55 /boot/bzImage-4.9.20-yocto-standard
658-rw-r--r-- 1 root root 4624464 Aug 7 12:48 /boot/bzImage-4.9.30-intel-pk-standard</programlisting>
659 </section>
660 </section>
661
662 <section id="netsecure_remoteacc">
663 <title>Network Security &amp; Remote Access</title>
664
665 <para>The networking stack includes IPsec, which provides confidentiality,
666 authenticity, and integrity protection of IP networking. It can be used to
667 implement VPNs, and also point to point security.</para>
668
669 <section id="encrypt_datacoms">
670 <title>Encrypt Data Communication</title>
671
672 <para>All data transmitted over a network is open to monitoring. Encrypt
673 transmitted data whenever possible with passwords or by using
674 keys/certificates.</para>
675
676 <para>Below are several methods and tools that facilitate
677 encryption:</para>
678
679 <orderedlist>
680 <listitem>
681 <para>Use <command>scp</command>, <command>ssh</command>,
682 <command>rsync</command>, or <command>sftp</command> for file
683 transfers. You can also mount a remote server file system or your
684 own home directory using special <command>sshfs</command> and fuse
685 tools.</para>
686 </listitem>
687
688 <listitem>
689 <para>GnuPG allows you to encrypt and sign your data and
690 communication, features a versatile key management system as well as
691 access modules for all kind of public key directories.</para>
692 </listitem>
693
694 <listitem>
695 <para>OpenVPN is a cost-effective, lightweight SSL VPN.</para>
696
697 <para>Another option to try out is <command>tinc</command>, which
698 uses tunneling and encryption to create a secure private network
699 between hosts, on the Internet or on a private insecure LAN.</para>
700 </listitem>
701
702 <listitem>
703 <para>Lighttpd SSL (Secure Server Layer) HTTPS Configuration and
704 Installation.</para>
705 </listitem>
706
707 <listitem>
708 <para>Apache SSL (Secure Server Layer) HTTPS (mod_ssl) Configuration
709 and Installation.</para>
710 </listitem>
711
712 <listitem>
713 <para>Configure Nginx with free Let&rsquo;s Encrypt SSL certificate
714 on Debian or Ubuntu Linux.</para>
715 </listitem>
716 </orderedlist>
717 </section>
718
719 <section id="ssh_service">
720 <title>SSH service</title>
721
722 <para>SSH is secure by default but its services need to be hardened as
723 well. Open <command>/etc/ssh/sshd_config</command> and change the
724 default configuration:</para>
725
726 <itemizedlist>
727 <listitem>
728 <para>Change the default port number 22 to something else, e.g.
729 99.<programlisting>root@inteld1521:~# xxxxx</programlisting></para>
730 </listitem>
731
732 <listitem>
733 <para>Disable ssh login for root<programlisting>ssh root@172.24.12.73
734root@inteld1521:~#</programlisting></para>
735 </listitem>
736
737 <listitem>
738 <para>Make sure following configuration is set for the SSH
739 server:</para>
740
741 <itemizedlist>
742 <listitem>
743 <para>Protocol version is set to 2</para>
744 </listitem>
745
746 <listitem>
747 <para>LogLevel is set to INFO</para>
748 </listitem>
749
750 <listitem>
751 <para>PermitEmptyPasswords</para>
752 </listitem>
753
754 <listitem>
755 <para>IgnoreRhosts to yes</para>
756 </listitem>
757
758 <listitem>
759 <para>HostbasedAuthentication no</para>
760 </listitem>
761
762 <listitem>
763 <para>PermitEmptyPasswords no</para>
764 </listitem>
765
766 <listitem>
767 <para>X11Forwarding no</para>
768 </listitem>
769
770 <listitem>
771 <para>MaxAuthTries 5</para>
772 </listitem>
773
774 <listitem>
775 <para>Ciphers aes128-ctr,aes192-ctr,aes256-ctr</para>
776 </listitem>
777
778 <listitem>
779 <para>ClientAliveInterval 900</para>
780 </listitem>
781
782 <listitem>
783 <para>ClientAliveCountMax 0</para>
784 </listitem>
785
786 <listitem>
787 <para>UsePAM yes</para>
788 </listitem>
789 </itemizedlist>
790
791 <para>These settings use the default set on most platforms, setting
792 them to other values impacts the security of the SSH server.</para>
793 </listitem>
794 </itemizedlist>
795
796 <para>The SSH connection to a server can be controlled by using the
797 following files: <filename>/etc/hosts.allow</filename> and
798 <filename>/<filename>etc/hosts.deny</filename></filename>. Set the
799 permissions on the <filename>sshd_config</filename> file so that only
800 root users can change its contents like so: <programlisting>#chown root:root /etc/ssh/sshd_config
801#chmod 600 /etc/ssh/sshd_config</programlisting></para>
802 </section>
803
804 <section id="check_open_ports">
805 <title>Check for open ports</title>
806
807 <para>Identifying open connections to the internet is a critical
808 mission. In Kali Linux, the following command can be used to spot any
809 hidden open ports:</para>
810
811 <programlisting>root@172:~# netstat -ral -tuwx -en
812
813Kernel IP routing table
814Destination Gateway Genmask Flags Metric Ref Use Iface
8150.0.0.0 172.24.15.254 0.0.0.0 UG 0 0 0 eth1
816172.24.12.0 0.0.0.0 255.255.252.0 U 0 0 0 eth1</programlisting>
817 </section>
818
819 <section id="no_legacyservices">
820 <title>Legacy services and Unencrypted Authentication</title>
821
822 <para>Disable legacy services that rely on unencrypted authentication
823 such as: <emphasis role="bold">telnet&shy;server, rsh, rlogin, rcp,
824 ypserv, ypbind, tftp, tftp&shy;server, talk</emphasis> and <emphasis
825 role="bold">talk&shy;server.</emphasis></para>
826
827 <para>Use instead<emphasis role="bold"> <ulink
828 url="https://www.cyberciti.biz/tips/linux-unix-bsd-openssh-server-best-practices.html">OpenSSH</ulink>
829 , </emphasis><ulink
830 url="https://www.cyberciti.biz/tips/configure-vsfptd-secure-connections-via-ssl-tls.html"><emphasis
831 role="bold">SFTP</emphasis> or <emphasis
832 role="bold">FTPS</emphasis></ulink> (<emphasis
833 role="bold">FTP</emphasis> over <emphasis role="bold">SSL</emphasis>),
834 which adds SSL or TLS encryption to FTP.</para>
835 </section>
836
837 <section>
838 <title>Disable unnecessary Services</title>
839
840 <para>Disabling unused services will reduce the attack surface. Examples
841 of such services include: <emphasis role="bold">FTP, DNS, LDAP, SMB,
842 DHCP, NFS, SNMP</emphasis>, etc.</para>
843 </section>
844
845 <section>
846 <title>Firewall</title>
847
848 <para>Firewalls are an important tool and act as a barrier between a
849 trusted and an untrusted network. <emphasis
850 role="bold">Iptables</emphasis> is a firewall (user space application)
851 which allows users to configure the <emphasis
852 role="bold">Netfilter</emphasis> provided by the Linux kernel. Netfilter
853 hooks packets which pass into, through and from the system. Kernel-level
854 modules may hook into this framework to examine packets and make
855 security decisions about them.</para>
856
857 <para><emphasis role="bold">Iptables</emphasis> contains five
858 tables:</para>
859
860 <itemizedlist>
861 <listitem>
862 <para><emphasis role="bold">Raw</emphasis> is used only for
863 configuring packets to be exempt from connection tracking.</para>
864 </listitem>
865
866 <listitem>
867 <para><emphasis role="bold">Filter</emphasis> is the default table,
868 where all the actions typically associated with a firewall take
869 place.</para>
870 </listitem>
871
872 <listitem>
873 <para><emphasis role="bold">NAT</emphasis> is used for network
874 address translation (e.g. port forwarding).</para>
875 </listitem>
876
877 <listitem>
878 <para><emphasis role="bold">Mangle</emphasis> is used for
879 specialized packet alterations.</para>
880 </listitem>
881
882 <listitem>
883 <para><emphasis role="bold">Security</emphasis> is used for
884 Mandatory Access Control networking rules (e.g. SELinux).</para>
885 </listitem>
886 </itemizedlist>
887
888 <para>Filter and NAT are the most common use cases. The other tables are
889 aimed at complex configurations involving multiple routers and routing
890 decisions, and are beyond the scope of these introductory
891 remarks.</para>
892
893 <para>Here are some important features to consider for securing a host
894 network (these kernel parameters are set in
895 <filename>/etc/sysctl.conf</filename>):</para>
896
897 <para><emphasis role="bold">Disable</emphasis>:</para>
898
899 <itemizedlist>
900 <listitem>
901 <para>IP forwarding</para>
902 </listitem>
903
904 <listitem>
905 <para>send packet redirects</para>
906 </listitem>
907
908 <listitem>
909 <para>source routed packet acceptance</para>
910 </listitem>
911
912 <listitem>
913 <para>ICMP redirect acceptance</para>
914 </listitem>
915 </itemizedlist>
916
917 <para><emphasis role="bold">Enable</emphasis>:</para>
918
919 <itemizedlist>
920 <listitem>
921 <para>Ignore Broadcast Requests</para>
922 </listitem>
923
924 <listitem>
925 <para>Bad Error Message Protection</para>
926 </listitem>
927
928 <listitem>
929 <para>TCP/SYN cookies</para>
930 </listitem>
931 </itemizedlist>
932
933 <para>iptables is a systemd service. However, the service won't start
934 unless it finds a <filename>/etc/iptables/iptables.rules</filename>
935 file. To start the service for the first time edit:</para>
936
937 <para><programlisting># vi /etc/iptables/iptables.rules</programlisting>or<programlisting># cp /etc/iptables/empty.rules /etc/iptables/iptables.rules &lt;&lt;&lt; no empty.rules
938root@inteld1521:~# ls /usr/sbin/iptables
939iptables iptables-restore iptables-save</programlisting></para>
940
941 <para>Then start the <literal>iptables.service</literal> unit. As with
942 other services, if you want iptables to be loaded automatically on boot,
943 you must enable it.</para>
944
945 <para>Iptables rules for IPv6 are, by default, stored in
946 <filename>/etc/iptables/ip6tables.rules</filename>, which is read by
947 <literal>ip6tables.service</literal>. You can start it the same way as
948 shown above. After adding rules via command-line as shown below, save
949 the configuration file manually: <programlisting># iptables-save &gt; /etc/iptables/iptables.rules</programlisting></para>
950 </section>
951 </section>
952</chapter> \ No newline at end of file
diff --git a/doc/book-enea-nfv-access-dev-hardening-guide/doc/introduction.xml b/doc/book-enea-nfv-access-dev-hardening-guide/doc/introduction.xml
new file mode 100644
index 0000000..bbf203f
--- /dev/null
+++ b/doc/book-enea-nfv-access-dev-hardening-guide/doc/introduction.xml
@@ -0,0 +1,127 @@
1<?xml version="1.0" encoding="ISO-8859-1"?>
2<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
3"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
4<chapter id="overview">
5 <title>Overview</title>
6
7 <para>This document describes the activities needed for securing/hardening
8 Enea NFV Access platform by ESRT/ developers in order to fulfill the
9 security requirements specified in <ulink
10 url="https://eneaissues.enea.com/browse/CPDX-2632">CPDX-2632</ulink> (see
11 the Security section under Pre-Study).</para>
12
13 <section id="intro">
14 <title>Introduction</title>
15
16 <para>This document contains a checklist to use when hardening Enea NFV
17 Access. Please read <ulink
18 url="https://eneadoc.enea.com/idc/idcplg?IdcService=GET_FILE&amp;dDocName=055550&amp;Rendition=Primary&amp;RevisionSelectionMethod=Latest"><trademark
19 class="registered">Enea</trademark> NFV Access User's Hardening
20 Guide</ulink> for further information about the hardening features
21 available.</para>
22
23 <section id="rev-hist">
24 <title>Revision History</title>
25
26 <table>
27 <tgroup cols="4">
28 <colspec align="center" />
29
30 <thead>
31 <row>
32 <entry align="center">Revision</entry>
33
34 <entry align="center">Author</entry>
35
36 <entry align="center">Date</entry>
37
38 <entry align="center">Purpose for Revision</entry>
39 </row>
40 </thead>
41
42 <tbody>
43 <row>
44 <entry>4</entry>
45
46 <entry>Sona Sarmadi</entry>
47
48 <entry>2017-09-07</entry>
49
50 <entry>Added Appendix, sec 4.</entry>
51 </row>
52
53 <row>
54 <entry>3</entry>
55
56 <entry>Sona Sarmadi</entry>
57
58 <entry>2017-09-05</entry>
59
60 <entry>Added introduction to the tools in the Open Embedded
61 meta-security layer Fixed 1.1 Revision History.</entry>
62 </row>
63
64 <row>
65 <entry>2</entry>
66
67 <entry>Sona Sarmadi</entry>
68
69 <entry>2017-08-30</entry>
70
71 <entry>Made this document as a guideline for Enea NFV Access
72 developers. Moved section 2 and 3 to a new document (a guideline
73 only for users).</entry>
74 </row>
75
76 <row>
77 <entry>1</entry>
78
79 <entry>Sona Sarmadi</entry>
80
81 <entry>2017-08-20</entry>
82
83 <entry>Initial Revision</entry>
84 </row>
85 </tbody>
86 </tgroup>
87 </table>
88 </section>
89
90 <section id="references">
91 <title>References</title>
92
93 <itemizedlist>
94 <listitem>
95 <para><ulink
96 url="https://www.sans.org/reading-room/whitepapers/linux/linux-kernel-hardening-1294">SANS
97 linux-kernel-hardening-1294</ulink></para>
98 </listitem>
99
100 <listitem>
101 <para><ulink
102 url="https://lwn.net/Articles/705262/">lwn.net/Articles/705262/</ulink></para>
103 </listitem>
104
105 <listitem>
106 <para><ulink
107 url="https://eneadoc.enea.com/idc/idcplg?IdcService=GET_FILE&amp;dDocName=055550&amp;Rendition=Primary&amp;RevisionSelectionMethod=Latest">Hardening
108 Guide for Users of Enea NFV Access</ulink><remark>Not sure if this
109 should remain an ulink to eneadoc or be changed to an olink to the
110 guide in question.</remark></para>
111 </listitem>
112 </itemizedlist>
113 </section>
114
115 <section id="def_acro">
116 <title>Definitions and Acronyms</title>
117
118 <para>Definitions</para>
119
120 <para>[FIXME]</para>
121
122 <para>Acronyms</para>
123
124 <para>[FIXME]</para>
125 </section>
126 </section>
127</chapter> \ No newline at end of file
diff --git a/doc/book-enea-nfv-access-dev-hardening-guide/doc/metasecure_tools.xml b/doc/book-enea-nfv-access-dev-hardening-guide/doc/metasecure_tools.xml
new file mode 100644
index 0000000..63c1225
--- /dev/null
+++ b/doc/book-enea-nfv-access-dev-hardening-guide/doc/metasecure_tools.xml
@@ -0,0 +1,465 @@
1<?xml version="1.0" encoding="ISO-8859-1"?>
2<chapter id="metasecure_tools">
3 <title>Introduction to Meta-Security Layer Tools</title>
4
5 <section id="summary">
6 <title>Summary of tools supported in the Meta-Security layer</title>
7
8 <informaltable>
9 <tgroup cols="2">
10 <tbody>
11 <row>
12 <entry>Afflib</entry>
13
14 <entry>On-disk format for storing computer forensic
15 information</entry>
16 </row>
17
18 <row>
19 <entry>Aircrack-ng</entry>
20
21 <entry>A set of tools for auditing wireless networks</entry>
22 </row>
23
24 <row>
25 <entry>AppArmor</entry>
26
27 <entry>A MAC control system</entry>
28 </row>
29
30 <row>
31 <entry>Bastille</entry>
32
33 <entry>Linux hardening tool</entry>
34 </row>
35
36 <row>
37 <entry>Buck-security</entry>
38
39 <entry>Linux security scanner</entry>
40 </row>
41
42 <row>
43 <entry>TOMOYO</entry>
44
45 <entry>A Mandatory Access Control (MAC) implementation for
46 Linux</entry>
47 </row>
48
49 <row>
50 <entry>checksec</entry>
51
52 <entry>Program randominization</entry>
53 </row>
54
55 <row>
56 <entry>checksecurity</entry>
57
58 <entry>Basic system security checks</entry>
59 </row>
60
61 <row>
62 <entry>ClamAV</entry>
63
64 <entry>Anti-virus utility for command-line interface</entry>
65 </row>
66
67 <row>
68 <entry>ecryptfs-utils</entry>
69
70 <entry>The eCryptfs mount helper and support libraries</entry>
71 </row>
72
73 <row>
74 <entry>freediameter</entry>
75
76 <entry>Platform for deploying a Diameter network for
77 Authentication, Authorization and Accounting.</entry>
78 </row>
79
80 <row>
81 <entry>ISIC</entry>
82
83 <entry>IP Stack Integrity Checker</entry>
84 </row>
85
86 <row>
87 <entry>keynote</entry>
88
89 <entry>Linux Key Management Utilities</entry>
90 </row>
91
92 <row>
93 <entry>keyutils</entry>
94
95 <entry>Linux Key Management Utilities</entry>
96 </row>
97
98 <row>
99 <entry>libdhash</entry>
100
101 <entry>Library of hashing algorithms</entry>
102 </row>
103
104 <row>
105 <entry>libgssglue</entry>
106
107 <entry>Exports a gssapi interface which calls other gssapi
108 libraries</entry>
109 </row>
110
111 <row>
112 <entry>libmhash</entry>
113
114 <entry>Library of hashing algorithms</entry>
115 </row>
116
117 <row>
118 <entry>Libmspack</entry>
119
120 <entry>A library for Microsoft compression formats</entry>
121 </row>
122
123 <row>
124 <entry>Libseccomp</entry>
125
126 <entry>The libseccomp library provides an easy to use, platform
127 independent, interface to the Linux Kernel's syscall filtering
128 mechanism: seccomp.</entry>
129 </row>
130
131 <row>
132 <entry>Nikto</entry>
133
134 <entry>Web server scanner</entry>
135 </row>
136
137 <row>
138 <entry>Nmap</entry>
139
140 <entry>Network auditing tool</entry>
141 </row>
142
143 <row>
144 <entry>Paxctl</entry>
145
146 <entry>A tool that allows PaX flags to be modified on a per-binary
147 basis</entry>
148 </row>
149
150 <row>
151 <entry>redhat-security</entry>
152
153 <entry>redhat security tools</entry>
154 </row>
155
156 <row>
157 <entry>samhain</entry>
158
159 <entry>Samhain is an integrity checker and host intrusion
160 detection system that can be used on single hosts as well as large
161 ones.</entry>
162 </row>
163
164 <row>
165 <entry>Scapy</entry>
166
167 <entry>Network scanning and manipulation tool</entry>
168 </row>
169
170 <row>
171 <entry>Smack</entry>
172
173 <entry>A simplified Mandatory Access Control</entry>
174 </row>
175
176 <row>
177 <entry>sssd</entry>
178
179 <entry>Selection of tools for developers working with
180 Smack</entry>
181 </row>
182
183 <row>
184 <entry>Suricata</entry>
185
186 <entry>The Suricata Engine is an Open Source Next Generation
187 Intrusion Detection and Prevention Engine</entry>
188 </row>
189
190 <row>
191 <entry>Tripwire</entry>
192
193 <entry>A system integrity assessment tool (IDS)</entry>
194 </row>
195
196 <row>
197 <entry>xmlsec1</entry>
198
199 <entry>XML Security Library is a C library based on
200 LibXML2</entry>
201 </row>
202 </tbody>
203 </tgroup>
204 </informaltable>
205 </section>
206
207 <section id="run_tools">
208 <title>How to configure, build and run the tools</title>
209
210 <para>In order to use this layer, you need to make the build system aware
211 of it. To do so, first clone the layer located at the address:
212 http://git.enea.com/cgit/linux/meta-security.git, then add the following
213 lines to the files below.</para>
214
215 <itemizedlist>
216 <listitem>
217 <para>In <literal>bblayers.conf</literal>:</para>
218
219 <para><programlisting>BBLAYERS ?= " \
220/path/to/oe-core/meta \
221/path/to/meta-openembedded/meta-oe \
222/path/to/meta-openembedded/meta-perl \
223/path/to/meta-openembedded/meta-gnome \
224/path/to/meta-openembedded/meta-xfce \
225/path/to/meta-openembedded/meta-python \
226/path/to/meta-openembedded/meta-networking \
227/path/to/layer/meta-security \</programlisting></para>
228 </listitem>
229
230 <listitem>
231 <para>In <literal>local.conf</literal>:</para>
232
233 <para><programlisting>IMAGE_INSTALL_append = "aircrack-ng buck-security checksecurity freediameter /
234keynote libgssglue libseccomp samhain-client samhain-server samhain-standalone /
235sssd xmlsec1 clamav keyutils libmhash nikto paxctl scapy suricata bastille /
236checksec ecryptfs-utils isic libmspack nmap redhat-security smack tripwire"</programlisting></para>
237 </listitem>
238
239 <listitem>
240 <para><programlisting>poky/build $ bitbake enea-hardend-image-virtualization-host</programlisting></para>
241
242 <remark>Need clarification here on a possible intro or specified
243 action/file as noted above.</remark>
244 </listitem>
245 </itemizedlist>
246
247 <section id="apparmor">
248 <title>AppArmor</title>
249
250 <para>AppArmor, like most other LSMs, supplements rather than replaces
251 the default Discretionary Access Control (DAC). As such, it's impossible
252 to grant a process more privileges than it had in the first place. When
253 AppArmor is active for an application, the operating system allows the
254 application to access only those files and folders that are mentioned in
255 its security profile. Thus, with a well-planned security profile, even
256 if the application is compromised during an attack, it won't be able to
257 do much harm.</para>
258
259 <para>Before compiling the kernel, set the following
260 options:<programlisting>CONFIG_SECURITY_APPARMOR=y
261CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1
262CONFIG_DEFAULT_SECURITY_APPARMOR=y
263CONFIG_AUDIT=y</programlisting>Alternatively, instead of setting
264 <literal>CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE</literal> and
265 <literal>CONFIG_DEFAULT_SECURITY_APPARMOR</literal>, you can set the
266 <ulink
267 url="https://wiki.archlinux.org/index.php/Kernel_parameters">kernel boot
268 parameters</ulink> in this manner: <literal>apparmor=1
269 security=apparmor</literal>. For those new or altered variables to not
270 get overridden, place them at the bottom of the config file or adjust
271 the previous invocations accordingly.</para>
272
273 <para>For further information see <ulink
274 url="https://www.digitalocean.com/community/tutorials/how-to-create-an-apparmor-profile-for-nginx-on-ubuntu-14-04">https://www.digitalocean.com/community/tutorials/how-to-create-an-apparmor-profile-for-nginx-on-ubuntu-14-04</ulink>.</para>
275
276 <para>To put the profile in enforce mode, use the
277 <literal>aa-enforce</literal>:</para>
278
279 <para><programlisting>sudo apparmor_status
280sudo aa-enforce nginx</programlisting>It is recommended that you reload all
281 profiles and restart Nginx to be sure that the latest changes are in
282 effect: <programlisting>sudo /etc/init.d/apparmor reload
283sudo service nginx restart</programlisting>Enable complain mode with the
284 <literal>aa-complain</literal> command. It is recommended that you wait
285 several days before running the <literal>aa-logprof</literal> command,
286 to give the system time to log more common actions for the application
287 if you are going to create a profile that will be used in production
288 systems.</para>
289 </section>
290
291 <section id="isic">
292 <title>ISIC - IP Stack Integrity Checker</title>
293
294 <para><emphasis role="bold">ISIC</emphasis> is a suite of utilities
295 meant to exercise the stability of an IP Stack and its component stacks
296 (TCP, UDP, ICMP et. al.). It generates many pseudo-random packets of the
297 target protocol, which are given tendancies to conform to. For example:
298 50% of the packets generated can have IP Options, and 25% of the packets
299 can be IP fragments, the percentages are arbitrary however, and most of
300 the packet fields have a configurable tendancy. <programlisting>root@qemux86:~# esic -i eth0 -s 52:54:00:12:34:0A -p rand -m 5000</programlisting><remark>what
301 does this programlisting detail exactly, is it an example or something
302 more directly concrete?</remark></para>
303 </section>
304
305 <section id="nikto">
306 <title>Nikto Web Vulnerability Scanner</title>
307
308 <para>Nikto is a web vulnerability scanner, a security testing tool that
309 scans web servers for vulnerabilities and other known issues.</para>
310 </section>
311
312 <section id="nmap">
313 <title>Nmap Network Exploration Tool</title>
314
315 <para>Nmap (Network Mapper), is an open source security scanner for
316 network exploration and security auditing. It is used to discover hosts
317 and services on a network, essentially creating a "map" of the network.
318 Nmap sends specially crafted packets to the target host(s), then
319 analyzes the responses.</para>
320
321 <para>Nmap uses raw IP packets in novel ways to determine what hosts are
322 available on the network, what services (application name and version)
323 those hosts are offering, what operating systems (and OS versions) they
324 are running, what type of packet filters/firewalls are in use, and
325 dozens of other characteristics. While Nmap is commonly used for
326 security audits, many systems and network administrators find it useful
327 for routine tasks such as network inventory, managing service upgrade
328 schedules, and monitoring host or service uptime. See a few examples of
329 options to use below:</para>
330
331 <para><programlisting>nmap -v -A scanme.nmap.org
332nmap -v -sn 192.168.0.0/16 10.0.0.0/8
333nmap -v -iR 10000 -Pn -p 80</programlisting>For more info see <ulink
334 url="https://layers.openembedded.org/layerindex/branch/master/layer/meta-security/">https://layers.openembedded.org/layerindex/branch/master/layer/meta-security/</ulink>.</para>
335 </section>
336
337 <section id="paxctl">
338 <title>Paxctl</title>
339
340 <para>A tool that allows PaX flags to be modified on a per-binary basis.
341 PaX provides various types of protection against abuses of memory, some
342 of which can only be enabled or disabled by (re)configuring the kernel
343 and recompiling/rebooting it.</para>
344
345 <para>Several important types (PAGEEXEC, EMUTRAMP, MPROTECT, RANDMMAP
346 and SEGMEXEC) can be tweaked when the system is up and running by
347 marking the PaX flags on the ELF objects of the program you want to run.
348 Since some programs need to use memory in a way normally forbidden by
349 PaX, some restrictions may have to be relaxed on a per program basis.
350 For more informations see: <ulink
351 url="https://wiki.gentoo.org/wiki/Hardened/PaX_flag_migration_from_PT_PAX_to_XATTR_PAX">https://wiki.gentoo.org/wiki/Hardened/PaX_flag_migration_from_PT_PAX_to_XATTR_PAX</ulink>.</para>
352
353 <para>Example:<programlisting>root #paxctl-ng -v /bin/*</programlisting></para>
354 </section>
355
356 <section id="samhin">
357 <title>Samhin</title>
358
359 <para><emphasis>Samhain</emphasis> is a host-based intrusion detection
360 system (HIDS) which provides integrity checking and log file
361 monitoring/analysis, as well as 4.1detection, port monitoring, detection
362 of rogue SUID executables, and hidden processes. It's main features
363 include:</para>
364
365 <itemizedlist>
366 <listitem>
367 <para>Complete integrity check</para>
368
369 <para>Uses cryptographic checksums of files to detect modifications.
370 It can find rogue SUID executables anywhere on disk.</para>
371 </listitem>
372
373 <listitem>
374 <para>Centralized monitoring</para>
375
376 <para>Native support for logging to a central server via encrypted
377 and authenticated connections.</para>
378 </listitem>
379
380 <listitem>
381 <para>Tamper resistance</para>
382
383 <para>Database and configuration files can be signed log file
384 entries. E-mail reports are signed support for stealth
385 operations.</para>
386 </listitem>
387 </itemizedlist>
388 </section>
389
390 <section id="smack">
391 <title>Smack</title>
392
393 <para>A simplified Mandatory Access Control.</para>
394 </section>
395
396 <section id="suricata">
397 <title>Suricata</title>
398
399 <para>The Suricata Engine is an Open Source Next Generation <emphasis
400 role="bold">Intrusion Detection and Prevention Engine.</emphasis></para>
401 </section>
402
403 <section id="tomoyo">
404 <title>TOMOYO</title>
405
406 <para><ulink
407 url="http://tomoyo.sourceforge.jp/1.8/index.html.en">TOMOYO</ulink> is
408 an alternative (pathname-based) Mandatory Access Control (MAC)
409 implementation for Linux that can be used to increase the security of a
410 system, while also being useful purely as a system analysis tool. The
411 main features of TOMOYO Linux include:</para>
412
413 <itemizedlist>
414 <listitem>
415 <para>System analysis</para>
416 </listitem>
417
418 <listitem>
419 <para>Increased security through Mandatory Access Control</para>
420 </listitem>
421
422 <listitem>
423 <para>Tools to aid in policy generation</para>
424 </listitem>
425
426 <listitem>
427 <para>Simple syntax</para>
428 </listitem>
429
430 <listitem>
431 <para>Easy to use</para>
432 </listitem>
433
434 <listitem>
435 <para>Very few dependencies</para>
436 </listitem>
437
438 <listitem>
439 <para>Requires no modification of existing binaries</para>
440 </listitem>
441 </itemizedlist>
442
443 <para>To start via command line add:<programlisting>"security=tomoyo TOMOYO_trigger=/usr/lib/systemd/systemd"</programlisting>To
444 initialize:<programlisting>/usr/lib/ccs/init_policy
445DISTRO_FEATURES_append = " tomoyo"</programlisting></para>
446 </section>
447
448 <section id="tripwire">
449 <title>Tripwire</title>
450
451 <para>Tripwire is an intrusion detection system (IDS), which constantly
452 and automatically, keeps your critical system files and reports under
453 control if they have been destroyed or modified by a hacker (or by
454 mistake). It allows the system administrator to know immediately what
455 was compromised and fix it. For more information see: <ulink
456 url="http://www.linuxjournal.com/article/8758">http://www.linuxjournal.com/article/8758</ulink>.</para>
457 </section>
458
459 <section id="xmlsec1">
460 <title>xmlsec1</title>
461
462 <para>XML Security Library is a C library based on LibXML2.</para>
463 </section>
464 </section>
465</chapter> \ No newline at end of file
diff --git a/doc/book-enea-nfv-access-dev-hardening-guide/swcomp.mk b/doc/book-enea-nfv-access-dev-hardening-guide/swcomp.mk
new file mode 100644
index 0000000..6f0889c
--- /dev/null
+++ b/doc/book-enea-nfv-access-dev-hardening-guide/swcomp.mk
@@ -0,0 +1,10 @@
1# Component build specification
2
3# Version of THIS book
4BOOK_VER ?= $(REL_VER)-dev
5
6DOCBOOK_SRC := $(COMP)/swcomp.mk $(COMP)/doc/book.xml $(shell find $(COMP)/doc -type f \( -name "*.xml" -o -name "*.svg" -o -name "*.png" \) ! -name "book.xml" -print)
7
8BOOKPACKAGES := book-enea-nfv-access-dev-hardening-guide
9BOOKDESC_$(BOOKPACKAGES) := "Enea NFV Access $(PROD_VER) Developer's Hardening Guide"
10BOOKDEFAULTCONDITION := $(DEFAULTCONDITIONS)
diff --git a/doc/book-enea-nfv-access-user-hardening-guide/doc/book.xml b/doc/book-enea-nfv-access-user-hardening-guide/doc/book.xml
new file mode 100644
index 0000000..fe6b11f
--- /dev/null
+++ b/doc/book-enea-nfv-access-user-hardening-guide/doc/book.xml
@@ -0,0 +1,18 @@
1<?xml version="1.0" encoding="ISO-8859-1"?>
2<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
3"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
4<!ENTITY % local.common.attrib "xml:base CDATA #IMPLIED">
5]>
6<book id="book_enea_nfv_access_user_hardening_guide">
7 <title><trademark class="registered">Enea</trademark> NFV Access User's Hardening Guide</title>
8
9 <subtitle>Release Version <xi:include href="eltf_params_updated.xml"
10 xmlns:xi="http://www.w3.org/2001/XInclude"
11 xpointer="element(EneaLinux_REL_VER/1)" /></subtitle>
12 <!-- OLINKDBPATH_USED_BY_XMLMIND ../../s_docbuild/olinkdb -->
13 <xi:include href="../../s_docbuild/template/docsrc_common/bookinfo_userdoc.xml" xmlns:xi="http://www.w3.org/2001/XInclude" />
14 <xi:include href="introduction.xml" xmlns:xi="http://www.w3.org/2001/XInclude" />
15 <xi:include href="intro_info_security.xml" xmlns:xi="http://www.w3.org/2001/XInclude" />
16 <xi:include href="guidelines_hardening_linux.xml" xmlns:xi="http://www.w3.org/2001/XInclude" />
17 <xi:include href="intro_hardentools_tech.xml" xmlns:xi="http://www.w3.org/2001/XInclude" />
18</book> \ No newline at end of file
diff --git a/doc/book-enea-nfv-access-user-hardening-guide/doc/eltf_params_template.xml b/doc/book-enea-nfv-access-user-hardening-guide/doc/eltf_params_template.xml
new file mode 100644
index 0000000..eaa7ebd
--- /dev/null
+++ b/doc/book-enea-nfv-access-user-hardening-guide/doc/eltf_params_template.xml
@@ -0,0 +1,151 @@
1<?xml version="1.0" encoding="ISO-8859-1"?>
2<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
3"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
4<section id="eltf_created_params">
5 <title>File with Parameters in the Book Auto-updated by ELFT</title>
6
7 <note>
8 <para>See the <emphasis
9 role="bold">eltf_params_updated_template_howto_use.txt</emphasis> text
10 file for description of how to create the final <emphasis
11 role="bold">eltf_params_updated.xml</emphasis> from this template and for
12 all <emphasis role="bold">REQUIREMENTS</emphasis>. Use the command
13 "<emphasis role="bold">make eltf</emphasis>" to extract a full list of all
14 ELTF variables, which always begins with ELTF_ and don't only rely on the
15 howto text file list! The plan is that ELTF will auto-update this when
16 needed.</para>
17 </note>
18
19 <section id="host_prereq">
20 <title>Common Parameters</title>
21
22 <bridgehead>A programlisting, ID
23 "eltf-prereq-apt-get-commands-host"</bridgehead>
24
25 <para id="eltf-prereq-apt-get-commands-host"><programlisting>ELTF_PL_HOST_PREREQ</programlisting></para>
26
27 <bridgehead>A programlisting, ID
28 "eltf-getting-repo-install-command"</bridgehead>
29
30 <para id="eltf-getting-repo-install-command"><programlisting>ELTF_PL_GET_REPO</programlisting></para>
31
32 <bridgehead>Several phrase elements, various IDs. Ensure EL_REL_VER is
33 correct also compared to the "previous" REL VER in pardoc-distro.xml
34 "prev_baseline".</bridgehead>
35
36 <para id="EneaLinux_REL_VER"><phrase>ELTF_EL_REL_VER</phrase></para>
37
38 <para id="Yocto_VER"><phrase>ELTF_YOCTO_VER</phrase></para>
39
40 <para id="Yocto_NAME"><phrase>ELTF_YOCTO_NAME</phrase></para>
41
42 <para id="ULINK_YOCTO_PROJECT_DOWNLOAD"><ulink
43 url="ELTF_YOCTO_PROJ_DOWNLOAD_URL">ELTF_YOCTO_PROJ_DOWNLOAD_TXTURL</ulink></para>
44
45 <para id="ULINK_ENEA_LINUX_URL"><ulink
46 url="ELTF_EL_DOWNLOAD_URL">ELTF_EL_DOWNLOAD_TXTURL</ulink></para>
47
48 <bridgehead>A programlisting, ID "eltf-repo-cloning-enea-linux". Use
49 $MACHINE/default.xml as parameter, where MACHINE is one of the target
50 directory names in the manifest.</bridgehead>
51
52 <para id="eltf-repo-cloning-enea-linux"><programlisting>ELTF_PL_CLONE_W_REPO</programlisting></para>
53
54 <bridgehead>A table with ONE row, only the row with ID
55 "eltf-eclipse-version-row" is included in the book. MANUALLY BOTH in the
56 template.xml and in the updated.xml, set condition hidden on the
57 &lt;row&gt;, if eclipse is not in the release.</bridgehead>
58
59 <informaltable>
60 <tgroup cols="1">
61 <tbody>
62 <row id="eltf-eclipse-version-row">
63 <entry>Eclipse version ELTF_ECLIPSE_VERSION plus command line
64 development tools are included in this Enea NFV Access release.</entry>
65 </row>
66 </tbody>
67 </tgroup>
68 </informaltable>
69
70 <bridgehead>Below is one big section with title "Supported Targets with
71 Parameters". The entire section is included completely in the book via ID
72 "eltf-target-tables-section" and shall be LAST in the template. The
73 template contains ONE target subsection. COPY/APPEND it, if multiple
74 targets exist in the release and optionally add rows with additional
75 target parameters in each target subsection table.</bridgehead>
76 </section>
77
78 <section id="eltf-target-tables-section">
79 <title>Supported Targets with Parameters</title>
80
81 <para>The tables below describes the target(s) supported in this Enea
82 NFV Access release.</para>
83
84 <section id="eltf-target-table-ELTF_T_MANIFEST_DIR">
85 <title>MACHINE ELTF_T_MANIFEST_DIR - Information</title>
86
87 <para><informaltable>
88 <tgroup cols="2">
89 <colspec colwidth="6*" />
90
91 <colspec colwidth="9*" />
92
93 <tbody>
94 <row>
95 <entry>Target official name</entry>
96
97 <entry>ELTF_T_NAME</entry>
98 </row>
99
100 <row>
101 <entry>Architecture and Description</entry>
102
103 <entry>ELTF_T_ARC_DESC</entry>
104 </row>
105
106 <row>
107 <entry>Link to target datasheet</entry>
108
109 <entry>See <ulink
110 url="ELTF_T_DS_URL">ELTF_T_DS_TXTURL</ulink></entry>
111 </row>
112
113 <row>
114 <entry>Poky version</entry>
115
116 <entry>ELTF_T_POKY_VER</entry>
117 </row>
118
119 <row>
120 <entry>GCC version</entry>
121
122 <entry>ELTF_T_GCC_VER</entry>
123 </row>
124
125 <row>
126 <entry>Linux Kernel Version</entry>
127
128 <entry>ELTF_T_KERN_VER</entry>
129 </row>
130
131 <row>
132 <entry>Supported Drivers</entry>
133
134 <entry>ELTF_T_DRIVERS</entry>
135 </row>
136
137 <row>
138 <entry>Enea rpm folder for downloading RPM packages for this
139 target</entry>
140
141 <entry><ulink
142 url="ELTF_T_EL_RPM_URL">ELTF_T_EL_RPM_TXTURL</ulink></entry>
143 </row>
144 </tbody>
145 </tgroup>
146 </informaltable></para>
147 </section>
148
149 <!-- ELTFADD_MORE_TARGET_SECTIONS_BELOW_IF_NEEDED -->
150 </section>
151</section> \ No newline at end of file
diff --git a/doc/book-enea-nfv-access-user-hardening-guide/doc/eltf_params_updated.xml b/doc/book-enea-nfv-access-user-hardening-guide/doc/eltf_params_updated.xml
new file mode 100644
index 0000000..f6bd068
--- /dev/null
+++ b/doc/book-enea-nfv-access-user-hardening-guide/doc/eltf_params_updated.xml
@@ -0,0 +1,165 @@
1<?xml version="1.0" encoding="ISO-8859-1"?>
2<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
3"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
4<section id="eltf_created_params">
5 <title>File with Parameters in the Book Auto-updated by ELFT</title>
6
7 <note>
8 <para>See the <emphasis
9 role="bold">eltf_params_updated_template_howto_use.txt</emphasis> text
10 file for description of how to create the final <emphasis
11 role="bold">eltf_params_updated.xml</emphasis> from this template and for
12 all <emphasis role="bold">REQUIREMENTS</emphasis>. Use the command
13 "<emphasis role="bold">make eltf</emphasis>" to extract a full list of all
14 ELTF variables, which always begins with ELTF_ and don't only rely on the
15 howto text file list! The plan is that ELTF will auto-update this when
16 needed.</para>
17 </note>
18
19 <section id="host_prereq">
20 <title>Common Parameters</title>
21
22 <bridgehead>A programlisting, ID
23 "eltf-prereq-apt-get-commands-host"</bridgehead>
24
25 <para id="eltf-prereq-apt-get-commands-host"><programlisting># Host Ubuntu 14.04.5 LTS 64bit
26sudo apt-get -y update
27sudo apt-get -y install sed wget subversion git-core coreutils unzip texi2html \
28 texinfo libsdl1.2-dev docbook-utils fop gawk python-pysqlite2 diffstat \
29 make gcc build-essential xsltproc g++ desktop-file-utils chrpath \
30 libgl1-mesa-dev libglu1-mesa-dev autoconf automake groff libtool xterm \
31 libxml-parser-perl</programlisting></para>
32
33 <bridgehead>A programlisting, ID
34 "eltf-getting-repo-install-command"</bridgehead>
35
36 <para id="eltf-getting-repo-install-command"><programlisting>mkdir -p ~/bin
37curl https://storage.googleapis.com/git-repo-downloads/repo &gt; ~/bin/repo
38chmod a+x ~/bin/repo
39export PATH=~/bin:$PATH</programlisting></para>
40
41 <bridgehead>Several phrase elements, various IDs. Ensure EL_REL_VER is
42 correct also compared to the "previous" REL VER in pardoc-distro.xml
43 "prev_baseline".</bridgehead>
44
45 <para id="EneaLinux_REL_VER"><phrase>1.0</phrase></para>
46
47 <para id="Yocto_VER"><phrase>2.1</phrase></para>
48
49 <para id="Yocto_NAME"><phrase>krogoth</phrase></para>
50
51 <para id="ULINK_YOCTO_PROJECT_DOWNLOAD"><ulink
52 url="http://www.yoctoproject.org/downloads/core/krogoth/21">http://www.yoctoproject.org/downloads/core/krogoth/21</ulink></para>
53
54 <para id="ULINK_ENEA_LINUX_URL"><ulink
55 url="https://linux.enea.com/6">https://linux.enea.com/6</ulink></para>
56
57 <bridgehead>A programlisting, ID "eltf-repo-cloning-enea-linux". Use
58 $MACHINE/default.xml as parameter, where MACHINE is one of the target
59 directory names in the manifest.</bridgehead>
60
61 <para id="eltf-repo-cloning-enea-linux"><programlisting>mkdir enea-linux
62cd enea-linux
63repo init -u git@git.enea.com:linux/manifests/el_manifests-virtualization.git \
64 -b refs/tags/EL6 -m $MACHINE/default.xml
65repo sync</programlisting></para>
66
67 <bridgehead>A table with ONE row, only the row with ID
68 "eltf-eclipse-version-row" is included in the book. MANUALLY in book, set
69 condition hidden if eclipse is not in the release. Do this both in
70 template.xml and updated.xml.</bridgehead>
71
72 <informaltable>
73 <tgroup cols="1">
74 <tbody>
75 <row condition="hidden" id="eltf-eclipse-version-row">
76 <entry>Eclipse version 4.3 (Mars) plus command line development
77 tools are included in this Enea NFV Access release.</entry>
78 </row>
79 </tbody>
80 </tgroup>
81 </informaltable>
82
83 <bridgehead>Below is one big section with title "Supported Targets with
84 Parameters". The entire section is included completely in the book via ID
85 "eltf-target-tables-section" and shall be LAST in the template. The
86 template contains ONE target subsection. COPY/APPEND it, if multiple
87 targets exist in the release and optionally add rows with additional
88 target parameters in each target subsection table.</bridgehead>
89 </section>
90
91 <section id="eltf-target-tables-section">
92 <title>Supported Reference Boards with Parameters</title>
93
94 <para>The tables below describes the target(s) supported in this Enea NFV
95 Access release.</para>
96
97 <section id="eltf-target-table-p2041rdb">
98 <title>MACHINE p2041rdb - Information</title>
99
100 <para><informaltable>
101 <tgroup cols="2">
102 <colspec colwidth="6*" />
103
104 <colspec colwidth="9*" />
105
106 <tbody>
107 <row>
108 <entry>Target official name</entry>
109
110 <entry>P2041RDB</entry>
111 </row>
112
113 <row>
114 <entry>Architecture and Description</entry>
115
116 <entry>Power, e500mc</entry>
117 </row>
118
119 <row>
120 <entry>Link to target datasheet</entry>
121
122 <entry>See <ulink
123 url="http://www.nxp.com/products/microcontrollers-and-processors/power-architecture-processors/qoriq-power-architecture-processors/p2041-qoriq-reference-design-board:RDP2041BOARD">link
124 to NXP's datasheet</ulink></entry>
125 </row>
126
127 <row>
128 <entry>Poky version</entry>
129
130 <entry>Git-commit-id:
131 75ca53211488a3e268037a44ee2a7ac5c7181bd2</entry>
132 </row>
133
134 <row>
135 <entry>GCC version</entry>
136
137 <entry>5.3</entry>
138 </row>
139
140 <row>
141 <entry>Linux Kernel Version</entry>
142
143 <entry>3.12</entry>
144 </row>
145
146 <row>
147 <entry>Supported Drivers</entry>
148
149 <entry>Ethernet, I2C, SPI, PCI Express, USB, Flash,
150 SD/SDHC/SDXC, RTC</entry>
151 </row>
152
153 <row>
154 <entry>Enea rpm folder for downloading RPM packages for this
155 target</entry>
156
157 <entry><ulink
158 url="https://linux.enea.com/6/p2041rgb/rpm">https://linux.enea.com/6/p2041rgb/rpm</ulink></entry>
159 </row>
160 </tbody>
161 </tgroup>
162 </informaltable></para>
163 </section>
164 </section>
165</section> \ No newline at end of file
diff --git a/doc/book-enea-nfv-access-user-hardening-guide/doc/eltf_params_updated_template_how_to_use.txt b/doc/book-enea-nfv-access-user-hardening-guide/doc/eltf_params_updated_template_how_to_use.txt
new file mode 100644
index 0000000..87a6445
--- /dev/null
+++ b/doc/book-enea-nfv-access-user-hardening-guide/doc/eltf_params_updated_template_how_to_use.txt
@@ -0,0 +1,320 @@
1eltf_params_template_updated_howto_use.txt
2
3This is a way to collect all parameters for an Enea NFV Access release
4in one parameter file, easy to automatically update by ELTF regularly.
5
6NOTE: Both the release info AND the open source books use parameters from
7 here, but the XML file is inside the release info book directory.
8
9NOTE: The manifest_conf.mk, or overridden by the environment variable
10 MANIFESTHASH, contains the full tag (or hashvalue) for downloading
11 the manifest when the books are built. The list of target
12 directories are fetched from the manifest into the book.
13 The eltf_params_updates.xml can all the time contain
14 the final next complete tag e.g. refs/tags/EL6 or similar
15 in the ELTF_PL_CLONE_W_REPO parameter command lines.
16
17The ordinary book XML files use xi:include statements to include elements
18from this parameter file. The book XML files can thus be manually edited.
19Before editing, you must run "make init".
20Any other text in the template or updated.xml file, outside the parts that
21are included in the book, are not used but still all must be correct
22DocBook XML files.
23
24ELTF work:
25 template => ELTF replaces ALL ELTF_xxx variables => updated XML file
26 => push to git only if changed
27
28
29eltf_params_template.xml (in git)
30 File used by ELTF to autocreate/update the real parameter
31 file eltf_params_updated.xml.
32
33eltf_params_updated.xml (in git)
34 Real parameter file where ELTF has replaced all ELTF_xx variables with
35 strings, in several cases with multiline strings.
36 No spaces or linefeed allowed in beginning or end of the variable values!
37
38
39xi:include: Each parameter is xi:include'ed in various book files, using
40 the IDs existing in the parameter files.
41 In most cases the 1:st element inside an element with an ID is included
42 using a format like eltf-prereq-apt-get-commands-host/1.
43 In very few cases the element with the ID is included in the book, one
44 example is the target section which has an ID, but which contains
45 multiple subsections, one per target.
46 All IDs in a book must be unique.
47
48DocBook XML: All XML files must be correct DocBook XML files.
49
50Do NOT edit/save the real *updated.xml file with XMLmind to avoid changes
51 not done by ELTF. But it is OK to open the real file in XMLmind to
52 check that the format is correct.
53
54ELTF should autocreate a temporary "real" file but only replace
55 and push the eltf_params_updated.xml if it is changed.
56
57
58make eltf
59 This lists all ELTF_xxx variables and some rules how to treat them
60
61DocBook Format: All elements - rules:
62 Several strict generic XML rules apply for all strings:
63 1. No TABs allowed or any other control chr than "linefeed"
64 2. Only 7-bit ASCII
65 3. Any < > & must be converted to &lt; &gt; and &amp;
66 Similar for any other non-7-bit-ASCII but avoid those!
67 4. No leading spaces or linefeeds when replacing the ELTF_* variable
68 5. No trailing spaces or linefeeds when replacing the ELTF_* variable
69 6. Note: Keep existing spaces before/efter ELTF_* in a few cases.
70
71DocBook Format: <programlisting> - rules: ELTF*PL* variables
72 Several strict rules apply for the multiline string in programlisting
73 in addition to the general XML rules above:
74 7. Max line length < 80 char
75 8. Use backslash (\) to break longer lines
76 9. Use spaces (e.g. 4) to indent continuation lines in programlistings
77 10. No trailing spaces on any line
78 11. No spaces or linefeed immediately after leading <programlisting>
79 12. No spaces or linefeed before trailing </programlisting>
80
81DocBook Format: <ulink> - rules: ELTF_*URL* variables
82 13. ELTF_*URL and corresponding ELTF_*TXTURL shall be identical strings
83 14. Only if the URL is extremely long, the TXTURL can be a separate string
84
85Each target has one section with target parameters:
86 <section id="eltf-target-table-ELTF_T_MANIFEST_DIR">
87 <title>MACHINE ELTF_T_MANIFEST_DIR - Information</title>
88 ..... with many ELTF_ variables ....
89 </section>
90
91 15. If there is only one target. ELTF just replaces ELTF parameters
92
93 16. It there are multiple targets. ELTF copies the section and appends the
94 section the required number of times.
95 Each section ID will become unique: eltf-target-table-ELTF_T_MANIFEST_DIR
96 Each section title will become unique
97
98Tables with target parameters in each target section:
99 17. It is possible for ELTF to append more rows with one parameter each
100 to these tables, because the entire tables are included in the book
101
102Special - NOT YET READY DEFINED how to handle the optionally included
103 Eclipse and its version, but this is a first suggestion:
104 18. Just now ELTF can define ELFT_ECLIPSE_VERSION as a full string
105 with both version number and name,
106 19. MANUALLY if Eclipse is NOT included in the release,
107 the release manager should manually set condition="hidden" on
108 the entire section in the book XML about Eclipse
109
110
111
112BELOW WE TRY TO EXPLAIN EACH ELTF_* variable, but always check with make eltf
113if there are more new variables, missing in this description file.
114
115_____________________________________________________________________________
116ELTF_PL_HOST_PREREQ Multiline list of host prerequisites, e.g. commands
117 like sudo apt-get install xxxx or similar.
118 First line = comment with the complete host name!
119 It is possible to include multiple hosts by just
120 adding an empty line, comment with host name, etc.
121 xi:include eltf-prereq-apt-get-commands-host/1
122 This is a <programlisting>...</programlisting>
123 Example:
124# Host Ubuntu 14.04.5 LTS 64bit
125sudo apt-get update
126sudo apt-get install sed wget subversion git-core coreutils unzip texi2html \
127 texinfo libsdl1.2-dev docbook-utils fop gawk python-pysqlite2 diffstat \
128 make gcc build-essential xsltproc g++ desktop-file-utils chrpath \
129 libgl1-mesa-dev libglu1-mesa-dev autoconf automake groff libtool xterm \
130 libxml-parser-perl
131
132_____________________________________________________________________________
133ELTF_PL_GET_REPO Multiline commands to download the repo tool
134 xi:include eltf-getting-repo-install-command/1
135 This is a <programlisting>...</programlisting>
136 Example:
137mkdir -p ~/bin
138curl https://storage.googleapis.com/git-repo-downloads/repo > ~/bin/repo
139chmod a+x ~/bin/repo
140export PATH=~/bin:$PATH
141
142_____________________________________________________________________________
143ELTF_EL_REL_VER General parameter string: The version of this Enea
144 Linux release. Major version and optional .Minor
145 Typically created from MAJOR and MINOR in enea.conf
146 MINOR in enea.conf is empty or contains a dot+minor
147 xi_include EneaLinux_REL_VER/1
148 This is a <phrase>X.x</phrase> used in many places.
149 Examples:
1506
151 or
1526.1
153
154_____________________________________________________________________________
155ELTF_YOCTO_VER General parameter string: Yocto version, created
156 from DISTRO in poky.ent
157 xi:include Yocto_VER/1
158 This is a <phrase>X.x</phrase> used in many places.
159 Example:
1602.1
161
162_____________________________________________________________________________
163ELTF_YOCTO_NAME General parameter string: Yocto name (branch), created
164 from DISTRO_NAME_NO_CAP in poky.ent
165 xi:include Yocto_NAME/1
166 This is a <phrase>X.x</phrase> used in many places.
167 Example:
168krogoth
169
170_____________________________________________________________________________
171ELTF_YOCTO_PROJ_DOWNLOAD_TXTURL General parameters. These two are IDENTICAL
172ELTF_YOCTO_PROJ_DOWNLOAD_URL strings with correct Yocto version string
173 at the end, typically without "dot".
174 xi:include ULINK_YOCTO_PROJECT_DOWNLOAD/1
175 This is an <ulink url="...">...</ulink>
176 Example:
177http://www.yoctoproject.org/downloads/core/krogoth/21
178
179_____________________________________________________________________________
180ELTF_EL_DOWNLOAD_TXTURL General parameters. These two are IDENTICAL strings
181ELTF_EL_DOWNLOAD_URL and shall be the http:/..... address where
182 Enea NFV Access can be downloaded
183 Often containing same version as in ELTF_EL_REL_VER
184 xi:include ULINK_ENEA_LINUX_URL/1
185 This is an <ulink url="...">...</ulink>
186 Example:
187http://linux.enea.com/6
188
189_____________________________________________________________________________
190ELTF_PL_CLONE_W_REPO Multiline commands to run repo to clone everything.
191 Use the variable $MACHINE/default.xml (the text in
192 the book will list the avaiable values of MACHINE,
193 taken from the manifest repository)
194 xi:include eltf-repo-cloning-enea-linux/1
195 This is a <programlisting>...</programlisting>
196 Example:
197mkdir enea-linux
198cd enea-linux
199repo init -u git://git.enea.com/linux/el_manifests-standard.git \
200 -b refs/tags/EL6 -m $MACHINE/default.xml
201repo sync
202
203_____________________________________________________________________________
204ELTF_ECLIPSE_VERSION Optional general parameter string.
205 NOT YET READY DEFINED
206 Just now a release manage must manually set
207 condition="hidden" on the Eclipse section,
208 if Eclipse is not included in the release.
209 ELTF just replaces ELTF_ECLIPSE_VERSION with a full
210 string with "X.Y (name)"
211 It includes the ID and can only be ONCE in the book.
212 xi:include eltf-eclipse-version-row
213 Example.
2144.5 (Mars)
215
216
217_____________________________________________________________________________
218ELTF_T_* All these are in each target (MACHINE) and ELTF
219 must separately replace them with strings for
220 each target
221 NOTE: All (except the MANIFEST_DIR) are in rows
222 in a table and ELTF can select to append
223 more parameters by adding more rows
224
225_____________________________________________________________________________
226ELTF_T_MANIFEST_DIR This happens to be in two places. Must be exactly
227ELTF_T_MANIFEST_DIR the directory name in the manifest, e.g. same
228 as the MACHINE names in $MACHINE/default.xml.
229 In book: a) Part of section ID
230 b) Part of section title
231 Examples:
232p2041rgb
233 or
234ls1021aiot
235 or
236qemuarm
237
238_____________________________________________________________________________
239ELTF_T_NAME Target specific: "Target Official Name"
240 NOT same as the target directory name in most cases.
241 In book: An <entry> element in a row
242 Examples:
243P2041RGB
244 or
245LS1021a-IoT
246 or
247qemuarm
248
249_____________________________________________________________________________
250ELTF_T_ARC_DESC Target specific: "Architecture and Description"
251 It can be a short identification string or
252 it can be a longer descriptive sentence.
253 In book: An <entry> element in a row
254 Examples:
255Power, e500mc
256 or
257ARM Cortex-A7
258
259_____________________________________________________________________________
260ELTF_T_DS_TXTURL Target specific: "Link to target datasheet. These
261ELTF_T_DS_URL two usually are IDENTICAL strings with correct
262 hyperlink to the target's official datasheet.
263 In book: an <ulink url="...">...</ulink>
264 Only if the link is VERY LONG, the text part shall
265 instead be a descriptive string (see 2:nd example).
266 NOTE: Also here no spaces or line-feeds!
267 Examples:
268url="http://wiki.qemu.org">http://wiki.qemu.org
269or
270url="http://www.nxp.com/products/microcontrollers-and-processors/arm-processors/qoriq-arm-processors/qoriq-ls1021a-iot-gateway-reference-design:LS1021A-IoT">link to NXP's datasheet
271
272_____________________________________________________________________________
273ELTF_T_POKY_VER Target specific: "Poky version" created either
274 from POKYVERSION in poky.ent
275 or using a hashvalue with a leading string, in
276 which case it may be different per target.
277 In book: An <entry> in a row
278 Examples:
27915.0.0
280or
281Git commit id: 75ca53211488a3e268037a44ee2a7ac5c7181bd2
282
283_____________________________________________________________________________
284ELTF_T_GCC_VER Target specific: "GCC Version". Should be in poky
285 but not easy to find among various parameters.
286 ELTF would extract it from build logs building SDK
287 and it is possibly different per target.
288 In book: An <entry> in a row
289 Example:
2905.3
291
292_____________________________________________________________________________
293ELTF_T_KERN_VER Target specific: "Linux Kernel Version". Often
294 different per target.
295 In book: An <entry> in a row
296 Example:
2973.12
298
299_____________________________________________________________________________
300ELTF_T_DRIVERS Target specific: "Supported Drivers". This is a
301 comma-separated list of driver names.
302 ELTF should create the list in same order for each
303 target, e.g. alphabetic migth be OK.
304 In book: An <entry> in a row
305 Example:
306Ethernet, I2C, SPI, PCI, USB, SD/SDHC/SDXC
307
308
309_____________________________________________________________________________
310ELTF_T_EL_RPM_TXTURL Target specific: "Enea rpm folder for downloading
311ELTF_T_EL_RPM_URL RPM packages for this target". These two are
312 INDENTICAL strings with hyperlink to the web site
313 at Enea where the customer can download RPMs
314 Note: Often the ELFT_EL_REL_VER value and
315 the ELTF_T_MANIFEST_DIR are used in the link.
316 In book: an <ulink url="...">...</ulink>
317 Example:
318url="https://linux.enea.com/6/ls1021aiot/rpm">https://linux.enea.com/6/ls1021aiot/rpm
319
320_____________________________________________________________________________
diff --git a/doc/book-enea-nfv-access-user-hardening-guide/doc/guidelines_hardening_linux.xml b/doc/book-enea-nfv-access-user-hardening-guide/doc/guidelines_hardening_linux.xml
new file mode 100644
index 0000000..46245da
--- /dev/null
+++ b/doc/book-enea-nfv-access-user-hardening-guide/doc/guidelines_hardening_linux.xml
@@ -0,0 +1,212 @@
1<?xml version="1.0" encoding="ISO-8859-1"?>
2<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
3"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
4<chapter id="linux_hardening">
5 <title>Guidelines on How to Harden a Linux System</title>
6
7 <para>In order to effectively create apt security layers to harden your
8 system correctly, you must first analyze your needs and answer several
9 ideas/questions which are detailed below.</para>
10
11 <orderedlist>
12 <listitem>
13 <para><emphasis role="bold">Analyzing and defining Roles for your
14 system</emphasis></para>
15
16 <itemizedlist>
17 <listitem>
18 <para>What purpose does the system have?</para>
19 </listitem>
20
21 <listitem>
22 <para>What security risks apply to the system?</para>
23 </listitem>
24
25 <listitem>
26 <para>Is it host/server? Does it need to do remote access? Public
27 use?</para>
28 </listitem>
29
30 <listitem>
31 <para>How hardened the system need to be? (This depends on what role
32 it has).</para>
33 </listitem>
34 </itemizedlist>
35 </listitem>
36
37 <listitem>
38 <para><emphasis role="bold">Review Policies and
39 Compliances</emphasis></para>
40
41 <para>What policies and compliances must your system adhere to? Examples
42 of possible standards and polices, among many others, are:</para>
43
44 <itemizedlist>
45 <listitem>
46 <para>PCI DSS (confidentiality of credit card consumer data)</para>
47 </listitem>
48
49 <listitem>
50 <para>HIPAA (protects patient data in health care system)</para>
51 </listitem>
52
53 <listitem>
54 <para>FISMA (Federal Information Security Management Act)</para>
55 </listitem>
56
57 <listitem>
58 <para>ISO 27001 family (Information Security Management
59 Systems)</para>
60 </listitem>
61 </itemizedlist>
62 </listitem>
63
64 <listitem>
65 <para><emphasis role="bold">Keep the Software
66 up-to-date</emphasis></para>
67
68 <para>Apply software updates and security fixes regularly. Upgrade as
69 soon a new version is available. It is easier to hack a system which is
70 running publicly known vulnerable software but this can be avoided.
71 Linux provides all necessary tools to keep the system updated. All
72 security updates should be reviewed and applied as soon as
73 possible.</para>
74 </listitem>
75
76 <listitem>
77 <para><emphasis role="bold">Mandatory Access Control
78 (MAC)</emphasis></para>
79
80 <para>SELinux, TOMOYO, SMACK (Simplified Mandatory Access Control
81 Kernel).</para>
82 </listitem>
83
84 <listitem>
85 <para><emphasis role="bold">Memory Protection and ASLR
86 </emphasis></para>
87
88 <para>There are two major mechanisms in place to protect memory access
89 which turned on by default on most x86-64 Linux systems. The first is
90 the so-called NX bit, which is a setting that gives finer-grained
91 permissions to mapped memory regions. The second is address space layout
92 randomization (ASLR) which randomizes where certain parts of a program
93 are loaded into memory. For further reading on this, see <ulink
94 url="https://eklitzke.org/memory-protection-and-aslr">here</ulink>.</para>
95 </listitem>
96
97 <listitem>
98 <para><emphasis role="bold">Block unauthorized access to a network and
99 Restrict Access</emphasis></para>
100
101 <itemizedlist>
102 <listitem>
103 <para>Enable the firewall (see what rules are already configured
104 iptables -L)</para>
105 </listitem>
106
107 <listitem>
108 <para>Use Intrusion Detection/Intrusion Prevention</para>
109 </listitem>
110
111 <listitem>
112 <para>Disable unused accounts, create user groups and domain
113 policy</para>
114 </listitem>
115
116 <listitem>
117 <para>Remove unused/unsecure/obsolete software</para>
118 </listitem>
119
120 <listitem>
121 <para>Disable unused services</para>
122 </listitem>
123
124 <listitem>
125 <para>Restrict remote access and administration</para>
126 </listitem>
127 </itemizedlist>
128 </listitem>
129
130 <listitem>
131 <para><emphasis role="bold">Use tools to detect
132 vulnerabilities</emphasis></para>
133
134 <itemizedlist>
135 <listitem>
136 <para>Vulnerability scanner, such as Nessus, SAINT, OpenVAS.</para>
137 </listitem>
138
139 <listitem>
140 <para>Network analyzer, such as Nmap, Wireshark.</para>
141 </listitem>
142
143 <listitem>
144 <para>Baseline Analyzer, such as Bastille which can view OS
145 configuration and try to optimize.</para>
146 </listitem>
147 </itemizedlist>
148 </listitem>
149
150 <listitem>
151 <para><emphasis role="bold">Create a Secure logging
152 System</emphasis></para>
153
154 <para>Create a secure Linux logging system that can be expanded to other
155 types of systems for secure logging. By using logs, data can be
156 collected in order to discern why a server crashed. If the server is
157 unrecoverable, remote logs allow you the ability to see what happened
158 prior to the crash, even without the system running. If the crash was
159 related to an intrusion, any information that describes how the system
160 was compromised can help determine new approaches so further intrusions
161 can be prevented.</para>
162 </listitem>
163
164 <listitem>
165 <para><emphasis role="bold">Backup &amp; recovery</emphasis></para>
166
167 <para>If a system is compromised, the first concern is how to recover.
168 To ensure that there is something to recove, backup the data and
169 configurations continually.</para>
170 </listitem>
171
172 <listitem>
173 <para><emphasis role="bold">Physical Security</emphasis></para>
174
175 <para>No matter how many security features may be implemented, there is
176 always a way that an attacker with physical access to the system
177 (hardware and software) may by-pass them. To make this as difficult as
178 possible, there are several actions that can be taken to provide a
179 degree of security against an attacker with physical access to the
180 machine:</para>
181
182 <itemizedlist>
183 <listitem>
184 <para>Make sure unauthorized persons don&rsquo;t have easy access to
185 the hardware and software.</para>
186 </listitem>
187
188 <listitem>
189 <para>Prevent an attacker from booting from another disk/USB.</para>
190 </listitem>
191
192 <listitem>
193 <para>Set permissions and login restrictions as well as a firmware
194 password. It is also important to set a secondary bootloader
195 password (LILO or GRUB) to prevent malicious users from
196 booting.</para>
197 </listitem>
198
199 <listitem>
200 <para>Encrypt disks before they are installed.</para>
201 </listitem>
202 </itemizedlist>
203 </listitem>
204
205 <listitem>
206 <para><emphasis role="bold">Review Process</emphasis></para>
207
208 <para>Review your security process and security policies often, and
209 continually seek to improve them.</para>
210 </listitem>
211 </orderedlist>
212</chapter> \ No newline at end of file
diff --git a/doc/book-enea-nfv-access-user-hardening-guide/doc/intro_hardentools_tech.xml b/doc/book-enea-nfv-access-user-hardening-guide/doc/intro_hardentools_tech.xml
new file mode 100644
index 0000000..294d67e
--- /dev/null
+++ b/doc/book-enea-nfv-access-user-hardening-guide/doc/intro_hardentools_tech.xml
@@ -0,0 +1,209 @@
1<?xml version="1.0" encoding="ISO-8859-1"?>
2<chapter id="intro_hardentools_tech">
3 <title>A Brief Introduction to Hardening Tools and Technologies</title>
4
5 <para>Linux by default, is not a secure operating system however, it has
6 many features and tools that can help secure it thoroughly. Detailed below
7 are several useful tools and features available for Linux which can help
8 harden the Linux system to really high degrees.</para>
9
10 <section id="namespaces">
11 <title>Namespaces</title>
12
13 <para>Namespaces are a feature of the Linux kernel that isolate and
14 virtualize system resources for a collection of processes. Examples of
15 resources that can be virtualized are:</para>
16
17 <itemizedlist>
18 <listitem>
19 <para>Process IDs</para>
20 </listitem>
21
22 <listitem>
23 <para>Hostnames</para>
24 </listitem>
25
26 <listitem>
27 <para>User IDs</para>
28 </listitem>
29
30 <listitem>
31 <para>Network access</para>
32 </listitem>
33
34 <listitem>
35 <para>UTS</para>
36 </listitem>
37
38 <listitem>
39 <para>Control Group (cgroup)</para>
40 </listitem>
41
42 <listitem>
43 <para>Interprocess communication (IPC)</para>
44 </listitem>
45
46 <listitem>
47 <para>Filesystems (mnt)</para>
48 </listitem>
49 </itemizedlist>
50
51 <para>Namespaces are a fundamental aspect of containers on Linux. Tools
52 like Docker make isolating Linux processes into their own little system
53 environments easy. This makes it possible to run a whole range of
54 applications on a single real Linux machine and ensure that no processes
55 can interfere with each other, without having to resort to using virtual
56 machines. </para>
57 </section>
58
59 <section id="intrusion_prev_dev">
60 <title>Linux Intrusion Prevention/Detection Systems</title>
61
62 <para>An Intrusion Prevention System (IPS) and an Intrusion Detection
63 System (IDS) provide an effective layer of security. The Linux Intrusion
64 Detection System (LIDS) is a patch to the Linux kernel and associated
65 administrative tools, and enhances the kernel's security by implementing
66 Mandatory Access Control (MAC).</para>
67
68 <para>When a LIDS system is booted, file restrictions are enforced
69 immediately. Once the system has come on, the <command>lidsadm
70 -I</command> command will seal off the kernel, preventing any additional
71 kernel modules from affecting it.</para>
72 </section>
73
74 <section id="kernel_hardening">
75 <title>Kernel Hardening</title>
76
77 <para>Kernel hardening is primarily about the kernel protecting itself,
78 eliminating classes of exploits, and reducing its attack surface. Two
79 approaches to hardening the standard Linux kernel are: </para>
80
81 <itemizedlist>
82 <listitem>
83 <para>Address space (memory) protection</para>
84 </listitem>
85
86 <listitem>
87 <para>Advance Access Control System</para>
88 </listitem>
89 </itemizedlist>
90
91 <para>Buffer overflows (in languages such as C) are one of the leading
92 vulnerabilities exploited to gain control of a system. The problem arises
93 when a user can insert more data into a buffer than it was originally
94 allocated for. Restrictions however, on an application's address space
95 prevent many types of buffer overflows attacks.</para>
96 </section>
97
98 <section id="lsm">
99 <title>Linux Security Modules (LSM)</title>
100
101 <para>LSM is a framework part of the Linux kernel. LSM API implements
102 hooks at all security-critical points within the kernel. The modules
103 currently accepted in the official kernel are:</para>
104
105 <itemizedlist>
106 <listitem>
107 <para>AppArmor</para>
108 </listitem>
109
110 <listitem>
111 <para>SELinux</para>
112 </listitem>
113
114 <listitem>
115 <para>Smack</para>
116 </listitem>
117
118 <listitem>
119 <para>TOMOYO Linux</para>
120 </listitem>
121
122 <listitem>
123 <para>Yama</para>
124 </listitem>
125 </itemizedlist>
126
127 <section id="selinux">
128 <title>SELinux</title>
129
130 <para><emphasis role="bold">SELinux, Security Enhanced Linux</emphasis>
131 is a Kernel security mechanism for the supporting access control
132 security policy. SELinux has three configuration modes:</para>
133
134 <itemizedlist>
135 <listitem>
136 <para>Disabled: Turned-off</para>
137 </listitem>
138
139 <listitem>
140 <para>Permissive: Prints warnings</para>
141 </listitem>
142
143 <listitem>
144 <para>Enforcing: Policy is enforced</para>
145 </listitem>
146 </itemizedlist>
147
148 <para>Edit the selinux config file to change the
149 configuration:<programlisting># /etc/selinux/config
150SELINUX=enforcing</programlisting></para>
151 </section>
152 </section>
153
154 <section id="acl">
155 <title>POSIX Access Control Lists (ACL)</title>
156
157 <para>In addition to the file owner, the file group etc., additional users
158 and groups can be granted or denied access by using POSIX ACLs. For a
159 file, ACLs can be configured:</para>
160
161 <itemizedlist>
162 <listitem>
163 <para>Per user </para>
164 </listitem>
165
166 <listitem>
167 <para>Per group</para>
168 </listitem>
169
170 <listitem>
171 <para>Via the effective right mask</para>
172 </listitem>
173
174 <listitem>
175 <para>For users not in the user group, for the file</para>
176 </listitem>
177 </itemizedlist>
178 </section>
179
180 <section id="log_audit">
181 <title>Logging and Auditing</title>
182
183 <para>Audit logs are useful for analyzing system behavior, and may help
184 detect attempts at compromising the system. Enea Linux distributions have
185 logging mechanisms that record all system activities. The syslog service
186 manages the logs in <command>/var/log/</command>. These logs are critical
187 for troubleshooting purposes.</para>
188 </section>
189
190 <section id="secure_net_coms">
191 <title>Secure Network Communication</title>
192
193 <para>Encrypt and authenticate network communication using IPsec.</para>
194 </section>
195
196 <section id="hd_encrypting">
197 <title>Hard Disk Encryption and Disk Protection</title>
198
199 <para>Encrypt the disks before they are installed. This is a crucial step
200 as it will prevent unauthorized access to data even when the hard disk is
201 connected to a different machine.</para>
202
203 <para>Disk protection is a key step in securing data. Make sure that you
204 backup data so that situations such as a damaged system and bugs in the OS
205 updates won't affect them. The backup must be transferred offsite
206 for major servers to keep data secure during unforeseen disasters. Backup
207 management must also be well-defined.</para>
208 </section>
209</chapter> \ No newline at end of file
diff --git a/doc/book-enea-nfv-access-user-hardening-guide/doc/intro_info_security.xml b/doc/book-enea-nfv-access-user-hardening-guide/doc/intro_info_security.xml
new file mode 100644
index 0000000..bbc203b
--- /dev/null
+++ b/doc/book-enea-nfv-access-user-hardening-guide/doc/intro_info_security.xml
@@ -0,0 +1,144 @@
1<?xml version="1.0" encoding="ISO-8859-1"?>
2<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
3"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
4<chapter id="intro_info_security">
5 <title>Introduction to Information Security</title>
6
7 <para><remark>I want to add an intro to this chapter, it's too brief and
8 vague, what is the purpose of these 3 lists, what are they intended to
9 introduce?</remark></para>
10
11 <section id="security_categories">
12 <title>Related Security Categories</title>
13
14 <itemizedlist>
15 <listitem>
16 <para>Internet Security</para>
17 </listitem>
18
19 <listitem>
20 <para>Cyberwarfare</para>
21 </listitem>
22
23 <listitem>
24 <para>Computer Security</para>
25 </listitem>
26
27 <listitem>
28 <para>Mobile Security</para>
29 </listitem>
30
31 <listitem>
32 <para>Network Security</para>
33 </listitem>
34 </itemizedlist>
35 </section>
36
37 <section id="threats">
38 <title>Threats</title>
39
40 <itemizedlist>
41 <listitem>
42 <para>Computer Crime</para>
43 </listitem>
44
45 <listitem>
46 <para>Vulnerability</para>
47 </listitem>
48
49 <listitem>
50 <para>Eavesdropping</para>
51 </listitem>
52
53 <listitem>
54 <para>Exploitation</para>
55 </listitem>
56
57 <listitem>
58 <para>Trojan Horse</para>
59 </listitem>
60
61 <listitem>
62 <para>Computer Viruses and Computer Worms</para>
63 </listitem>
64
65 <listitem>
66 <para>Denial of Service</para>
67 </listitem>
68
69 <listitem>
70 <para>Malware</para>
71 </listitem>
72
73 <listitem>
74 <para>Payload</para>
75 </listitem>
76
77 <listitem>
78 <para>Rootkit</para>
79 </listitem>
80
81 <listitem>
82 <para>Keylogger</para>
83 </listitem>
84 </itemizedlist>
85 </section>
86
87 <section id="defenses">
88 <title>Defenses</title>
89
90 <itemizedlist>
91 <listitem>
92 <para>Computer Access Control</para>
93 </listitem>
94
95 <listitem>
96 <para>Application Security</para>
97 </listitem>
98
99 <listitem>
100 <para>Antivirus Software</para>
101 </listitem>
102
103 <listitem>
104 <para>Secure Coding</para>
105 </listitem>
106
107 <listitem>
108 <para>Security by Design</para>
109 </listitem>
110
111 <listitem>
112 <para>Secure Operating Systems</para>
113 </listitem>
114
115 <listitem>
116 <para>Authentication</para>
117 </listitem>
118
119 <listitem>
120 <para>Multi-factor Authentication</para>
121 </listitem>
122
123 <listitem>
124 <para>Authorization</para>
125 </listitem>
126
127 <listitem>
128 <para>Data-centric Security</para>
129 </listitem>
130
131 <listitem>
132 <para>Firewall</para>
133 </listitem>
134
135 <listitem>
136 <para>Intrusion Detection System</para>
137 </listitem>
138
139 <listitem>
140 <para>Intrusion Prevention System</para>
141 </listitem>
142 </itemizedlist>
143 </section>
144</chapter> \ No newline at end of file
diff --git a/doc/book-enea-nfv-access-user-hardening-guide/doc/introduction.xml b/doc/book-enea-nfv-access-user-hardening-guide/doc/introduction.xml
new file mode 100644
index 0000000..af6b99d
--- /dev/null
+++ b/doc/book-enea-nfv-access-user-hardening-guide/doc/introduction.xml
@@ -0,0 +1,102 @@
1<?xml version="1.0" encoding="ISO-8859-1"?>
2<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
3"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
4<chapter id="overview">
5 <title>Overview</title>
6
7 <para>This document describes a set of activities needed for securing Enea
8 NFV Access by users. Most security hardening configurations and features
9 affect performance, and should only be set if more security but less
10 performance is required and acceptable. We emphasize to use layers of
11 security to get the desired degree of hardening.</para>
12
13 <section id="intro">
14 <title>Introduction</title>
15
16 <para>This document describes several hardening techniques and Open Source
17 tools available for Enea NFV Access platforms.</para>
18
19 <section id="rev-hist">
20 <title>Revision History</title>
21
22 <table>
23 <tgroup cols="4">
24 <colspec align="center" />
25
26 <thead>
27 <row>
28 <entry align="center">Revision</entry>
29
30 <entry align="center">Author</entry>
31
32 <entry align="center">Date</entry>
33
34 <entry align="center">Purpose of Revision</entry>
35 </row>
36 </thead>
37
38 <tbody>
39 <row>
40 <entry>3</entry>
41
42 <entry>Sona Sarmadi</entry>
43
44 <entry>2017-09-07</entry>
45
46 <entry>Added Introduction to Information Security, sec
47 2.</entry>
48 </row>
49
50 <row>
51 <entry>2</entry>
52
53 <entry>Sona Sarmadi</entry>
54
55 <entry>2017-09-07</entry>
56
57 <entry>Updated section 2.</entry>
58 </row>
59
60 <row>
61 <entry>1</entry>
62
63 <entry>Sona Sarmadi</entry>
64
65 <entry>2017-08-31</entry>
66
67 <entry>Initial Revision, hardening guideline for users.</entry>
68 </row>
69 </tbody>
70 </tgroup>
71 </table>
72 </section>
73
74 <section id="references">
75 <title>References</title>
76
77 <itemizedlist>
78 <listitem>
79 <para><ulink
80 url="https://www.sans.org/reading-room/whitepapers/linux/linux-kernel-hardening-1294">www.sans.org/reading-room/whitepapers/linux/linux-kernel-hardening-1294</ulink></para>
81 </listitem>
82
83 <listitem>
84 <para><ulink
85 url="https://lwn.net/Articles/705262/">lwn.net/Articles/705262/</ulink></para>
86 </listitem>
87 </itemizedlist>
88 </section>
89
90 <section id="def_acro">
91 <title>Definitions and Acronyms</title>
92
93 <para>Definitions</para>
94
95 <para>[FIXME]</para>
96
97 <para>Acronyms</para>
98
99 <para>[FIXME]</para>
100 </section>
101 </section>
102</chapter> \ No newline at end of file
diff --git a/doc/book-enea-nfv-access-user-hardening-guide/swcomp.mk b/doc/book-enea-nfv-access-user-hardening-guide/swcomp.mk
new file mode 100644
index 0000000..2fe78b5
--- /dev/null
+++ b/doc/book-enea-nfv-access-user-hardening-guide/swcomp.mk
@@ -0,0 +1,10 @@
1# Component build specification
2
3# Version of THIS book
4BOOK_VER ?= $(REL_VER)-dev
5
6DOCBOOK_SRC := $(COMP)/swcomp.mk $(COMP)/doc/book.xml $(shell find $(COMP)/doc -type f \( -name "*.xml" -o -name "*.svg" -o -name "*.png" \) ! -name "book.xml" -print)
7
8BOOKPACKAGES := book-enea-nfv-access-user-hardening-guide
9BOOKDESC_$(BOOKPACKAGES) := "Enea NFV Access $(PROD_VER) User's Hardening Guide"
10BOOKDEFAULTCONDITION := $(DEFAULTCONDITIONS)
generated by cgit v1.2.3-54-g00ecf (git 2.39.0) at 2025-10-27 00:54:03 +0000