Expanding the list of "Hardened Packages"
Reindl Harald
h.reindl at thelounge.net
Sat Apr 13 17:51:35 UTC 2013
Am 13.04.2013 19:46, schrieb Steve Grubb:
> http://people.redhat.com/sgrubb/files/rpm-chksec
>
> To check a typical install and only get the packages that do not meet policy,
> ./rpm-chksec --all | sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[m|K]//g" | egrep -w 'no|PACKAGE'
>
> A small sample on F18:
>
> PACKAGE RELRO PIE CLASS
> abrt-addon-ccpp.x86_64 yes no setuid
> abrt.x86_64 yes no daemon
> accountsservice.x86_64 yes no daemon
> acpid.x86_64 yes no daemon
> agave.x86_64 no yes exec
> akonadi.x86_64 yes no network-local
> alsa-lib.x86_64 yes no network-ip
> alsa-utils.x86_64 yes no network-ip
> apg.x86_64 yes no daemon
> arpwatch.x86_64 yes no daemon
>
> But it should be noted that the script does not identify parsers of untrusted
> media. This would be stuff like: gnash, ooffice, evince, poppler, firefox,
> konqueror, xchat, wireshark, eog, kmail, evolution, rpm, etc. I don't know how
> to automate that
which raises the question again:
would it be not the better way to build the whole distribution hardened
by expierience that nearly anything is exploitable over the long and
performance comes after security
performance would be increaded by many developers learning what to do to
prevent wasting ressources much more as do not ANY technique to make
things more secure security is a concept of many pieces and each piece
makes the overall system better
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 263 bytes
Desc: OpenPGP digital signature
URL: <http://lists.fedoraproject.org/pipermail/devel/attachments/20130413/726e74bf/attachment.sig>
More information about the devel
mailing list