Security testing

Steve Grubb sgrubb at redhat.com
Thu Aug 4 03:09:44 UTC 2011


On Wednesday, August 03, 2011 03:29:00 PM Adam Williamson wrote:
> > I just wanted to let everyone know that I've made a number of tests
> > available for assessing security of the distribution. It is by no means
> > a comprehensive auditing tool, but the scripts definitely find problems.
> >
> > http://people.redhat.com/sgrubb/security/
> >
> > On this list, the rpm-chksec program is the one that I am most interested
> > in people using right now. For Fedora 16, we have updated the policy to
> > recommend all packages be compiled with partial RELRO and important
> > programs have full RELRO enabled. This script can check individual rpms
> > or the whole distribution at once for compliance.
> >
> > I have text explaining what each test does. If anyone finds problems with
> > a script, please let me know. I will be adding more scripts as I find
> > problems that need widespread attention.
> >
> > Hope this helps find and fix problems...
> 
> Looks like interesting stuff. Would any of these be appropriate to be
> integrated into AutoQA so they could be run regularly?

Honestly, I don't know. On the one hand, I have some scripts that are good for Fedora 
QE in general. For example, the shell error test...why would anyone purposely write 
shell script that does not work? This can always be fixed before a release. Some tests 
are still under development like the ELF binary well known tmp file test. This can make 
some false positives, but there are enough good things in it to start asking real 
questions about packages...like.../home/cagney/tmp/a.out...why is that in any program? 
But the chroot tests are solid. As are the exec stack tests. So, yes there are things 
that can be automated so problems are not shipped.

-Steve
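The RELRO and executable-stack checks discussed in this thread are decided by a few ELF program headers and dynamic-section flags, so they can be verified without trusting the package's build flags. The following is an added example, not Steve's rpm-chksec script or any Fedora tooling: a small pure-Python ELF64 checker that classifies a binary as having no, partial or full RELRO (PT_GNU_RELRO present, plus a BIND_NOW marker for "full") and reports whether PT_GNU_STACK asks for an executable stack. The `build_test_elf` helper constructs synthetic header-only ELF images so the checker can be exercised offline; `classify_file` is the entry point you would point at real binaries. Only little-endian ELF64 is handled, which is an assumption made to keep the example short.

```python
import struct

# Program-header types and flags (values from the ELF/gABI and GNU extensions)
PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474E551, 0x6474E552
PF_X = 0x1
# Dynamic-section tags/flags that mark "bind now" (what turns partial RELRO into full RELRO)
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # ELF64 file header (64 bytes)
PHDR = struct.Struct("<IIQQQQQQ")          # ELF64 program header (56 bytes)
DYN = struct.Struct("<qQ")                 # ELF64 dynamic entry (16 bytes)


def classify_elf(data: bytes) -> dict:
    """Return {'relro': 'none'|'partial'|'full', 'exec_stack': bool} for an ELF64 LE image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 is handled in this example")
    hdr = EHDR.unpack_from(data, 0)
    phoff, phentsize, phnum = hdr[5], hdr[9], hdr[10]
    has_relro = False
    bind_now = False
    # No PT_GNU_STACK at all is treated as executable: that is the legacy kernel default on x86.
    exec_stack = True
    for i in range(phnum):
        p_type, p_flags, p_offset, _, _, p_filesz, _, _ = PHDR.unpack_from(data, phoff + i * phentsize)
        if p_type == PT_GNU_RELRO:
            has_relro = True
        elif p_type == PT_GNU_STACK:
            exec_stack = bool(p_flags & PF_X)
        elif p_type == PT_DYNAMIC:
            # Walk the dynamic section looking for any of the three "bind now" markers.
            for off in range(p_offset, p_offset + p_filesz, DYN.size):
                tag, val = DYN.unpack_from(data, off)
                if tag == DT_NULL:
                    break
                if tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW) \
                        or (tag == DT_FLAGS_1 and val & DF_1_NOW):
                    bind_now = True
    relro = "none" if not has_relro else ("full" if bind_now else "partial")
    return {"relro": relro, "exec_stack": exec_stack}


def classify_file(path: str) -> dict:
    """Classify an ELF64 binary on disk."""
    with open(path, "rb") as fh:
        return classify_elf(fh.read())


def meets_policy(result: dict, require_full_relro: bool = False) -> bool:
    """Check a result against the policy described in the thread: at least partial RELRO
    for everything, full RELRO for important programs, and never an executable stack."""
    if result["exec_stack"]:
        return False
    if require_full_relro:
        return result["relro"] == "full"
    return result["relro"] in ("partial", "full")


def build_test_elf(relro: bool, bind_now: bool, exec_stack: bool) -> bytes:
    """Construct a minimal, non-runnable ELF64 image carrying only the headers the checker reads.
    This is constructed test data, not a real binary."""
    dyn = (DYN.pack(DT_FLAGS, DF_BIND_NOW) if bind_now else b"") + DYN.pack(DT_NULL, 0)
    phnum = 2 + (1 if relro else 0)
    dyn_off = EHDR.size + phnum * PHDR.size
    phdrs = [
        PHDR.pack(PT_DYNAMIC, 6, dyn_off, 0, 0, len(dyn), len(dyn), 8),
        PHDR.pack(PT_GNU_STACK, 6 | (PF_X if exec_stack else 0), 0, 0, 0, 0, 0, 16),
    ]
    if relro:
        phdrs.append(PHDR.pack(PT_GNU_RELRO, 4, 0, 0, 0, 0, 0, 1))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # ELF64, little-endian, version 1
    # e_type=3 (ET_DYN), e_machine=62 (x86-64), phoff right after the header
    ehdr = EHDR.pack(ident, 3, 62, 1, 0, EHDR.size, 0, 0, EHDR.size, PHDR.size, phnum, 0, 0, 0)
    return ehdr + b"".join(phdrs) + dyn


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        r = classify_file(path)
        print(f"{path}: relro={r['relro']} exec_stack={r['exec_stack']} "
              f"policy_ok={meets_policy(r)}")
```

Run it as `python3 elfcheck.py /path/to/binary ...` to get one line per file; a distribution-wide sweep would be the same loop over the files each rpm installs. The classification mirrors what `readelf -l` and `readelf -d` show (a GNU_RELRO segment and a BIND_NOW/FLAGS/FLAGS_1 entry), so results can be cross-checked against those tools on any disagreement.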

