On Monday, 01 April 2013 at 12:29 +0530, Dhiru Kholia wrote:
On 03/29/13 at 08:47pm, Björn Persson wrote:
> > 2. An alternate approach is to come up with an expanded list of packages
> > which should be hardened.
> Since FESCo maintains a list, I suppose anyone can propose specific
> programs to be added to the list, but it seems pointless to explicitly
> list programs that are already covered by the first three criteria.
> I agree that it seems pointless (and tedious) to explicitly list
> programs which are already covered.
> However, many packages (like PostgreSQL, Dovecot and MongoDB) meet the
> criteria but still are not getting hardened. I am not sure about the
> underlying reasons (oversight / performance concerns / etc.).
> What would be a good way to solve this problem in your opinion?
> (File bugs / Explicitly list such packages / Turn on hardening by default)
I would file bugs, and list those that were checked on a wiki page,
along with a link to the bug and a date, and revisit the reason on a regular
> It would be great to have some sort of automated method to find if
> hardening criteria apply to a particular package. Ideas are welcome!
You can take a look at http://people.redhat.com/sgrubb/security/ ; there
is a script, rpm-chksec, to verify that.
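As an added illustration of the kind of per-binary test such an automated check rests on (this is not code from the thread or from rpm-chksec), the Python below reads an ELF image and reports whether it was linked as PIE and whether it carries partial or full RELRO; the minimal ELF64 image it builds is constructed for the demonstration and is not a real binary.

```python
import struct

PT_DYNAMIC, PT_GNU_RELRO = 2, 0x6474E552                       # program header types
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1                               # "bind now" bits in DT_FLAGS / DT_FLAGS_1
ET_EXEC, ET_DYN = 2, 3                                         # e_type: fixed-address vs position-independent

def elf_hardening(data: bytes) -> dict:
    """Return {'pie': bool, 'relro': 'none'|'partial'|'full'} for an ELF image held in memory."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64, end = data[4] == 2, ("<" if data[5] == 1 else ">")
    e_type = struct.unpack_from(end + "H", data, 16)[0]
    if is64:   # ELF64 header: e_phoff at 32, e_phentsize/e_phnum at 54
        e_phoff = struct.unpack_from(end + "Q", data, 32)[0]
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
        ph_fmt, dyn_fmt, off_idx, size_idx = end + "IIQQQQQQ", end + "qQ", 2, 5
    else:      # ELF32 header: e_phoff at 28, e_phentsize/e_phnum at 42
        e_phoff = struct.unpack_from(end + "I", data, 28)[0]
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)
        ph_fmt, dyn_fmt, off_idx, size_idx = end + "IIIIIIII", end + "iI", 1, 4
    relro = bind_now = False
    for i in range(e_phnum):
        ph = struct.unpack_from(ph_fmt, data, e_phoff + i * e_phentsize)
        if ph[0] == PT_GNU_RELRO:
            relro = True                      # a read-only-after-relocation region exists
        elif ph[0] == PT_DYNAMIC:             # scan the dynamic table for a "bind now" request
            start, step = ph[off_idx], struct.calcsize(dyn_fmt)
            for off in range(start, start + ph[size_idx], step):
                tag, val = struct.unpack_from(dyn_fmt, data, off)
                if tag == DT_NULL:
                    break
                if (tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW)
                        or (tag == DT_FLAGS_1 and val & DF_1_NOW)):
                    bind_now = True
    level = "full" if relro and bind_now else ("partial" if relro else "none")
    return {"pie": e_type == ET_DYN, "relro": level}   # ET_DYN also matches shared objects

def make_sample_elf(pie: bool, relro: bool, bind_now: bool) -> bytes:
    """Constructed minimal ELF64 image (header, program headers, dynamic table only) for the demo."""
    dyn = (struct.pack("<qQ", DT_FLAGS, DF_BIND_NOW) if bind_now else b"") + struct.pack("<qQ", DT_NULL, 0)
    phdrs = [(PT_DYNAMIC, len(dyn))] + ([(PT_GNU_RELRO, 0)] if relro else [])
    dynoff = 64 + 56 * len(phdrs)                                  # dynamic table follows the phdrs
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8         # 64-bit, little-endian, SysV ABI
    hdr = ident + struct.pack("<HHIQQQIHHHHHH", ET_DYN if pie else ET_EXEC, 62, 1, 0,
                              64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    body = b"".join(struct.pack("<IIQQQQQQ", t, 6, dynoff, 0, 0, sz, sz, 8) for t, sz in phdrs)
    return hdr + body + dyn
```

For an installed file, `elf_hardening(open("/usr/bin/ssh", "rb").read())` applies the same check; a checker like the one discussed above would walk every ELF file a package installs and flag those not reporting PIE and full RELRO.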