Expanding the list of "Hardened Packages"
Michael Scherer
misc at zarb.org
Mon Apr 1 08:23:24 UTC 2013
On Monday, 01 April 2013 at 12:29 +0530, Dhiru Kholia wrote:
> On 03/29/13 at 08:47pm, Björn Persson wrote:
> > > 2. An alternate approach is to come up with an expanded list of packages
> > > which should be hardened.
> >
> > Since FESCo maintains a list, I suppose anyone can propose specific
> > programs to be added to the list, but it seems pointless to explicitly
> > list programs that are already covered by the first three criteria.
> >
>
> I agree that it seems pointless (and tedious) to explicitly list
> programs which are already covered.
>
> However many packages (like PostgreSQL, Dovecot and MongoDB) meet the
> criteria but still are not getting hardened. I am not sure about the
> underlying reasons (oversight / performance concerns / etc.).
>
> What would be a good way to solve this problem in your opinion?
> (File bugs / Explicitly list such packages / Turn on hardening by default)
I would file bugs, and list those that were checked on a wiki page,
along with a link to the bug and a date, and revisit the reason on a
regular basis.
> It would be great to have some sort of automated method to find if
> hardening criteria applies to a particular package. Ideas are welcome!
You can take a look at http://people.redhat.com/sgrubb/security/ , there
is a script rpm-chksec to verify that.
--
Michael Scherer
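The automated check discussed above (is a given binary actually built with the hardening the policy asks for?) boils down to reading a few ELF headers. The following is an added example and is not the rpm-chksec script from the link, nor anything from the Fedora project: it parses the ELF header, program headers and dynamic section directly, so it works without readelf or binutils, and reports PIE (ET_DYN executable), RELRO (PT_GNU_RELRO, "full" only when BIND_NOW is also set) and a non-executable stack (PT_GNU_STACK without PF_X). The stack-protector and FORTIFY checks that rpm-chksec also performs need the symbol table and are deliberately left out. `build_sample_elf` constructs a synthetic header-only image so the checker can be exercised offline; the script and function names are this example's own.

```python
"""Check an ELF file for PIE, RELRO and non-executable stack.

Added example (not rpm-chksec). Parses headers directly; no binutils needed.
Usage: python elf_hardening_check.py /path/to/executable
"""
import struct
import sys

ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474E551, 0x6474E552
PF_X = 1
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1


def _program_headers(data, end, is64):
    """Yield (p_type, p_flags, p_offset, p_filesz) for every program header."""
    if is64:
        (e_phoff,) = struct.unpack_from(end + "Q", data, 0x20)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x36)
    else:
        (e_phoff,) = struct.unpack_from(end + "I", data, 0x1C)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x2A)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if is64:  # Elf64_Phdr: type, flags, offset, vaddr, paddr, filesz, ...
            p_type, p_flags, p_offset, _va, _pa, p_filesz = struct.unpack_from(
                end + "IIQQQQ", data, off)
        else:     # Elf32_Phdr: type, offset, vaddr, paddr, filesz, memsz, flags
            p_type, p_offset, _va, _pa, p_filesz, _ms, p_flags = struct.unpack_from(
                end + "IIIIIII", data, off)
        yield p_type, p_flags, p_offset, p_filesz


def _dynamic_has_bind_now(data, end, is64, offset, size):
    """Walk the PT_DYNAMIC segment looking for any BIND_NOW indication."""
    fmt, step = (end + "qQ", 16) if is64 else (end + "iI", 8)
    for off in range(offset, offset + size, step):
        d_tag, d_val = struct.unpack_from(fmt, data, off)
        if d_tag == DT_NULL:
            break
        if d_tag == DT_BIND_NOW:
            return True
        if (d_tag == DT_FLAGS and d_val & DF_BIND_NOW) or \
           (d_tag == DT_FLAGS_1 and d_val & DF_1_NOW):
            return True
    return False


def check_hardening(data):
    """Return {'pie': bool, 'relro': 'none'|'partial'|'full', 'nx': bool}."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = data[4] == 2            # EI_CLASS: 1 = ELFCLASS32, 2 = ELFCLASS64
    end = "<" if data[5] == 1 else ">"  # EI_DATA: 1 = little endian
    (e_type,) = struct.unpack_from(end + "H", data, 16)
    # ET_DYN on an *executable* means PIE; shared libraries are ET_DYN too,
    # so only apply this check to executables (as rpm-chksec does).
    result = {"pie": e_type == ET_DYN, "relro": "none", "nx": False}
    has_relro = bind_now = False
    for p_type, p_flags, p_offset, p_filesz in _program_headers(data, end, is64):
        if p_type == PT_GNU_RELRO:
            has_relro = True
        elif p_type == PT_GNU_STACK:
            # No PT_GNU_STACK at all means an executable stack on x86 Linux,
            # hence the False default above.
            result["nx"] = not (p_flags & PF_X)
        elif p_type == PT_DYNAMIC:
            bind_now = _dynamic_has_bind_now(data, end, is64, p_offset, p_filesz)
    if has_relro:
        result["relro"] = "full" if bind_now else "partial"
    return result


def build_sample_elf(pie=True, relro=True, bind_now=True, exec_stack=False):
    """Constructed test input: a minimal LSB ELF64 image holding only the
    headers this checker reads. It is not a runnable program."""
    dyn = struct.pack("<qQ", DT_FLAGS_1, DF_1_NOW) if bind_now else b""
    dyn += struct.pack("<qQ", DT_NULL, 0)
    n_phdr = 3 if relro else 2
    dyn_off = 64 + 56 * n_phdr
    phdrs = [(PT_DYNAMIC, 6, dyn_off, len(dyn)),          # PF_R | PF_W
             (PT_GNU_STACK, 7 if exec_stack else 6, 0, 0)]
    if relro:
        phdrs.append((PT_GNU_RELRO, 4, 0, 0))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", ET_DYN if pie else ET_EXEC,
                               62, 1, 0, 64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, off, 0, 0, sz, sz, 8)
                    for t, f, off, sz in phdrs)
    return ehdr + body + dyn


if __name__ == "__main__":
    with open(sys.argv[1], "rb") as fh:
        print(check_hardening(fh.read()))
```

Run against a real executable this prints something like `{'pie': True, 'relro': 'full', 'nx': True}` for a properly hardened binary; `'relro': 'partial'` means the package was linked with `-z relro` but without `-z now`, which is the most common gap in otherwise hardened builds.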