Expanding the list of "Hardened Packages"
Steve Grubb
sgrubb at redhat.com
Sat Apr 13 17:46:12 UTC 2013
On Saturday, April 13, 2013 12:19:42 PM Rahul Sundaram wrote:
> On Sat, Apr 13, 2013 at 11:33 AM, Steve Grubb wrote:
> > I don't think there is any need to extend the set of packages that _should_
> > get hardening. The current guidelines are sufficient. What is not happening is
> > the packages that have apps that fit the need to be hardened are not getting
> > the proper hardening. I have opened dozens of bugs on the "core" packages that
> > matter, but even those bz are still not complete.
>
> Is there a tracker bug? Proven packagers can help
I have a tracker bug for issues identified on the core set of packages that
would be part of a common criteria certification:
https://bugzilla.redhat.com/show_bug.cgi?id=853068
which then shows:
dbus https://bugzilla.redhat.com/show_bug.cgi?id=853152
NetworkManager https://bugzilla.redhat.com/show_bug.cgi?id=853199
I have not run the script that checks a distribution on F19 yet, so maybe
there are more?
http://people.redhat.com/sgrubb/files/rpm-chksec
To check a typical install and only get the packages that do not meet policy,
do this:
./rpm-chksec --all | sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[m|K]//g" | egrep -w 'no|PACKAGE'
A small sample on F18:
PACKAGE                  RELRO  PIE  CLASS
abrt-addon-ccpp.x86_64   yes    no   setuid
abrt.x86_64              yes    no   daemon
accountsservice.x86_64   yes    no   daemon
acpid.x86_64             yes    no   daemon
agave.x86_64             no     yes  exec
akonadi.x86_64           yes    no   network-local
alsa-lib.x86_64          yes    no   network-ip
alsa-utils.x86_64        yes    no   network-ip
apg.x86_64               yes    no   daemon
arpwatch.x86_64          yes    no   daemon
But it should be noted that the script does not identify parsers of untrusted
media. This would be stuff like: gnash, ooffice, evince, poppler, firefox,
konqueror, xchat, wireshark, eog, kmail, evolution, rpm, etc. I don't know how
to automate that.
-Steve