Hardened checking - how?
Troy Dawson
tdawson at redhat.com
Mon Jun 10 14:32:22 UTC 2013
On 06/06/2013 03:36 PM, Troy Dawson wrote:
> Hi,
> Is there an official Fedora way for telling if something is hardened
> correctly?
> I'm working on hardening mongodb, and I think I have it right, but I'd
> really like to check.
>
> I was given a couple of scripts, which had dependencies not in Fedora,
> which then had dependencies not in Fedora, and so forth. At the third
> level of dependencies, I figured there had to be a more official way.
>
> If I missed a Fedora web page on it, or it was in the recent hardening
> discussion, feel free to point me to it.
>
> Thanks
> Troy Dawson
Hi,
Thanks for all the suggestions and help. Since there were a couple of
threads that came off of this, I'm going to give a summary here.
Programs:
  http://people.redhat.com/sgrubb/files/rpm-chksec
    (what I ended up using)
  http://packages.debian.org/sid/hardening-includes
    (packaged into rpm, see below)
  https://nohats.ca/checksec.sh
    (works)
  https://github.com/kholia/checksec
    (had fedora dependency problems that are being worked on)
rpm:
  hardening-check - http://koji.fedoraproject.org/koji/packageinfo?packageID=16362
Articles:
  http://lwn.net/Articles/454532/
Summary:
I ended up using rpm-chksec because it did everything I needed and all
its requirements were already installed on my machine.
Why I chose that?
While the others would check files, rpm-chksec took an rpm as an argument
and then checked all the binaries in it, giving a nice output.
Again, thanks to everyone who replied. I am glad I checked it. The
mongodb scons stuff wasn't accepting arguments as I originally thought,
and I found out that I hadn't really hardened mongodb.
I'm still working on it. My next patch hardens it, but fails on a few
platforms in ways I'm totally not expecting. So, the work goes on, but
having a check helps.
Thanks
Troy
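
As an added illustration (not part of the original message, and not code from rpm-chksec or the other tools listed), the sketch below shows the kind of per-binary check such tools perform: it reads the ELF headers and reports PIE and RELRO status. It assumes 64-bit little-endian ELF only; `check_elf` and `make_elf` are hypothetical names, and the sample images are constructed header-only byte strings rather than real binaries.

```python
import struct

ET_DYN, PT_DYNAMIC, PT_GNU_RELRO = 3, 2, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB

def check_elf(data):
    """Return PIE / RELRO status for a 64-bit little-endian ELF image."""
    if data[:4] != b"\x7fELF" or data[4:6] != b"\x02\x01":
        raise ValueError("not a 64-bit little-endian ELF file")
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    relro = bind_now = False
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, _flags, p_offset = struct.unpack_from("<IIQ", data, off)
        p_filesz = struct.unpack_from("<Q", data, off + 32)[0]
        if p_type == PT_GNU_RELRO:          # linker was given -z relro
            relro = True
        elif p_type == PT_DYNAMIC:          # walk the dynamic section
            for d in range(p_offset, p_offset + p_filesz, 16):
                tag, val = struct.unpack_from("<qQ", data, d)
                if tag == DT_NULL:
                    break
                if (tag == DT_BIND_NOW or (tag == DT_FLAGS and val & 0x8)
                        or (tag == DT_FLAGS_1 and val & 0x1)):
                    bind_now = True         # linker was given -z now
    level = "full" if relro and bind_now else "partial" if relro else "none"
    # ET_DYN covers PIE executables and shared objects alike.
    return {"pie": e_type == ET_DYN, "relro": level}

def make_elf(e_type, relro, dyn_tags):
    """Build a constructed, header-only ELF image for the demo."""
    dyn = b"".join(struct.pack("<qQ", t, v) for t, v in dyn_tags + [(DT_NULL, 0)])
    phdrs = [(PT_DYNAMIC, 64 + 2 * 56, len(dyn))]
    if relro:
        phdrs.append((PT_GNU_RELRO, 0, 0))
    ehdr = struct.pack("<4sBB10xHHIQQQIHHHHHH", b"\x7fELF", 2, 1, e_type, 62, 1,
                       0, 64, 0, 0, 64, 56, len(phdrs), 0, 0, 0)
    body = b"".join(struct.pack("<IIQQQQQQ", t, 4, o, 0, 0, s, s, 8)
                    for t, o, s in phdrs)
    return ehdr + body.ljust(2 * 56, b"\0") + dyn

if __name__ == "__main__":
    print("hardened:", check_elf(make_elf(ET_DYN, True, [(DT_FLAGS, 0x8)])))
    print("partial: ", check_elf(make_elf(2, True, [])))
    print("plain:   ", check_elf(make_elf(2, False, [])))
```

A build whose flags were silently ignored, as described above for the scons build, would show up here as `pie: False` or `relro: none` on the installed binaries.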