Hardened checking - how?

Björn Esser bjoern.esser at gmail.com
Wed Jun 12 08:04:26 UTC 2013


On Monday, 10.06.2013, at 09:32 -0500, Troy Dawson wrote:
> On 06/06/2013 03:36 PM, Troy Dawson wrote:
> > Hi,
> > Is there an official Fedora way for telling if something is hardened
> > correctly?
> > I'm working on hardening mongodb, and I think I have it right, but I'd
> > really like to check.
> >
> > I was given a couple of scripts, which had dependencies not in Fedora,
> > which then had dependencies not in Fedora, and so forth.  At the third
> > level of dependencies, I figured there had to be a more official way.
> >
> > If I missed a Fedora web page on it, or it was in the recent hardening
> > discussion, feel free to point me to it.
> >
> > Thanks
> > Troy Dawson
> 
> Hi,
> Thanks for all the suggestions and help.  Since there were a couple of 
> threads that came off of this, I'm going to give a summary here.
> 
> Programs:
> http://people.redhat.com/sgrubb/files/rpm-chksec
>    (what I ended up using)
> http://packages.debian.org/sid/hardening-includes
>    (packaged into rpm, see below)
> https://nohats.ca/checksec.sh
>    (works)
> https://github.com/kholia/checksec
>    (had fedora dependency problems that are being worked on)
> 
> rpm:
> hardening-check - 
> http://koji.fedoraproject.org/koji/packageinfo?packageID=16362
> 
> Articles:
> http://lwn.net/Articles/454532/
> 
> Summary:
> I ended up using rpm-chksec because it did everything I needed and all 
> its requirements were already installed on my machine.
> Why I chose that?
> While the other would check files, rpm-chksec took an rpm as an argument 
> and then checked all the binaries in it, giving a nice output.
> 
> Again, thanks to everyone who replied.  I am glad I checked it.  The 
> mongodb scons stuff wasn't accepting arguments as I originally thought, 
> and I found out that I hadn't really hardened mongodb.
> I'm still working on it.  My next patch hardens it, but fails on a few 
> platforms in ways I'm totally not expecting.  So, the work goes on, but 
> having a check helps.
> 
> Thanks
> Troy

checksec is available as rpm now, too:
https://koji.fedoraproject.org/koji/packageinfo?packageID=16388

If you want to give some karma:
https://admin.fedoraproject.org/updates/checksec-1.5-1.fc19
https://admin.fedoraproject.org/updates/checksec-1.5-1.el6
https://admin.fedoraproject.org/updates/checksec-1.5-1.el5

karma for hardening-check:
https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-10405/hardening-check-2.3-2.el6

Cheers,
  Björn