sgrubb at redhat.com
Thu Aug 4 03:09:44 UTC 2011
On Wednesday, August 03, 2011 03:29:00 PM Adam Williamson wrote:
> > I just wanted to let everyone know that I've made a number of tests
> > available for assessing security of the distribution. It is by no means
> > a comprehensive auditing tool, but the scripts definitely find problems.
> > http://people.redhat.com/sgrubb/security/
> > On this list, the rpm-chksec program is the one that I am most interested
> > in people using right now. For Fedora 16, we have updated the policy to
> > recommend all packages be compiled with partial RELRO and important
> > programs have full RELRO enabled. This script can check individual rpms
> > or the whole distribution at once for compliance.
> > I have text explaining what each test does. If anyone finds problems with
> > a script, please let me know. I will be adding more scripts as I find
> > problems that need widespread attention.
> > Hope this helps find and fix problems...
> Looks like interesting stuff. Would any of these be appropriate to be
> integrated into AutoQA so they could be run regularly?
Honestly, I don't know. On the one hand, I have some scripts that are good for fedora
QE in general. For example, the shell error test...why would anyone purposely write
shell script that does not work? This can always be fixed before a release. Some tests
are still under development like the ELF binary well known tmp file test. This can make
some false positives, but there are enough good things in it to start asking real
questions about packages...like.../home/cagney/tmp/a.out...why is that in any program?
But the chroot tests are solid. As are the exec stack tests. So, yes there are things
that can be automated so problems are not shipped.
More information about the test