Security testing

Adam Williamson awilliam at redhat.com
Thu Aug 4 03:27:25 UTC 2011


On Wed, 2011-08-03 at 23:09 -0400, Steve Grubb wrote:
> On Wednesday, August 03, 2011 03:29:00 PM Adam Williamson wrote:
> > > I just wanted to let everyone know that I've made a number of tests
> > > available for assessing security of the distribution. It is by no means
> > > a comprehensive auditing tool, but the scripts definitely find problems.
> > >
> > > http://people.redhat.com/sgrubb/security/
> > >
> > > On this list, the rpm-chksec program is the one that I am most interested
> > > in people using right now. For Fedora 16, we have updated the policy to
> > > recommend all packages be compiled with partial RELRO and important
> > > programs have full RELRO enabled. This script can check individual rpms
> > > or the whole distribution at once for compliance.
> > >
> > > I have text explaining what each test does. If anyone finds problems with
> > > a script, please let me know. I will be adding more scripts as I find
> > > problems that need widespread attention.
> > >
> > > Hope this helps find and fix problems...
> > 
> > Looks like interesting stuff. Would any of these be appropriate to be
> > integrated into AutoQA so they could be run regularly?
> 
> Honestly, I don't know. On the one hand, I have some scripts that are good for Fedora
> QE in general. For example, the shell error test...why would anyone purposely write a
> shell script that does not work? This can always be fixed before a release. Some tests
> are still under development, like the ELF binary well-known tmp file test. This can make
> some false positives, but there are enough good things in it to start asking real
> questions about packages...like.../home/cagney/tmp/a.out...why is that in any program?
> But the chroot tests are solid. As are the exec stack tests. So, yes, there are things
> that can be automated so problems are not shipped.

Awesome. CCing autoqa-devel on the reply, then; is anyone from AutoQA
willing to work with Steve to take a look at his tests and identify good
candidates for bringing into AutoQA? Thanks!
-- 
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | identi.ca: adamwfedora
http://www.happyassassin.net
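The partial/full RELRO distinction that the Fedora 16 policy quoted above turns on is recorded in an ELF file's program headers (a PT_GNU_RELRO segment) and its dynamic section (BIND_NOW). The following stand-alone check is an added example, not Steve's rpm-chksec script and not part of the thread; it classifies one ELF64 image the way that policy needs, and builds a constructed minimal image for its own test.

```python
"""RELRO check for ELF64 images: 'none', 'partial' (PT_GNU_RELRO) or 'full'
(PT_GNU_RELRO plus BIND_NOW). Added example, stdlib only; not the rpm-chksec script."""
import struct, sys

PT_DYNAMIC, PT_GNU_RELRO = 2, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1
PHDR = "IIQQQQQQ"  # p_type p_flags p_offset p_vaddr p_paddr p_filesz p_memsz p_align

def relro_level(data: bytes) -> str:
    """Partial: GOT made read-only after relocation. Full: adds BIND_NOW, so the whole GOT is protected."""
    if data[:4] != b"\x7fELF" or data[4] != 2:
        raise ValueError("not an ELF64 image")
    end = "<" if data[5] == 1 else ">"                   # EI_DATA: 1 = little-endian
    phoff, = struct.unpack_from(end + "Q", data, 32)      # e_phoff
    phentsize, phnum = struct.unpack_from(end + "HH", data, 54)  # e_phentsize, e_phnum
    has_relro = bind_now = False
    for i in range(phnum):
        ph = struct.unpack_from(end + PHDR, data, phoff + i * phentsize)
        if ph[0] == PT_GNU_RELRO:
            has_relro = True
        elif ph[0] == PT_DYNAMIC:  # walk the dynamic array (d_tag, d_val) until DT_NULL
            for off in range(ph[2], ph[2] + ph[5], 16):
                tag, val = struct.unpack_from(end + "qQ", data, off)
                if tag == DT_NULL:
                    break
                if tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW) \
                        or (tag == DT_FLAGS_1 and val & DF_1_NOW):
                    bind_now = True
    if not has_relro:
        return "none"
    return "full" if bind_now else "partial"

def build_elf(relro: bool, bind_now: bool) -> bytes:
    """Constructed minimal ELF64 image (header + program headers + dynamic array) for testing."""
    phnum = 2 if relro else 1
    dyn = (struct.pack("<qQ", DT_FLAGS, DF_BIND_NOW) if bind_now else b"") \
        + struct.pack("<qQ", DT_NULL, 0)
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) \
        + struct.pack("<HHIQQQIHHHHHH", 2, 0x3E, 1, 0, 64, 0, 0, 64, 56, phnum, 0, 0, 0)
    phdrs = struct.pack("<" + PHDR, PT_DYNAMIC, 6, 64 + 56 * phnum, 0, 0, len(dyn), len(dyn), 8)
    if relro:
        phdrs += struct.pack("<" + PHDR, PT_GNU_RELRO, 4, 0, 0, 0, 0, 0, 1)
    return ehdr + phdrs + dyn

if __name__ == "__main__":  # usage: python relro_check.py /usr/bin/foo ...
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(f"{path}: {relro_level(f.read())} RELRO")
```

Run it over the binaries in an unpacked package to see which ones meet the partial recommendation and which of the important ones have full RELRO; a real audit should also handle ELF32 objects, which this example rejects.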