User:Misc/Hardening checklist

From FedoraProject

< User:Misc(Difference between revisions)
Jump to: navigation, search
Line 4: Line 4:
  
 
* inspect service file ( http://0pointer.de/blog/projects/security.html )
 
* inspect service file ( http://0pointer.de/blog/projects/security.html )
** PrivateTmp
+
** private tmp, ( PrivateTmp=true )
** PrivateNetwork
+
** private network ( PrivateNetwork= )
** block syscall
+
** block syscall ( SystemCallFilter= )
** block device
+
** block device ( DeviceAllow= )
** block path ( like /home ) ( ReadOnlyDirectories= )
+
** block path ( like /home ) ( ReadOnlyDirectories= , InaccessibleDirectories= )
 
** block the number of process to run ( LimitNPROC=1 )
 
** block the number of process to run ( LimitNPROC=1 )
  
 
* check if a daemon do not have a selinux policy or not
 
* check if a daemon do not have a selinux policy or not
 +
** check with ps faxZ if run with "system_u:system_r:initrc_t:s0" domain
 
    
 
    
* inspect rpmlint error about insecure file usage, insecure API
+
* inspect rpmlint error about insecure file usage & insecure API ( need git HEAD version )
 
** check of initgroups/setuid/setgroup order
 
** check of initgroups/setuid/setgroup order
 
** check for chdir before chroot
 
** check for chdir before chroot
Line 21: Line 22:
  
 
* check if daemon drop caps, with pscap
 
* check if daemon drop caps, with pscap
 +
** use CapabilityBoundingSet= in service file to reduce them if possible
  
 
* security review ( http://people.redhat.com/sgrubb/security/ )
 
* security review ( http://people.redhat.com/sgrubb/security/ )
** tmp usage
+
** tmp file usage
 
+
  
 
* check if started by default if network facing
 
* check if started by default if network facing
Line 30: Line 31:
 
* check if package is up to date
 
* check if package is up to date
  
* check file permission, especially log
+
* check file permission
 +
** check log file permission ( read )
 +
** check where the service can write
 +
 
 +
* check if the service can work in a hardened setup ( http://womble.decadent.org.uk/blog/whats-in-the-linux-kernel-for-debian-70-wheezy-part-1.html )
 +
** activate fs.protected_symlinks and see if it break
 +
** activate fs.protected_hardlinks and see if it break

Revision as of 09:32, 3 March 2013

List of check for security hardening of a package

  • inspect service file ( http://0pointer.de/blog/projects/security.html )
    • private tmp, ( PrivateTmp=true )
    • private network ( PrivateNetwork= )
    • block syscall ( SystemCallFilter= )
    • block device ( DeviceAllow= )
    • block path ( like /home ) ( ReadOnlyDirectories= , InaccessibleDirectories= )
    • block the number of process to run ( LimitNPROC=1 )
  • check if a daemon do not have a selinux policy or not
    • check with ps faxZ if run with "system_u:system_r:initrc_t:s0" domain
  • inspect rpmlint error about insecure file usage & insecure API ( need git HEAD version )
    • check of initgroups/setuid/setgroup order
    • check for chdir before chroot
    • check for compile flags properly added
  • check if daemon is run as root with ps fax
  • check if daemon drop caps, with pscap
    • use CapabilityBoundingSet= in service file to reduce them if possible
  • check if started by default if network facing
  • check if package is up to date
  • check file permission
    • check log file permission ( read )
    • check where the service can write