User:Misc/Hardening checklist: Difference between revisions

List of check for security hardening of a package

• check %global hardened build ( https://fedoraproject.org/wiki/Packaging:Guidelines#Compiler_flags )

• inspect service file ( http://0pointer.de/blog/projects/security.html )
  • private tmp, ( PrivateTmp=true )
  • private network ( PrivateNetwork= )
  • block syscall ( SystemCallFilter= )
  • block device ( DeviceAllow= )
  • block path ( like /home ) ( ReadOnlyDirectories= , InaccessibleDirectories= )
  • block the number of process to run ( LimitNPROC=1 )

• check if a daemon do not have a selinux policy or not
  • check with ps faxZ if run with "system_u:system_r:initrc_t:s0" domain

• inspect rpmlint error about insecure file usage & insecure API ( need git HEAD version )
  • check of initgroups/setuid/setgroup order
  • check for chdir before chroot
  • check for compile flags properly added

• check if daemon is run as root with ps fax

• check if daemon drop caps, with pscap, if run as root
  • use CapabilityBoundingSet= in service file to reduce them if possible

• security review ( http://people.redhat.com/sgrubb/security/ )
  • tmp file usage

• check if started by default if network facing

• check if package is up to date

• check file permission
  • check log file permission ( read )
  • check where the service can write
  • check if password are not readable

• check if the service can work in a hardened setup ( http://womble.decadent.org.uk/blog/whats-in-the-linux-kernel-for-debian-70-wheezy-part-1.html )
  • activate fs.protected_symlinks and see if it break
  • activate fs.protected_hardlinks and see if it break