From Fedora Project Wiki

No edit summary
(66 intermediate revisions by 14 users not shown)
Line 1: Line 1:
[[File:Spins-banner_security.png]]
[[File:Spins-banner_security.png]]
<!-- All fields on this form are required to be accepted by the Spins SIG
We also request that you maintain the same order of sections so that all of the feature pages are uniform.  -->
= Fedora Security Spin =
= Fedora Security Spin =
{{admon/note|Wiki Page Purpose|This page follows the [[Spins_Process]]. The Development Home can be found at https://fedorahosted.org/security-spin/}}
== Summary ==
The Fedora Security Spin is a livecd based on Fedora to provide a safe test-environment for working on security-auditing, forensics and penetration-testing, coupled with all the Fedora-Security features and tools.
== Owner(s) ==
* Owners: [[User:Jsimon | Joerg Simon]], [[User:fab | Fabian Affolter]]


== Goals ==
* Quality Assurance: [[User:Athmane | Athmane Madjoudj ]]
* To provide a fully functional livecd based on Fedora for use in security auditing, forensics, and penetration testing.
* Tentatively becoming an official Fedora Spin by Fedora 12 Release


== Features ==
* Former Owners: [[User:Lmacken | Luke Macken]], [[User:Maxamillion | Adam John Miller]], [[User:Cwickert | Christoph Wickert]], [[User:Hiemanshu | Hiemanshu Sharma]]
* All of the security [[Security/Features| features]] and tools Fedora has to offer
* Ability to install directly to hard disk or usb drives
* Read-write rootfs so it's possible to install software while the livecd is running
* Minimal openbox desktop, with a customized menu ([http://lewk.org/img/securityspin.png Screenshot])


== Spinning your own ==
== Detailed Description ==
https://fedorahosted.org/security-spin/browser/fedora-livecd-security.ks
The spin is maintained by a community of Security Testers and Developers. It comes with the clean and fast Xfce Desktop Enviroment and a customized menu to have all the instruments one may need to follow a proper test-path on security testing[https://fedorahosted.org/security-spin/wiki/availableApps]or to rescue a broken system. With the read-write rootfs, it is possible to install software while the livecd is running. The Fedora liveusb-creator provides an overlay feature to put the security-spin on an usb-stick so that the user can install and update software - and can save his test-results permanently.


== Contributing ==
== Benefit to Fedora ==
You can help with this project by writing RPMS for packages in the Wishlist, reviewing existing new package reports, tweaking the livecd configuration, among many other things.
* covered by the above Description
* A stable platform for teaching security along Security Classes in Universities and Organisations like the [http://www.isecom.org ISECOM]
** People learn about Fedora through these Classes
* Showcase for all Security-Features
* A Toolset for proper Security-Testing
* a complete  Repair/Rescue System - with tools not contained on the other LiveCD's to rescue your System
* gather interested People to package new upstreams for this spin
** see [https://fedorahosted.org/security-spin/wiki/Wishlist Wishlist]
* Cool Marketing Instrument!
* There are Industry Partners who are interested to contribute
* and also contained in this presentation [http://jsimon.fedorapeople.org/fedora_osstmm_secspinv5.pdf SecuritySpin and the OSSTMM]


Send patches, suggestions, etc to [[User:Lmacken]].
== Kickstart File ==


* http://git.fedorahosted.org/cgit/spin-kickstarts.git/tree/fedora-livecd-security.ks?h=master


'''Contributors:'''
== ISO Name / FS Label ==
----
* ISO name: Fedora-$release-$arch-LiveSecurity
* FS-Label: Fedora-$release-$arch-Security


[[User:Maxamillion]]<br />
== Dependencies ==
[[JoergSimon]]
* security-menus
** <s>https://bugzilla.redhat.com/show_bug.cgi?id=548824#c17</s> DONE


== Software ==
== Testing / QA ==
=== Available ===
* Run [[JeremyKatz/SpinChecklist#Testing_of_the_Spin| basic spin testing]]
The following packages currently exist in Fedora and are on the Security LiveCD.
* Test installs from livecd and usb, test livecd-creator
{| border="1"
* Persistence of Security Menu after installations
|- style="color: white; background-color: #3074c2; font-weight: bold"
* How do the [https://fedorahosted.org/security-spin/wiki/availableApps available applications] work?
| '''Software''' || '''Description'''
* [https://fedoraproject.org/wiki/Category:Security_Lab Current security lab applications test-cases]
|- ||style="color: black; background-color: #eeeff1"
* As of Fedora 16, Security Lab release validation test events are available.
| ''Reconnaissance''
|-
| [http://ettercap.sourceforge.net ettercap] || Ettercap is a suite for man in the middle attacks on LAN. It features sniffing of live connections, content filtering on the fly and many other interesting tricks. It supports active and passive dissection of many protocols (even ciphered ones) and includes many feature for network and host analysis.
|-
| [http://monkey.org/~dugsong/dsniff/ dsniff]  || dsniff is a collection of tools for network auditing and penetration testing.
|-
|[http://www.hping.org/ hping3] || TCP/IP stack auditing and much more
|-
| [http://iptraf.seul.org iptraf] || IPTraf is a console-based network monitoring utility.
|-
|[http://www.deepspace6.net/projects/netcat6.html nc6]  || Netcat with IPv6 Support
|-
|[http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/nc/ nc]  || Reads and writes data across network connections using TCP or UDP
|-
|[http://www.nessus.org nessus] || Remote vulnerability scanner
|-
|[http://ngrep.sourceforge.net/  ngrep] || Network layer grep tool
|-
|[http://www.insecure.org/nmap/ nmap] || Network exploration tool and security scanner
|-
|[http://lcamtuf.coredump.cx/p0f.shtml p0f]  || Versatile passive OS fingerprinting tool
|-
|[http://monkey.org/~provos/scanssh scanssh]  || Fast SSH server and open proxy scanner
|-
|[http://www.dest-unreach.org/socat socat] || Bidirectional data relay between two data channels ('netcat++')
|-
|[http://www.tcpdump.org tcpdump]  || A network traffic monitoring tool
|-
|[http://www.nongnu.org/tiger/ tiger] || Security auditing on UNIX systems
|-
|[http://www.wireshark.org/ wireshark]  || Network traffic analyzer
|-
|[http://www.sys-security.com/index.php?page=xprobe xprobe2] || An active operating system fingerprinting tool
|-
|[http://www.inetcat.net/software/nbtscan.html nbtscan] || Tool to gather NetBIOS info from Windows networks
|-
| [http://tcpxtract.sourceforge.net/ tcpxtract]  || Tool for extracting files from network traffic based on file signatures
|-
| [http://www.packetfactory.net/projects/firewalk/ firewalk]  || Firewalk is an active reconnaissance network security tool that attempts to determine what layer 4 protocols a  given IP forwarding device will pass.
|-
| [http://www.academicunderground.org/examiner/ examiner]  || The Examiner is an application that utilizes the objdump command to disassemble and comment foreign executable binaries
|-
| [http://lin.fsid.cvut.cz/~kra/index.html hunt]  || Tool for demonstrating well known weaknesses in the TCP/IP protocol suite
|-
| [http://www.rootkit.nl/projects/lynis.html Lynis] || Security and system auditing tool
|-
| [http://halberd.superadditive.com halberd]  || Tool to discover HTTP load balancers
|-
| [http://qosient.com/argus/ argus] || Argus is a fixed-model Real Time Flow Monitor designed to track and report on the status and performance of all network transactions seen in a data network traffic stream.
|-
| [http://www.eff.org/testyourisp/pcapdiff/ pcapdiff] || Compares packet captures, detects forged, dropped or mangled packets
|-
|[http://www.wallinfire.net/picviz picviz] || Picviz is a parallel coordinates plotter which enables easy scripting from various input (tcpdump, syslog, iptables logs, apache logs, etc..) to visualize your data and discover interesting results quickly.  Its primary goal is to graph data in order to be able to quickly analyze problems and find correlations among variables. With security analysis in mind, the program has been designed to be very flexible, able to graph millions of events.  The language is designed to be close to the graphviz graph description language.
|-
| [http://etherape.sourceforge.net/ etherape] || EtherApe is a graphical network monitor modeled after etherman.
|- ||style="color: black; background-color: #eeeff1"
| ''Forensics''
|-
|[http://www.chkrootkit.org chkrootkit] || Tool to locally check for signs of a rootkit
|-
| [http://www.security-projects.com/?Unhide Unhide] || tool for searching hidden processes
|-
|[http://www.clamav.net clamav] || Clam Antivirus
|-
|[http://dc3dd.sourceforge.net/ dc3dd] || Patched version of GNU dd for use in computer forensics
|-
|[http://www.garloff.de/kurt/linux/ddrescue/ dd_rescue] || Fault tolerant "dd" utility for rescuing data from bad media
|-
|[http://www.sleuthkit.org sleuthkit] || The Sleuth Kit (TSK) is a collection of UNIX-based command line tools that allow you to investigate a computer. The current focus of the tools is the file and volume systems and TSK supports FAT, Ext2/3, NTFS, UFS, and ISO 9660 file systems
|-
|[http://www.brzitwa.de/mb/gpart/index.html gpart]  || A program for recovering corrupt partition tables
|-
|[http://merd.sourceforge.net/pixel/hexedit.html hexedit] ||  A hexadecimal file viewer and editor
|-
|[http://prelude-ids.org/ prelude] || Log analyzer
|-
|[http://www.cgsecurity.org/wiki/TestDisk testdisk]  || Tool to check and undelete partition
|-
|[http://foremost.sf.net foremost]  || Recover files by "carving" them from a raw disk
|-
| [http://fedorahosted.org/sectool sectool] || A security audit system and intrusion detection system
|-
| [http://www.rootkit.nl/projects/rootkit_hunter.html rkhunter] || A host-based tool to scan for rootkits, backdoors and local exploits
|-
| [http://taviso.decsystem.org/scanmem.html scanmem]  || scanmem is a simple interactive debugging utility, used to locate the address of a variable in an executing process. This can be used for the analysis or modification of a hostile process on a compromised machine, reverse engineering, or as a "pokefinder" to cheat at video games.
|- ||style="color: black; background-color: #eeeff1"
| ''Wireless''
|-
|[http://www.aircrack-ng.org aircrack-ng] || aircrack is an 802.11 WEP and WPA-PSK keys cracking program that can recover keys once enough data packets have been captured.
|-
|[http://airsnort.shmoo.com/ airsnort]  || Wireless LAN (WLAN) tool which recovers encryption keys
|-
|[http://www.kismetwireless.net kismet] || WLAN detector, sniffer and IDS
|- ||style="color: black; background-color: #eeeff1"
| ''Code Analysis''
|-
|[http://www.striker.ottawa.on.ca/~aland/pscan pscan]  || Limited problem scanner for C source files
|-
|[http://www.splint.org/ splint]  || A tool for statically checking C programs for coding errors and security vulnerabilities
|-
|[http://www.fortifysoftware.com/security-resources/rats.jsp rats] || RATS scans through code, finding potentially dangerous function calls. The goal of this tool is not to definitively find bugs (yet). The current goal is to provide a reasonable starting point for performing manual security audits.  The initial vulnerability database is taken directly from things that could be easily found when starting with the forthcoming book, "Building Secure Software" by Viega and McGraw.
|-
| [http://www.dwheeler.com/flawfinder flawfinder]  || Examines C/C++ source code for security flaws
|- ||style="color: black; background-color: #eeeff1"
| ''Intrusion Detection''
|-
|[http://sourceforge.net/projects/aide aide] || Intrusion detection environment
|-
|[http://www.prelude-ids.org prewikka] || Graphical front-end analysis console for the Prelude Hybrid IDS Framework
|-
|[http://www.prelude-ids.org prelude-manager] || Prelude Manager is the main program of the Prelude Hybrid IDS suite. It is a multithreaded server which handles connections from the Prelude sensors. It is able to register local or remote sensors, let the operator configure them remotely, receive alerts, and store alerts in a database or any format supported by reporting plugins, thus providing centralized logging and analysis. It also provides relaying capabilities for failover and replication. The IDMEF standard is used for alert representation. Support for filtering plugins allows you to hook in different places in the Manager to define custom criteria for alert relaying and logging.
|-
|[http://www.www.prelude-ids.com prelude-notify] ||  Prelude-notify is a desktop oriented application that works as a monitoring tool that capture events from prelude manager using the prelude connection pool event checker. Its purpose is to help security managers and/or administrators to see in real time what's going on in their network.
|-
|[http://www.snort.org snort]  || Intrusion detection system
|-
|[http://www.tripwire.org/ tripwire] || IDS (Intrusion Detection System)
|-
|[http://sourceforge.net/projects/labrea/ labrea] || Intrusion detection "sticky" honey pot technology using virtual servers to detect and trap worms, hackers, and other malware.
|-
|[http://passive.sourceforge.net/ pads] || PADS is a libpcap based detection engine used to passively detect network assets.  It is designed to complement IDS technology by providing context to IDS alerts. When new assets are found, it can send IDMEF alerts via prelude.
|-
|[http://www.honeyd.org/ honeyd] || Honeyd is a small daemon that creates virtual hosts on a network.  The hosts can be configured to run arbitrary services, and their TCP personality can be adapted so that they appear to be running certain versions of operating systems. Honeyd enables a single host to claim multiple addresses on a LAN for network simulation.
|-
| [http://nebula.mwcollect.org/ Nebula] || Intrusion signature generator
|- ||style="color: black; background-color: #eeeff1"
| ''Password Tools''
|-
|[http://www.openwall.com/john john] || John the Ripper password cracker
|-
| [http://ophcrack.sourceforge.net/ ophcrack] || Ophcrack is a free Windows password cracker based on rainbow tables.
|-||style="color: black; background-color: #eeeff1"
| ''Anonymity''
|-
| [http://tor.eff.org tor] || Anonymizing overlay network for TCP (The onion router)
|}


=== Wishlist ===
Please track your checks on the relevant release in the [https://fedoraproject.org/wiki/Category:Security_Lab_Testing Security Lab Testing category]
Note: the software listed below has not yet been verified to make sure the licenses meet our [[Packaging/Guidelines|  Guidelines]] .  Please see the [[Extras/NewPackageProcess|  NewPackageProcess]]  to help get these packages into Fedora.
{| border="1"
|- style="color: white; background-color: #3074c2; font-weight: bold"
| '''Software''' || '''Description''' || '''Notes'''
|-
| [http://airsnarf.shmoo.com/ airsnarf]  || A rogue AP setup utility ||
|-
| [http://www.rfxnetworks.com/apf.php apf]  || PF is a policy based iptables firewall system designed for ease of use and configuration ||Packager unfriendly. Upstream contacted with no response
|-
| [http://www.sleuthkit.org/autopsy/ autopsy]  || The Autopsy Forensic Browser is a graphical interface to the command line digital investigation tools in The Sleuth Kit. || Under [https://bugzilla.redhat.com/show_bug.cgi?id=487067 review (Bug #487067)] ||
|-
| [http://farm9.org/Cryptcat/ cryptcat]  || Cryptcat is the standard netcat enhanced with twofish encryption. || kashyapc is looking this
|-
| [http://www.thc.org/thc-hydra/ hydra]  ||  A very fast network logon cracker which support many different services || Under [https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=461385 review (#Bug 461385)]
|-
| [http://sourceforge.net/projects/iisemul8/ iisemulator]  || The goal of this project is to create a functioning web server which is indistinguishable from Microsoft's IIS product at a topical level. ||
|-
| [http://www.metasploit.com/ metasploit]  || The Metasploit Framework is an advanced open-source platform for developing, testing, and using exploit code.
|-
| [http://directory.fsf.org/security/misc/TCT.html tct]  || Tools for analyzing a system after a break-in || Deprecated (See TSK above)
|-
| [http://sourceforge.net/projects/cowpatty/ cowpatty]  || Audit Wpa pre-shared keys || Under [https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=231011 review (#Bug 231011)]
|-
| [http://directory.fsf.org/sdd.html sdd]  || 'sdd' is a replacement for a program called 'dd'. sdd is much faster than dd in cases where input block size (ibs) is not equal to the output block size (obs). Statistics are more easily understoon than those from 'dd'. Timing available, -time option will print transfer speed Timing & Statistics available at any time with SIGQUIT (^\) Can seek on input and output Fast null input Fast null output. Support for the RMT (Remote Tape Server) protocol makes remote I/O fast and easy.  || rakesh (looking at it, needs smake for build)
|-
| [http://www.truecrypt.org/downloads.php TrueCrypt]  || Free open-source disk encryption software for Windows Vista/XP/2000 and Linux || Questionable license.  See [http://lists.freedesktop.org/archives/distributions/2008-October/000273.html this thread] for more details.
|-
| [http://arpon.sourceforge.net arpon] || ArpON (Arp handler inspectiON) is a portable handler daemon with some nice tools to handle all ARP aspects. ||
|-
| [http://www.openvas.org OpenVAS] || The Open Vulnerability Assessment System is a network security scanner with associated tools like a graphical user front-end. The core component is a server with a set of network vulnerability tests (NVTs) to detect security problems in remote systems and applications. || huzaifas will do it ||
|-
| [http://www-arc.com/sara/ SARA] || Security Auditor's Research Assistant || rakesh doing ||
|-
| [http://tools.netsa.cert.org/silk/ SiLK] || Security analysis tool for network developed by CERT ||
|-
| [http://arpon.sourceforge.net/ ArpON] || Detects and blocks all ARP poisoning/spoofing attacks. ||
|-
|[http://www.beholderwireless.org/ Bh (Beholder)] || IDS for wireless networks. || rakesh (dropped mail to author for license queries) ||
|-
|[https://i72projekte.tm.uka.de/trac/Distack Distack] ||  Framework for attack detection which allows for an integration of various detection methods as lightweight modules. ||
|-
|[http://ttyrpld.sourceforge.net/ Ttyrpld] || Multi-os kernel-level tty logger ||
|-
|[http://www.torproject.org/vidalia Vidalia]|| controller-GUI for Tor || available in Fedora >=10
|-
|}


== References ==
== Spins Page ==
See https://fedorahosted.org/security-spin/wiki/spinspage


* http://lwn.net/Articles/225215/. Maybe provide this extension by default?
Spins Page is set up https://labs.fedoraproject.org/security/
* http://knoppix-std.org/tools.html


[[Category:Spins_Fedora_23]]
[[Category:Spins_Fedora_22]]
[[Category:Spins_Fedora_21]]
[[Category:Spins_Fedora_20]]
[[Category:Spins_Fedora_19]]
[[Category:Spins_Fedora_18]]
[[Category:Spins_Fedora_17]]
[[Category:Spins_Fedora_16]]
[[Category:Spins_Fedora_15]]
[[Category:Spins_Fedora_14]]
[[Category:Spins_Fedora_13]]
[[Category:Security Lab]]
[[Category:Spins]]
[[Category:Spins]]
[[Category:Spins in Development]]

Revision as of 19:42, 12 December 2015

Spins-banner security.png

Fedora Security Spin

Note.png
Wiki Page Purpose
This page follows the Spins_Process. The Development Home can be found at https://fedorahosted.org/security-spin/

Summary

The Fedora Security Spin is a livecd based on Fedora to provide a safe test-environment for working on security-auditing, forensics and penetration-testing, coupled with all the Fedora-Security features and tools.

Owner(s)

Detailed Description

The spin is maintained by a community of Security Testers and Developers. It comes with the clean and fast Xfce Desktop Enviroment and a customized menu to have all the instruments one may need to follow a proper test-path on security testing[1]or to rescue a broken system. With the read-write rootfs, it is possible to install software while the livecd is running. The Fedora liveusb-creator provides an overlay feature to put the security-spin on an usb-stick so that the user can install and update software - and can save his test-results permanently.

Benefit to Fedora

  • covered by the above Description
  • A stable platform for teaching security along Security Classes in Universities and Organisations like the ISECOM
    • People learn about Fedora through these Classes
  • Showcase for all Security-Features
  • A Toolset for proper Security-Testing
  • a complete Repair/Rescue System - with tools not contained on the other LiveCD's to rescue your System
  • gather interested People to package new upstreams for this spin
  • Cool Marketing Instrument!
  • There are Industry Partners who are interested to contribute
  • and also contained in this presentation SecuritySpin and the OSSTMM

Kickstart File

ISO Name / FS Label

  • ISO name: Fedora-$release-$arch-LiveSecurity
  • FS-Label: Fedora-$release-$arch-Security

Dependencies

Testing / QA

Please track your checks on the relevant release in the Security Lab Testing category

Spins Page

See https://fedorahosted.org/security-spin/wiki/spinspage

Spins Page is set up https://labs.fedoraproject.org/security/