From Fedora Project Wiki
(6 intermediate revisions by the same user not shown)
Line 1: Line 1:
List of check for security hardening of a package
List of check for security hardening of a package


* check %global hardened build ( https://fedoraproject.org/wiki/Packaging:Guidelines#Compiler_flags )
* check %global _hardened_build ( https://fedoraproject.org/wiki/Packaging:Guidelines#Compiler_flags )


* inspect service file ( http://0pointer.de/blog/projects/security.html )
* inspect service file ( http://0pointer.de/blog/projects/security.html )
** PrivateTmp
** private tmp ( PrivateTmp=true )
** PrivateNetwork
** private network ( PrivateNetwork= )
** block syscall
** block syscall ( SystemCallFilter= )
** block device
** block device ( DeviceAllow= )
** block path ( like /home )
** block path ( like /home ) ( ReadOnlyDirectories= , InaccessibleDirectories= )
** limit the number of process to run ( LimitNPROC=1 ), prevent exploit from running another process
** block capability to regain privileges ( NoNewPrivileges= )


* check if a daemon do not have a selinux policy or not
* check if a daemon do not have a selinux policy or not
** check with ps faxZ if run with "system_u:system_r:initrc_t:s0" domain
    
    
* inspect rpmlint error about insecure file usage, insecure API
* inspect rpmlint error about insecure file usage & insecure API ( need git HEAD version )
** check of initgroups/setuid/setgroup order
** check of initgroups/setuid/setgroup order
** check for chdir before chroot
** check for chdir before chroot
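Review bot: the SELinux item ("check if a daemon do not have a selinux policy or not") keeps its double negative on both sides of the hunk; wording it as "check whether the daemon has an SELinux policy" would make the added sub-item read as its test (a ps faxZ context of "system_u:system_r:initrc_t:s0" means no transition into a dedicated domain happened). Two smaller points: the added "limit the number of process to run ( LimitNPROC=1 )" deserves the caveat that RLIMIT_NPROC is counted per user and not enforced for root, so it only bites once the unit also sets User= to a dedicated account; and the rpmlint line's "( need git HEAD version )" would be clearer with a link to the tree or the checks meant, since a reader cannot tell which rpmlint release carries them. The "%global hardened build" to "%global _hardened_build" correction is right; the macro name carries the leading underscore.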
Line 19: Line 22:
* check if daemon is run as root with ps fax
* check if daemon is run as root with ps fax


* check if daemon drop caps, with pscap
* check if daemon drop caps, with pscap, if run as root
** use CapabilityBoundingSet= in service file to reduce them if possible


* security review ( http://people.redhat.com/sgrubb/security/ )
* security review ( http://people.redhat.com/sgrubb/security/ )
** tmp usage
** tmp file usage


* check if started by default if network facing
* check if package is up to date
* check file permission
** check log file permission ( read )
** check where the service can write
** check if password are not readable


* check if started by default if network facing
* check if the service can work in a hardened setup ( http://womble.decadent.org.uk/blog/whats-in-the-linux-kernel-for-debian-70-wheezy-part-1.html )
** activate fs.protected_symlinks and see if it break
** activate fs.protected_hardlinks and see if it break
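Review bot: "check if started by default if network facing" is removed at its old position and re-added below the new file-permission block, so confirm the move is intended and not a stray duplicate. The new hardened-setup items say "activate fs.protected_symlinks and see if it break" without saying how to activate it or what breaking looks like; suggest naming the sysctls (`sysctl -w fs.protected_symlinks=1`, `sysctl -w fs.protected_hardlinks=1`) and the behaviour they change (following another user's symlink in a world-writable directory such as /tmp, or hard-linking a file the daemon does not own), so the tester knows which failures to attribute to the knobs rather than to the package.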

Latest revision as of 13:15, 3 March 2013

List of checks for security hardening of a package

  • inspect service file ( http://0pointer.de/blog/projects/security.html )
    • private tmp ( PrivateTmp=true )
    • private network ( PrivateNetwork= )
    • block syscall ( SystemCallFilter= )
    • block device ( DeviceAllow= )
    • block path ( like /home ) ( ReadOnlyDirectories= , InaccessibleDirectories= )
    • limit the number of processes ( LimitNPROC=1 ) to prevent an exploit from spawning another process
    • block the ability to regain privileges ( NoNewPrivileges= )
  • check whether a daemon has an SELinux policy
    • check with ps faxZ whether it runs in the "system_u:system_r:initrc_t:s0" domain
  • inspect rpmlint errors about insecure file usage & insecure APIs ( needs the git HEAD version )
    • check the initgroups/setuid/setgroup order
    • check for chdir before chroot
    • check for compile flags properly added
  • check with ps fax whether the daemon runs as root
  • check with pscap whether the daemon drops capabilities, if it runs as root
    • use CapabilityBoundingSet= in the service file to reduce them if possible
  • check whether it is started by default if it is network facing
  • check if the package is up to date
  • check file permissions
    • check log file permissions ( read )
    • check where the service can write
    • check that passwords are not readable
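As an added example that is not part of the wiki page, the following POSIX shell script automates two of the checks above: it reports which of the listed [Service] hardening directives a unit file lacks (a constructed sample unit is embedded), and it flags a ps faxZ context that sits in the generic initrc_t domain. The directive names are the ones this page uses; newer systemd spells ReadOnlyDirectories= and InaccessibleDirectories= as ReadOnlyPaths= and InaccessiblePaths=.

```shell
#!/bin/sh
# Added example, not from the wiki page: audit a unit file's [Service] section for the
# hardening directives in the checklist, and flag a ps faxZ context that shows no
# dedicated SELinux domain (the catch-all initrc_t).

# Constructed sample: a typical daemon unit with only PrivateTmp set.
SAMPLE_UNIT='[Unit]
Description=Example daemon (constructed sample)

[Service]
ExecStart=/usr/sbin/exampled
User=exampled
PrivateTmp=true

[Install]
WantedBy=multi-user.target'

# Directives the checklist asks for (ReadOnlyDirectories=/InaccessibleDirectories= are
# the 2013 names; newer systemd calls them ReadOnlyPaths=/InaccessiblePaths=).
WANTED="PrivateTmp PrivateNetwork SystemCallFilter DeviceAllow ReadOnlyDirectories \
InaccessibleDirectories LimitNPROC NoNewPrivileges CapabilityBoundingSet"

# missing_hardening UNIT_TEXT: print, space separated, the wanted directives that are
# not set in [Service] (booleans must be true; the others need a non-empty value).
missing_hardening() {
    # keep only the [Service] section and drop comment lines
    service=$(printf '%s\n' "$1" | awk '/^\[/ { in_svc = ($0 == "[Service]") } in_svc && !/^[#;]/')
    out=""
    for d in $WANTED; do
        case "$d" in
            PrivateTmp|PrivateNetwork|NoNewPrivileges) pat="^${d}=(true|yes|on|1)[[:space:]]*$" ;;
            *) pat="^${d}=[^[:space:]]" ;;
        esac
        printf '%s\n' "$service" | grep -Eq "$pat" || out="$out $d"
    done
    printf '%s\n' "${out# }"
}

# unconfined_domain CONTEXT: succeed when a "ps faxZ" context is the catch-all initrc_t
# domain, i.e. the daemon has no SELinux policy of its own.
unconfined_domain() {
    case "$1" in
        system_u:system_r:initrc_t:*) return 0 ;;
        *) return 1 ;;
    esac
}

# Stand-alone run: report what the constructed sample lacks.
echo "missing in sample unit: $(missing_hardening "$SAMPLE_UNIT")"
```

On a real host, feed it the output of `systemctl cat <unit>` and the context column of `ps faxZ` for the daemon's PID.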