User:Misc/Hardening checklist

From FedoraProject

(Difference between revisions)
Line 8: Line 8:
 
** block syscall
 
** block syscall
 
** block device
 
** block device
** block path ( like /home )
+
** block path ( like /home ) ( ReadOnlyDirectories= )
 +
** block the number of process to run ( LimitNPROC=1 )
  
 
* check if a daemon do not have a selinux policy or not
 
* check if a daemon do not have a selinux policy or not
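Review bot: the two new sub-items name the systemd directive they refer to, but the unchanged "block syscall" and "block device" lines just above them do not; for consistency (and so the checklist is actionable) add the matching directives there too, e.g. "** block syscall ( SystemCallFilter= )" and "** block device ( DevicePolicy= / DeviceAllow= )". On the LimitNPROC=1 line, note that this sets RLIMIT_NPROC, which the kernel accounts per real UID rather than per unit and which counts threads as well as processes, so it does nothing for a daemon that stays root, breaks any multi-threaded daemon, and affects every other process sharing that UID; either qualify the value or say when the check applies.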
Line 26: Line 27:
  
 
* check if started by default if network facing
 
* check if started by default if network facing
 +
 +
* check if package is up to date
 +
 +
* check file permission, especially log
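Review bot: "check if package is up to date" does not say what it is compared against; spell out whether this means the latest upstream release or the latest Fedora build, since the two checks are done differently. The log permission item would be clearer if it stated the condition to look for, e.g. that the log files and directories are not world-readable or world-writable and are owned by the account the daemon runs as.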

Revision as of 08:24, 3 March 2013

List of checks for security hardening of a package

  • check whether the daemon has an SELinux policy of its own
  • inspect rpmlint errors about insecure file usage and insecure API calls
    • check the initgroups/setuid/setgroups call order
    • check for chdir() before chroot()
    • check that the compile flags are properly added
  • check whether the daemon runs as root (ps fax)
  • check whether the daemon drops capabilities (pscap)

  • check whether it is started by default if it is network facing
  • check that the package is up to date
  • check file permissions, especially on log files