Am 13.04.2013 19:46, schrieb Steve Grubb:
http://people.redhat.com/sgrubb/files/rpm-chksec
To check a typical install and only get the packages that do not meet policy, ./rpm-chksec --all | sed -r "s/\x1B[([0-9]{1,2}(;[0-9]{1,2})?)?[m|K]//g" | egrep -w 'no|PACKAGE'
A small sample on F18:
PACKAGE RELRO PIE CLASS abrt-addon-ccpp.x86_64 yes no setuid abrt.x86_64 yes no daemon accountsservice.x86_64 yes no daemon acpid.x86_64 yes no daemon agave.x86_64 no yes exec akonadi.x86_64 yes no network-local alsa-lib.x86_64 yes no network-ip alsa-utils.x86_64 yes no network-ip apg.x86_64 yes no daemon arpwatch.x86_64 yes no daemon
But it should be noted that the script does not identify parsers of untrusted media. This would be stuff like: gnash, ooffice, evince, poppler, firefox, konqueror, xchat, wireshark, eog, kmail, evolution, rpm, etc. I don't know how to automate that
which raises the question again:
would it be not the better way to build the whole distribution hardened by expierience that nearly anything is exploitable over the long and performance comes after security
performance would be increaded by many developers learning what to do to prevent wasting ressources much more as do not ANY technique to make things more secure security is a concept of many pieces and each piece makes the overall system better