On Saturday, April 13, 2013 12:19:42 PM Rahul Sundaram wrote:
On Sat, Apr 13, 2013 at 11:33 AM, Steve Grubb wrote:
I don't think there is any need to extend the set of packages that _should_ get hardening. The current guidelines are sufficient. What is not happening is the packages that have apps that fit the need to be hardened are not getting the proper hardening. I have opened dozens of bugs on the "core" packages that matter, but even those bz are still not complete.
Is there a tracker bug? Proven packagers can help.
I have a tracker bug for issues identified on the core set of packages that would be part of a common criteria certification:
https://bugzilla.redhat.com/show_bug.cgi?id=853068
which then shows:

dbus            https://bugzilla.redhat.com/show_bug.cgi?id=853152
NetworkManager  https://bugzilla.redhat.com/show_bug.cgi?id=853199
I have not run the script that checks a distribution on F19 yet, so maybe there are more?
http://people.redhat.com/sgrubb/files/rpm-chksec
To check a typical install and only get the packages that do not meet policy, do this:
./rpm-chksec --all | sed -r "s/\x1B[([0-9]{1,2}(;[0-9]{1,2})?)?[m|K]//g" | egrep -w 'no|PACKAGE'
A small sample on F18:
PACKAGE                    RELRO  PIE  CLASS
abrt-addon-ccpp.x86_64     yes    no   setuid
abrt.x86_64                yes    no   daemon
accountsservice.x86_64     yes    no   daemon
acpid.x86_64               yes    no   daemon
agave.x86_64               no     yes  exec
akonadi.x86_64             yes    no   network-local
alsa-lib.x86_64            yes    no   network-local
alsa-utils.x86_64          yes    no   network-ip
apg.x86_64                 yes    no   daemon
arpwatch.x86_64            yes    no   daemon
But it should be noted that the script does not identify parsers of untrusted media. This would be stuff like: gnash, ooffice, evince, poppler, firefox, konqueror, xchat, wireshark, eog, kmail, evolution, rpm, etc. I don't know how to automate that.
-Steve
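The two columns rpm-chksec reports, RELRO and PIE, come straight out of the ELF headers. The following is an added example (not Steve's rpm-chksec script) that reads those properties from an ELF64 image; it goes one step further than the yes/no columns above by distinguishing partial RELRO (PT_GNU_RELRO present) from full RELRO (PT_GNU_RELRO plus BIND_NOW in the dynamic section). The sample binaries are constructed in memory, so it runs offline; the classification names and build_elf helper are my own.

```python
"""Report the RELRO and PIE hardening state of a little-endian ELF64 image.
PIE: e_type == ET_DYN.  RELRO: PT_GNU_RELRO segment present; 'full' only when the
dynamic section also asks for BIND_NOW (example code, not part of rpm-chksec)."""
import struct

PT_DYNAMIC, PT_GNU_RELRO = 2, 0x6474E552
ET_EXEC, ET_DYN = 2, 3
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

def classify(data: bytes) -> dict:
    """Return {'pie': bool, 'relro': 'none'|'partial'|'full'} for an ELF64 LE image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    e_type, = struct.unpack_from("<H", data, 16)
    phoff, = struct.unpack_from("<Q", data, 32)
    phentsize, phnum = struct.unpack_from("<HH", data, 54)
    has_relro, bind_now = False, False
    for i in range(phnum):
        p_type, _fl, p_off, _va, _pa, p_filesz = struct.unpack_from("<IIQQQQ", data, phoff + i * phentsize)
        if p_type == PT_GNU_RELRO:
            has_relro = True
        elif p_type == PT_DYNAMIC:
            # Walk the dynamic section (16-byte entries) until DT_NULL, looking for BIND_NOW.
            for off in range(p_off, p_off + p_filesz, 16):
                tag, val = struct.unpack_from("<qQ", data, off)
                if tag == DT_NULL:
                    break
                if tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW) or (tag == DT_FLAGS_1 and val & DF_1_NOW):
                    bind_now = True
    relro = "full" if has_relro and bind_now else "partial" if has_relro else "none"
    return {"pie": e_type == ET_DYN, "relro": relro}

def build_elf(e_type: int, relro: bool, bind_now: bool) -> bytes:
    """Construct a minimal ELF64 image (header, program headers, dynamic section) as test input."""
    dyn = struct.pack("<qQ", DT_FLAGS, DF_BIND_NOW if bind_now else 0) + struct.pack("<qQ", DT_NULL, 0)
    phnum = 2 if relro else 1
    dyn_off = 64 + 56 * phnum                       # dynamic section follows the program headers
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8   # ELFCLASS64, little-endian, version 1
    ehdr += struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0, 64, 56, phnum, 64, 0, 0)
    phdrs = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, dyn_off, 0, 0, len(dyn), len(dyn), 8)
    if relro:
        phdrs += struct.pack("<IIQQQQQQ", PT_GNU_RELRO, 4, dyn_off, 0, 0, len(dyn), len(dyn), 1)
    return ehdr + phdrs + dyn

if __name__ == "__main__":
    samples = {"hardened": build_elf(ET_DYN, True, True), "daemon-like": build_elf(ET_EXEC, True, False)}
    for name, img in samples.items():
        print(name, classify(img))
```

To run it against an installed binary, pass `open(path, "rb").read()` to `classify`; a daemon that shows `pie: False` is exactly the kind of entry the `egrep -w 'no|PACKAGE'` filter above surfaces.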