Blame - meta-security/docs/overview.txt - mdmillerii/openbmc

Brad Bishop

1a4b7ee

2018-12-16 17:11:34 -0800

[diff] [blame]

Meta-security Docs

=============

In this section the contents of the layer is listed, along with a short

5

help for each package.

== bastille ==

Bastille is a system hardening / lockdown program which enhances the

10

security of a Unix host. It configures daemons, system settings and

11

firewalls to be more secure. It can shut off unneeded services

12

like rcp and rlogin, and helps create "chroot jails" that help limit the

13

vulnerability of common Internet services like Web services and DNS.

14

15

usage : The functionality of Bastille which is available is

16

restricted to a purely informational one. The command:

17

bastille -c --os Yocto

18

will cause a series of menus containing security questions

19

about the system to be displayed to the user. For each

20

question, a default response, specified in the configuration

21

file which is installed with Bastille, will be selected.

22

The user may select an alternate response. When the user

23

has completed the sequence of menus Bastille saves the

24

responses to the configuration file.

25

26

The command:

27

bastille -l lists the configuration files that Bastille

28

is able to locate.

29

30

The other functionality which Bastille is intended to provide

31

is actually unavailable. This is not due to errors in poky

32

installation or configuration of the application. The Bastille

33

distribution is no longer supported. Significant modifications

34

would be required to make it possible to make use of the

35

functionality which is currently unavailable.

36

37

38

Additional information about Bastille can be found in the package

39

README file and other documentation.

40

41

Alternatives to Bastille include buck-security and checksecurity,

42

described elsewhere in this file.

43

44

45

== redhat-security ==

46

47

Sometimes you want to check different aspects of a distribution for security problems.

48

This can be anything from file permissions to correctness of code. This is a collection of those tools.

49

Depending on what information the tool has to access, it may need to be run as root.

50

51

- rpm-chksec.sh : This will take an rpm name as input and verify each ELF file to see if its compiled with the intended flags

52

to most effectively use PIE and RELRO. Green is good, Orange could use work but is acceptable, and Red needs fixing.

53

It has a mode --all that is the equivalent of using rpm -qa and feeding the packages to it.

54

In this mode it will only give a summary result for the package. To find which files don't comply,

55

re-run using just the package name.

56

57

!!! WARNING !!! - in order to use this script you need to add to your conf/local.conf file the following lines:

58

IMAGE_ROOTFS_EXTRA_SPACE = "" - specifying the extra space of the image

59

IMAGE_FEATURES += "package management" - for the correct output of rpm -qa

60

61

- find-nodrop-groups.sh : This will scan a whole file system to see if a program makes calls to change UID

62

and GID without also calling setgroups or initgroups.

63

64

- rpm-drop-groups.sh : Same as above, but takes an rpm name instead.

65

66

- find-chroot.sh : This script scans the whole file system looking for ELF files that calls chroot(2) that also do not include a call to chdir.

67

Programs that fail to do this do not have the cwd inside the chroot. This means the app can escape the protection that was intended.

68

69

- find-chroot-py.sh : This test is like the one above except it examines python scripts for the same problem.

70

71

- find-execstack.sh : This program scans the whole file system for ELF programs that have marked the stack as being executable.

72

This means that if the program has another vulnerablity such as stack buffer overflow,

73

any code the attacker places there is executable. Any program found must be fixed.

74

75

- find-hidden-exec.sh : This program scans the whole file system looking for excutables that are hidden.

76

Anything found must be investigated since its highly unusual for executables to be hidden.

77

78

- find-sh4errors.sh : This program scans the whole file system looking for shell scripts.

79

It then does a sh -n on the script which causes bash to parse the file to see if there are any mistakes.

80

81

- selinux-check-devices.sh : This script checks the /dev directory to see if there are any devices that are not correctly labeled.

82

Anything found by this test should be reported so that selinux policy can be fixed.

83

This test is very hardware specific, so to be effective a lot of people with different hardware

84

should run this test each upstream kernel version release.

85

86

- selinux-ls-unconfined.sh : This script scans the running processes and looks for anything labeled with initrc_t or inetd.

87

These both mean that there are daemons that do not have policy and are therefore running unconfined.

88

These should be reported as SE Linux policy problems. Because it checks currently running daemons,

89

the more you have running, the better the test is.

90

91

- find-sh4tmp.sh : This script scans the whole filesystem to check if shell scripts are using well known tmp file names

92

instead of obscure ones created by something like mktemp.

93

94

- find-elf4tmp.sh : This script scans the whole file system for ELF files using /tmp. When it finds this,

95

it also looks to see if any of the known good random name generator functions is called by looking

96

at the symbol table. If not, it will output the string.

97

98

- lib-bin-check.sh : This will check all installed library packages to see if an application is also part of the package.

99

The relationship to security is that the SHA256 hash check will fail if a 32 bit version overwrites it.

100

Also, the less binaries on a system, the more secure it is by virtue of removing the chance for an exploitable bug.

101

102

103

usage : simply invoke the script name in the terminal.

== pax-utils ==

( This package can be found in oe-core )

109

110

pax-utils is a small set of various PaX aware and related utilities for

111

ELF binaries.

112

113

- scanelf : With this application you can print out information specific to the ELF structure of a binary.

114

For more help please consult the man pages or the readme file.

115

116

- pspax : is a user-space utility that scans the proc directory and list

117

ELF types, as well as their respective PaX flags and filenames and

118

attributes. Depending on build options, it may additionaly display the

119

process running set of capabilities.

120

121

- scanmacho : is a user-space utility to quickly scan given

122

Mach-Os, directories, or common system paths for different information. This

123

may include Mach-O types, their install_names, etc.

124

125

- dumpelf : is a user-space utility to dump all of the internal

126

ELF structures into the equivalent C structures for fun debugging and/or

reference purposes.

usage : simply invoke the script name in the terminal.

== buck-security ==

Buck-Security is a security scanner for Debian and Ubuntu Linux. It runs a couple of important checks and helps you to harden your Linux

136

system. This enables you to quickly overview the security status of your Linux system.

137

138

usage : !!! before starting to use this tool please run the following command: !!!

export GPG_TTY=`tty`

This command is needed for the usage of the comand --make-checksum, which creates

143

a checksum for the files in the system.

144

145

switch to directory /usr/local/buck-security.

146

before running the script, you should check the activated checks in conf/buck-security.conf file.

147

after altering the changes, save the file and simply run :

./buck-security

you can choose between different outputs : 1, 2(default) or 3.

152

153

More detailed usage can be found typing ./buck-security --help

== libseccomp ==

The libseccomp library provides and easy to use, platform independent, interface to the Linux Kernel's syscall filtering mechanism: seccomp.

159

The libseccomp API is designed to abstract away the underlying BPF based syscall filter language and present a more conventional

160

function-call based filtering interface that should be familiar to, and easily adopted by application developers.

161

162

usage : More detailed usage can be found in the man pages and README file of the package.

== checksecurity ==

checksecurity is a simple package which will scan your system for several simple security holes.

169

It uses a simple collection of plugins, all of which are shell scripts which are configured by environmental variables.

170

171

172

usage : To start checksecurity simply write in the terminal :

checksecurity

More detailed usage can be found in the man pages and README file of the package.

== nikto ==

Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items,

182

including over 6500 potentially dangerous files/CGIs, checks for outdated versions of over 1250 servers, and version specific

183

problems on over 270 servers. It also checks for server configuration items such as the presence of multiple index files,

184

HTTP server options, and will attempt to identify installed web servers and software.

185

186

usage : To start nikto simply write in the terminal :

nikto

More detailed usage can be found in the man pages and README file of the package.

License

=======

All metadata is MIT licensed unless otherwise stated. Source code included

196

in tree for individual recipes is under the LICENSE stated in each recipe

197

(.bb file) unless otherwise stated.