From Fedora Project Wiki
No edit summary |
No edit summary |
||
| Line 8: | Line 8: | ||
** block syscall | ** block syscall | ||
** block device | ** block device | ||
** block path ( like /home ) | ** block path ( like /home ) ( ReadOnlyDirectories= ) | ||
** block the number of process to run ( LimitNPROC=1 ) | |||
* check if a daemon do not have a selinux policy or not | * check if a daemon do not have a selinux policy or not | ||
| Line 26: | Line 27: | ||
* check if started by default if network facing | * check if started by default if network facing | ||
* check if package is up to date | |||
* check file permission, especially log | |||
Revision as of 08:24, 3 March 2013
List of check for security hardening of a package
- check %global hardened build ( https://fedoraproject.org/wiki/Packaging:Guidelines#Compiler_flags )
- inspect service file ( http://0pointer.de/blog/projects/security.html )
- PrivateTmp
- PrivateNetwork
- block syscall
- block device
- block path ( like /home ) ( ReadOnlyDirectories= )
- block the number of process to run ( LimitNPROC=1 )
- check if a daemon do not have a selinux policy or not
- inspect rpmlint error about insecure file usage, insecure API
- check of initgroups/setuid/setgroup order
- check for chdir before chroot
- check for compile flags properly added
- check if daemon is run as root with ps fax
- check if daemon drop caps, with pscap
- security review ( http://people.redhat.com/sgrubb/security/ )
- tmp usage
- check if started by default if network facing
- check if package is up to date
- check file permission, especially log