From Fedora Project Wiki
Revision as of 09:32, 3 March 2013
List of checks for security hardening of a package
- check that the spec sets %global _hardened_build 1 ( https://fedoraproject.org/wiki/Packaging:Guidelines#Compiler_flags )
- inspect the service file ( http://0pointer.de/blog/projects/security.html )
  - private tmp ( PrivateTmp=true )
  - private network ( PrivateNetwork= )
  - block syscalls ( SystemCallFilter= )
  - block devices ( DeviceAllow= )
  - block paths ( like /home ) ( ReadOnlyDirectories= , InaccessibleDirectories= ; renamed ReadOnlyPaths= and InaccessiblePaths= in systemd 231, the old names are still accepted )
  - limit the number of processes it can run ( LimitNPROC=1 )
- check whether the daemon has an SELinux policy or not
  - check with ps faxZ: a daemon running in the "system_u:system_r:initrc_t:s0" domain has no policy of its own
- inspect rpmlint errors about insecure file usage & insecure API ( needs the git HEAD version )
  - check the initgroups/setgroups/setuid order ( groups must be dropped before the uid: initgroups or setgroups, then setgid, then setuid last )
  - check that chroot is paired with a chdir ( chdir to the new root before chroot, or chdir("/") right after it )
- check that the compile flags are properly added
- check whether the daemon runs as root, with ps fax
- check whether the daemon drops capabilities, with pscap
  - use CapabilityBoundingSet= in the service file to reduce them if possible
- security review ( http://people.redhat.com/sgrubb/security/ )
  - tmp file usage
- check whether it is started by default if it is network facing
- check that the package is up to date
- check file permissions
  - check log file permissions ( read )
  - check where the service can write
- check that the service still works in a hardened setup ( http://womble.decadent.org.uk/blog/whats-in-the-linux-kernel-for-debian-70-wheezy-part-1.html )
  - activate fs.protected_symlinks and see if it breaks
  - activate fs.protected_hardlinks and see if it breaks
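Most of the checks above are run by hand. The script below is an added example, not part of the wiki page and not Fedora tooling; it automates the offline parts of the list: it audits a unit file for the directives named under "inspect the service file", decides from a ps faxZ context whether the daemon has a policy of its own, picks root-owned daemons out of ps output, and reports which of the fs.protected_* sysctls are off. The unit files, SELinux contexts, ps lines and sysctl tree are constructed samples and the daemon name "sampled" is hypothetical. Two details go beyond the page: treating unconfined_service_t as "no policy" alongside initrc_t, and accepting the systemd 231 spellings ReadOnlyPaths=/InaccessiblePaths= next to the old ReadOnlyDirectories=/InaccessibleDirectories=.

```shell
#!/bin/sh
# Added example (not from the Fedora wiki page): offline helpers for some of
# the checklist items. The unit files, SELinux contexts, ps output, sysctl
# tree and the daemon name "sampled" are constructed samples so the script
# runs without root or a live daemon; comments show the live command each
# helper stands in for.
set -eu

# --- service file: hardening directives from the checklist ----------------
# One "label;regex" per line. ReadOnlyDirectories=/InaccessibleDirectories=
# were renamed ReadOnlyPaths=/InaccessiblePaths= in systemd 231, so both are
# accepted. Booleans must be true, not merely present ("PrivateTmp=no" fails).
UNIT_CHECKS='
PrivateTmp;PrivateTmp=(yes|true|on|1)
PrivateNetwork;PrivateNetwork=(yes|true|on|1)
SystemCallFilter;SystemCallFilter=.
DeviceAllow;DeviceAllow=.
ReadOnlyDirectories;(ReadOnlyDirectories|ReadOnlyPaths)=.
InaccessibleDirectories;(InaccessibleDirectories|InaccessiblePaths)=.
LimitNPROC;LimitNPROC=.
CapabilityBoundingSet;CapabilityBoundingSet=
'

# audit_unit FILE: one "missing: Key=" line per directive the unit lacks.
# Live: audit_unit /usr/lib/systemd/system/foo.service
audit_unit() {
    for entry in $UNIT_CHECKS; do
        label=${entry%%;*}
        regex=${entry#*;}
        grep -Eq "^[[:space:]]*${regex}" "$1" || echo "missing: ${label}="
    done
}

# --- SELinux: does the daemon run in a domain of its own? -----------------
# Live: ps faxZ (or ps -eZ); the type is the third field of the context.
selinux_type() { printf '%s\n' "$1" | cut -d: -f3; }

# Returns 0 when the context means "no policy for this daemon". initrc_t is
# the domain the checklist names; unconfined_service_t is the newer default
# for unconfined systemd services (added here, not on the wiki page).
is_unconfined_daemon() {
    case $(selinux_type "$1") in
        initrc_t|unconfined_service_t) return 0 ;;
        *) return 1 ;;
    esac
}

# --- daemons running as root, from "ps axo user,comm" output on stdin ------
# Live: ps axo user,comm | root_daemons
root_daemons() { awk 'NR > 1 && $1 == "root" { print $2 }'; }

# --- hardened-setup sysctls -----------------------------------------------
# weak_link_sysctls DIR: report protected_symlinks/protected_hardlinks that
# are off under DIR (live DIR is /proc/sys/fs; turn them on with
# "sysctl -w fs.protected_symlinks=1 fs.protected_hardlinks=1", then retest).
weak_link_sysctls() {
    for s in protected_symlinks protected_hardlinks; do
        [ "$(cat "$1/$s")" = 1 ] || echo "$s=0"
    done
}

# --- constructed samples --------------------------------------------------
TMPD=$(mktemp -d); trap 'rm -rf "$TMPD"' EXIT

cat > "$TMPD/weak.service" <<'EOF'
[Unit]
Description=constructed sample daemon with no hardening
[Service]
ExecStart=/usr/sbin/sampled
PrivateTmp=no
EOF

cat > "$TMPD/hardened.service" <<'EOF'
[Service]
ExecStart=/usr/sbin/sampled
PrivateTmp=true
PrivateNetwork=true
SystemCallFilter=~@mount @reboot
DeviceAllow=/dev/null rw
ReadOnlyPaths=/usr /etc
InaccessiblePaths=/home
LimitNPROC=1
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
EOF

mkdir -p "$TMPD/fs"; echo 1 > "$TMPD/fs/protected_symlinks"; echo 0 > "$TMPD/fs/protected_hardlinks"

PS_SAMPLE='USER     COMMAND
root     systemd
root     sampled
sampled  sampled-worker'

echo "== weak.service";     audit_unit "$TMPD/weak.service"
echo "== hardened.service"; audit_unit "$TMPD/hardened.service"
echo "== root daemons";     printf '%s\n' "$PS_SAMPLE" | root_daemons
echo "== link sysctls off"; weak_link_sysctls "$TMPD/fs"
```

On a real system point audit_unit at the unit under /usr/lib/systemd/system, feed it the context column of ps faxZ for the daemon's PID, and run weak_link_sysctls against /proc/sys/fs; a directive reported as missing is not automatically a bug (a daemon that needs the network cannot take PrivateNetwork=), it is the item to justify in the review.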