User:Misc/Hardening checklist

This page was last edited on 3 March 2013, at 08:24.

From Fedora Project Wiki

Revision as of 08:24, 3 March 2013 by Misc (talk | contribs)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

List of check for security hardening of a package

check %global hardened build ( https://fedoraproject.org/wiki/Packaging:Guidelines#Compiler_flags )

inspect service file ( http://0pointer.de/blog/projects/security.html )
- PrivateTmp
- PrivateNetwork
- block syscall
- block device
- block path ( like /home ) ( ReadOnlyDirectories= )
- block the number of process to run ( LimitNPROC=1 )

check if a daemon do not have a selinux policy or not

inspect rpmlint error about insecure file usage, insecure API
- check of initgroups/setuid/setgroup order
- check for chdir before chroot
- check for compile flags properly added

check if daemon is run as root with ps fax

check if daemon drop caps, with pscap

security review ( http://people.redhat.com/sgrubb/security/ )
- tmp usage

check if started by default if network facing

check if package is up to date

check file permission, especially log

Retrieved from "https://fedoraproject.org/w/index.php?title=User:Misc/Hardening_checklist&oldid=325016"

Copyright © 2025 Red Hat, Inc. and others. All Rights Reserved. For comments or queries, please contact us.

The Fedora Project is maintained and driven by the community and sponsored by Red Hat. This is a community maintained site. Red Hat is not responsible for content.