Content Of Security Audit Reports
- Requestor(s)
- Auditor(s)
- Request date
- Delivery date
Target of evaluation
- Project name
- Project content ((S)RPM package or URL to version control system)
- Version (RPM version, upstream version or version control revision)
- Summarize the scope of the audit and, if possible, aspects of the threat model.
Basic information
- Main programming language(s)
- Approximate lines of code (sloccount)
- Contains example code (yes/no)
- Contains test suite (yes/no)
- Specific functionality (yes/no for each of the following)
  - Handles authentication
  - Network access
  - File system access
  - D-Bus access
  - Process environment access
  - Listens on network
  - Provides D-Bus service
  - Registers MIME types or file extensions
  - Installs browser plug-ins
  - setuid executable
  - Uses fork
  - Uses threads
  - Thread-safe
Dependencies
- Required libraries
Build options
- Builds compiled code (yes/no)
- Builds managed code (yes/no)
- Builds one or more libraries (yes/no)
- Builds one or more executables (yes/no)
- Uses the recommended Defensive Coding code generation/linking options (yes/no)
- Uses Defensive Coding warning flags (yes/no)
- Produces compiler warnings (yes/no)
Assumptions
List all assumptions made during the audit, such as correct use of APIs by callers. Not every such aspect can be covered in an audit, especially when it requires a lot of domain-specific knowledge.
Compiler warnings
Note relevant compiler warnings, possibly after changing the compiler invocation to show more warnings. (This may include warnings from compilers or compiler versions other than the one used for the production build.)
Banned APIs
Note usage of APIs which are impossible to use correctly (gets, getwd, readdir_r, etc.).
Dangerous APIs
Note usage of dangerous APIs (certain C string functions, incorrect temporary file creation, process environment access from libraries, many forms of serialization).
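Two of the dangerous API patterns named above, beside the replacement an auditor would recommend, as an added example that is not part of the guide or of any audited project. The function names (join_path, make_private_tempfile, tempfile_mode_bits) are this example's own, and the directory and file-name prefix it uses are constructed inputs.

```c
/* Added example, not from the Defensive Coding Guide. Shows the unsafe
 * pattern in comments and the safe replacement in code for two of the
 * "dangerous API" classes: unbounded C string functions and
 * name-then-open temporary file creation. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Dangerous: sprintf(dst, "%s/%s", dir, name) or strcpy/strcat into a
 * fixed buffer overflow silently when dir or name is long.
 * Safe: snprintf with its return value checked for truncation rather
 * than ignored. Returns 0 on success, -1 if the result did not fit
 * (dst is then an empty string, never a silently shortened path). */
int join_path(char *dst, size_t dstlen, const char *dir, const char *name)
{
    int n = snprintf(dst, dstlen, "%s/%s", dir, name);
    if (n < 0 || (size_t)n >= dstlen) {
        if (dstlen > 0)
            dst[0] = '\0';
        return -1;
    }
    return 0;
}

/* Dangerous: tmpnam()/mktemp() hand back a name which the caller then
 * open()s; an attacker can create the file (or a symlink) in between.
 * Safe: mkstemp() creates the file atomically with O_EXCL and mode
 * 0600 and returns an open descriptor. The directory is a parameter
 * instead of getenv("TMPDIR") because environment access from library
 * code is itself flagged above. 'path' receives the actual name so the
 * caller can unlink it later. Returns the fd, or -1 with errno set. */
int make_private_tempfile(const char *dir, char *path, size_t pathlen)
{
    if (join_path(path, pathlen, dir, "audit-XXXXXX") != 0) {
        errno = ENAMETOOLONG;
        return -1;
    }
    return mkstemp(path);
}

/* Creates a temporary file under /tmp (constructed input), records its
 * permission bits, and removes it again. Returns the bits or -1 on any
 * failure. Because mkstemp opens with 0600 and umask can only clear
 * bits, the result is never wider than 0600; this is the check an
 * auditor would run to confirm the file is not group/world readable. */
int tempfile_mode_bits(void)
{
    char path[4096];
    struct stat st;
    int fd = make_private_tempfile("/tmp", path, sizeof path);
    if (fd < 0)
        return -1;
    int rc = fstat(fd, &st);
    (void)unlink(path);   /* name no longer needed; fd stays usable */
    (void)close(fd);
    if (rc != 0)
        return -1;
    return (int)(st.st_mode & 0777);
}
```

The truncation check in join_path is the part most often missing in real code: snprintf never overflows, but a caller that ignores its return value happily uses a path that is not the one it meant to build.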
Definite problems
List issues known to be present in the code base. Mark each one as security-relevant or non-relevant. This includes API misuse such as missing return value checks from malloc or setuid/setgid. This may include dead code (especially conditionally compiled code).
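The two API misuses named above, written the way an audit would recommend them to be fixed, as an added example that is not code from the guide or from any audited project. The function names (alloc_array, dup_bounded, drop_privileges_to) are this example's own; the privilege-drop routine is the common Linux ordering (supplementary groups, then GID, then UID, then verify), not a specific project's implementation.

```c
/* Added example, not from the Defensive Coding Guide: return-value
 * checks for malloc and for setuid/setgid, the two API misuses the
 * "Definite problems" section singles out. */
#define _DEFAULT_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Unchecked malloc(count * size) has two bugs: the multiplication can
 * wrap, and a NULL result is dereferenced. Check both. Returns the
 * allocation or NULL with errno set. */
void *alloc_array(size_t count, size_t size)
{
    if (size != 0 && count > SIZE_MAX / size) {
        errno = EOVERFLOW;          /* count * size would wrap */
        return NULL;
    }
    void *p = malloc(count * size);
    if (p == NULL)
        return NULL;                /* caller must handle ENOMEM */
    return p;
}

/* Copy at most maxlen bytes of s into freshly allocated storage.
 * Returns NULL on NULL input or allocation failure, so the caller is
 * forced to check instead of receiving garbage. */
char *dup_bounded(const char *s, size_t maxlen)
{
    if (s == NULL)
        return NULL;
    size_t len = strnlen(s, maxlen);
    char *copy = alloc_array(len + 1, 1);
    if (copy == NULL)
        return NULL;
    memcpy(copy, s, len);
    copy[len] = '\0';
    return copy;
}

/* Permanently drop to uid/gid. Order matters: supplementary groups and
 * the primary GID must go while still root, the UID last, because
 * setgid() fails once the UID is unprivileged. Every return value is
 * checked, and the outcome is verified with getuid/geteuid/getgid/
 * getegid, since a partial drop is a security bug, not a warning.
 * (On Linux, setuid() called by root also replaces the saved set-user
 * ID; portable calls cannot read it, so it is not re-checked here.)
 * Returns 0 on success, -1 with errno set on failure. */
int drop_privileges_to(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid) {
        errno = EPERM;              /* the calls "succeeded" but IDs did not change */
        return -1;
    }
    return 0;
}
```

Calling drop_privileges_to(getuid(), getgid()) from an unprivileged process succeeds and is a cheap way to exercise the verification path in a test suite; the interesting failure cases (setgid after setuid, forgotten setgroups) only show up when the process starts as root.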
Possible problems
The same list, but this time for issues which are likely but not definitely present in the source code, such as suspected problems that could not be confirmed by code review alone.
Recommendations
Give recommendations based on the observations that do not fit into the previous categories.