On Saturday, April 13, 2013 12:19:42 PM Rahul Sundaram wrote:
> On Sat, Apr 13, 2013 at 11:33 AM, Steve Grubb wrote:
>> I don't think there is any need to extend the set of packages that
>> _should_ get hardening. The current guidelines are sufficient. What is
>> not happening is the packages that have apps that fit the need to be
>> hardened are not getting the proper hardening. I have opened dozens of
>> bugs on the "core" packages that matter, but even those bz are still
>> not complete.
> Is there a tracker bug? Proven packagers can help
I have a tracker bug for issues identified on the core set of packages that
would be part of a common criteria certification:
https://bugzilla.redhat.com/show_bug.cgi?id=853068
which then shows:
dbus
https://bugzilla.redhat.com/show_bug.cgi?id=853152
NetworkManager
https://bugzilla.redhat.com/show_bug.cgi?id=853199
I have not run the script that checks a distribution on F19 yet, so maybe
there are more?
http://people.redhat.com/sgrubb/files/rpm-chksec
To check a typical install and only get the packages that do not meet policy,
do this:
./rpm-chksec --all | sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[m|K]//g" |
egrep -w 'no|PACKAGE'
A small sample on F18:

PACKAGE                  RELRO  PIE  CLASS
abrt-addon-ccpp.x86_64   yes    no   setuid
abrt.x86_64              yes    no   daemon
accountsservice.x86_64   yes    no   daemon
acpid.x86_64             yes    no   daemon
agave.x86_64             no     yes  exec
akonadi.x86_64           yes    no   network-local
alsa-lib.x86_64          yes    no   network-ip
alsa-utils.x86_64        yes    no   network-ip
apg.x86_64               yes    no   daemon
arpwatch.x86_64          yes    no   daemon
But it should be noted that the script does not identify parsers of untrusted
media. This would be stuff like: gnash, ooffice, evince, poppler, firefox,
konqueror, xchat, wireshark, eog, kmail, evolution, rpm, etc. I don't know how
to automate that.
-Steve