Hi, Is there an official Fedora way for telling if something is hardened correctly? I'm working on hardening mongodb, and I think I have it right, but I'd really like to check.
I was given a couple of scripts, which had dependencies not in Fedora, which then had dependencies not in Fedora, and so forth. At the third level of dependencies, I figured there had to be a more official way.
If I missed a Fedora web page on it, or it was in the recent hardening discussion, feel free to point me to it.
Thanks, Troy Dawson
The hardening-check perl-script from http://packages.debian.org/sid/hardening-includes sources might work in fedora as well...
On Thursday, 06.06.2013, 22:43 +0200, Björn Esser wrote:
I did some tests with the hardening-check perl-script from debian and it works well in fedora and el. So I packaged it into an rpm: https://bugzilla.redhat.com/show_bug.cgi?id=971836
If someone wants to review (a quick one, just a noarch perl-script, manpage and usual %doc)...
Cheers, Björn
On Thu, Jun 6, 2013 at 2:36 PM, Troy Dawson tdawson@redhat.com wrote:
If I missed a Fedora web page on it, or it was in the recent hardening discussion, feel free to point me to it.
This was mentioned: http://people.redhat.com/sgrubb/files/rpm-chksec. Also see http://lwn.net/Articles/454532/.
Regards,
-- Jerry James http://www.jamezone.org/
On Thu, 6 Jun 2013, Troy Dawson wrote:
Is there an official Fedora way for telling is something is hardened correctly? I'm working on hardening mongodb, and I think I have it right, but I'd really like to check.
I use https://nohats.ca/checksec.sh
Paul
On Fri, Jun 7, 2013 at 2:06 AM, Troy Dawson tdawson@redhat.com wrote:
Is there an official Fedora way for telling is something is hardened correctly? I'm working on hardening mongodb, and I think I have it right, but I'd really like to check.
I was given a couple of scripts, which had dependencies not in Fedora, which then had dependencies not in Fedora, and so forth. At the third level of dependencies, I figured there had to be a more official way.
Were you trying to use https://github.com/kholia/checksec ?
checksec is dependent on the python-libarchive and pyelftools packages, which haven't been packaged for Fedora so far.
The following steps should suffice to get checksec working on Fedora systems,
$ sudo yum install libarchive-devel python-virtualenv
$ virtualenv --system-site-packages ~/venv
$ source ~/venv/bin/activate
(venv) $ pip install python-libarchive pyelftools
(venv) $ cd ~/checksec  # the git clone
(venv) $ ./checksec.py /usr/bin/mongod
You can also run scanner.py on the MongoDB rpm directly (without installing it).
...
Can we please get python-libarchive and pyelftools packaged for Fedora?
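As an added illustration of what the checkers discussed in this thread look at (this is not code from checksec, hardening-check or rpm-chksec): a minimal Python ELF64 reader that reports PIE, NX stack, RELRO and BIND_NOW, exercised on a constructed headers-only ELF image that the block builds itself; the sample builder, its offsets and flag values are this example's own assumptions.

```python
# Added example, not code from checksec/hardening-check/rpm-chksec: a minimal
# little-endian ELF64 reader for the properties those tools report (PIE, NX stack,
# RELRO, BIND_NOW). Stack-protector/FORTIFY need the symbol table; omitted here.
import struct

PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474E551, 0x6474E552
PF_X, DT_NULL, DT_FLAGS, DT_FLAGS_1 = 0x1, 0, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

def check_elf64(data: bytes) -> dict:
    """Walk program headers and .dynamic entries; return the hardening flags."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("expected a little-endian 64-bit ELF image")
    e_type, = struct.unpack_from("<H", data, 16)          # 3 == ET_DYN, i.e. PIE
    e_phoff, = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    # Without a PT_GNU_STACK header the kernel gives an executable stack: NX off.
    res = {"pie": e_type == 3, "nx": False, "relro": False, "bind_now": False}
    dyn = (0, 0)                                          # (offset, size) of .dynamic
    for i in range(e_phnum):
        p_type, p_flags, p_off, _, _, p_filesz = struct.unpack_from(
            "<IIQQQQ", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            res["nx"] = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:      # partial RELRO; "full" also needs BIND_NOW
            res["relro"] = True
        elif p_type == PT_DYNAMIC:
            dyn = (p_off, p_filesz)
    for off in range(dyn[0], dyn[0] + dyn[1], 16):       # Elf64_Dyn is 16 bytes
        d_tag, d_val = struct.unpack_from("<qQ", data, off)
        if d_tag == DT_NULL:
            break
        if (d_tag == DT_FLAGS and d_val & DF_BIND_NOW) or \
           (d_tag == DT_FLAGS_1 and d_val & DF_1_NOW):
            res["bind_now"] = True
    return res

def build_sample(pie: bool, nx: bool, relro: bool, bind_now: bool) -> bytes:
    """Constructed test input: a headers-only ELF64 image with the chosen properties."""
    phdrs = [(PT_GNU_STACK, 6 if nx else 7, 0, 0, 0, 0, 0, 16)]       # RW vs RWX
    if relro:
        phdrs.append((PT_GNU_RELRO, 4, 0, 0, 0, 0, 0, 1))
    dyn = struct.pack("<qQqQ", DT_FLAGS_1, DF_1_NOW if bind_now else 0, DT_NULL, 0)
    dyn_off = 64 + 56 * (len(phdrs) + 1)                # right after ehdr + phdrs
    phdrs.append((PT_DYNAMIC, 6, dyn_off, 0, 0, len(dyn), len(dyn), 8))
    ehdr = b"\x7fELF\x02\x01\x01" + b"\0" * 9 + struct.pack(
        "<HHIQQQIHHHHHH", 3 if pie else 2, 62, 1, 0, 64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    return ehdr + b"".join(struct.pack("<IIQQQQQQ", *p) for p in phdrs) + dyn
```

To inspect a real binary, pass the bytes of the file to check_elf64; the tools above additionally read the symbol table for stack-protector and FORTIFY markers.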
Hi, Thanks for all the suggestions and help. Since there were a couple of threads that came off of this, I'm going to give a summary here.
Programs:
http://people.redhat.com/sgrubb/files/rpm-chksec (what I ended up using)
http://packages.debian.org/sid/hardening-includes (packaged into rpm, see below)
https://nohats.ca/checksec.sh (works)
https://github.com/kholia/checksec (had fedora dependency problems that are being worked on)
rpm: hardening-check - http://koji.fedoraproject.org/koji/packageinfo?packageID=16362
Articles: http://lwn.net/Articles/454532/
Summary: I ended up using rpm-chksec because it did everything I needed and all its requirements were already installed on my machine. Why did I choose that? While the others would check files, rpm-chksec took an rpm as an argument and then checked all the binaries in it, giving a nice output.
Again, thanks to everyone who replied. I am glad I checked it. The mongodb scons stuff wasn't accepting arguments as I originally thought, and I found out that I hadn't really hardened mongodb. I'm still working on it. My next patch hardens it, but fails on a few platforms in ways I'm totally not expecting. So, the work goes on, but having a check helps.
Thanks, Troy
On Monday, 10.06.2013, 09:32 -0500, Troy Dawson wrote:
checksec is available as an rpm now, too: https://koji.fedoraproject.org/koji/packageinfo?packageID=16388
If you want to give some karma:
https://admin.fedoraproject.org/updates/checksec-1.5-1.fc19
https://admin.fedoraproject.org/updates/checksec-1.5-1.el6
https://admin.fedoraproject.org/updates/checksec-1.5-1.el5
karma for hardening-check: https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-10405/hardening-che...
Cheers, Björn