Hi, Is there an official Fedora way for telling is something is hardened correctly? I'm working on hardening mongodb, and I think I have it right, but I'd really like to check.

I was given a couple of scripts, which had dependencies not in Fedora, which then had dependencies not in Fedora, and so forth. At the third level of dependencies, I figured there had to be a more official way.

If I missed a Fedora web page on it, or it was in the recent hardening discussion, feel free to point me to it.

Thanks Troy Dawson

The hardening-check perl-script from http://packages.debian.org/sid/hardening-includes sources might work in fedora as well...

On Thu, Jun 6, 2013 at 2:36 PM, Troy Dawson tdawson@redhat.com wrote:

If I missed a Fedora web page on it, or it was in the recent hardening discussion, feel free to point me to it.

This was mentioned: http://people.redhat.com/sgrubb/files/rpm-chksec. Also see http://lwn.net/Articles/454532/. Regards, -- Jerry James http://www.jamezone.org/

On Fri, Jun 7, 2013 at 2:06 AM, Troy Dawson tdawson@redhat.com wrote:

Is there an official Fedora way for telling is something is hardened correctly? I'm working on hardening mongodb, and I think I have it right, but I'd really like to check.

I was given a couple of scripts, which had dependencies not in Fedora, which then had dependencies not in Fedora, and so forth. At the third level of dependencies, I figured there had to be a more official way.

Were you trying to use https://github.com/kholia/checksec ?

checksec is dependant on python-libarchive and pyelftools packages which haven't been packaged for Fedora so far.

The following steps should suffice to get checksec working on Fedora systems,

$ sudo yum install libarchive-devel python-virtualenv $ virtualenv --system-site-packages ~/venv $ source ~/venv/bin/activate (venv) $ pip install python-libarchive pyelftools (venv) $ cd ~/checksec # the git clone (venv) $ ./checksec.py /usr/bin/mongod

You can also run scanner.py on the MongoDB rpm directly (without installing it).

...

Can we please get python-libarchive and pyelftools packaged for Fedora?

On 06/06/2013 03:36 PM, Troy Dawson wrote:

Hi, Is there an official Fedora way for telling is something is hardened correctly? I'm working on hardening mongodb, and I think I have it right, but I'd really like to check.

I was given a couple of scripts, which had dependencies not in Fedora, which then had dependencies not in Fedora, and so forth. At the third level of dependencies, I figured there had to be a more official way.

If I missed a Fedora web page on it, or it was in the recent hardening discussion, feel free to point me to it.

Thanks Troy Dawson

Hi, Thanks for all the suggestions and help. Since there were a couple of threads that came off of this, I'm going to give a summary here.

Programs: http://people.redhat.com/sgrubb/files/rpm-chksec (what I ended up using) http://packages.debian.org/sid/hardening-includes (packaged into rpm, see below) https://nohats.ca/checksec.sh (works) https://github.com/kholia/checksec (had fedora dependency problems that are being worked on)

rpm: hardening-check - http://koji.fedoraproject.org/koji/packageinfo?packageID=16362

Articles: http://lwn.net/Articles/454532/

Summary: I ended up using rpm-chksec because it did everything I needed and all it's requirements were already installed on my machine. Why I chose that? While the other would check files, rpm-chksec took an rpm as an argument and then checked all the binaries in it, giving a nice output.

Again, thanks to everyone who replied. I am glad I checked it. The mongodb scons stuff wasn't accepting arguments as I originally thought, and I found out that I hadn't really hardened mongodb. I'm still working on it. My next patch hardens it, but fails on a few platforms in ways I'm totally not expecting. So, the work goes on, but having a check helps.

Thanks Troy