mirror of
https://git.yoctoproject.org/meta-security
synced 2026-01-12 03:10:13 +00:00
273 lines
13 KiB
Plaintext
273 lines
13 KiB
Plaintext
Meta-security
|
|
=============
|
|
|
|
This layer provides security tools, hardening tools for Linux kernels
|
|
and libraries for implementing security mechanisms.
|
|
|
|
Dependencies
|
|
============
|
|
|
|
This layer depends on:
|
|
|
|
URI: git://git.openembedded.org/openembedded-core
|
|
branch: master
|
|
revision: HEAD
|
|
prio: default
|
|
|
|
URI: git://git.openembedded.org/meta-openembedded/meta-oe
|
|
branch: master
|
|
revision: HEAD
|
|
prio: default
|
|
|
|
URI: git://git.openembedded.org/meta-openembedded/meta-perl
|
|
branch: master
|
|
revision: HEAD
|
|
prio: default
|
|
|
|
URI: git://git.openembedded.org/meta-openembedded/meta-networking
|
|
branch: master
|
|
revision: HEAD
|
|
prio: default
|
|
|
|
Adding the security layer to your build
|
|
========================================
|
|
|
|
In order to use this layer, you need to make the build system aware of
|
|
it.
|
|
|
|
Assuming the security layer exists at the top-level of your
|
|
yocto build tree, you can add it to the build system by adding the
|
|
location of the security layer to bblayers.conf, along with any
|
|
other layers needed. e.g.:
|
|
|
|
BBLAYERS ?= " \
|
|
/path/to/oe-core/meta \
|
|
/path/to/meta-openembedded/meta-oe \
|
|
/path/to/meta-openembedded/meta-perl \
|
|
/path/to/meta-openembedded/meta-python \
|
|
/path/to/meta-openembedded/meta-networking \
|
|
/path/to/layer/meta-security \
|
|
|
|
Contents and Help
|
|
=================
|
|
|
|
In this section the contents of the layer is listed, along with a short
|
|
help for each package.
|
|
|
|
== bastille ==
|
|
|
|
Bastille is a system hardening / lockdown program which enhances the
|
|
security of a Unix host. It configures daemons, system settings and
|
|
firewalls to be more secure. It can shut off unneeded services
|
|
like rcp and rlogin, and helps create "chroot jails" that help limit the
|
|
vulnerability of common Internet services like Web services and DNS.
|
|
|
|
usage : The functionality of Bastille which is available is
|
|
restricted to a purely informational one. The command:
|
|
bastille -c --os Yocto
|
|
will cause a series of menus containing security questions
|
|
about the system to be displayed to the user. For each
|
|
question, a default response, specified in the configuration
|
|
file which is installed with Bastille, will be selected.
|
|
The user may select an alternate response. When the user
|
|
has completed the sequence of menus Bastille saves the
|
|
responses to the configuration file.
|
|
|
|
The command:
|
|
bastille -l lists the configuration files that Bastille
|
|
is able to locate.
|
|
|
|
The other functionality which Bastille is intended to provide
|
|
is actually unavailable. This is not due to errors in poky
|
|
installation or configuration of the application. The Bastille
|
|
distribution is no longer supported. Significant modifications
|
|
would be required to make it possible to make use of the
|
|
functionality which is currently unavailable.
|
|
|
|
|
|
Additional information about Bastille can be found in the package
|
|
README file and other documentation.
|
|
|
|
Alternatives to Bastille include buck-security and checksecurity,
|
|
described elsewhere in this file.
|
|
|
|
|
|
== redhat-security ==
|
|
|
|
Sometimes you want to check different aspects of a distribution for security problems.
|
|
This can be anything from file permissions to correctness of code. This is a collection of those tools.
|
|
Depending on what information the tool has to access, it may need to be run as root.
|
|
|
|
- rpm-chksec.sh : This will take an rpm name as input and verify each ELF file to see if its compiled with the intended flags
|
|
to most effectively use PIE and RELRO. Green is good, Orange could use work but is acceptable, and Red needs fixing.
|
|
It has a mode --all that is the equivalent of using rpm -qa and feeding the packages to it.
|
|
In this mode it will only give a summary result for the package. To find which files don't comply,
|
|
re-run using just the package name.
|
|
|
|
!!! WARNING !!! - in order to use this script you need to add to your conf/local.conf file the following lines:
|
|
IMAGE_ROOTFS_EXTRA_SPACE = "" - specifying the extra space of the image
|
|
IMAGE_FEATURES += "package management" - for the correct output of rpm -qa
|
|
|
|
- find-nodrop-groups.sh : This will scan a whole file system to see if a program makes calls to change UID
|
|
and GID without also calling setgroups or initgroups.
|
|
|
|
- rpm-drop-groups.sh : Same as above, but takes an rpm name instead.
|
|
|
|
- find-chroot.sh : This script scans the whole file system looking for ELF files that calls chroot(2) that also do not include a call to chdir.
|
|
Programs that fail to do this do not have the cwd inside the chroot. This means the app can escape the protection that was intended.
|
|
|
|
- find-chroot-py.sh : This test is like the one above except it examines python scripts for the same problem.
|
|
|
|
- find-execstack.sh : This program scans the whole file system for ELF programs that have marked the stack as being executable.
|
|
This means that if the program has another vulnerablity such as stack buffer overflow,
|
|
any code the attacker places there is executable. Any program found must be fixed.
|
|
|
|
- find-hidden-exec.sh : This program scans the whole file system looking for excutables that are hidden.
|
|
Anything found must be investigated since its highly unusual for executables to be hidden.
|
|
|
|
- find-sh4errors.sh : This program scans the whole file system looking for shell scripts.
|
|
It then does a sh -n on the script which causes bash to parse the file to see if there are any mistakes.
|
|
|
|
- selinux-check-devices.sh : This script checks the /dev directory to see if there are any devices that are not correctly labeled.
|
|
Anything found by this test should be reported so that selinux policy can be fixed.
|
|
This test is very hardware specific, so to be effective a lot of people with different hardware
|
|
should run this test each upstream kernel version release.
|
|
|
|
- selinux-ls-unconfined.sh : This script scans the running processes and looks for anything labeled with initrc_t or inetd.
|
|
These both mean that there are daemons that do not have policy and are therefore running unconfined.
|
|
These should be reported as SE Linux policy problems. Because it checks currently running daemons,
|
|
the more you have running, the better the test is.
|
|
|
|
- find-sh4tmp.sh : This script scans the whole filesystem to check if shell scripts are using well known tmp file names
|
|
instead of obscure ones created by something like mktemp.
|
|
|
|
- find-elf4tmp.sh : This script scans the whole file system for ELF files using /tmp. When it finds this,
|
|
it also looks to see if any of the known good random name generator functions is called by looking
|
|
at the symbol table. If not, it will output the string.
|
|
|
|
- lib-bin-check.sh : This will check all installed library packages to see if an application is also part of the package.
|
|
The relationship to security is that the SHA256 hash check will fail if a 32 bit version overwrites it.
|
|
Also, the less binaries on a system, the more secure it is by virtue of removing the chance for an exploitable bug.
|
|
|
|
|
|
usage : simply invoke the script name in the terminal.
|
|
|
|
|
|
== pax-utils ==
|
|
|
|
( This package can be found in oe-core )
|
|
|
|
pax-utils is a small set of various PaX aware and related utilities for
|
|
ELF binaries.
|
|
|
|
- scanelf : With this application you can print out information specific to the ELF structure of a binary.
|
|
For more help please consult the man pages or the readme file.
|
|
|
|
- pspax : is a user-space utility that scans the proc directory and list
|
|
ELF types, as well as their respective PaX flags and filenames and
|
|
attributes. Depending on build options, it may additionaly display the
|
|
process running set of capabilities.
|
|
|
|
- scanmacho : is a user-space utility to quickly scan given
|
|
Mach-Os, directories, or common system paths for different information. This
|
|
may include Mach-O types, their install_names, etc.
|
|
|
|
- dumpelf : is a user-space utility to dump all of the internal
|
|
ELF structures into the equivalent C structures for fun debugging and/or
|
|
reference purposes.
|
|
|
|
|
|
usage : simply invoke the script name in the terminal.
|
|
|
|
|
|
== buck-security ==
|
|
|
|
Buck-Security is a security scanner for Debian and Ubuntu Linux. It runs a couple of important checks and helps you to harden your Linux
|
|
system. This enables you to quickly overview the security status of your Linux system.
|
|
|
|
usage : !!! before starting to use this tool please run the following command: !!!
|
|
|
|
export GPG_TTY=`tty`
|
|
|
|
This command is needed for the usage of the comand --make-checksum, which creates
|
|
a checksum for the files in the system.
|
|
|
|
switch to directory /usr/local/buck-security.
|
|
before running the script, you should check the activated checks in conf/buck-security.conf file.
|
|
after altering the changes, save the file and simply run :
|
|
|
|
./buck-security
|
|
|
|
you can choose between different outputs : 1, 2(default) or 3.
|
|
|
|
More detailed usage can be found typing ./buck-security --help
|
|
|
|
|
|
== libseccomp ==
|
|
|
|
The libseccomp library provides and easy to use, platform independent, interface to the Linux Kernel's syscall filtering mechanism: seccomp.
|
|
The libseccomp API is designed to abstract away the underlying BPF based syscall filter language and present a more conventional
|
|
function-call based filtering interface that should be familiar to, and easily adopted by application developers.
|
|
|
|
usage : More detailed usage can be found in the man pages and README file of the package.
|
|
|
|
|
|
|
|
== checksecurity ==
|
|
|
|
checksecurity is a simple package which will scan your system for several simple security holes.
|
|
It uses a simple collection of plugins, all of which are shell scripts which are configured by environmental variables.
|
|
|
|
|
|
usage : To start checksecurity simply write in the terminal :
|
|
|
|
checksecurity
|
|
|
|
More detailed usage can be found in the man pages and README file of the package.
|
|
|
|
|
|
== nikto ==
|
|
|
|
Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items,
|
|
including over 6500 potentially dangerous files/CGIs, checks for outdated versions of over 1250 servers, and version specific
|
|
problems on over 270 servers. It also checks for server configuration items such as the presence of multiple index files,
|
|
HTTP server options, and will attempt to identify installed web servers and software.
|
|
|
|
usage : To start nikto simply write in the terminal :
|
|
|
|
nikto
|
|
|
|
More detailed usage can be found in the man pages and README file of the package.
|
|
|
|
|
|
== nmap ==
|
|
|
|
Nmap ("Network Mapper") is a free and open source (license) utility for network discovery and security auditing.
|
|
Many systems and network administrators also find it useful for tasks such as network inventory,
|
|
managing service upgrade schedules, and monitoring host or service uptime.
|
|
|
|
usage : To start nikto simply write in the terminal :
|
|
|
|
nmap
|
|
|
|
More detailed usage can be found in the man pages and README file of the package.
|
|
|
|
Maintenance
|
|
-----------
|
|
|
|
Send pull requests, patches, comments or questions to yocto@yoctoproject.org
|
|
|
|
When sending single patches, please using something like:
|
|
'git send-email -1 --to yocto@yoctoproject.org --subject-prefix=meta-security][PATCH'
|
|
|
|
Maintainers: Saul Wold <sgw@linux.intel.com>
|
|
Armin Kuster <akuster@mvista.com>
|
|
|
|
|
|
License
|
|
=======
|
|
|
|
All metadata is MIT licensed unless otherwise stated. Source code included
|
|
in tree for individual recipes is under the LICENSE stated in each recipe
|
|
(.bb file) unless otherwise stated.
|