mirror of
https://git.yoctoproject.org/meta-security
synced 2026-06-04 02:00:24 +00:00
mulhern
594e95f052
buck-security hard-codes a number of file locations for the target system on
which it operates and also its own dependencies. These hard-coded dependencies
have been parameterized and a few other related changes have been made. The
changes are more fully explained below.
buck-security.bb:
* The RDEPENDS_${PN} variable has been made more orderly in anticipation of
subsequent changes. It also includes a few other perl modules required by
the changes to the application.
* The functionality.patch file has been removed and superseded by the
take_root_dir.patch patch.
* The definition of S is parameterized on BPN not PN; they are different if the
package has a native option.
* The install step replaces the use directives and an assignment in the
buck-security script in a more general way than previously.
* The recipes now allows the package to have a native version.
take_root_dir.patch:
* buck-security
* An additional flag, sysroot, that specifies the sysroot of the filesystem
that the buck-security utility inspects is added. If the sysroot can not
be located the script fails gracefully.
* An additional flag, no-sudo, which prevents the script from exiting
if it is not run by root is added.
* An additional flag, disable-checks, which accepts a comma-separated list
of checks to be disabled is added.
* The script checks whether there has been an error in parsing the
command-line arguments and fails with a usage message if there has.
* The log flag now optionally takes a log file name.
* The location of the configuration file is calculated relative to the
location of the main script and if it can not be found the script fails
gracefully.
* The various file locations specified in the buck-security configuration
file are made relative to the location of the buck-security script or the
sysroot as appropriate.
* If a log file has been specified the log is not also printed to stdout.
* The command actually executed is printed in the log.
* Some checks for mutually exclusive options are added.
* Output level 3 is now meaningless, so it has been removed.
* Various changes have been made to the report format.
* Results are sorted lexicographically and, if abspath, do not include
the sysroot.
* checks/*.pm files
* Wherever a directory had been hard-coded it is now parameterized on the
sysroot.
* In some cases, a test that had previously been run as a bash test was
converted to a perl test to allow better handling of results and errors.
* The output parameter is no longer accepted by the check procedure since
this value is global.
* All check procedures now accept an output_type parameter.
* The dangling URLs are removed from the help text.
* checks/lib/check.pm
* The CheckBash and CheckPerl functions have been adapted so that the
the filepaths are not hard-coded and so that the actual command is made
available to the logging component.
* A parameter indicating the outcome type is accepted and passed to the
exception checker.
* Error output is clearly distinguished from regular output.
* A failure in a test is clearly distinguished from an insecure result.
* The output is no longer formatted in the check functions.
* checks/lib/mkchecksum.pm
* The command no longer is run on non-existent directories.
* checks/lib/exceptions.pm
* The exception file path is located relative to the buck-security script.
* If the exceptions are pathnames, the sysroot is prepended.
* Correct wildcard semantics is observed.
* checks/lib/users.pm
* The passwd files are located relative to the sysroot.
* Reading from the password file is made more principle.
* The test experiences an error if files can not be found rather than
the script terminating.
* Some dead code is eliminated.
* conf/buck-security.conf
* The checksum_dir variable is a list instead of a string for easier
manipulation.
* The new configuration variable sysdir is added and the default is /.
* The ssh_config variable is added.
* All tests are included in the checks variable.
* checks/sshd.pm
* The ssh config file is set in the buck-security configuration file
instead of hard-coded here.
* checks/nopasswd.pm
* This is a duplicate of emptypasswd, so it is removed.
* RDEPENDS_${PN}_class-native variable is added as some tasks make no
sense when run externally. Since they will not be run, there is no point
Meta-security
=============
This layer provides security tools, hardening tools for Linux kernels
and libraries for implementing security mechanisms.
Dependencies
============
This layer depends on:
URI: git://git.openembedded.org/openembedded-core
branch: master
revision: HEAD
prio: default
Adding the security layer to your build
========================================
In order to use this layer, you need to make the build system aware of
it.
Assuming the security layer exists at the top-level of your
yocto build tree, you can add it to the build system by adding the
location of the security layer to bblayers.conf, along with any
other layers needed. e.g.:
BBLAYERS ?= " \
/path/to/oe-core/meta \
/path/to/layer/meta-security \
Contents and Help
=================
In this section the contents of the layer is listed, along with a short
help for each package.
== bastille ==
Bastille is a system hardening / lockdown program which enhances the
security of a Unix host. It configures daemons, system settings and
firewalls to be more secure. It can shut off unneeded services
like rcp and rlogin, and helps create "chroot jails" that help limit the
vulnerability of common Internet services like Web services and DNS.
usage : The functionality of Bastille which is available is
restricted to a purely informational one. The command:
bastille -c --os Yocto
will cause a series of menus containing security questions
about the system to be displayed to the user. For each
question, a default response, specified in the configuration
file which is installed with Bastille, will be selected.
The user may select an alternate response. When the user
has completed the sequence of menus Bastille saves the
responses to the configuration file.
The command:
bastille -l lists the configuration files that Bastille
is able to locate.
The other functionality which Bastille is intended to provide
is actually unavailable. This is not due to errors in poky
installation or configuration of the application. The Bastille
distribution is no longer supported. Significant modifications
would be required to make it possible to make use of the
functionality which is currently unavailable.
Additional information about Bastille can be found in the package
README file and other documentation.
Alternatives to Bastille include buck-security and checksecurity,
described elsewhere in this file.
== redhat-security ==
Sometimes you want to check different aspects of a distribution for security problems.
This can be anything from file permissions to correctness of code. This is a collection of those tools.
Depending on what information the tool has to access, it may need to be run as root.
- rpm-chksec.sh : This will take an rpm name as input and verify each ELF file to see if its compiled with the intended flags
to most effectively use PIE and RELRO. Green is good, Orange could use work but is acceptable, and Red needs fixing.
It has a mode --all that is the equivalent of using rpm -qa and feeding the packages to it.
In this mode it will only give a summary result for the package. To find which files don't comply,
re-run using just the package name.
!!! WARNING !!! - in order to use this script you need to add to your conf/local.conf file the following lines:
IMAGE_ROOTFS_EXTRA_SPACE = "" - specifying the extra space of the image
IMAGE_FEATURES += "package management" - for the correct output of rpm -qa
- find-nodrop-groups.sh : This will scan a whole file system to see if a program makes calls to change UID
and GID without also calling setgroups or initgroups.
- rpm-drop-groups.sh : Same as above, but takes an rpm name instead.
- find-chroot.sh : This script scans the whole file system looking for ELF files that calls chroot(2) that also do not include a call to chdir.
Programs that fail to do this do not have the cwd inside the chroot. This means the app can escape the protection that was intended.
- find-chroot-py.sh : This test is like the one above except it examines python scripts for the same problem.
- find-execstack.sh : This program scans the whole file system for ELF programs that have marked the stack as being executable.
This means that if the program has another vulnerablity such as stack buffer overflow,
any code the attacker places there is executable. Any program found must be fixed.
- find-hidden-exec.sh : This program scans the whole file system looking for excutables that are hidden.
Anything found must be investigated since its highly unusual for executables to be hidden.
- find-sh4errors.sh : This program scans the whole file system looking for shell scripts.
It then does a sh -n on the script which causes bash to parse the file to see if there are any mistakes.
- selinux-check-devices.sh : This script checks the /dev directory to see if there are any devices that are not correctly labeled.
Anything found by this test should be reported so that selinux policy can be fixed.
This test is very hardware specific, so to be effective a lot of people with different hardware
should run this test each upstream kernel version release.
- selinux-ls-unconfined.sh : This script scans the running processes and looks for anything labeled with initrc_t or inetd.
These both mean that there are daemons that do not have policy and are therefore running unconfined.
These should be reported as SE Linux policy problems. Because it checks currently running daemons,
the more you have running, the better the test is.
- find-sh4tmp.sh : This script scans the whole filesystem to check if shell scripts are using well known tmp file names
instead of obscure ones created by something like mktemp.
- find-elf4tmp.sh : This script scans the whole file system for ELF files using /tmp. When it finds this,
it also looks to see if any of the known good random name generator functions is called by looking
at the symbol table. If not, it will output the string.
- lib-bin-check.sh : This will check all installed library packages to see if an application is also part of the package.
The relationship to security is that the SHA256 hash check will fail if a 32 bit version overwrites it.
Also, the less binaries on a system, the more secure it is by virtue of removing the chance for an exploitable bug.
usage : simply invoke the script name in the terminal.
== pax-utils ==
( This package can be found in oe-core )
pax-utils is a small set of various PaX aware and related utilities for
ELF binaries.
- scanelf : With this application you can print out information specific to the ELF structure of a binary.
For more help please consult the man pages or the readme file.
- pspax : is a user-space utility that scans the proc directory and list
ELF types, as well as their respective PaX flags and filenames and
attributes. Depending on build options, it may additionaly display the
process running set of capabilities.
- scanmacho : is a user-space utility to quickly scan given
Mach-Os, directories, or common system paths for different information. This
may include Mach-O types, their install_names, etc.
- dumpelf : is a user-space utility to dump all of the internal
ELF structures into the equivalent C structures for fun debugging and/or
reference purposes.
usage : simply invoke the script name in the terminal.
== buck-security ==
Buck-Security is a security scanner for Debian and Ubuntu Linux. It runs a couple of important checks and helps you to harden your Linux
system. This enables you to quickly overview the security status of your Linux system.
usage : !!! before starting to use this tool please run the following command: !!!
export GPG_TTY=`tty`
This command is needed for the usage of the comand --make-checksum, which creates
a checksum for the files in the system.
switch to directory /usr/local/buck-security.
before running the script, you should check the activated checks in conf/buck-security.conf file.
after altering the changes, save the file and simply run :
./buck-security
you can choose between different outputs : 1, 2(default) or 3.
More detailed usage can be found typing ./buck-security --help
== libseccomp ==
The libseccomp library provides and easy to use, platform independent, interface to the Linux Kernel's syscall filtering mechanism: seccomp.
The libseccomp API is designed to abstract away the underlying BPF based syscall filter language and present a more conventional
function-call based filtering interface that should be familiar to, and easily adopted by application developers.
usage : More detailed usage can be found in the man pages and README file of the package.
== checksecurity ==
checksecurity is a simple package which will scan your system for several simple security holes.
It uses a simple collection of plugins, all of which are shell scripts which are configured by environmental variables.
usage : To start checksecurity simply write in the terminal :
checksecurity
More detailed usage can be found in the man pages and README file of the package.
== nikto ==
Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items,
including over 6500 potentially dangerous files/CGIs, checks for outdated versions of over 1250 servers, and version specific
problems on over 270 servers. It also checks for server configuration items such as the presence of multiple index files,
HTTP server options, and will attempt to identify installed web servers and software.
usage : To start nikto simply write in the terminal :
nikto
More detailed usage can be found in the man pages and README file of the package.
== nmap ==
Nmap ("Network Mapper") is a free and open source (license) utility for network discovery and security auditing.
Many systems and network administrators also find it useful for tasks such as network inventory,
managing service upgrade schedules, and monitoring host or service uptime.
usage : To start nikto simply write in the terminal :
nmap
More detailed usage can be found in the man pages and README file of the package.
License
=======
All metadata is MIT licensed unless otherwise stated. Source code included
in tree for individual recipes is under the LICENSE stated in each recipe
(.bb file) unless otherwise stated.