On Saturday, April 13, 2013 12:19:42 PM Rahul Sundaram wrote:
> On Sat, Apr 13, 2013 at 11:33 AM, Steve Grubb wrote:
> > I don't think there is any need to extend the set of packages that
> > _should_ get hardening. The current guidelines are sufficient. What is
> > not happening is the packages that have apps that fit the need to be
> > hardened are not getting the proper hardening. I have opened dozens of
> > bugs on the "core" packages that matter, but even those bz are still
> > not complete.
>
> Is there a tracker bug? Proven packagers can help

I have a tracker bug for issues identified on the core set of packages that
would be part of a common criteria certification:

https://bugzilla.redhat.com/show_bug.cgi?id=853068

which then shows:

dbus            https://bugzilla.redhat.com/show_bug.cgi?id=853152
NetworkManager  https://bugzilla.redhat.com/show_bug.cgi?id=853199

I have not run the script that checks a distribution on F19 yet, so maybe
there are more?

http://people.redhat.com/sgrubb/files/rpm-chksec

To check a typical install and only get the packages that do not meet
policy, do this:

./rpm-chksec --all | sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[m|K]//g" | egrep -w 'no|PACKAGE'

A small sample on F18:

PACKAGE                   RELRO   PIE   CLASS
abrt-addon-ccpp.x86_64    yes     no    setuid
abrt.x86_64               yes     no    daemon
accountsservice.x86_64    yes     no    daemon
acpid.x86_64              yes     no    daemon
agave.x86_64              no      yes   exec
akonadi.x86_64            yes     no    network-local
alsa-lib.x86_64           yes     no    network-ip
alsa-utils.x86_64         yes     no    network-ip
apg.x86_64                yes     no    daemon
arpwatch.x86_64           yes     no    daemon

But it should be noted that the script does not identify parsers of
untrusted media. This would be stuff like: gnash, ooffice, evince, poppler,
firefox, konqueror, xchat, wireshark, eog, kmail, evolution, rpm, etc. I
don't know how to automate that.

-Steve

-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
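The RELRO and PIE columns in the rpm-chksec output above come from facts recorded in the ELF headers of each binary: RELRO is a PT_GNU_RELRO program header (full RELRO additionally needs the dynamic linker's BIND_NOW flag), and a PIE is an ET_DYN executable. The following is an added example, not rpm-chksec itself (whose implementation is not shown in the thread) and not code from the Fedora project; it parses those headers directly for little-endian ELF64 images and reports the same two properties per file. The build_sample_elf() helper constructs minimal synthetic ELF images (headers only, no code) so the checker can be exercised without real binaries; running the script with file paths as arguments checks those files instead.

```python
import struct
import sys

# ELF constants, from the ELF and GNU ABI specifications.
ET_EXEC = 2
ET_DYN = 3
PT_DYNAMIC = 2
PT_INTERP = 3
PT_GNU_RELRO = 0x6474E552
DT_NULL = 0
DT_BIND_NOW = 24
DT_FLAGS = 30
DT_FLAGS_1 = 0x6FFFFFFB
DF_BIND_NOW = 0x8
DF_1_NOW = 0x1
DF_1_PIE = 0x08000000

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # ELF64 file header (64 bytes)
PHDR = struct.Struct("<IIQQQQQQ")          # ELF64 program header (56 bytes)
DYN = struct.Struct("<qQ")                 # ELF64 dynamic entry (16 bytes)


def check_hardening(data):
    """Return {'relro': 'no'|'partial'|'full', 'pie': bool} for an ELF64 LE image."""
    if len(data) < EHDR.size or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    (_, e_type, _, _, _, e_phoff, _, _, _, e_phentsize, e_phnum,
     _, _, _) = EHDR.unpack_from(data, 0)

    has_relro = has_interp = bind_now = pie_flag = False
    for i in range(e_phnum):
        p_type, _, p_offset, _, _, p_filesz, _, _ = PHDR.unpack_from(
            data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_RELRO:
            has_relro = True          # linker emitted a read-only-after-relocation segment
        elif p_type == PT_INTERP:
            has_interp = True         # has a program interpreter, so it is an executable
        elif p_type == PT_DYNAMIC:
            # Walk the dynamic section looking for the BIND_NOW / PIE flags.
            for j in range(p_filesz // DYN.size):
                tag, val = DYN.unpack_from(data, p_offset + j * DYN.size)
                if tag == DT_NULL:
                    break
                if (tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW)
                        or (tag == DT_FLAGS_1 and val & DF_1_NOW)):
                    bind_now = True
                if tag == DT_FLAGS_1 and val & DF_1_PIE:
                    pie_flag = True

    # Full RELRO requires both the segment and immediate binding (-z relro -z now);
    # a PIE is an ET_DYN object that is actually an executable, not a shared library.
    relro = "full" if has_relro and bind_now else "partial" if has_relro else "no"
    pie = e_type == ET_DYN and (has_interp or pie_flag)
    return {"relro": relro, "pie": pie}


def build_sample_elf(e_type, relro, bind_now, interp=True):
    """Construct a minimal synthetic ELF64 image with just the headers the checker reads."""
    interp_str = b"/lib64/ld-linux-x86-64.so.2\x00"
    dyn = (DYN.pack(DT_FLAGS, DF_BIND_NOW) if bind_now else b"") + DYN.pack(DT_NULL, 0)
    n_ph = 1 + int(relro) + int(interp)
    dyn_off = EHDR.size + n_ph * PHDR.size
    interp_off = dyn_off + len(dyn)
    phdrs = [PHDR.pack(PT_DYNAMIC, 6, dyn_off, dyn_off, dyn_off, len(dyn), len(dyn), 8)]
    if relro:
        phdrs.append(PHDR.pack(PT_GNU_RELRO, 4, dyn_off, dyn_off, dyn_off, len(dyn), len(dyn), 1))
    if interp:
        phdrs.append(PHDR.pack(PT_INTERP, 4, interp_off, interp_off, interp_off,
                               len(interp_str), len(interp_str), 1))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # ELF64, little-endian, version 1
    ehdr = EHDR.pack(ident, e_type, 62, 1, 0, EHDR.size, 0, 0,
                     EHDR.size, PHDR.size, n_ph, 64, 0, 0)
    return ehdr + b"".join(phdrs) + dyn + interp_str


def main(paths):
    if paths:
        rows = []
        for p in paths:
            with open(p, "rb") as f:
                rows.append((p, check_hardening(f.read())))
    else:
        # No files given: report on constructed samples (hypothetical names).
        rows = [
            ("sample-pie-full-relro", check_hardening(build_sample_elf(ET_DYN, True, True))),
            ("sample-exec-partial-relro", check_hardening(build_sample_elf(ET_EXEC, True, False))),
            ("sample-exec-no-relro", check_hardening(build_sample_elf(ET_EXEC, False, False))),
        ]
    print(f"{'FILE':<28} {'RELRO':<8} PIE")
    for name, r in rows:
        print(f"{name:<28} {r['relro']:<8} {'yes' if r['pie'] else 'no'}")


if __name__ == "__main__":
    main(sys.argv[1:])
```

Note that the checker only reads headers, so like rpm-chksec it cannot tell whether a binary parses untrusted input; that judgement still has to come from the package's class (setuid, daemon, network-facing) and from a human.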