On Wednesday, April 8, 2020 11:11:36 AM EDT David Cantrell wrote:
> >Just wanted to share with everyone the results of a data collection on
> >various metrics of ELF files when installing just @Core group.
> >
> >http://people.redhat.com/sgrubb/analysis/f32-analysis.slides.html#/
> >
> >I recommend clicking on the "pop out" link and then you have more room to
> >see the results. To use it grab SOURCERPM and drag it just below
> >"count", then drag FILE under SOURCERPM, then grab STACK_PROT and drag it
> >to the right of count. Next click on the drop down and uncheck "ok".
> >Click apply. Now you have the listing of all files without the right
> >stack protector hardening.
> >
> >Go back into the STACK_PROT, check ok, click apply. Drag STACK_PROT back
> >to where it came from, grab USES_SECCOMP, drag it to the right of
> >"count", click drop down, uncheck "no", click apply, now you have the
> >list of programs using seccomp for confinement.
> >
> >Have fun playing with the data. Just remember when you subset the data, it
> >stays that way until you check all boxes. In case you're curious, this is
> >exported from a Jupyter Notebook.
> 
> This is a nice visual.

I'm hoping it inspires people to do some poking around to help harden the OS 
a little more. For example, you can click on CLASS and uncheck everything but 
daemons. Then go down to CHANGES_UID and make only the no checked. This is 
how many daemons are not changing to another account and still using root.

> I'd like to ensure the check in rpminspect is doing
> the same thing.  What are you using to check for your STACK_PROT

This is annocheck

> and USES_SECCOMP?

readelf -s $f 2>/dev/null | grep FUNC | egrep 'seccomp_rule_add|seccomp'

This detects either direct use of seccomp or use of libseccomp.

Best Regards,
-Steve
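
An added example, not part of the original message and not the script behind the slides: the readelf symbol check from the reply above, written as a small classifier that separates libseccomp imports from other seccomp-named functions and reports non-ELF files separately. The function names, result labels and the sample symbol table are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names and result labels are this example's own.

# Classify `readelf -s` output read from stdin:
#   libseccomp  imports an undefined seccomp_* function (e.g. seccomp_rule_add)
#   other       another FUNC symbol with "seccomp" in its name
#   no          no FUNC symbol mentions seccomp
classify_symbols() {
    awk '
        $4 == "FUNC" && $8 ~ /seccomp/ {
            name = $8
            sub(/@.*/, "", name)            # drop any @VERSION suffix
            if ($7 == "UND" && name ~ /^seccomp_/) lib = 1
            else other = 1
        }
        END { print (lib ? "libseccomp" : (other ? "other" : "no")) }
    '
}

# Classify one file; non-ELF files are reported instead of counted as "no".
uses_seccomp() {
    magic=$(head -c 4 -- "$1" 2>/dev/null | od -An -c | tr -d ' \n')
    [ "$magic" = '177ELF' ] || { echo "not-elf"; return 0; }
    readelf -W -s -- "$1" 2>/dev/null | classify_symbols
}

# Constructed sample in `readelf -s` layout (not taken from a real binary).
sample_symbols() {
cat <<'EOF'
Symbol table '.dynsym' contains 4 entries:
   Num:    Value          Size Type    Bind   Vis      Ndx Name
     0: 0000000000000000     0 NOTYPE  LOCAL  DEFAULT  UND
     1: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND seccomp_rule_add
     2: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND setuid@GLIBC_2.2.5 (2)
     3: 0000000000004010     8 OBJECT  GLOBAL DEFAULT   25 seccomp_enabled
EOF
}

# Usage: sh this-script /usr/sbin/* prints one "path<TAB>result" line per file.
for f in "$@"; do
    printf '%s\t%s\n' "$f" "$(uses_seccomp "$f")"
done
```

Matching on the type and name columns keeps an OBJECT symbol such as `seccomp_enabled` from counting as seccomp use, and `-W` keeps readelf from shortening long symbol names.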
