This post summarizes the options that can be enabled from meta-security in the distribution.
Main layer (as of dunfell)
- Busybox - enables extended head option (for tests)
- images - support for dm-verity, which can be used to verify the integrity of the booted image
- initrdscripts - adds dmverity support in the initramfs rootfs
More about intrusion detection: Wikipedia on HIDS (Host-based Intrusion Detection)
- samhain - a system integrity checking and intrusion detection tool. Can be configured either standalone or as client/server. Outdated version in dunfell
- suricata - Suricata intrusion detection system. Outdated version in dunfell
- tripwire - Open Source Tripwire integrity monitoring tool. Seems abandoned since late 2018
- Adds apparmor, smack, dm-verity
Includes recipes for Mandatory Access Control (MAC) tools. SELinux tools are in a separate layer.
The recipes include the tools but do not seem to ship example policies.
- AppArmor - tools for AppArmor
- ccs-tools (tomoyo) - tools for tomoyo
- smack - tools for smack
- Adds libwhisker2 (a library for HTTP testing)
- arpwatch - a tool for monitoring IP/MAC address pairings in a network; can send notifications for new or changed pairs
- buck-security - a security scanner checking file permissions, unneeded packages etc. Seems unsupported, last version from 2013
- checksec - a tool for checking the hardening properties of executables (e.g. RELRO, stack canary, NX, PIE). The output needs to be postprocessed to correlate it with the distribution's compiler options. Seems active, old version in dunfell
- checksecurity - a tool for periodical basic tests of the system: setuid, open ports, empty passwords, filesystems nearly full etc.
- clamav - an antivirus and malware detection tool
- rootkits (chkrootkit) - checking for rootkits
- aircrack-ng - a WiFi auditing tool
- bastille - a hardening tool. Unsupported, last version from 2005
- ecryptfs-utils - an encrypted file system, storing metadata in file headers. Active
- fail2ban - in case of too many access failures, bans the offending IP address. Active
- fscryptctl - a tool to handle keys in embedded systems with encrypted filesystem, when fscrypt is not available
- google-authenticator-libpam - an example PAM module for two-factor authentication when logging in, for example over SSH
- images - scripts to build example security images
- isic - a tool for stress testing a network stack. Unmaintained, last version in 2006
- libdhash - dynamic hash library. Last version from 2017
- libgssglue - a library implementing GSS-API. A notable use of GSS-API is Kerberos.
- libmhash - a library implementing hashes. Unmaintained, last version from 2008
- libmspack - a library for handling Microsoft compression formats, like CAB.
- libseccomp - a userspace library for seccomp
- ncrack - a network password audit tool. Supports MQTT.
- nikto - a web server scanner
- packagegroup - Security package definitions for poky
- paxctl - tools for PaX
- redhat-security - RedHat security scripts. Last update in 2013
- scapy - packet creation/manipulation tool in Python
- sssd - a system security services daemon handling authentication by different means like LDAP or Kerberos
A layer containing security auditing and compliance tools.
- lynis - a security auditing tool, checking permissions, login possibilities etc.
- openembedded-release - adding /etc/openembedded-release file
- os-release - adds the CPE (Common Platform Enumeration) identifier to /etc/os-release
- oe-scap - OpenEmbedded SCAP helper files
- openscap - OpenSCAP tool for checking the system against the NIST SCAP standard
- openscap-daemon - OpenSCAP service running in the background
- scap-security-guide - OpenSCAP security profiles for various distributions
A layer for the Image Security Analyser Framework (GitHub - intel/isafw). The project was archived in 2016
Image recipes for the TPM.
Kernel options for TPMs.
Recipes for TPM software
Recipes for TPM 2.0 software