Meta-security options enabling

This post summarizes the options from meta-security that could be enabled in the distribution.

Main layer (as of dunfell)

recipes-core

  • busybox - enables the extended head option (needed for tests)
  • images - support for dm-verity, which can be used to verify the integrity of the booted image
  • initrdscripts - adds dm-verity support to the initramfs rootfs

recipes-ids

More about intrusion detection: Wikipedia on HIDS (Host-based Intrusion Detection)

  • samhain - a system integrity checking and intrusion detection tool. Can be configured either as standalone or as client/server. Outdated version in dunfell
  • suricata - the Suricata intrusion detection system. Outdated version in dunfell
  • tripwire - the Open Source Tripwire integrity monitoring tool. Seems abandoned since late 2018

recipes-kernel

  • Adds kernel support for apparmor, smack and dm-verity

recipes-mac

Includes recipes for Mandatory Access Control (MAC) tools. SELinux tools are in a separate layer.

The recipes include the tools, but seem not to include example policies.

  • AppArmor - userspace tools for AppArmor
  • ccs-tools - userspace tools for TOMOYO
  • smack - userspace tools for Smack

recipes-perl

  • Adds libwhisker2 (a library for HTTP testing)

recipes-scanners

  • arpwatch - a tool for monitoring IP/MAC pairings on a network; can send notifications for new or changed pairs
  • buck-security - a security scanner checking file permissions, unneeded packages etc. Seems unsupported, last version from 2013
  • checksec - a tool for checking the security properties of executables. The output needs to be post-processed to correlate it with the distribution's compiler options. Seems active, old version in dunfell
  • checksecurity - a tool for periodic basic tests of the system: setuid files, open ports, empty passwords, nearly full filesystems etc.
  • clamav - an antivirus and malware detection tool
  • rootkits (chkrootkit) - checks for rootkits

recipes-security

  • aircrack-ng - a WiFi auditing tool
  • bastille - a hardening tool. Unsupported, last version from 2005
  • ecryptfs-utils - an encrypted file system that stores its metadata in file headers. Active
  • fail2ban - bans the offending IP address after too many access failures. Active
  • fscryptctl - a tool for handling keys on embedded systems with an encrypted filesystem, when fscrypt is not available
  • google-authenticator-libpam - a PAM module for two-factor authentication, for example when logging in over SSH
  • images - scripts to build example security images
  • isic - a tool for stress testing a network stack. Unmaintained, last version from 2006
  • libdhash - a dynamic hash library. Last version from 2017
  • libgssglue - a library implementing the GSS-API; its most notable use is Kerberos
  • libmhash - a library implementing hash functions. Unmaintained, last version from 2008
  • libmspack - a library for handling Microsoft compression formats, like CAB
  • libseccomp - a userspace library for seccomp
  • ncrack - a network password auditing tool. Supports MQTT
  • nikto - a web server scanner
  • packagegroup - security package group definitions for poky
  • paxctl - tools for PaX
  • redhat-security - Red Hat security scripts. Last update in 2013
  • scapy - a packet creation/manipulation tool in Python
  • sssd - the System Security Services Daemon, handling authentication by different means such as LDAP or Kerberos

meta-security-compliance

A layer containing security auditing and compliance tools.

recipes-auditors

  • lynis - a security auditing tool, checking permissions, login possibilities etc.

recipes-core

  • openembedded-release - adds the /etc/openembedded-release file
  • os-release - adds the CPE to /etc/os-release

recipes-openscap

  • oe-scap - OpenEmbedded SCAP helper files
  • openscap - the OpenSCAP tool for checking the system according to the NIST SCAP standard
  • openscap-daemon - the OpenSCAP service running in the background
  • scap-security-guide - OpenSCAP security profiles for various distributions

meta-security-isafw

A layer for the Image Security Analyser Framework (GitHub - intel/isafw). The project was archived in 2016.

meta-tpm

A layer for TPM support. For information about the differences between TPM1 and TPM2, and the Linux support for them, see: TPM2 and Linux | James Bottomley's random Pages

recipes-core

Image recipes for the TPM.

recipes-kernel

Kernel options for TPMs.

recipes-tpm

Recipes for TPM software.

recipes-tpm2

Recipes for TPM 2.0 software.

Recommendations:

  • dm-verity: include in the secure boot work
  • samhain: add (and test) as an option for the end user
  • kernel MAC modules and tools: to be added with application sandboxing
  • checksec: add in release hardening
  • clamav: as a supported option if the user wants it
  • ecryptfs and fscrypt: to be investigated together with filesystem encryption
  • libseccomp: to be added in application sandboxing
  • ncrack: add as an option for testing (gateway)
  • lynis: add to the test image for release, run the report
  • openembedded-release/os-release: add it; the CPE will need to be changed
  • SCAP: if required by a user
  • tpm: add in secure boot

Next step: check what to backport from the master branch and later releases.