Date: Thu, 28 Mar 2013 16:19:07 +0000 From: Tim Brown <tmb@...35.com> To: Steve Grubb <sgrubb@...hat.com> Cc: oss-security@...ts.openwall.com, Corey Bryant <coreyb@...ux.vnet.ibm.com> Subject: Re: Re: [kernel-hardening] Security vulnerability tools On Thursday 28 Mar 2013 15:58:32 Steve Grubb wrote: > On Wednesday, March 27, 2013 05:51:19 PM Corey Bryant wrote: > > Thanks Tim. Sounds nice. This is the first security audit tool on the > > list so if we could add more in this category that would be nice. > > There is also openscap if you are wanting security auditing. > http://www.open-scap.org/page/Main_Page I've already said this to Corey but it bares repeating... Having a background in UNIX SecOps, I do a lot of system audits in my current role and whilst I understand the business driver, I really don't like the term. The main gist is, CIS style audits are worthy but they won't effectively test your controls. upc is an offensive tool to help identify escalation of privilege vectors (especially on large multi-user system), (there is of course a degree of overlap with a traditional audit). It started off focussing on the quick wins but it's developing in a more rounded attack tool. As an example, the trunk version of upc contains plugins to pull up (amongst other things) compiler flag misuse, insecure API usage and other SDL violations, not something a traditional audit would cover but which are pretty useful when you land on a random system and want additional privileges. Users of upc should not be afraid to write code, or fire up a debugger in the pursuit of root. If you wanted to use it in a more systemic fashion, it might be interesting to run it (for example) pre and post package upgrade or as part of distro QA etc - but that's certainly not why we use/develop it (unless maybe we're doing a product assessment where I might use it to model the authorised users attack surface). I'm sure if people wanted to develop it in that direction, any submitted patches would be looked upon favourably though :). Tim -- Tim Brown <mailto:tmb@...35.com> Download attachment "signature.asc " of type "application/pgp-signature" (837 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.