Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 28 Mar 2013 16:19:07 +0000
From: Tim Brown <>
To: Steve Grubb <>
 Corey Bryant <>
Subject: Re: Re: [kernel-hardening] Security vulnerability tools

On Thursday 28 Mar 2013 15:58:32 Steve Grubb wrote:
> On Wednesday, March 27, 2013 05:51:19 PM Corey Bryant wrote:
> > Thanks Tim.  Sounds nice.  This is the first security audit tool on the
> > list so if we could add more in this category that would be nice.
> There is also openscap if you are wanting security auditing.

I've already said this to Corey but it bares repeating...

Having a background in UNIX SecOps, I do a lot of system audits in my current 
role and whilst I understand the business driver, I really don't like the 
term.  The main gist is, CIS style audits are worthy but they won't effectively 
test your controls.

upc is an offensive tool to help identify escalation of privilege vectors 
(especially on large multi-user system), (there is of course a degree of 
overlap with a traditional audit).  It started off focussing on the quick wins 
but it's developing in a more rounded attack tool.  As an example, the trunk 
version of upc contains plugins to pull up (amongst other things) compiler flag 
misuse, insecure API usage and other SDL violations, not something a 
traditional audit would cover but which are pretty useful when you land on a 
random system and want additional privileges.  Users of upc should not be 
afraid to write code, or fire up a debugger in the pursuit of root.

If you wanted to use it in a more systemic fashion, it might be interesting to 
run it (for example) pre and post package upgrade or as part of distro QA etc 
- but that's certainly not why we use/develop it (unless maybe we're doing a 
product assessment where I might use it to model the authorised users attack 
surface).  I'm sure if people wanted to develop it in that direction, any 
submitted patches would be looked upon favourably though :).

Tim Brown

Download attachment "signature.asc " of type "application/pgp-signature" (837 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.