Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Thu, 28 Mar 2013 16:19:07 +0000
From: Tim Brown <tmb@...35.com>
To: Steve Grubb <sgrubb@...hat.com>
Cc: oss-security@...ts.openwall.com,
 Corey Bryant <coreyb@...ux.vnet.ibm.com>
Subject: Re: Re: [kernel-hardening] Security vulnerability tools

On Thursday 28 Mar 2013 15:58:32 Steve Grubb wrote:
> On Wednesday, March 27, 2013 05:51:19 PM Corey Bryant wrote:
> > Thanks Tim.  Sounds nice.  This is the first security audit tool on the
> > list so if we could add more in this category that would be nice.
> 
> There is also openscap if you are wanting security auditing.
> http://www.open-scap.org/page/Main_Page

I've already said this to Corey but it bares repeating...

Having a background in UNIX SecOps, I do a lot of system audits in my current 
role and whilst I understand the business driver, I really don't like the 
term.  The main gist is, CIS style audits are worthy but they won't effectively 
test your controls.

upc is an offensive tool to help identify escalation of privilege vectors 
(especially on large multi-user system), (there is of course a degree of 
overlap with a traditional audit).  It started off focussing on the quick wins 
but it's developing in a more rounded attack tool.  As an example, the trunk 
version of upc contains plugins to pull up (amongst other things) compiler flag 
misuse, insecure API usage and other SDL violations, not something a 
traditional audit would cover but which are pretty useful when you land on a 
random system and want additional privileges.  Users of upc should not be 
afraid to write code, or fire up a debugger in the pursuit of root.

If you wanted to use it in a more systemic fashion, it might be interesting to 
run it (for example) pre and post package upgrade or as part of distro QA etc 
- but that's certainly not why we use/develop it (unless maybe we're doing a 
product assessment where I might use it to model the authorised users attack 
surface).  I'm sure if people wanted to develop it in that direction, any 
submitted patches would be looked upon favourably though :).

Tim
-- 
Tim Brown
<mailto:tmb@...35.com>

Download attachment "signature.asc " of type "application/pgp-signature" (837 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.