From 2732662269d2ca8cc700be7a397296468ec54a7f Mon Sep 17 00:00:00 2001 From: Miruna Paun Date: Tue, 19 Sep 2017 11:14:01 +0200 Subject: Created xml docs for Security Hardening for Enea NFV Access 1.1 USERDOCAP-236 
Signed-off-by: Miruna Paun --- .../doc/appendix_a.xml | 70 ++ .../doc/book.xml | 29 + .../doc/eltf_params_template.xml | 151 ++++ .../doc/eltf_params_updated.xml | 165 ++++ .../eltf_params_updated_template_how_to_use.txt | 320 +++++++ .../doc/hardening_checklist.xml | 952 +++++++++++++++++++++ .../doc/introduction.xml | 127 +++ .../doc/metasecure_tools.xml | 465 ++++++++++ .../swcomp.mk | 10 + .../doc/book.xml | 18 + .../doc/eltf_params_template.xml | 151 ++++ .../doc/eltf_params_updated.xml | 165 ++++ .../eltf_params_updated_template_how_to_use.txt | 320 +++++++ .../doc/guidelines_hardening_linux.xml | 212 +++++ .../doc/intro_hardentools_tech.xml | 209 +++++ .../doc/intro_info_security.xml | 144 ++++ .../doc/introduction.xml | 102 +++ .../swcomp.mk | 10 + 18 files changed, 3620 insertions(+) create mode 100644 doc/book-enea-nfv-access-dev-hardening-guide/doc/appendix_a.xml create mode 100644 doc/book-enea-nfv-access-dev-hardening-guide/doc/book.xml create mode 100644 doc/book-enea-nfv-access-dev-hardening-guide/doc/eltf_params_template.xml create mode 100644 doc/book-enea-nfv-access-dev-hardening-guide/doc/eltf_params_updated.xml create mode 100644 doc/book-enea-nfv-access-dev-hardening-guide/doc/eltf_params_updated_template_how_to_use.txt create mode 100644 doc/book-enea-nfv-access-dev-hardening-guide/doc/hardening_checklist.xml create mode 100644 doc/book-enea-nfv-access-dev-hardening-guide/doc/introduction.xml create mode 100644 doc/book-enea-nfv-access-dev-hardening-guide/doc/metasecure_tools.xml create mode 100644 doc/book-enea-nfv-access-dev-hardening-guide/swcomp.mk create mode 100644 doc/book-enea-nfv-access-user-hardening-guide/doc/book.xml create mode 100644 doc/book-enea-nfv-access-user-hardening-guide/doc/eltf_params_template.xml create mode 100644 doc/book-enea-nfv-access-user-hardening-guide/doc/eltf_params_updated.xml create mode 100644 doc/book-enea-nfv-access-user-hardening-guide/doc/eltf_params_updated_template_how_to_use.txt create mode 100644 
doc/book-enea-nfv-access-user-hardening-guide/doc/guidelines_hardening_linux.xml create mode 100644 doc/book-enea-nfv-access-user-hardening-guide/doc/intro_hardentools_tech.xml create mode 100644 doc/book-enea-nfv-access-user-hardening-guide/doc/intro_info_security.xml create mode 100644 doc/book-enea-nfv-access-user-hardening-guide/doc/introduction.xml create mode 100644 doc/book-enea-nfv-access-user-hardening-guide/swcomp.mk diff --git a/doc/book-enea-nfv-access-dev-hardening-guide/doc/appendix_a.xml b/doc/book-enea-nfv-access-dev-hardening-guide/doc/appendix_a.xml new file mode 100644 index 0000000..c5d9aaa --- /dev/null +++ b/doc/book-enea-nfv-access-dev-hardening-guide/doc/appendix_a.xml @@ -0,0 +1,70 @@ + + + Useful Memory Terms + + Change the title to something better + +
+ Buffer overflow + + A buffer overflow occurs when a program or process attempts to write + more data to a fixed length block of memory, or buffer, than the buffer is + allocated to hold. + + Since buffers are created to contain a defined amount of data, the + extra data can overwrite data values in memory addresses adjacent to the + destination buffer, unless the program includes sufficient bounds checking + to flag or discard data when too much is sent to a memory buffer. + Languages such Ada, C#, Haskell, Java, JavaScript, Lisp, PHP, Python, + Ruby, and Visual Basic enforce run-time checking. + + C and C++ are prone to buffer overflow attacks as they have no + built-in protection against accessing or overwriting data in any part of + their memory, and do not automatically check that data written to an array + (the built-in buffer type) is within the boundaries of that array. +
+ +
+ Security Exploit + + On many systems, the memory layout of a program, or the system as a + whole, is well defined. Exploiting the behavior of a buffer overflow is a + well-known security exploit. By sending in data designed to cause a buffer + overflow, it is possible to write into areas known to hold an executable, + and replace it with malicious code. + + Bounds checking can prevent buffer overflows, but requires + additional code and processing time. Modern operating systems use a + variety of techniques to combat malicious buffer overflows by randomizing + the layout of memory, or deliberately leaving space between buffers and + looking for actions that write into those areas "canaries". For further + reading about security exploits refer to the Exploit database. +
+ +
+ Hardware Bounds Checking + + The safety added by bounds checking costs CPU time if checking is + performed in software however, if the checks are performed by hardware + then safety can be provided "for free" with no runtime cost. + + Research was started at least as early as 2005 regarding methods to + use x86's built-in virtual memory management unit to ensure safety of + array and buffer accesses. In 2015 Intel provided their Intel MPX + extensions in their Skylake processor architecture which stores bounds in + a CPU register and table in memory. As of early 2017 GCC among others, + supports MPX extensions. +
+ +
+ Rootkit + + A rootkit is a collection of malicious software designed to enable + access to another software that would not otherwise be allowed, e.g: to an + unauthorized user, and often masks its existence or the existence of other + software. The term rootkit is a concatenation of "root" and + the word "kit", which refers to the software components that implement the + tool, and is associated with malware. +
+
\ No newline at end of file diff --git a/doc/book-enea-nfv-access-dev-hardening-guide/doc/book.xml b/doc/book-enea-nfv-access-dev-hardening-guide/doc/book.xml new file mode 100644 index 0000000..1a75484 --- /dev/null +++ b/doc/book-enea-nfv-access-dev-hardening-guide/doc/book.xml @@ -0,0 +1,29 @@ + + +]> + + <trademark class="registered">Enea</trademark> NFV Access Developer's + Hardening Guide + + Release Version + + + + + + + + + + + + \ No newline at end of file diff --git a/doc/book-enea-nfv-access-dev-hardening-guide/doc/eltf_params_template.xml b/doc/book-enea-nfv-access-dev-hardening-guide/doc/eltf_params_template.xml new file mode 100644 index 0000000..eaa7ebd --- /dev/null +++ b/doc/book-enea-nfv-access-dev-hardening-guide/doc/eltf_params_template.xml @@ -0,0 +1,151 @@ + + +
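Review bot: The Security Exploit section conflates two different mitigations when it says operating systems defend by "deliberately leaving space between buffers and looking for actions that write into those areas "canaries"" — leaving unmapped space between buffers describes guard pages, while a canary is a known value placed next to a buffer or return address and checked before it is used. Suggest rewording that sentence to `a variety of techniques such as randomizing the layout of memory (ASLR), placing known "canary" values next to buffers or return addresses and verifying them before use, or leaving unmapped guard pages between buffers.` The Hardware Bounds Checking section states GCC's Intel MPX support as a current fact; that was true in early 2017 but MPX has since been deprecated by both GCC and the Linux kernel, so the paragraph should be dated ("As of early 2017") rather than presented as the present state of the art. Minor wording in the Buffer overflow section: `Languages such Ada` should read `Languages such as Ada`.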
+ File with Parameters in the Book Auto-updated by ELFT + + + See the eltf_params_updated_template_howto_use.txt text + file for description of how to create the final eltf_params_updated.xml from this template and for + all REQUIREMENTS. Use the command + "make eltf" to extract a full list of all + ELTF variables, which always begins with ELTF_ and don't only rely on the + howto text file list! The plan is that ELTF will auto-update this when + needed. + + +
+ Common Parameters + + A programlisting, ID + "eltf-prereq-apt-get-commands-host" + + ELTF_PL_HOST_PREREQ + + A programlisting, ID + "eltf-getting-repo-install-command" + + ELTF_PL_GET_REPO + + Several phrase elements, various IDs. Ensure EL_REL_VER is + correct also compared to the "previous" REL VER in pardoc-distro.xml + "prev_baseline". + + ELTF_EL_REL_VER + + ELTF_YOCTO_VER + + ELTF_YOCTO_NAME + + ELTF_YOCTO_PROJ_DOWNLOAD_TXTURL + + ELTF_EL_DOWNLOAD_TXTURL + + A programlisting, ID "eltf-repo-cloning-enea-linux". Use + $MACHINE/default.xml as parameter, where MACHINE is one of the target + directory names in the manifest. + + ELTF_PL_CLONE_W_REPO + + A table with ONE row, only the row with ID + "eltf-eclipse-version-row" is included in the book. MANUALLY BOTH in the + template.xml and in the updated.xml, set condition hidden on the + <row>, if eclipse is not in the release. + + + + + + Eclipse version ELTF_ECLIPSE_VERSION plus command line + development tools are included in this Enea NFV Access release. + + + + + + Below is one big section with title "Supported Targets with + Parameters". The entire section is included completely in the book via ID + "eltf-target-tables-section" and shall be LAST in the template. The + template contains ONE target subsection. COPY/APPEND it, if multiple + targets exist in the release and optionally add rows with additional + target parameters in each target subsection table. +
+ +
+ Supported Targets with Parameters + + The tables below describes the target(s) supported in this Enea + NFV Access release. + +
+ MACHINE ELTF_T_MANIFEST_DIR - Information + + + + + + + + + + Target official name + + ELTF_T_NAME + + + + Architecture and Description + + ELTF_T_ARC_DESC + + + + Link to target datasheet + + See ELTF_T_DS_TXTURL + + + + Poky version + + ELTF_T_POKY_VER + + + + GCC version + + ELTF_T_GCC_VER + + + + Linux Kernel Version + + ELTF_T_KERN_VER + + + + Supported Drivers + + ELTF_T_DRIVERS + + + + Enea rpm folder for downloading RPM packages for this + target + + ELTF_T_EL_RPM_TXTURL + + + + +
+ + +
+
\ No newline at end of file diff --git a/doc/book-enea-nfv-access-dev-hardening-guide/doc/eltf_params_updated.xml b/doc/book-enea-nfv-access-dev-hardening-guide/doc/eltf_params_updated.xml new file mode 100644 index 0000000..f6bd068 --- /dev/null +++ b/doc/book-enea-nfv-access-dev-hardening-guide/doc/eltf_params_updated.xml @@ -0,0 +1,165 @@ + + +
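Review bot: The opening remark points readers at a file that does not exist under that name: it says `eltf_params_updated_template_howto_use.txt`, while this commit adds `eltf_params_updated_template_how_to_use.txt`, and that file's own first line calls itself `eltf_params_template_updated_howto_use.txt`. Three spellings for one file will send an ELTF maintainer to the wrong place; use the on-disk name here, in the identical remark in eltf_params_updated.xml, and on the first line of the .txt file (both book directories carry the same copies). The same remark's `which always begins with ELTF_` should read `which always begin with ELTF_`.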
+ File with Parameters in the Book Auto-updated by ELFT + + + See the eltf_params_updated_template_howto_use.txt text + file for description of how to create the final eltf_params_updated.xml from this template and for + all REQUIREMENTS. Use the command + "make eltf" to extract a full list of all + ELTF variables, which always begins with ELTF_ and don't only rely on the + howto text file list! The plan is that ELTF will auto-update this when + needed. + + +
+ Common Parameters + + A programlisting, ID + "eltf-prereq-apt-get-commands-host" + + # Host Ubuntu 14.04.5 LTS 64bit +sudo apt-get -y update +sudo apt-get -y install sed wget subversion git-core coreutils unzip texi2html \ + texinfo libsdl1.2-dev docbook-utils fop gawk python-pysqlite2 diffstat \ + make gcc build-essential xsltproc g++ desktop-file-utils chrpath \ + libgl1-mesa-dev libglu1-mesa-dev autoconf automake groff libtool xterm \ + libxml-parser-perl + + A programlisting, ID + "eltf-getting-repo-install-command" + + mkdir -p ~/bin +curl https://storage.googleapis.com/git-repo-downloads/repo > ~/bin/repo +chmod a+x ~/bin/repo +export PATH=~/bin:$PATH + + Several phrase elements, various IDs. Ensure EL_REL_VER is + correct also compared to the "previous" REL VER in pardoc-distro.xml + "prev_baseline". + + 1.0 + + 2.1 + + krogoth + + http://www.yoctoproject.org/downloads/core/krogoth/21 + + https://linux.enea.com/6 + + A programlisting, ID "eltf-repo-cloning-enea-linux". Use + $MACHINE/default.xml as parameter, where MACHINE is one of the target + directory names in the manifest. + + mkdir enea-linux +cd enea-linux +repo init -u git@git.enea.com:linux/manifests/el_manifests-virtualization.git \ + -b refs/tags/EL6 -m $MACHINE/default.xml +repo sync + + A table with ONE row, only the row with ID + "eltf-eclipse-version-row" is included in the book. MANUALLY in book, set + condition hidden if eclipse is not in the release. Do this both in + template.xml and updated.xml. + + + + + + Eclipse version 4.3 (Mars) plus command line development + tools are included in this Enea NFV Access release. + + + + + + Below is one big section with title "Supported Targets with + Parameters". The entire section is included completely in the book via ID + "eltf-target-tables-section" and shall be LAST in the template. The + template contains ONE target subsection. 
COPY/APPEND it, if multiple + targets exist in the release and optionally add rows with additional + target parameters in each target subsection table. +
+ +
+ Supported Reference Boards with Parameters + + The tables below describes the target(s) supported in this Enea NFV + Access release. + +
+ MACHINE p2041rdb - Information + + + + + + + + + + Target official name + + P2041RDB + + + + Architecture and Description + + Power, e500mc + + + + Link to target datasheet + + See link + to NXP's datasheet + + + + Poky version + + Git-commit-id: + 75ca53211488a3e268037a44ee2a7ac5c7181bd2 + + + + GCC version + + 5.3 + + + + Linux Kernel Version + + 3.12 + + + + Supported Drivers + + Ethernet, I2C, SPI, PCI Express, USB, Flash, + SD/SDHC/SDXC, RTC + + + + Enea rpm folder for downloading RPM packages for this + target + + https://linux.enea.com/6/p2041rgb/rpm + + + + +
+
+
\ No newline at end of file diff --git a/doc/book-enea-nfv-access-dev-hardening-guide/doc/eltf_params_updated_template_how_to_use.txt b/doc/book-enea-nfv-access-dev-hardening-guide/doc/eltf_params_updated_template_how_to_use.txt new file mode 100644 index 0000000..87a6445 --- /dev/null +++ b/doc/book-enea-nfv-access-dev-hardening-guide/doc/eltf_params_updated_template_how_to_use.txt 
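Review bot: The eltf-getting-repo-install-command listing makes a downloaded file executable without any integrity check: `curl https://storage.googleapis.com/git-repo-downloads/repo > ~/bin/repo` is followed directly by `chmod a+x ~/bin/repo`, and `export PATH=~/bin:$PATH` then puts that directory first on the search path, so a truncated or tampered download becomes the `repo` launcher every subsequent command runs. Because this file is the parameter source the book xi:includes, the ELTF template should gain a verification step between the download and the chmod, e.g. `sha256sum ~/bin/repo` compared against the checksum published on the repo project's download page (or a signature check), and the text should say the install must stop on mismatch. The Eclipse row reads `4.3 (Mars)` whereas the howto file's example gives `4.5 (Mars)`; Mars is Eclipse 4.5, so the value here looks wrong. The rpm link `https://linux.enea.com/6/p2041rgb/rpm` also disagrees with the section's MACHINE name `p2041rdb`, and these Enea Linux 6 values appear to be copied unchanged into an NFV Access 1.1 book.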
@@ -0,0 +1,320 @@ +eltf_params_template_updated_howto_use.txt + +This is a way to collect all parameters for an Enea NFV Access release +in one parameter file, easy to automatically update by ELTF regularly. + +NOTE: Both the release info AND the open source books use parameters from + here, but the XML file is inside the release info book directory. + +NOTE: The manifest_conf.mk, or overridden by the environment variable + MANIFESTHASH, contains the full tag (or hashvalue) for downloading + the manifest when the books are built. The list of target + directories are fetched from the manifest into the book. + The eltf_params_updates.xml can all the time contain + the final next complete tag e.g. refs/tags/EL6 or similar + in the ELTF_PL_CLONE_W_REPO parameter command lines. + +The ordinary book XML files use xi:include statements to include elements +from this parameter file. The book XML files can thus be manually edited. +Before editing, you must run "make init". +Any other text in the template or updated.xml file, outside the parts that +are included in the book, are not used but still all must be correct +DocBook XML files. + +ELTF work: + template => ELTF replaces ALL ELTF_xxx variables => updated XML file + => push to git only if changed + + +eltf_params_template.xml (in git) + File used by ELTF to autocreate/update the real parameter + file eltf_params_updated.xml. + +eltf_params_updated.xml (in git) + Real parameter file where ELTF has replaced all ELTF_xx variables with + strings, in several cases with multiline strings. + No spaces or linefeed allowed in beginning or end of the variable values! + + +xi:include: Each parameter is xi:include'ed in various book files, using + the IDs existing in the parameter files. + In most cases the 1:st element inside an element with an ID is included + using a format like eltf-prereq-apt-get-commands-host/1. 
+ In very few cases the element with the ID is included in the book, one + example is the target section which has an ID, but which contains + multiple subsections, one per target. + All IDs in a book must be unique. + +DocBook XML: All XML files must be correct DocBook XML files. + +Do NOT edit/save the real *updated.xml file with XMLmind to avoid changes + not done by ELTF. But it is OK to open the real file in XMLmind to + check that the format is correct. + +ELTF should autocreate a temporary "real" file but only replace + and push the eltf_params_updated.xml if it is changed. + + +make eltf + This lists all ELTF_xxx variables and some rules how to treat them + +DocBook Format: All elements - rules: + Several strict generic XML rules apply for all strings: + 1. No TABs allowed or any other control chr than "linefeed" + 2. Only 7-bit ASCII + 3. Any < > & must be converted to < > and & + Similar for any other non-7-bit-ASCII but avoid those! + 4. No leading spaces or linefeeds when replacing the ELTF_* variable + 5. No trailing spaces or linefeeds when replacing the ELTF_* variable + 6. Note: Keep existing spaces before/efter ELTF_* in a few cases. + +DocBook Format: - rules: ELTF*PL* variables + Several strict rules apply for the multiline string in programlisting + in addition to the general XML rules above: + 7. Max line length < 80 char + 8. Use backslash (\) to break longer lines + 9. Use spaces (e.g. 4) to indent continuation lines in programlistings + 10. No trailing spaces on any line + 11. No spaces or linefeed immediately after leading + 12. No spaces or linefeed before trailing + +DocBook Format: - rules: ELTF_*URL* variables + 13. ELTF_*URL and corresponding ELTF_*TXTURL shall be identical strings + 14. Only if the URL is extremely long, the TXTURL can be a separate string + +Each target has one section with target parameters: +
+ MACHINE ELTF_T_MANIFEST_DIR - Information + ..... with many ELTF_ variables .... +
+ + 15. If there is only one target. ELTF just replaces ELTF parameters + + 16. It there are multiple targets. ELTF copies the section and appends the + section the required number of times. + Each section ID will become unique: eltf-target-table-ELTF_T_MANIFEST_DIR + Each section title will become unique + +Tables with target parameters in each target section: + 17. It is possible for ELTF to append more rows with one parameter each + to these tables, because the entire tables are included in the book + +Special - NOT YET READY DEFINED how to handle the optionally included + Eclipse and its version, but this is a first suggestion: + 18. Just now ELTF can define ELFT_ECLIPSE_VERSION as a full string + with both version number and name, + 19. MANUALLY if Eclipse is NOT included in the release, + the release manager should manually set condition="hidden" on + the entire section in the book XML about Eclipse + + + +BELOW WE TRY TO EXPLAIN EACH ELTF_* variable, but always check with make eltf +if there are more new variables, missing in this description file. + +_____________________________________________________________________________ +ELTF_PL_HOST_PREREQ Multiline list of host prerequisites, e.g. commands + like sudo apt-get install xxxx or similar. + First line = comment with the complete host name! + It is possible to include multiple hosts by just + adding an empty line, comment with host name, etc. + xi:include eltf-prereq-apt-get-commands-host/1 + This is a ... 
+ Example: +# Host Ubuntu 14.04.5 LTS 64bit +sudo apt-get update +sudo apt-get install sed wget subversion git-core coreutils unzip texi2html \ + texinfo libsdl1.2-dev docbook-utils fop gawk python-pysqlite2 diffstat \ + make gcc build-essential xsltproc g++ desktop-file-utils chrpath \ + libgl1-mesa-dev libglu1-mesa-dev autoconf automake groff libtool xterm \ + libxml-parser-perl + +_____________________________________________________________________________ +ELTF_PL_GET_REPO Multiline commands to download the repo tool + xi:include eltf-getting-repo-install-command/1 + This is a ... + Example: +mkdir -p ~/bin +curl https://storage.googleapis.com/git-repo-downloads/repo > ~/bin/repo +chmod a+x ~/bin/repo +export PATH=~/bin:$PATH + +_____________________________________________________________________________ +ELTF_EL_REL_VER General parameter string: The version of this Enea + Linux release. Major version and optional .Minor + Typically created from MAJOR and MINOR in enea.conf + MINOR in enea.conf is empty or contains a dot+minor + xi_include EneaLinux_REL_VER/1 + This is a X.x used in many places. + Examples: +6 + or +6.1 + +_____________________________________________________________________________ +ELTF_YOCTO_VER General parameter string: Yocto version, created + from DISTRO in poky.ent + xi:include Yocto_VER/1 + This is a X.x used in many places. + Example: +2.1 + +_____________________________________________________________________________ +ELTF_YOCTO_NAME General parameter string: Yocto name (branch), created + from DISTRO_NAME_NO_CAP in poky.ent + xi:include Yocto_NAME/1 + This is a X.x used in many places. + Example: +krogoth + +_____________________________________________________________________________ +ELTF_YOCTO_PROJ_DOWNLOAD_TXTURL General parameters. These two are IDENTICAL +ELTF_YOCTO_PROJ_DOWNLOAD_URL strings with correct Yocto version string + at the end, typically without "dot". + xi:include ULINK_YOCTO_PROJECT_DOWNLOAD/1 + This is an ... 
+ Example: +http://www.yoctoproject.org/downloads/core/krogoth/21 + +_____________________________________________________________________________ +ELTF_EL_DOWNLOAD_TXTURL General parameters. These two are IDENTICAL strings +ELTF_EL_DOWNLOAD_URL and shall be the http:/..... address where + Enea NFV Access can be downloaded + Often containing same version as in ELTF_EL_REL_VER + xi:include ULINK_ENEA_LINUX_URL/1 + This is an ... + Example: +http://linux.enea.com/6 + +_____________________________________________________________________________ +ELTF_PL_CLONE_W_REPO Multiline commands to run repo to clone everything. + Use the variable $MACHINE/default.xml (the text in + the book will list the avaiable values of MACHINE, + taken from the manifest repository) + xi:include eltf-repo-cloning-enea-linux/1 + This is a ... + Example: +mkdir enea-linux +cd enea-linux +repo init -u git://git.enea.com/linux/el_manifests-standard.git \ + -b refs/tags/EL6 -m $MACHINE/default.xml +repo sync + +_____________________________________________________________________________ +ELTF_ECLIPSE_VERSION Optional general parameter string. + NOT YET READY DEFINED + Just now a release manage must manually set + condition="hidden" on the Eclipse section, + if Eclipse is not included in the release. + ELTF just replaces ELTF_ECLIPSE_VERSION with a full + string with "X.Y (name)" + It includes the ID and can only be ONCE in the book. + xi:include eltf-eclipse-version-row + Example. +4.5 (Mars) + + +_____________________________________________________________________________ +ELTF_T_* All these are in each target (MACHINE) and ELTF + must separately replace them with strings for + each target + NOTE: All (except the MANIFEST_DIR) are in rows + in a table and ELTF can select to append + more parameters by adding more rows + +_____________________________________________________________________________ +ELTF_T_MANIFEST_DIR This happens to be in two places. 
Must be exactly +ELTF_T_MANIFEST_DIR the directory name in the manifest, e.g. same + as the MACHINE names in $MACHINE/default.xml. + In book: a) Part of section ID + b) Part of section title + Examples: +p2041rgb + or +ls1021aiot + or +qemuarm + +_____________________________________________________________________________ +ELTF_T_NAME Target specific: "Target Official Name" + NOT same as the target directory name in most cases. + In book: An element in a row + Examples: +P2041RGB + or +LS1021a-IoT + or +qemuarm + +_____________________________________________________________________________ +ELTF_T_ARC_DESC Target specific: "Architecture and Description" + It can be a short identification string or + it can be a longer descriptive sentence. + In book: An element in a row + Examples: +Power, e500mc + or +ARM Cortex-A7 + +_____________________________________________________________________________ +ELTF_T_DS_TXTURL Target specific: "Link to target datasheet. These +ELTF_T_DS_URL two usually are IDENTICAL strings with correct + hyperlink to the target's official datasheet. + In book: an ... + Only if the link is VERY LONG, the text part shall + instead be a descriptive string (see 2:nd example). + NOTE: Also here no spaces or line-feeds! + Examples: +url="http://wiki.qemu.org">http://wiki.qemu.org +or +url="http://www.nxp.com/products/microcontrollers-and-processors/arm-processors/qoriq-arm-processors/qoriq-ls1021a-iot-gateway-reference-design:LS1021A-IoT">link to NXP's datasheet + +_____________________________________________________________________________ +ELTF_T_POKY_VER Target specific: "Poky version" created either + from POKYVERSION in poky.ent + or using a hashvalue with a leading string, in + which case it may be different per target. 
+ In book: An in a row + Examples: +15.0.0 +or +Git commit id: 75ca53211488a3e268037a44ee2a7ac5c7181bd2 + +_____________________________________________________________________________ +ELTF_T_GCC_VER Target specific: "GCC Version". Should be in poky + but not easy to find among various parameters. + ELTF would extract it from build logs building SDK + and it is possibly different per target. + In book: An in a row + Example: +5.3 + +_____________________________________________________________________________ +ELTF_T_KERN_VER Target specific: "Linux Kernel Version". Often + different per target. + In book: An in a row + Example: +3.12 + +_____________________________________________________________________________ +ELTF_T_DRIVERS Target specific: "Supported Drivers". This is a + comma-separated list of driver names. + ELTF should create the list in same order for each + target, e.g. alphabetic migth be OK. + In book: An in a row + Example: +Ethernet, I2C, SPI, PCI, USB, SD/SDHC/SDXC + + +_____________________________________________________________________________ +ELTF_T_EL_RPM_TXTURL Target specific: "Enea rpm folder for downloading +ELTF_T_EL_RPM_URL RPM packages for this target". These two are + INDENTICAL strings with hyperlink to the web site + at Enea where the customer can download RPMs + Note: Often the ELFT_EL_REL_VER value and + the ELTF_T_MANIFEST_DIR are used in the link. + In book: an ... + Example: +url="https://linux.enea.com/6/ls1021aiot/rpm">https://linux.enea.com/6/ls1021aiot/rpm + +_____________________________________________________________________________ diff --git a/doc/book-enea-nfv-access-dev-hardening-guide/doc/hardening_checklist.xml b/doc/book-enea-nfv-access-dev-hardening-guide/doc/hardening_checklist.xml new file mode 100644 index 0000000..2e008e3 --- /dev/null +++ b/doc/book-enea-nfv-access-dev-hardening-guide/doc/hardening_checklist.xml @@ -0,0 +1,952 @@ + + + + Hardening Enea NFV Access + +
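Review bot: The ELTF_PL_CLONE_W_REPO example uses the unauthenticated `git://` transport (`repo init -u git://git.enea.com/linux/el_manifests-standard.git \`), whereas the generated eltf_params_updated.xml uses `git@git.enea.com:`; the git:// protocol provides neither server authentication nor transport integrity, so a manifest fetched that way can be altered in transit without detection. Since the howto's examples are what ELTF maintainers copy into the real parameter file, the example should show the authenticated form, e.g. `repo init -u git@git.enea.com:linux/manifests/el_manifests-virtualization.git \` or an https:// URL, and rule 13's neighbourhood could add a line such as `Manifest and repo URLs must use ssh or https, never git://`. The example also names a different manifest repository (el_manifests-standard) than the one used in eltf_params_updated.xml (el_manifests-virtualization); the two should agree or the difference should be explained.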
+ Broken Algorithms + + Make sure that algorithms that are broken in regards to security are + not used. + + Ask Sona/Casc if the algorithms listed below are the broken ones + to check for or if they're the ones that are broken to begin with and if + seen should be eliminated from use. + + + + DES + + + + 3DES + + + + CAST + + + + BLOWFISH + + + + MD5 + + + + SHA-1 + + + + MODP512 + + + + MODP768 + + + + MODP1024 + + +
+ +
+ System Installation + + Enea NFV Access Images should be check summed with SHA512 and/or a + signed GPG key. See https://www.openssl.org/source/ + for more details on how to proceed. +
+ +
+ Security Updates + + Applying security patches is an important part of security hardening + and maintenance. Enea backports all known critical vulnerabilities within + a reasonable time frame if not immeditately, and makes them available to + users for updates/upgrades. + + Prepare the system for regular updates in the following + manner: + + + + Configure the target to get software updates from the Enea + source repository. + + + + Test to update or remove a package using apt-get command: + root@inteld1521:~#apt-get update/upgrade + + +
+ +
+ OpenEmbedded meta-security layer + + An OpenEmbedded meta-security layer provides many hardening tools. + These tools are open source packages suited for embedded devices. Below is + a list of several packages included in meta-security layer: + + + + Bastille + + + + Redhat-security + + + + Buck-security + + + + Libseccomp + + + + Pax-utils + + + + Nmap + + + + ISIC + + + + Tripwire + + + + checksecurity + + + + TOMOYO, which contains a number of very useful libraries for + system analysis. Ask Sona if this is the intended meaning of + what she wrote here originally: TOMOYO and a number of libraries which + is very useful system analysis tool + + + + For more information about tools supported in the meta-security + layer please refer to Introduction to the Tools in + meta-security layer. + + change the bold text to point to the section/chapter in question + through an xref +
+ +
+ Kernel Hardening + + For a secure set of build CONFIGs and runtime settings see the + Kernel + Self Protection Project. Essentially, there are three ways to pass + options to the kernel: + + + + When building the kernel (via + menuconfig) + + + + When starting the kernel (usually, when invoked from a boot + loader). + + + + At runtime (through the files in /proc and + /sys). See sysctl for + details. + + + + Parameters either have the format parameter or + parameter=value. Kernel parameters can be configured + via /etc/sysctl.conf at run time or via + menuconfig at build time. + + + + How to enable/disable kernel parameters via menuconfig: + + + + bitbake virtual/kernel –c menuconfig + + + + Enable the configuration you want, save the .config file in + the build directory, and run bitbake. + + + + For more info see http://www.tldp.org/HOWTO/SCSI-2.4-HOWTO/kconfig.html. + + + + Permanently add a Kernel Boot Parameter from boot loader: + + sudo gedit /etc/default/grub + + Enter your password when prompted by sudo. If the file + /etc/default/grub appears to be empty or does not + exist, see the instructions for earlier releases above. + + + + Using etc/sysctl.conf: + + We can view the value of a particular Linux kernel parameter + using sysctl, followed by the name of the parameter: + + root@inteld1521:~# sysctl dev.cdrom.autoclose +dev.cdrom.autoclose = 1 + + Or read the associated file: + + root@inteld1521:~# cat /proc/sys/dev/cdrom/autoclose +1 +root@inteld1521:~# cat /proc/sys/dev/cdrom/ + + It is good to store the output of the kernel settings for + comparison or reference by redirecting the output of the sysctl + command to a file, for example: + + sysctl -A > /root/sysctl.settings.store + + + + The following kernel configurations can be used to secure the Linux + system against attacks. 
+ + # Turn on execshield +kernel.exec-shield=1 +kernel.randomize_va_space=1 + +# Enable IP spoofing protection +net.ipv4.conf.all.rp_filter=1 + +# Disable IP source routing +net.ipv4.conf.all.accept_source_route=0 + +# Ignore broadcasts request +net.ipv4.icmp_echo_ignore_broadcasts=1 +net.ipv4.icmp_ignore_bogus_error_messages=1 + +# Make sure spoofed packets get logged +net.ipv4.conf.all.log_martians = 1 + +
+ Security Options + + + + SECURITY + + + + (on/off) Enable different security models + + + + Depends on SYSFS + + + + This option allows you to choose different security modules to + configure into your kernel. If this option is not selected, the + default Linux security model will be used. + + + + SECURITY_NETWORK + + + + (on/off) Socket and Networking Security Hooks + + + + Depends on SECURITY + + + + This enables the socket and networking security hooks. If + enabled, a security module can use these hooks to implement socket + and networking access controls. If you are unsure how to answer this + question, answer N. + + + + SECURITY_CAPABILITIES + + + + Kernel Version(s): 2.6.15.6 + + + + (on/off/module) Default Linux Capabilities + + + + Depends on SECURITY + + + + This enables the "default" Linux capabilities + functionality. + + + + SECURITY_ROOTPLUG + + + + Kernel Version(s): 2.6.15.6 + + + + (on/off/module) Root Plug Support + + + + depends on USB && SECURITY + + + + This is a sample LSM module that should only be used as such. + It prevents any programs running with egid == 0 + if a specific USB device is not present in the system. + + + + SECURITY_SECLVL + + + + Kernel Version(s): 2.6.15.6 + + + + (on/off/module) BSD Secure Levels + + + + Depends on SECURITY + + + + select CRYPTO + + + + select CRYPTO_SHA1 + + + + Implements BSD Secure Levels as an LSM. See file + Documentation/seclvl.txt for instructions on how + to use this module. + + +
+ +
+ Stack Protector (-fstack-protector GCC feature) + + CONFIG_CC_STACKPROTECTOR +CONFIG_CC_STACKPROTECTOR_REGULAR +CONFIG_CC_STACKPROTECTOR_STRONGThis option turns on the + -fstack-protector GCC feature. This feature inserts a + canary value on the stack just before the return address, and validates + the value just before returning. Stack based buffer overflows (that need + to overwrite this return address) will now also overwrite the canary, + which gets detected and the attack is then neutralized via a kernel + panic. This feature requires gcc version 4.2 or above. + + + + prompt: Enable -fstack-protector buffer overflow detection + (EXPERIMENTAL) + + + + type: bool + + + + depends on: (none) + + + + defined in arch/arm/Kconfig + + + + found in Linux kernels: 2.6.36–2.6.39, + 3.0–3.13 + + + + Currently these configurations are not set in the Intel kernel in + Enea NFV Access:tmp/deploy/images/inteld1521/config-inteld1521.config + +CONFIG_CC_STACKPROTECTOR is not set +CONFIG_CC_STACKPROTECTOR_REGULAR is not set +CONFIG_CC_STACKPROTECTOR_STRONG is not set +
+ +
+ CONFIG_FREELIST_RANDOM + + An optional config to randomize the SLAB freelist (heap freelist). + SLAB is a memory management mechanism intended for the efficient memory + allocation of kernel objects. SLAB displays the desirable property of + eliminating fragmentation caused by allocations and + deallocations. + + This security feature reduces the predictability of the kernel + slab allocator against heap overflows. +
+ +
+ CONFIG_PAGE_POISONING + + This feature fills the pages with poison patterns after + free_pages() and verifies the patterns before + alloc_pages(). This results in a large slowdown, but + helps to find certain types of memory corruption. + + This option cannot be enabled in combination with hibernation as + that would result in incorrect warnings of memory corruption after a + resume, since free pages are not saved to the suspend image. Poison + pages after freeing are found in + mm/Kconfig.debug. + + The configuration item CONFIG_PAGE_POISONING: + + + + prompt: Poison pages after freeing + + + + type: bool + + + + depends on: (none) + + + + defined in mm/Kconfig.debug + + + + found in Linux kernels: 4.6–4.12, 4.13-rc+HEAD + + +
+ +
+ CONFIG_HARDENED_USERCOPY + + CONFIG_HARDENED_USERCOPY +CONFIG_HARDENED_USERCOPY_PAGESPANThis configuration checks + that objects being copied to/from user space meet certain + criteria. +
+ +
+ CONFIG_CC_STACKPROTECTOR_STRONG + + CONFIG_CC_STACKPROTECTOR_STRONG=y, is a more + powerful stack canary checking method supported by GCC versions 4.9 and + later. On an x86 "defconfig" build, this feature adds canary checks to + about 20% of all kernel functions, which increases the kernel code size + by about 2%. + + More info about this feature can be found at https://lwn.net/Articles/584278/. +
+ +
+ CONFIG_RANDOMIZE_BASE + + CONFIG_RANDOMIZE_BASE with physical memory + randomization, extends kernel image physical address randomization to + addresses larger than 4GB, among other improvements. +
+ +
+ CONFIG_RANDOMIZE_MEMORY + + CONFIG_RANDOMIZE_MEMORY randomizes the virtual + addresses of memory sections, including physical memory mappings: + vmalloc, and vemmap. As with other + memory randomization routines, by randomizing the virtual address space + of kernel memory sections, the goal is to mitigate predictable memory + locations. +
+
+ +
+ OS Hardening + + The sections below detail various ways in which a developer can + effectively secure their operating system(s). + +
+ Remove root account + + Create a default user with su access and then + use sudo to delegate administrative access. +
+ +
+ Rsyslog, Syslog, Syslogng Service + + Rsyslog is the default logging program on several Linux + distributions. Apart from implementing the syslog protocol, rsyslog adds + additional features such as content-based filtering and also uses TCP + for transporting, providing many configuration options. Further reading + is available at https://linux-audit.com/central-audit-logging-configuration-collecting-linux-audit-events/. +
+ +
+ Removing unnecessary Packages + + Enea provides a minimum set of packages in release images. All + extra packages should be available in the Enea source repository so + users can get when needed. + + Ask Sona/Casc for details on what should be definitively written + in this section +
+ +
+ Disk Isolation and Protection + + Critical systems should be separated into different partitions. An + example to start from would be: + + / +/boot +/usr +/home +/tmp +/var + + Create a separate volume with the nodev, + nosuid, and noexec options set for + /tmp. /tmp is intended to be + globally writable, creating a separate partition for it can prevent + resource exhaustion. + + Setting nodev prevents users from creating or + using block or special character devices. Setting + noexec prevents users from running binary executables + from /tmp. Setting nosuid prevents users from + creating set userid files in /tmp. +
+ +
+ Disable unwanted SUID and SGID Binaries + + There are 3 special permissions available for executable files and + directories: + + + + SUID permission + + + + SGID permission + + + + Sticky bit + + + +
+ SUID/SGID + + To better understand, check the permissions of the + /usr/bin/passwd command: # ls -lrt /usr/bin/passwd +-r-sr-sr-x 1 root sys 31396 Jan 20 2014 /usr/bin/passwdThere + are 2 S’s in the permission field, the first ”s” + stands for the SUID and the second for SGID. When a command or script + set with SUID bit is run, its effective UID becomes that of the owner + of the file, rather than of the user who is running it. + + If there are files with all SUID/SGID bits enabled, said files + can be misused if the SUID/SGID executable has a security problem or + bug. All local or remote users can access/use the file, which may + prove dangerous. It's a good idea to find all such files and this can + be done using the find command: + + #See all set user id files: + find / -perm +4000 + +# See all group id files + find / -perm +2000 + +# Or combine both in a single command + find / \( -perm -4000 -o -perm -2000 \) -print + find / -path -prune -o -type f -perm +6000 -lsYou + need to investigate each reported file. See reported file(s) man page + for further details. +
+ +
+ Sticky Bit + + The Sticky Bit is primarily used on shared directories. It's + useful for shared directories such as /var/tmp and + /tmp because users can create files, read and + execute files owned by other users, but are not allowed to remove + files owned by other users. + + For example, if user Bob creates a file named /tmp/bob, user Tom + cannot delete this file even when the /tmp directory has permission + 777. If Sticky Bit is not set, then Tom can delete /tmp/bob, since the + file inherits the parent directory permissions. The root users and + file owners can remove their own files. + + Example:# ls -ld /var/tmp +drwxrwxrwt 2 sys sys 512 Jan 26 11:02 /var/tmpT refers + to when the execute permissions are off and t refers to when they are + on. +
+
+ +
+ Secure boot directory + + The boot directory contains important files related to the Linux + kernel, make sure that this directory is locked down with read-only + permissions. You can set the owner and group of + /etc/grub.conf to the root user like so: + + #chown root:root /etc/fstab +#chown root:root /etc/grub.conf + +EX: ls -ld /boot/* <<<< root only + +lrwxrwxrwx 1 root root 32 Aug 7 13:07 /boot/bzImage -> / +bzImage-4.9.30-intel-pk-standard +-rw-r--r-- 1 root root 7860816 Jun 8 10:55 /boot/bzImage-4.9.20-yocto-standard +-rw-r--r-- 1 root root 4624464 Aug 7 12:48 /boot/bzImage-4.9.30-intel-pk-standard +
+
+ +
+ Network Security & Remote Access + + The networking stack includes IPsec, which provides confidentiality, + authenticity, and integrity protection of IP networking. It can be used to + implement VPNs, and also point to point security. + +
+ Encrypt Data Communication + + All data transmitted over a network is open to monitoring. Encrypt + transmitted data whenever possible with passwords or by using + keys/certificates. + + Below are several methods and tools that facilitate + encryption: + + + + Use scp, ssh, + rsync, or sftp for file + transfers. You can also mount a remote server file system or your + own home directory using special sshfs and fuse + tools. + + + + GnuPG allows you to encrypt and sign your data and + communication, features a versatile key management system as well as + access modules for all kind of public key directories. + + + + OpenVPN is a cost-effective, lightweight SSL VPN. + + Another option to try out is tinc, which + uses tunneling and encryption to create a secure private network + between hosts, on the Internet or on a private insecure LAN. + + + + Lighttpd SSL (Secure Server Layer) HTTPS Configuration and + Installation. + + + + Apache SSL (Secure Server Layer) HTTPS (mod_ssl) Configuration + and Installation. + + + + Configure Nginx with free Let’s Encrypt SSL certificate + on Debian or Ubuntu Linux. + + +
+ +
+ SSH service + + SSH is secure by default but its services need to be hardened as + well. Open /etc/ssh/sshd_config and change the + default configuration: + + + + Change the default port number 22 to something else, e.g. + 99.root@inteld1521:~# xxxxx + + + + Disable ssh login for rootssh root@172.24.12.73 +root@inteld1521:~# + + + + Make sure following configuration is set for the SSH + server: + + + + Protocol version is set to 2 + + + + LogLevel is set to INFO + + + + PermitEmptyPasswords + + + + IgnoreRhosts to yes + + + + HostbasedAuthentication no + + + + PermitEmptyPasswords no + + + + X11Forwarding no + + + + MaxAuthTries 5 + + + + Ciphers aes128-ctr,aes192-ctr,aes256-ctr + + + + ClientAliveInterval 900 + + + + ClientAliveCountMax 0 + + + + UsePAM yes + + + + These settings use the default set on most platforms, setting + them to other values impacts the security of the SSH server. + + + + The SSH connection to a server can be controlled by using the + following files: /etc/hosts.allow and + /etc/hosts.deny. Set the + permissions on the sshd_config file so that only + root users can change its contents like so: #chown root:root /etc/ssh/sshd_config +#chmod 600 /etc/ssh/sshd_config +
+ +
+ Check for open ports + + Identifying open connections to the internet is a critical + mission. In Kali Linux, the following command can be used to spot any + hidden open ports: + + root@172:~# netstat -ral -tuwx -en + +Kernel IP routing table +Destination Gateway Genmask Flags Metric Ref Use Iface +0.0.0.0 172.24.15.254 0.0.0.0 UG 0 0 0 eth1 +172.24.12.0 0.0.0.0 255.255.252.0 U 0 0 0 eth1 +
+ +
+ Legacy services and Unencrypted Authentication + + Disable legacy services that rely on unencrypted authentication + such as: telnet­server, rsh, rlogin, rcp, + ypserv, ypbind, tftp, tftp­server, talk and talk­server. + + Use instead OpenSSH + , SFTP or FTPS (FTP over SSL), + which adds SSL or TLS encryption to FTP. +
+ +
+ Disable unnecessary Services + + Disabling unused services will reduce the attack surface. Examples + of such services include: FTP, DNS, LDAP, SMB, + DHCP, NFS, SNMP, etc. +
+ +
+ Firewall + + Firewalls are an important tool and act as a barrier between a + trusted and an untrusted network. Iptables is a firewall (user space application) + which allows users to configure the Netfilter provided by the Linux kernel. Netfilter + hooks packets which pass into, through and from the system. Kernel-level + modules may hook into this framework to examine packets and make + security decisions about them. + + Iptables contains five + tables: + + + + Raw is used only for + configuring packets to be exempt from connection tracking. + + + + Filter is the default table, + where all the actions typically associated with a firewall take + place. + + + + NAT is used for network + address translation (e.g. port forwarding). + + + + Mangle is used for + specialized packet alterations. + + + + Security is used for + Mandatory Access Control networking rules (e.g. SELinux). + + + + Filter and NAT are the most common use cases. The other tables are + aimed at complex configurations involving multiple routers and routing + decisions, and are beyond the scope of these introductory + remarks. + + Here are some important features to consider for securing a host + network (these kernel parameters are set in + /etc/sysctl.conf): + + Disable: + + + + IP forwarding + + + + send packet redirects + + + + source routed packet acceptance + + + + ICMP redirect acceptance + + + + Enable: + + + + Ignore Broadcast Requests + + + + Bad Error Message Protection + + + + TCP/SYN cookies + + + + iptables is a systemd service. However, the service won't start + unless it finds a /etc/iptables/iptables.rules + file. To start the service for the first time edit: + + # vi /etc/iptables/iptables.rulesor# cp /etc/iptables/empty.rules /etc/iptables/iptables.rules <<< no empty.rules +root@inteld1521:~# ls /usr/sbin/iptables +iptables iptables-restore iptables-save + + Then start the iptables.service unit. 
As with + other services, if you want iptables to be loaded automatically on boot, + you must enable it. + + Iptables rules for IPv6 are, by default, stored in + /etc/iptables/ip6tables.rules, which is read by + ip6tables.service. You can start it the same way as + shown above. After adding rules via command-line as shown below, save + the configuration file manually: # iptables-save > /etc/iptables/iptables.rules +
+
+
\ No newline at end of file
diff --git a/doc/book-enea-nfv-access-dev-hardening-guide/doc/introduction.xml b/doc/book-enea-nfv-access-dev-hardening-guide/doc/introduction.xml
new file mode 100644
index 0000000..bbf203f
--- /dev/null
+++ b/doc/book-enea-nfv-access-dev-hardening-guide/doc/introduction.xml
@@ -0,0 +1,127 @@
+
+
+
+ Overview
+
+ This document describes the activities needed for securing/hardening
+ Enea NFV Access platform by ESRT/ developers in order to fulfill the
+ security requirements specified in CPDX-2632 (see
+ the Security section under Pre-Study).
+
+ Introduction + + This document contains a checklist to use when hardening Enea NFV + Access. Please read Enea NFV Access User's Hardening + Guide for further information about the hardening features + available. + +
+ Revision History + + + + + + + + Revision + + Author + + Date + + Purpose for Revision + + + + + + 4 + + Sona Sarmadi + + 2017-09-07 + + Added Appendix, sec 4. + + + + 3 + + Sona Sarmadi + + 2017-09-05 + + Added introduction to the tools in the Open Embedded + meta-security layer Fixed 1.1 Revision History. + + + + 2 + + Sona Sarmadi + + 2017-08-30 + + Made this document as a guideline for Enea NFV Access + developers. Moved section 2 and 3 to a new document (a guideline + only for users). + + + + 1 + + Sona Sarmadi + + 2017-08-20 + + Initial Revision + + + +
+
+ +
+ References + + + + SANS + linux-kernel-hardening-1294 + + + + lwn.net/Articles/705262/ + + + + Hardening + Guide for Users of Enea NFV AccessNot sure if this + should remain an ulink to eneadoc or be changed to an olink to the + guide in question. + + +
+ +
+ Definitions and Acronyms + + Definitions + + [FIXME] + + Acronyms + + [FIXME] +
+
+
\ No newline at end of file
diff --git a/doc/book-enea-nfv-access-dev-hardening-guide/doc/metasecure_tools.xml b/doc/book-enea-nfv-access-dev-hardening-guide/doc/metasecure_tools.xml
new file mode 100644
index 0000000..63c1225
--- /dev/null
+++ b/doc/book-enea-nfv-access-dev-hardening-guide/doc/metasecure_tools.xml
@@ -0,0 +1,465 @@
+
+
+ Introduction to Meta-Security Layer Tools
+
+
+ Summary of tools supported in the Meta-Security layer + + + + + + Afflib + + On-disk format for storing computer forensic + information + + + + Aircrack-ng + + A set of tools for auditing wireless networks + + + + AppArmor + + A MAC control system + + + + Bastille + + Linux hardening tool + + + + Buck-security + + Linux security scanner + + + + TOMOYO + + A Mandatory Access Control (MAC) implementation for + Linux + + + + checksec + + Program randominization + + + + checksecurity + + Basic system security checks + + + + ClamAV + + Anti-virus utility for command-line interface + + + + ecryptfs-utils + + The eCryptfs mount helper and support libraries + + + + freediameter + + Platform for deploying a Diameter network for + Authentication, Authorization and Accounting. + + + + ISIC + + IP Stack Integrity Checker + + + + keynote + + Linux Key Management Utilities + + + + keyutils + + Linux Key Management Utilities + + + + libdhash + + Library of hashing algorithms + + + + libgssglue + + Exports a gssapi interface which calls other gssapi + libraries + + + + libmhash + + Library of hashing algorithms + + + + Libmspack + + A library for Microsoft compression formats + + + + Libseccomp + + The libseccomp library provides an easy to use, platform + independent, interface to the Linux Kernel's syscall filtering + mechanism: seccomp. + + + + Nikto + + Web server scanner + + + + Nmap + + Network auditing tool + + + + Paxctl + + A tool that allows PaX flags to be modified on a per-binary + basis + + + + redhat-security + + redhat security tools + + + + samhain + + Samhain is an integrity checker and host intrusion + detection system that can be used on single hosts as well as large + ones. 
+ + + + Scapy + + Network scanning and manipulation tool + + + + Smack + + A simplified Mandatory Access Control + + + + sssd + + Selection of tools for developers working with + Smack + + + + Suricata + + The Suricata Engine is an Open Source Next Generation + Intrusion Detection and Prevention Engine + + + + Tripwire + + A system integrity assessment tool (IDS) + + + + xmlsec1 + + XML Security Library is a C library based on + LibXML2 + + + + +
+ +
+ How to configure, build and run the tools + + In order to use this layer, you need to make the build system aware + of it. To do so, first clone the layer located at the address: + http://git.enea.com/cgit/linux/meta-security.git, then add the following + lines to the files below. + + + + In bblayers.conf: + + BBLAYERS ?= " \ +/path/to/oe-core/meta \ +/path/to/meta-openembedded/meta-oe \ +/path/to/meta-openembedded/meta-perl \ +/path/to/meta-openembedded/meta-gnome \ +/path/to/meta-openembedded/meta-xfce \ +/path/to/meta-openembedded/meta-python \ +/path/to/meta-openembedded/meta-networking \ +/path/to/layer/meta-security \ + + + + In local.conf: + + IMAGE_INSTALL_append = "aircrack-ng buck-security checksecurity freediameter / +keynote libgssglue libseccomp samhain-client samhain-server samhain-standalone / +sssd xmlsec1 clamav keyutils libmhash nikto paxctl scapy suricata bastille / +checksec ecryptfs-utils isic libmspack nmap redhat-security smack tripwire" + + + + poky/build $ bitbake enea-hardend-image-virtualization-host + + Need clarification here on a possible intro or specified + action/file as noted above. + + + +
+ AppArmor + + AppArmor, like most other LSMs, supplements rather than replaces + the default Discretionary Access Control (DAC). As such, it's impossible + to grant a process more privileges than it had in the first place. When + AppArmor is active for an application, the operating system allows the + application to access only those files and folders that are mentioned in + its security profile. Thus, with a well-planned security profile, even + if the application is compromised during an attack, it won't be able to + do much harm. + + Before compiling the kernel, set the following + options:CONFIG_SECURITY_APPARMOR=y +CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1 +CONFIG_DEFAULT_SECURITY_APPARMOR=y +CONFIG_AUDIT=yAlternatively, instead of setting + CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE and + CONFIG_DEFAULT_SECURITY_APPARMOR, you can set the + kernel boot + parameters in this manner: apparmor=1 + security=apparmor. For those new or altered variables to not + get overridden, place them at the bottom of the config file or adjust + the previous invocations accordingly. + + For further information see https://www.digitalocean.com/community/tutorials/how-to-create-an-apparmor-profile-for-nginx-on-ubuntu-14-04. + + To put the profile in enforce mode, use the + aa-enforce: + + sudo apparmor_status +sudo aa-enforce nginxIt is recommended that you reload all + profiles and restart Nginx to be sure that the latest changes are in + effect: sudo /etc/init.d/apparmor reload +sudo service nginx restartEnable complain mode with the + aa-complain command. It is recommended that you wait + several days before running the aa-logprof command, + to give the system time to log more common actions for the application + if you are going to create a profile that will be used in production + systems. +
+ +
+ ISIC - IP Stack Integrity Checker + + ISIC is a suite of utilities + meant to exercise the stability of an IP Stack and its component stacks + (TCP, UDP, ICMP et. al.). It generates many pseudo-random packets of the + target protocol, which are given tendancies to conform to. For example: + 50% of the packets generated can have IP Options, and 25% of the packets + can be IP fragments, the percentages are arbitrary however, and most of + the packet fields have a configurable tendancy. root@qemux86:~# esic -i eth0 -s 52:54:00:12:34:0A -p rand -m 5000what + does this programlisting detail exactly, is it an example or something + more directly concrete? +
+ +
+ Nikto Web Vulnerability Scanner + + Nikto is a web vulnerability scanner, a security testing tool that + scans web servers for vulnerabilities and other known issues. +
+ +
+ Nmap Network Exploration Tool + + Nmap (Network Mapper), is an open source security scanner for + network exploration and security auditing. It is used to discover hosts + and services on a network, essentially creating a "map" of the network. + Nmap sends specially crafted packets to the target host(s), then + analyzes the responses. + + Nmap uses raw IP packets in novel ways to determine what hosts are + available on the network, what services (application name and version) + those hosts are offering, what operating systems (and OS versions) they + are running, what type of packet filters/firewalls are in use, and + dozens of other characteristics. While Nmap is commonly used for + security audits, many systems and network administrators find it useful + for routine tasks such as network inventory, managing service upgrade + schedules, and monitoring host or service uptime. See a few examples of + options to use below: + + nmap -v -A scanme.nmap.org +nmap -v -sn 192.168.0.0/16 10.0.0.0/8 +nmap -v -iR 10000 -Pn -p 80For more info see https://layers.openembedded.org/layerindex/branch/master/layer/meta-security/. +
+ +
+ Paxctl + + A tool that allows PaX flags to be modified on a per-binary basis. + PaX provides various types of protection against abuses of memory, some + of which can only be enabled or disabled by (re)configuring the kernel + and recompiling/rebooting it. + + Several important types (PAGEEXEC, EMUTRAMP, MPROTECT, RANDMMAP + and SEGMEXEC) can be tweaked when the system is up and running by + marking the PaX flags on the ELF objects of the program you want to run. + Since some programs need to use memory in a way normally forbidden by + PaX, some restrictions may have to be relaxed on a per program basis. + For more informations see: https://wiki.gentoo.org/wiki/Hardened/PaX_flag_migration_from_PT_PAX_to_XATTR_PAX. + + Example:root #paxctl-ng -v /bin/* +
+ +
+ Samhin + + Samhain is a host-based intrusion detection + system (HIDS) which provides integrity checking and log file + monitoring/analysis, as well as 4.1detection, port monitoring, detection + of rogue SUID executables, and hidden processes. It's main features + include: + + + + Complete integrity check + + Uses cryptographic checksums of files to detect modifications. + It can find rogue SUID executables anywhere on disk. + + + + Centralized monitoring + + Native support for logging to a central server via encrypted + and authenticated connections. + + + + Tamper resistance + + Database and configuration files can be signed log file + entries. E-mail reports are signed support for stealth + operations. + + +
+ +
+ Smack + + A simplified Mandatory Access Control. +
+ +
+ Suricata + + The Suricata Engine is an Open Source Next Generation Intrusion Detection and Prevention Engine. +
+ +
+ TOMOYO + + TOMOYO is + an alternative (pathname-based) Mandatory Access Control (MAC) + implementation for Linux that can be used to increase the security of a + system, while also being useful purely as a system analysis tool. The + main features of TOMOYO Linux include: + + + + System analysis + + + + Increased security through Mandatory Access Control + + + + Tools to aid in policy generation + + + + Simple syntax + + + + Easy to use + + + + Very few dependencies + + + + Requires no modification of existing binaries + + + + To start via command line add:"security=tomoyo TOMOYO_trigger=/usr/lib/systemd/systemd"To + initialize:/usr/lib/ccs/init_policy +DISTRO_FEATURES_append = " tomoyo" +
+ +
+ Tripwire + + Tripwire is an intrusion detection system (IDS), which constantly + and automatically, keeps your critical system files and reports under + control if they have been destroyed or modified by a hacker (or by + mistake). It allows the system administrator to know immediately what + was compromised and fix it. For more information see: http://www.linuxjournal.com/article/8758. +
+ +
+ xmlsec1 + + XML Security Library is a C library based on LibXML2. +
+
+
\ No newline at end of file
diff --git a/doc/book-enea-nfv-access-dev-hardening-guide/swcomp.mk b/doc/book-enea-nfv-access-dev-hardening-guide/swcomp.mk
new file mode 100644
index 0000000..6f0889c
--- /dev/null
+++ b/doc/book-enea-nfv-access-dev-hardening-guide/swcomp.mk
@@ -0,0 +1,10 @@
+# Component build specification
+
+# Version of THIS book
+BOOK_VER ?= $(REL_VER)-dev
+
+DOCBOOK_SRC := $(COMP)/swcomp.mk $(COMP)/doc/book.xml $(shell find $(COMP)/doc -type f \( -name "*.xml" -o -name "*.svg" -o -name "*.png" \) ! -name "book.xml" -print)
+
+BOOKPACKAGES := book-enea-nfv-access-dev-hardening-guide
+BOOKDESC_$(BOOKPACKAGES) := "Enea NFV Access $(PROD_VER) Developer's Hardening Guide"
+BOOKDEFAULTCONDITION := $(DEFAULTCONDITIONS)
diff --git a/doc/book-enea-nfv-access-user-hardening-guide/doc/book.xml b/doc/book-enea-nfv-access-user-hardening-guide/doc/book.xml
new file mode 100644
index 0000000..fe6b11f
--- /dev/null
+++ b/doc/book-enea-nfv-access-user-hardening-guide/doc/book.xml
@@ -0,0 +1,18 @@
+
+
+]>
+
+ <trademark class="registered">Enea</trademark> NFV Access User's Hardening Guide
+
+ Release Version
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/doc/book-enea-nfv-access-user-hardening-guide/doc/eltf_params_template.xml b/doc/book-enea-nfv-access-user-hardening-guide/doc/eltf_params_template.xml
new file mode 100644
index 0000000..eaa7ebd
--- /dev/null
+++ b/doc/book-enea-nfv-access-user-hardening-guide/doc/eltf_params_template.xml
@@ -0,0 +1,151 @@
+
+
+
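Review bot: The `DOCBOOK_SRC` line runs `find` on `$(COMP)/doc` without checking that `COMP` is set; with an empty `COMP` the search goes to `/doc`, `find` only complains on stderr, and the variable silently degrades to `/swcomp.mk /doc/book.xml`, which fails later with a much less obvious error. A one-line guard ahead of the assignment makes the precondition explicit: `$(if $(strip $(COMP)),,$(error COMP must be set before including swcomp.mk))`. Note also that `BOOKDESC_…` and `BOOKDEFAULTCONDITION` use `:=`, so `$(PROD_VER)` and `$(DEFAULTCONDITIONS)` are expanded at the point this fragment is included, whereas `BOOK_VER ?=` binds `$(REL_VER)` lazily; presumably the including makefile defines all three first, but a short comment stating that ordering requirement would help whoever copies this file for the next book.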
+ File with Parameters in the Book Auto-updated by ELFT + + + See the eltf_params_updated_template_howto_use.txt text + file for description of how to create the final eltf_params_updated.xml from this template and for + all REQUIREMENTS. Use the command + "make eltf" to extract a full list of all + ELTF variables, which always begins with ELTF_ and don't only rely on the + howto text file list! The plan is that ELTF will auto-update this when + needed. + + +
+ Common Parameters + + A programlisting, ID + "eltf-prereq-apt-get-commands-host" + + ELTF_PL_HOST_PREREQ + + A programlisting, ID + "eltf-getting-repo-install-command" + + ELTF_PL_GET_REPO + + Several phrase elements, various IDs. Ensure EL_REL_VER is + correct also compared to the "previous" REL VER in pardoc-distro.xml + "prev_baseline". + + ELTF_EL_REL_VER + + ELTF_YOCTO_VER + + ELTF_YOCTO_NAME + + ELTF_YOCTO_PROJ_DOWNLOAD_TXTURL + + ELTF_EL_DOWNLOAD_TXTURL + + A programlisting, ID "eltf-repo-cloning-enea-linux". Use + $MACHINE/default.xml as parameter, where MACHINE is one of the target + directory names in the manifest. + + ELTF_PL_CLONE_W_REPO + + A table with ONE row, only the row with ID + "eltf-eclipse-version-row" is included in the book. MANUALLY BOTH in the + template.xml and in the updated.xml, set condition hidden on the + <row>, if eclipse is not in the release. + + + + + + Eclipse version ELTF_ECLIPSE_VERSION plus command line + development tools are included in this Enea NFV Access release. + + + + + + Below is one big section with title "Supported Targets with + Parameters". The entire section is included completely in the book via ID + "eltf-target-tables-section" and shall be LAST in the template. The + template contains ONE target subsection. COPY/APPEND it, if multiple + targets exist in the release and optionally add rows with additional + target parameters in each target subsection table. +
+ +
+ Supported Targets with Parameters + + The tables below describes the target(s) supported in this Enea + NFV Access release. + +
+ MACHINE ELTF_T_MANIFEST_DIR - Information + + + + + + + + + + Target official name + + ELTF_T_NAME + + + + Architecture and Description + + ELTF_T_ARC_DESC + + + + Link to target datasheet + + See ELTF_T_DS_TXTURL + + + + Poky version + + ELTF_T_POKY_VER + + + + GCC version + + ELTF_T_GCC_VER + + + + Linux Kernel Version + + ELTF_T_KERN_VER + + + + Supported Drivers + + ELTF_T_DRIVERS + + + + Enea rpm folder for downloading RPM packages for this + target + + ELTF_T_EL_RPM_TXTURL + + + + +
+ + +
+
\ No newline at end of file
diff --git a/doc/book-enea-nfv-access-user-hardening-guide/doc/eltf_params_updated.xml b/doc/book-enea-nfv-access-user-hardening-guide/doc/eltf_params_updated.xml
new file mode 100644
index 0000000..f6bd068
--- /dev/null
+++ b/doc/book-enea-nfv-access-user-hardening-guide/doc/eltf_params_updated.xml
@@ -0,0 +1,165 @@
+
+
+
+ File with Parameters in the Book Auto-updated by ELFT + + + See the eltf_params_updated_template_howto_use.txt text + file for description of how to create the final eltf_params_updated.xml from this template and for + all REQUIREMENTS. Use the command + "make eltf" to extract a full list of all + ELTF variables, which always begins with ELTF_ and don't only rely on the + howto text file list! The plan is that ELTF will auto-update this when + needed. + + +
+ Common Parameters + + A programlisting, ID + "eltf-prereq-apt-get-commands-host" + + # Host Ubuntu 14.04.5 LTS 64bit +sudo apt-get -y update +sudo apt-get -y install sed wget subversion git-core coreutils unzip texi2html \ + texinfo libsdl1.2-dev docbook-utils fop gawk python-pysqlite2 diffstat \ + make gcc build-essential xsltproc g++ desktop-file-utils chrpath \ + libgl1-mesa-dev libglu1-mesa-dev autoconf automake groff libtool xterm \ + libxml-parser-perl + + A programlisting, ID + "eltf-getting-repo-install-command" + + mkdir -p ~/bin +curl https://storage.googleapis.com/git-repo-downloads/repo > ~/bin/repo +chmod a+x ~/bin/repo +export PATH=~/bin:$PATH + + Several phrase elements, various IDs. Ensure EL_REL_VER is + correct also compared to the "previous" REL VER in pardoc-distro.xml + "prev_baseline". + + 1.0 + + 2.1 + + krogoth + + http://www.yoctoproject.org/downloads/core/krogoth/21 + + https://linux.enea.com/6 + + A programlisting, ID "eltf-repo-cloning-enea-linux". Use + $MACHINE/default.xml as parameter, where MACHINE is one of the target + directory names in the manifest. + + mkdir enea-linux +cd enea-linux +repo init -u git@git.enea.com:linux/manifests/el_manifests-virtualization.git \ + -b refs/tags/EL6 -m $MACHINE/default.xml +repo sync + + A table with ONE row, only the row with ID + "eltf-eclipse-version-row" is included in the book. MANUALLY in book, set + condition hidden if eclipse is not in the release. Do this both in + template.xml and updated.xml. + + + + + + Eclipse version 4.3 (Mars) plus command line development + tools are included in this Enea NFV Access release. + + + + + + Below is one big section with title "Supported Targets with + Parameters". The entire section is included completely in the book via ID + "eltf-target-tables-section" and shall be LAST in the template. The + template contains ONE target subsection. 
COPY/APPEND it, if multiple + targets exist in the release and optionally add rows with additional + target parameters in each target subsection table. +
+ +
+ Supported Reference Boards with Parameters + + The tables below describes the target(s) supported in this Enea NFV + Access release. + +
+ MACHINE p2041rdb - Information + + + + + + + + + + Target official name + + P2041RDB + + + + Architecture and Description + + Power, e500mc + + + + Link to target datasheet + + See link + to NXP's datasheet + + + + Poky version + + Git-commit-id: + 75ca53211488a3e268037a44ee2a7ac5c7181bd2 + + + + GCC version + + 5.3 + + + + Linux Kernel Version + + 3.12 + + + + Supported Drivers + + Ethernet, I2C, SPI, PCI Express, USB, Flash, + SD/SDHC/SDXC, RTC + + + + Enea rpm folder for downloading RPM packages for this + target + + https://linux.enea.com/6/p2041rgb/rpm + + + + +
+
+
\ No newline at end of file
diff --git a/doc/book-enea-nfv-access-user-hardening-guide/doc/eltf_params_updated_template_how_to_use.txt b/doc/book-enea-nfv-access-user-hardening-guide/doc/eltf_params_updated_template_how_to_use.txt
new file mode 100644
index 0000000..87a6445
--- /dev/null
+++ b/doc/book-enea-nfv-access-user-hardening-guide/doc/eltf_params_updated_template_how_to_use.txt
@@ -0,0 +1,320 @@ +eltf_params_template_updated_howto_use.txt + +This is a way to collect all parameters for an Enea NFV Access release +in one parameter file, easy to automatically update by ELTF regularly. + +NOTE: Both the release info AND the open source books use parameters from + here, but the XML file is inside the release info book directory. + +NOTE: The manifest_conf.mk, or overridden by the environment variable + MANIFESTHASH, contains the full tag (or hashvalue) for downloading + the manifest when the books are built. The list of target + directories are fetched from the manifest into the book. + The eltf_params_updates.xml can all the time contain + the final next complete tag e.g. refs/tags/EL6 or similar + in the ELTF_PL_CLONE_W_REPO parameter command lines. + +The ordinary book XML files use xi:include statements to include elements +from this parameter file. The book XML files can thus be manually edited. +Before editing, you must run "make init". +Any other text in the template or updated.xml file, outside the parts that +are included in the book, are not used but still all must be correct +DocBook XML files. + +ELTF work: + template => ELTF replaces ALL ELTF_xxx variables => updated XML file + => push to git only if changed + + +eltf_params_template.xml (in git) + File used by ELTF to autocreate/update the real parameter + file eltf_params_updated.xml. + +eltf_params_updated.xml (in git) + Real parameter file where ELTF has replaced all ELTF_xx variables with + strings, in several cases with multiline strings. + No spaces or linefeed allowed in beginning or end of the variable values! + + +xi:include: Each parameter is xi:include'ed in various book files, using + the IDs existing in the parameter files. + In most cases the 1:st element inside an element with an ID is included + using a format like eltf-prereq-apt-get-commands-host/1. 
+ In very few cases the element with the ID is included in the book, one + example is the target section which has an ID, but which contains + multiple subsections, one per target. + All IDs in a book must be unique. + +DocBook XML: All XML files must be correct DocBook XML files. + +Do NOT edit/save the real *updated.xml file with XMLmind to avoid changes + not done by ELTF. But it is OK to open the real file in XMLmind to + check that the format is correct. + +ELTF should autocreate a temporary "real" file but only replace + and push the eltf_params_updated.xml if it is changed. + + +make eltf + This lists all ELTF_xxx variables and some rules how to treat them + +DocBook Format: All elements - rules: + Several strict generic XML rules apply for all strings: + 1. No TABs allowed or any other control chr than "linefeed" + 2. Only 7-bit ASCII + 3. Any < > & must be converted to < > and & + Similar for any other non-7-bit-ASCII but avoid those! + 4. No leading spaces or linefeeds when replacing the ELTF_* variable + 5. No trailing spaces or linefeeds when replacing the ELTF_* variable + 6. Note: Keep existing spaces before/efter ELTF_* in a few cases. + +DocBook Format: - rules: ELTF*PL* variables + Several strict rules apply for the multiline string in programlisting + in addition to the general XML rules above: + 7. Max line length < 80 char + 8. Use backslash (\) to break longer lines + 9. Use spaces (e.g. 4) to indent continuation lines in programlistings + 10. No trailing spaces on any line + 11. No spaces or linefeed immediately after leading + 12. No spaces or linefeed before trailing + +DocBook Format: - rules: ELTF_*URL* variables + 13. ELTF_*URL and corresponding ELTF_*TXTURL shall be identical strings + 14. Only if the URL is extremely long, the TXTURL can be a separate string + +Each target has one section with target parameters: +
+ MACHINE ELTF_T_MANIFEST_DIR - Information + ..... with many ELTF_ variables .... +
+ + 15. If there is only one target. ELTF just replaces ELTF parameters + + 16. It there are multiple targets. ELTF copies the section and appends the + section the required number of times. + Each section ID will become unique: eltf-target-table-ELTF_T_MANIFEST_DIR + Each section title will become unique + +Tables with target parameters in each target section: + 17. It is possible for ELTF to append more rows with one parameter each + to these tables, because the entire tables are included in the book + +Special - NOT YET READY DEFINED how to handle the optionally included + Eclipse and its version, but this is a first suggestion: + 18. Just now ELTF can define ELFT_ECLIPSE_VERSION as a full string + with both version number and name, + 19. MANUALLY if Eclipse is NOT included in the release, + the release manager should manually set condition="hidden" on + the entire section in the book XML about Eclipse + + + +BELOW WE TRY TO EXPLAIN EACH ELTF_* variable, but always check with make eltf +if there are more new variables, missing in this description file. + +_____________________________________________________________________________ +ELTF_PL_HOST_PREREQ Multiline list of host prerequisites, e.g. commands + like sudo apt-get install xxxx or similar. + First line = comment with the complete host name! + It is possible to include multiple hosts by just + adding an empty line, comment with host name, etc. + xi:include eltf-prereq-apt-get-commands-host/1 + This is a ... 
+ Example: +# Host Ubuntu 14.04.5 LTS 64bit +sudo apt-get update +sudo apt-get install sed wget subversion git-core coreutils unzip texi2html \ + texinfo libsdl1.2-dev docbook-utils fop gawk python-pysqlite2 diffstat \ + make gcc build-essential xsltproc g++ desktop-file-utils chrpath \ + libgl1-mesa-dev libglu1-mesa-dev autoconf automake groff libtool xterm \ + libxml-parser-perl + +_____________________________________________________________________________ +ELTF_PL_GET_REPO Multiline commands to download the repo tool + xi:include eltf-getting-repo-install-command/1 + This is a ... + Example: +mkdir -p ~/bin +curl https://storage.googleapis.com/git-repo-downloads/repo > ~/bin/repo +chmod a+x ~/bin/repo +export PATH=~/bin:$PATH + +_____________________________________________________________________________ +ELTF_EL_REL_VER General parameter string: The version of this Enea + Linux release. Major version and optional .Minor + Typically created from MAJOR and MINOR in enea.conf + MINOR in enea.conf is empty or contains a dot+minor + xi_include EneaLinux_REL_VER/1 + This is a X.x used in many places. + Examples: +6 + or +6.1 + +_____________________________________________________________________________ +ELTF_YOCTO_VER General parameter string: Yocto version, created + from DISTRO in poky.ent + xi:include Yocto_VER/1 + This is a X.x used in many places. + Example: +2.1 + +_____________________________________________________________________________ +ELTF_YOCTO_NAME General parameter string: Yocto name (branch), created + from DISTRO_NAME_NO_CAP in poky.ent + xi:include Yocto_NAME/1 + This is a X.x used in many places. + Example: +krogoth + +_____________________________________________________________________________ +ELTF_YOCTO_PROJ_DOWNLOAD_TXTURL General parameters. These two are IDENTICAL +ELTF_YOCTO_PROJ_DOWNLOAD_URL strings with correct Yocto version string + at the end, typically without "dot". + xi:include ULINK_YOCTO_PROJECT_DOWNLOAD/1 + This is an ... 
+ Example: +http://www.yoctoproject.org/downloads/core/krogoth/21 + +_____________________________________________________________________________ +ELTF_EL_DOWNLOAD_TXTURL General parameters. These two are IDENTICAL strings +ELTF_EL_DOWNLOAD_URL and shall be the http:/..... address where + Enea NFV Access can be downloaded + Often containing same version as in ELTF_EL_REL_VER + xi:include ULINK_ENEA_LINUX_URL/1 + This is an ... + Example: +http://linux.enea.com/6 + +_____________________________________________________________________________ +ELTF_PL_CLONE_W_REPO Multiline commands to run repo to clone everything. + Use the variable $MACHINE/default.xml (the text in + the book will list the avaiable values of MACHINE, + taken from the manifest repository) + xi:include eltf-repo-cloning-enea-linux/1 + This is a ... + Example: +mkdir enea-linux +cd enea-linux +repo init -u git://git.enea.com/linux/el_manifests-standard.git \ + -b refs/tags/EL6 -m $MACHINE/default.xml +repo sync + +_____________________________________________________________________________ +ELTF_ECLIPSE_VERSION Optional general parameter string. + NOT YET READY DEFINED + Just now a release manage must manually set + condition="hidden" on the Eclipse section, + if Eclipse is not included in the release. + ELTF just replaces ELTF_ECLIPSE_VERSION with a full + string with "X.Y (name)" + It includes the ID and can only be ONCE in the book. + xi:include eltf-eclipse-version-row + Example. +4.5 (Mars) + + +_____________________________________________________________________________ +ELTF_T_* All these are in each target (MACHINE) and ELTF + must separately replace them with strings for + each target + NOTE: All (except the MANIFEST_DIR) are in rows + in a table and ELTF can select to append + more parameters by adding more rows + +_____________________________________________________________________________ +ELTF_T_MANIFEST_DIR This happens to be in two places. 
Must be exactly +ELTF_T_MANIFEST_DIR the directory name in the manifest, e.g. same + as the MACHINE names in $MACHINE/default.xml. + In book: a) Part of section ID + b) Part of section title + Examples: +p2041rgb + or +ls1021aiot + or +qemuarm + +_____________________________________________________________________________ +ELTF_T_NAME Target specific: "Target Official Name" + NOT same as the target directory name in most cases. + In book: An element in a row + Examples: +P2041RGB + or +LS1021a-IoT + or +qemuarm + +_____________________________________________________________________________ +ELTF_T_ARC_DESC Target specific: "Architecture and Description" + It can be a short identification string or + it can be a longer descriptive sentence. + In book: An element in a row + Examples: +Power, e500mc + or +ARM Cortex-A7 + +_____________________________________________________________________________ +ELTF_T_DS_TXTURL Target specific: "Link to target datasheet. These +ELTF_T_DS_URL two usually are IDENTICAL strings with correct + hyperlink to the target's official datasheet. + In book: an ... + Only if the link is VERY LONG, the text part shall + instead be a descriptive string (see 2:nd example). + NOTE: Also here no spaces or line-feeds! + Examples: +url="http://wiki.qemu.org">http://wiki.qemu.org +or +url="http://www.nxp.com/products/microcontrollers-and-processors/arm-processors/qoriq-arm-processors/qoriq-ls1021a-iot-gateway-reference-design:LS1021A-IoT">link to NXP's datasheet + +_____________________________________________________________________________ +ELTF_T_POKY_VER Target specific: "Poky version" created either + from POKYVERSION in poky.ent + or using a hashvalue with a leading string, in + which case it may be different per target. 
+ In book: An in a row + Examples: +15.0.0 +or +Git commit id: 75ca53211488a3e268037a44ee2a7ac5c7181bd2 + +_____________________________________________________________________________ +ELTF_T_GCC_VER Target specific: "GCC Version". Should be in poky + but not easy to find among various parameters. + ELTF would extract it from build logs building SDK + and it is possibly different per target. + In book: An in a row + Example: +5.3 + +_____________________________________________________________________________ +ELTF_T_KERN_VER Target specific: "Linux Kernel Version". Often + different per target. + In book: An in a row + Example: +3.12 + +_____________________________________________________________________________ +ELTF_T_DRIVERS Target specific: "Supported Drivers". This is a + comma-separated list of driver names. + ELTF should create the list in same order for each + target, e.g. alphabetic migth be OK. + In book: An in a row + Example: +Ethernet, I2C, SPI, PCI, USB, SD/SDHC/SDXC + + +_____________________________________________________________________________ +ELTF_T_EL_RPM_TXTURL Target specific: "Enea rpm folder for downloading +ELTF_T_EL_RPM_URL RPM packages for this target". These two are + INDENTICAL strings with hyperlink to the web site + at Enea where the customer can download RPMs + Note: Often the ELFT_EL_REL_VER value and + the ELTF_T_MANIFEST_DIR are used in the link. + In book: an ... + Example: +url="https://linux.enea.com/6/ls1021aiot/rpm">https://linux.enea.com/6/ls1021aiot/rpm + +_____________________________________________________________________________ diff --git a/doc/book-enea-nfv-access-user-hardening-guide/doc/guidelines_hardening_linux.xml b/doc/book-enea-nfv-access-user-hardening-guide/doc/guidelines_hardening_linux.xml new file mode 100644 index 0000000..46245da --- /dev/null +++ b/doc/book-enea-nfv-access-user-hardening-guide/doc/guidelines_hardening_linux.xml 
@@ -0,0 +1,212 @@ + + + + Guidelines on How to Harden a Linux System + + In order to effectively create apt security layers to harden your + system correctly, you must first analyze your needs and answer several + ideas/questions which are detailed below. + + + + Analyzing and defining Roles for your + system + + + + What purpose does the system have? + + + + What security risks apply to the system? + + + + Is it host/server? Does it need to do remote access? Public + use? + + + + How hardened the system need to be? (This depends on what role + it has). + + + + + + Review Policies and + Compliances + + What policies and compliances must your system adhere to? Examples + of possible standards and polices, among many others, are: + + + + PCI DSS (confidentiality of credit card consumer data) + + + + HIPAA (protects patient data in health care system) + + + + FISMA (Federal Information Security Management Act) + + + + ISO 27001 family (Information Security Management + Systems) + + + + + + Keep the Software + up-to-date + + Apply software updates and security fixes regularly. Upgrade as + soon a new version is available. It is easier to hack a system which is + running publicly known vulnerable software but this can be avoided. + Linux provides all necessary tools to keep the system updated. All + security updates should be reviewed and applied as soon as + possible. + + + + Mandatory Access Control + (MAC) + + SELinux, TOMOYO, SMACK (Simplified Mandatory Access Control + Kernel). + + + + Memory Protection and ASLR + + + There are two major mechanisms in place to protect memory access + which turned on by default on most x86-64 Linux systems. The first is + the so-called NX bit, which is a setting that gives finer-grained + permissions to mapped memory regions. The second is address space layout + randomization (ASLR) which randomizes where certain parts of a program + are loaded into memory. For further reading on this, see here. 
+ + + + Block unauthorized access to a network and + Restrict Access + + + + Enable the firewall (see what rules are already configured + iptables -L) + + + + Use Intrusion Detection/Intrusion Prevention + + + + Disable unused accounts, create user groups and domain + policy + + + + Remove unused/unsecure/obsolete software + + + + Disable unused services + + + + Restrict remote access and administration + + + + + + Use tools to detect + vulnerabilities + + + + Vulnerability scanner, such as Nessus, SAINT, OpenVAS. + + + + Network analyzer, such as Nmap, Wireshark. + + + + Baseline Analyzer, such as Bastille which can view OS + configuration and try to optimize. + + + + + + Create a Secure logging + System + + Create a secure Linux logging system that can be expanded to other + types of systems for secure logging. By using logs, data can be + collected in order to discern why a server crashed. If the server is + unrecoverable, remote logs allow you the ability to see what happened + prior to the crash, even without the system running. If the crash was + related to an intrusion, any information that describes how the system + was compromised can help determine new approaches so further intrusions + can be prevented. + + + + Backup & recovery + + If a system is compromised, the first concern is how to recover. + To ensure that there is something to recove, backup the data and + configurations continually. + + + + Physical Security + + No matter how many security features may be implemented, there is + always a way that an attacker with physical access to the system + (hardware and software) may by-pass them. To make this as difficult as + possible, there are several actions that can be taken to provide a + degree of security against an attacker with physical access to the + machine: + + + + Make sure unauthorized persons don’t have easy access to + the hardware and software. + + + + Prevent an attacker from booting from another disk/USB. 
+ + + + Set permissions and login restrictions as well as a firmware + password. It is also important to set a secondary bootloader + password (LILO or GRUB) to prevent malicious users from + booting. + + + + Encrypt disks before they are installed. + + + + + + Review Process + + Review your security process and security policies often, and + continually seek to improve them. + + + \ No newline at end of file diff --git a/doc/book-enea-nfv-access-user-hardening-guide/doc/intro_hardentools_tech.xml b/doc/book-enea-nfv-access-user-hardening-guide/doc/intro_hardentools_tech.xml new file mode 100644 index 0000000..294d67e --- /dev/null +++ b/doc/book-enea-nfv-access-user-hardening-guide/doc/intro_hardentools_tech.xml @@ -0,0 +1,209 @@ + + + A Brief Introduction to Hardening Tools and Technologies + + Linux by default, is not a secure operating system however, it has + many features and tools that can help secure it thoroughly. Detailed below + are several useful tools and features available for Linux which can help + harden the Linux system to really high degrees. + +
+ Namespaces + + Namespaces are a feature of the Linux kernel that isolate and + virtualize system resources for a collection of processes. Examples of + resources that can be virtualized are: + + + + Process IDs + + + + Hostnames + + + + User IDs + + + + Network access + + + + UTS + + + + Control Group (cgroup) + + + + Interprocess communication (IPC) + + + + Filesystems (mnt) + + + + Namespaces are a fundamental aspect of containers on Linux. Tools + like Docker make isolating Linux processes into their own little system + environments easy. This makes it possible to run a whole range of + applications on a single real Linux machine and ensure that no processes + can interfere with each other, without having to resort to using virtual + machines. +
+ +
+ Linux Intrusion Prevention/Detection Systems + + An Intrusion Prevention System (IPS) and an Intrusion Detection + System (IDS) provide an effective layer of security. The Linux Intrusion + Detection System (LIDS) is a patch to the Linux kernel and associated + administrative tools, and enhances the kernel's security by implementing + Mandatory Access Control (MAC). + + When a LIDS system is booted, file restrictions are enforced + immediately. Once the system has come on, the lidsadm + -I command will seal off the kernel, preventing any additional + kernel modules from affecting it. +
+ +
+ Kernel Hardening + + Kernel hardening is primarily about the kernel protecting itself, + eliminating classes of exploits, and reducing its attack surface. Two + approaches to hardening the standard Linux kernel are: + + + + Address space (memory) protection + + + + Advance Access Control System + + + + Buffer overflows (in languages such as C) are one of the leading + vulnerabilities exploited to gain control of a system. The problem arises + when a user can insert more data into a buffer than it was originally + allocated for. Restrictions however, on an application's address space + prevent many types of buffer overflows attacks. +
+ +
+ Linux Security Modules (LSM) + + LSM is a framework part of the Linux kernel. LSM API implements + hooks at all security-critical points within the kernel. The modules + currently accepted in the official kernel are: + + + + AppArmor + + + + SELinux + + + + Smack + + + + TOMOYO Linux + + + + Yama + + + +
+ SELinux + + SELinux, Security Enhanced Linux + is a Kernel security mechanism for the supporting access control + security policy. SELinux has three configuration modes: + + + + Disabled: Turned-off + + + + Permissive: Prints warnings + + + + Enforcing: Policy is enforced + + + + Edit the selinux config file to change the + configuration:# /etc/selinux/config +SELINUX=enforcing +
+
+ +
+ POSIX Access Control Lists (ACL) + + In addition to the file owner, the file group etc., additional users + and groups can be granted or denied access by using POSIX ACLs. For a + file, ACLs can be configured: + + + + Per user + + + + Per group + + + + Via the effective right mask + + + + For users not in the user group, for the file + + +
+ +
+ Logging and Auditing + + Audit logs are useful for analyzing system behavior, and may help + detect attempts at compromising the system. Enea Linux distributions have + logging mechanisms that record all system activities. The syslog service + manages the logs in /var/log/. These logs are critical + for troubleshooting purposes. +
+ +
+ Secure Network Communication + + Encrypt and authenticate network communication using IPsec. +
+ +
+ Hard Disk Encryption and Disk Protection + + Encrypt the disks before they are installed. This is a crucial step + as it will prevent unauthorized access to data even when the hard disk is + connected to a different machine. + + Disk protection is a key step in securing data. Make sure that you + backup data so that situations such as a damaged system and bugs in the OS + updates won't affect them. The backup must be transferred offsite + for major servers to keep data secure during unforeseen disasters. Backup + management must also be well-defined. +
+
\ No newline at end of file diff --git a/doc/book-enea-nfv-access-user-hardening-guide/doc/intro_info_security.xml b/doc/book-enea-nfv-access-user-hardening-guide/doc/intro_info_security.xml new file mode 100644 index 0000000..bbc203b --- /dev/null +++ b/doc/book-enea-nfv-access-user-hardening-guide/doc/intro_info_security.xml @@ -0,0 +1,144 @@ + + + + Introduction to Information Security + + I want to add an intro to this chapter, it's too brief and + vague, what is the purpose of these 3 lists, what are they intended to + introduce? + +
+ Related Security Categories + + + + Internet Security + + + + Cyberwarfare + + + + Computer Security + + + + Mobile Security + + + + Network Security + + +
+ +
+ Threats + + + + Computer Crime + + + + Vulnerability + + + + Eavesdropping + + + + Exploitation + + + + Trojan Horse + + + + Computer Viruses and Computer Worms + + + + Denial of Service + + + + Malware + + + + Payload + + + + Rootkit + + + + Keylogger + + +
+ +
+ Defenses + + + + Computer Access Control + + + + Application Security + + + + Antivirus Software + + + + Secure Coding + + + + Security by Design + + + + Secure Operating Systems + + + + Authentication + + + + Multi-factor Authentication + + + + Authorization + + + + Data-centric Security + + + + Firewall + + + + Intrusion Detection System + + + + Intrusion Prevention System + + +
+
\ No newline at end of file diff --git a/doc/book-enea-nfv-access-user-hardening-guide/doc/introduction.xml b/doc/book-enea-nfv-access-user-hardening-guide/doc/introduction.xml new file mode 100644 index 0000000..af6b99d --- /dev/null +++ b/doc/book-enea-nfv-access-user-hardening-guide/doc/introduction.xml @@ -0,0 +1,102 @@ + + + + Overview + + This document describes a set of activities needed for securing Enea + NFV Access by users. Most security hardening configurations and features + affect performance, and should only be set if more security but less + performance is required and acceptable. We emphasize to use layers of + security to get the desired degree of hardening. + +
+ Introduction + + This document describes several hardening techniques and Open Source + tools available for Enea NFV Access platforms. + +
+ Revision History + + + + + + + + Revision + + Author + + Date + + Purpose of Revision + + + + + + 3 + + Sona Sarmadi + + 2017-09-07 + + Added Introduction to Information Security, sec + 2. + + + + 2 + + Sona Sarmadi + + 2017-09-07 + + Updated section 2. + + + + 1 + + Sona Sarmadi + + 2017-08-31 + + Initial Revision, hardening guideline for users. + + + +
+
+ +
+ References + + + + www.sans.org/reading-room/whitepapers/linux/linux-kernel-hardening-1294 + + + + lwn.net/Articles/705262/ + + +
+ +
+ Definitions and Acronyms + + Definitions + + [FIXME] + + Acronyms + + [FIXME] +
+
+
\ No newline at end of file
diff --git a/doc/book-enea-nfv-access-user-hardening-guide/swcomp.mk b/doc/book-enea-nfv-access-user-hardening-guide/swcomp.mk
new file mode 100644
index 0000000..2fe78b5
--- /dev/null
+++ b/doc/book-enea-nfv-access-user-hardening-guide/swcomp.mk
@@ -0,0 +1,10 @@
+# Component build specification
+
+# Version of THIS book
+BOOK_VER ?= $(REL_VER)-dev
+
+DOCBOOK_SRC := $(COMP)/swcomp.mk $(COMP)/doc/book.xml $(shell find $(COMP)/doc -type f \( -name "*.xml" -o -name "*.svg" -o -name "*.png" \) ! -name "book.xml" -print)
+
+BOOKPACKAGES := book-enea-nfv-access-user-hardening-guide
+BOOKDESC_$(BOOKPACKAGES) := "Enea NFV Access $(PROD_VER) User's Hardening Guide"
+BOOKDEFAULTCONDITION := $(DEFAULTCONDITIONS)
-- 
cgit v1.2.3-54-g00ecf
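Review bot: The `DOCBOOK_SRC` assignment passes `$(COMP)` to the shell unquoted inside `$(shell find $(COMP)/doc ...)`, so a component path containing whitespace or glob characters would be word-split before `find` sees it; quoting it as `$(shell find "$(COMP)/doc" -type f ...)` costs nothing and is the only change the line needs. The same line is long enough that the three `-name` alternatives and the `! -name "book.xml"` exclusion are easy to misread, so splitting it with backslash continuations and a comment such as `# book.xml is listed first on purpose; every other .xml/.svg/.png under doc/ is a rebuild trigger` would document why book.xml is both named explicitly and excluded from the find. `BOOK_VER ?= $(REL_VER)-dev` is recursively expanded, which is presumably intended so that `REL_VER` can be set after this file is included, but a one-line comment stating that would prevent a later "fix" to `:=`. The HEAD diffstat lists a sibling `doc/book-enea-nfv-access-dev-hardening-guide/swcomp.mk` of the same length, so the two files likely differ only in the package name; if so, the shared find expression is a candidate for a common include.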