I would like to present you an example showing how silly source scanning can
be if done without thought:

qmail and exim

flawfinder reports more flaws in qmail (10 or so) than in exim (only 1).
If one would make a decision based on the flawfinder output only, one would
install exim.

Of course, if one compares the number of actual security holes found in exim to
those found in qmail, one would install qmail.

So I understand source code analysis as the first step only, to create
something for developers and admins/users that is able to guide them in
security questions.

Some of the next steps I can imagine are:
- a ports security policy :)

- suid scans

- scans of binaries

- complexity analysis (we got the code, we got the binaries - if there was
created only 1 biiig binary out of all the code, we know that the potential
security impact is higher (exim) than if there would have been created
several small binaries (assuming modularity, like qmail), etc.)

- dynamic meta-information from external sources (CERT, GLSA Database)
This would result in:
# emerge -p somemta
Calculating dependencies ...done!
ebuild information | version | hardened | CERT | GLSA
[ebuild N ] net-mail/exim-4.14 - 5 2

# emerge -p --secinfo somemta

* net-mail/somemta
Latest version available: 4.14
Latest version installed: [ Not Installed ]
Size of downloaded files: 1,531 kB
Homepage: http://www.somemta.org/
ebuild Maintainer: someone@×××××××××.org
Description: A highly configurable, drop-in replacement for sendmail

Package is part of gentoo hardened : no
CERT Security Advisories for somemta found : 5
CERT affecting this version of somemta found : 1
GLSA for somemta found : 2
GLSA affecting this version of somemta found : 1

Warning: This version is affected by several security advisories.
It is recommended to not install this version!
You may try emerge sync or search at bugs.gentoo.org to get a newer
version or contact the ebuild maintainer

and while you do
# emerge somemta
you get additional information:
* source code analysis report:
* 1 potential security flaw found
....

* complexity analysis report:
* package seems to be fairly complex, possible security impact: medium

* suid scan report:
* the software would like to install the following suids
* 1) /usr/sbin/exim suid root
* 2) /usr/sbin/blalaber suid mail
What would you like to do?
-3) install all as shown
-1) install all without suid
or choose number of binary:

Of course, this all can be enhanced and so on, that's why I put it here :)

Jan


--
gentoo-hardened@g.o mailing list
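As an added illustration of the "suid scan" step proposed above (example code written for this page, not from the post and not Portage's own code): a small Python scanner that walks a package's install image, reports every file carrying a setuid or setgid bit, and implements the "install all without suid" choice by clearing those bits on everything the admin did not explicitly keep. The file names and modes in the sample image are constructed assumptions, and the files are owned by whoever runs the script, so the report shows numeric ids rather than "root" or "mail".

```python
import os
import stat
import tempfile

# Constructed sample install image (assumption for this example, not real
# package contents): one setuid file, one setgid file, one plain file.
SAMPLE_FILES = {
    "usr/sbin/exim": 0o4755,      # setuid
    "usr/sbin/blalaber": 0o2755,  # setgid
    "usr/bin/plain": 0o755,       # no set-id bits
}


def build_sample_image():
    """Create a throwaway directory tree containing SAMPLE_FILES."""
    root = tempfile.mkdtemp(prefix="image-")
    for rel, mode in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(b"#!/bin/sh\n")  # placeholder content, never executed
        os.chmod(path, mode)
    return root


def scan_setid(root):
    """Return sorted (relative_path, flags, uid, gid) for each set-id regular file."""
    found = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)            # lstat: do not follow symlinks
            if not stat.S_ISREG(st.st_mode):
                continue
            flags = [f for bit, f in ((stat.S_ISUID, "suid"), (stat.S_ISGID, "sgid"))
                     if st.st_mode & bit]
            if flags:
                found.append((os.path.relpath(full, root), "+".join(flags),
                              st.st_uid, st.st_gid))
    return sorted(found)


def strip_setid(root, keep=()):
    """Clear set-id bits on every flagged file not listed in keep; return what was stripped."""
    stripped = []
    for rel, _, _, _ in scan_setid(root):
        if rel in keep:
            continue
        full = os.path.join(root, rel)
        mode = stat.S_IMODE(os.lstat(full).st_mode)
        os.chmod(full, mode & ~(stat.S_ISUID | stat.S_ISGID))
        stripped.append(rel)
    return stripped
```

Running `scan_setid(build_sample_image())` lists the two set-id files in the style of the mock report, and `strip_setid(root, keep=("usr/sbin/exim",))` corresponds to choosing one binary and installing the rest without set-id bits.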