[Fedora-livecd-list] Security LiveCD

Jane Dogalt jdogalt at yahoo.com
Tue Mar 20 17:52:11 UTC 2007


--- Luke Macken <lmacken at redhat.com> wrote:

> On Sun, Mar 04, 2007 at 06:31:57PM -0800, Jane Dogalt wrote:
> > --- Luke Macken <lmacken at redhat.com> wrote:
> > > I started piecing together a Fedora Security LiveCD, designed for
> > > security auditing, penetration testing, and forensics.  See my blog
> > > post and the wiki page for more information:
> > > 
> > >     http://lewk.org/blog/2007/03/04/security-livecd
> > >     http://fedoraproject.org/wiki/LukeMacken/SecurityLiveCD
> > > 
> > > {comments,suggestions,patches} welcome.
> > 
> > Just off the top of my head, here is what I'd like to see-
> > 
> > Suppose you have just created an interesting webserver livecd, with
> > some random smattering of enabled features and services particular to
> > your needs.
> > 
> > I would like to see a security livecd, which when booted on a system
> > that either has the prior webserver livecd .iso on the disk, or
> > available via the network, does the following-
> > 
> > - boots the webserver livecd under qemu, then runs the most aggressive
> > penetration/scan it can think of against it.
> > 
> > Clearly there are many subtle details about how the virtual network and
> > system are launched/configured so that they match as closely as
> > possible the real deployment situation.
> > 
> > I would hope that as time passes you would see a cat and mouse back and
> > forth.  I.e. various holes are found in the webserver livecd
> > configuration and fixed, and various new penetration mechanisms are
> > added to the security livecd.
> > 
> > Hopefully what would evolve via this 'fitness function' would be a
> > kickstart file describing a very secure webserver livecd (and thus less
> > than a stone's throw away from a very secure generic webserver
> > kickstart).
> 
> Interesting idea; doesn't seem too far fetched, but I don't know how
> large this use case is.
> 

I would speculate that say 2 years from now, a generic completely
automated security tester livecd(/vm system image) is integrated with
whatever tool ends up with the livecd-creator functionality
(virtmanager/s-c-ks/pungi/whatever).  I.e. it's a simple checkbox at
the end of "create this custom livecd spin" which reads "go ahead and
test this against the security wizard livecd/vm automated pen-tester".

Seems like the 'check to make sure I wasn't an idiot in my system
configuration' button/checkbox would be a nice feature to have, IMHO. 

> Regardless, it's really just a matter of adding some cohesion between
> the existing tools (ie, automatic network/host reconnaissance, bringing
> up virtual hosts, then running scans/tests on it).

Yup, boils down to imaginative integration, with tools that have a long
way to go towards making that as easy as possible.


> 
> Right now, [with everything I've seen], you pretty much need to already
> know which tools you want to use and how to use them.  I think we either
> need to provide some sort of interface that will help users figure out
> the right tools for the job (and automate tasks), or at least provide
> them with useful documentation so they can figure out what they need.
> 

I see various tools roll by on lwn and slashdot from time to time that
sound like modern versions of satan/saint.  I.e. push a button, see a
vulnerability report.  Even if you cobbled together something that
wasn't very comprehensive, I bet if it was as easy to utilize as my
prior speculation, that plenty of the right people would make it
comprehensive and high quality quickly.

Of course this goes hand in hand with a similar sanity check script
that you can just go ahead and run on the box since you 'own' it under
qemu anyway.  But still, nice to have what is it, blackbox and glassbox
automated security sanity testing. 

-dmc/jdog

> luke