My team is talking about a LWN article
(https://lwn.net/Articles/1077035/) in which the XZ backdoor is
mentioned, which reminds me that I'm interested in deploying "got-audit"
as a generic test in Fedora CI.
The original version of got-audit is a Python gdb extension which uses
the "gef" framework. gdb-gef is packaged in Fedora[1]. I also have an
automatically generated port to a standalone version[2] which I hope
will be less maintenance overhead in the future.
I asked for review of the generic test pipeline on
#fedora-ci:fedoraproject.org, where Cristian Le expressed a general
sense of approval for the test, but asked for more discussion of the
implementation.
The pipeline[3] is a generic test. It checks rpm packages to determine
if they define systemd services. If they do, then it installs the rpm
package and attempts to start the service. If the service starts, then
each PID is checked with got-audit to report any unusual symbol
resolution. Cristian suggested that we might want to make this a tmt
check instead, since we can't assume that any systemd service will start
without manual configuration. However, there aren't yet any good
examples of such a check to use as reference, so if we go that route
it'll involve some experimentation, I think.
The got-audit tool attaches to a running PID, builds a list of maps that
are backed by files, and then a list of symbols in the GOT for each.
Symbols are expected to resolve into a map that is backed by an ELF
shared object that exports a symbol of the same name.
Would anyone like to volunteer to provide additional review of this tool
and pipeline?
I think it would be nice to use this to document / illustrate how to
deploy security analysis tools in Fedora CI, in the hope that there will
be more security analysis tools in the future.
1: https://src.fedoraproject.org/rpms/gdb-gef
2: https://codeberg.org/gordonmessmer/got-audit
3: https://codeberg.org/gordonmessmer/got-audit-pipeline
--
_______________________________________________
devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/[email protected]
Do not reply to spam, report it:
https://forge.fedoraproject.org/infra/tickets/issues/new