My team is talking about a LWN article (https://lwn.net/Articles/1077035/) in which the XZ backdoor is mentioned, which reminds me that I'm interested in deploying "got-audit" as a generic test in Fedora CI.

The original version of got-audit is a Python gdb extension which uses the "gef" framework. gdb-gef is packaged in Fedora[1]. I also have an automatically generated port to a standalone version[2] which I hope will be less maintenance overhead in the future.

I asked for review of the generic test pipeline on #fedora-ci:fedoraproject.org, where Cristian Le expressed a general sense of approval for the test, but asked for more discussion of the implementation.

The pipeline[3] is a generic test. It checks rpm packages to determine if they define systemd services. If they do, then it installs the rpm package and attempts to start the service. If the service starts, then each PID is checked with got-audit to report any unusual symbol resolution. Cristian suggested that we might want to make this a tmt check instead, since we can't assume that any systemd service will start without manual configuration. However, there aren't yet any good examples of such a check to use as reference, so if we go that route it'll involve some experimentation, I think.

The got-audit tool attaches to a running PID, builds a list of maps that are backed by files, and then a list of symbols in the GOT for each. Symbols are expected to resolve into a map that is backed by an ELF shared object that exports a symbol of the same name.

Would anyone like to volunteer to provide additional review of this tool and pipeline?

I think it would be nice to use this to document / illustrate how to deploy security analysis tools in Fedora CI, in the hope that there will be more security analysis tools in the future.


1: https://src.fedoraproject.org/rpms/gdb-gef

2: https://codeberg.org/gordonmessmer/got-audit

3: https://codeberg.org/gordonmessmer/got-audit-pipeline

--
_______________________________________________
devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/[email protected]
Do not reply to spam, report it: 
https://forge.fedoraproject.org/infra/tickets/issues/new

Reply via email to