Matrix security section
From Linux NFS
Revision as of 07:25, 28 July 2005 by 24.20.224.228 (Talk)
Contents |
Code Audit
ID | test | tool test | status | owner | notes |
---|---|---|---|---|---|
V.A.1 | Audit the NFSv4 server code | New | |||
V.A.2 | Audit the NFSv4 client code | New | |||
V.A.3 | Audit the rpcbind / portmap code | New | |||
V.A.4 | Audit the krb5 code | DONE | Assuming MIT krb5 libs are already reviewed | ||
V.A.5 | Audit the idmapd code | New | |||
V.A.6 | Audit the mountd | New | |||
V.A.7 | Audit the RPC authentication code (gssd, authsys, etc.) | New |
Security regression testing
ID | test | tool test | status | owner | notes |
---|---|---|---|---|---|
V.B.1 | Run Stanford/Coverity Checker periodically | New | |||
V.B.2 | Run SMATCH as regression test periodically | New | |||
V.B.3 | Run FlawFinder as regression test periodically | New | |||
V.B.4 | Run Sparse as regression test periodically | Open | OSDL |
Administration tools
ID | test | tool test | status | owner | notes |
---|---|---|---|---|---|
V.C.1 | Verify that only administrative users can access admin tools and config files | New | Perhaps run this in a test suite |
Security features design review
ID | test | tool test | status | owner | notes |
---|---|---|---|---|---|
V.D.1 | Review Authentication/ACL feature design | New | U Mich has done some NFS2/3 ACL testing 10/04 | ||
V.D.2 | Review each security flavor feature design Krb5 | New | |||
V.D.3 | Review security negotiation feature design | New | Still needs some implementation work | ||
V.D.4 | Review named attributes feature design | New | Still needs some implementation work | ||
V.D.5 | Review supporting advanced security flavors on the callback channel design | New | Still needs some implementation work | ||
V.D.6 | Penetration testing for client callback implementation | New |
Security feature testing
ID | test | tool test | status | owner | notes | ||||||
---|---|---|---|---|---|---|---|---|---|---|---|
V.E.1 | Ensure a functionality test sufficiently tests Authentication/ACL | New | V.E.2 | Ensure a functionality test sufficiently covers each security flavor Krb5 | New | ||||||
V.E.3 | Ensure a functionality test sufficiently covers security negotiation | New | |||||||||
V.E.4 | Ensure a functionality test sufficiently covers named attributes | New | |||||||||
V.E.5 | Ensure a functionality test sufficiently covers advanced security flavors on callback channel | New | |||||||||
V.E.6 | Ensure a functionality test sufficiently covers penetration testing for client callback implementation | New |
Attack and penetration security review
ID | test | tool test | status | owner | notes |
---|---|---|---|---|---|
V.F.1 | Identify security issues assuming attack from client-side | Open | Bull | Bull planning on creating a list of issues in 2005
NFSv4 client Denial of service Userland daemons Mount and other nfs utils | |
V.F.2 | Identify security issues assuming attack from server-side | Open | Bull | Bull planning on creating a list of issues in 2005 | |
V.F.3 | Identify security/privacy issues assuming listening by an active or passive third party | Open' | Bull | Bull planning on creating a list of issues in 2005 |
Cross realm
ID | test | tool test | status | owner | notes |
---|---|---|---|---|---|
V.G.1 | Two v4 domains; kerberos, ACLs in one realm; file system in another | New | Still experimental |
Documentation for testing/auditing
ID | test | tool test | status | owner | notes |
---|---|---|---|---|---|
V.H.1 | Ensure there is high level design documentation of NFSv4 security Start with Bruce's paper | New | |||
V.H.2 | Ensure there is inline documentation for security related code in kernel | New | |||
V.H.3 | Ensure there is inline documentation for GSS API (libgssapi, librpcsecgss) | New | |||
V.H.4 | Ensure there is inline documentation for nfsv4 libraries | New |
Security use case
ID | test | tool test | status | owner | notes |
---|---|---|---|---|---|
V.I.1 | Verify proper functionality/security correctness of NFSv4 in a VPN environment | New | Venkat will write use case |