This repository has been archived by the owner on Jan 6, 2023. It is now read-only.

DISCONTINUATION OF PROJECT

This project will no longer be maintained by Intel.

Intel has ceased development and contributions including, but not limited to, maintenance, bug fixes, new releases, or updates, to this project.

Intel no longer accepts patches to this project.

If you have an ongoing need to use this project, are interested in independently developing it, or would like to maintain patches for the open source software community, please create your own fork of this project.

Image Security Analyser Framework

The purpose of ISA FW is to provide an extensible framework for analysing different security aspects of OS images during the build process. The framework is designed to stay build-system independent and to keep its interface towards the build system minimal. The actual analysis logic lives in its plugins, which can be developed independently of each other.

The interface towards a build system is defined by a set of classes in the isafw.py file. The data passed from the build system to ISA FW takes the form of Python class objects.

Currently supported objects

  • ISA_package. Represents the source package/recipe data for each package being built by the build system
  • ISA_pkg_list. Represents a list of binary package information, such as package names and versions, for the packages included in the OS image
  • ISA_kernel. Represents information about the kernel to be included in the OS image, such as the location of its configuration.
  • ISA_filesystem. Represents information about the filesystem to be included in the OS image, such as its location and type.

The framework supports a number of callbacks that are invoked by the build system at different stages of the package and OS image build. Each callback is forwarded for processing to the available ISA FW plugins that have registered for it. Plugins can perform their own analysis at each stage of the build process and produce security reports.

Currently supported callbacks

  • process_package(self, ISA_package). Called once for each source package assembled by the build system
  • process_pkg_list(self, ISA_pkg_list). Called once per image assembled by the build system
  • process_kernel(self, ISA_kernel). Called once per image assembled by the build system
  • process_filesystem(self, ISA_filesystem). Called once for each filesystem included in the image

Currently supported plugins

  • ISA_cve_plugin. Plugin for checking CVE information for packages. Works on top of cve-check-tool (https://github.com/ikeydoherty/cve-check-tool)
  • ISA_la_plugin. Plugin for verifying licensing information for packages.
  • ISA_cf_plugin. Plugin for analysing the compilation flags of binaries on the rootfs. Works on top of the checksec.sh script (http://www.trapkit.de/tools/checksec.html)
  • ISA_kca_plugin. Plugin for analysing security aspects of the kernel configuration.
  • ISA_fsa_plugin. A basic plugin for analysing the image filesystem.

License

ISA FW and its plugins are available under the terms of the BSD 3-Clause License. Please check the LICENSE file for further details. The integration of ISA FW is licensed under the license specified in each corresponding file under the integration folder. Copyright (C) 2015 Intel Corporation.