Image Security Analyser Framework
The purpose of ISA FW is to provide an extensible framework for analysing different security aspects of OS images during the build process. The design intention of FW is to stay build system independent and have a minimal interface towards it. The actual functional logic of the framework can be found in its plugins that can be created independently from each other.
The interface towards a build system is defined in set of classes in the isafw.py file. The data passed from a build system to the ISA FW is in a form of python class objects.
Currently supported objects
- ISA_package. Represents a source package/receipe data for each package being build by a build system
- ISA_pkg_list. Represents a list of binary packages information, such as package names and versions, that are being included into the OS image
- ISA_kernel. Represents an information about the kernel to be included into the OS image, such as kernel configuration location.
- ISA_filesystem. Represents an information about the filesystem to be included into the OS image, such as its location and type.
The framework supports a number of callbacks that are invoked by a build system during different stages of package and OS image build. These callbacks are then forwarded for processing to the avaliable ISA FW plugins that have registered for these callbacks. Plugins can do their own analyzing on each stage of the build process and produce security reports.
Currently supported callbacks
- process_package(self, ISA_package). Called per each source package that is being assembled by a build system
- process_pkg_list(self, ISA_pkg_list). Called once per each image assembled by a build system
- process_kernel(self, ISA_kernel). Called once per each image assembled by a build system
- process_filesystem(self, ISA_filesystem). Called once per each filesystem that is being included into the image
Currently supported plugins
- ISA_cve_plugin. Plugin for checking CVE information for packages. Works on top of cve-check-tool (https://github.com/ikeydoherty/cve-check-tool)
- ISA_la_plugin. Plugin for verifying licensing information for packages.
- ISA_cf_plugin. Plugin for analysing binary compilation flags on rootfs. Works on top of checksec.sh script (http://www.trapkit.de/tools/checksec.html)
- ISA_kca_plugin. Plugin for analysing security aspects of kernel configuration.
- ISA_fsa_plugin. A basic plugin for analysing image filesystem.
ISA FW and its plugins are available under the terms of the BSD 3-Clause License. Please check the LICENSE file for further details. The integration of ISA FW is licensed under the license specified in each corresponding file under integration folder. Copyright (C) 2015 Intel Corporation