Debian rough audit
Project summary is available at: https://sourceforge.net/projects/debraudit
- First, I'm looking for programs to use.
- Next, I'm documenting the programs.
- Next, I'm learning how to use the programs.
- Next, I'm documenting how to use the programs.
- Next, I'm testing the programs.
- Next, I'm consulting Debian-devel.
- Somewhere in all this I'm also writing programs.
To prove to myself, and to others, that the highest compression level is not always the best, I've created a test file which compresses better with bzip2 -8 than with bzip2 -9. The file is partially random data and partially arbitrarily entered data.
I've also created a simple shell script to show how much difference there is between the different parameters. My output isn't pretty, but it shouldn't be hard to understand.
For the compression test parts I'm going to be looking at gzip, bzip2,
ppmd and dact. I want to have pretty output, more "efficient" algorithms
and better example files.
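As an added example (not the author's shell script), here is a Python version of the parameter comparison: it uses the standard-library gzip and bz2 modules in place of the command-line tools, tries every level from 1 to 9, and reports which level actually gives the smallest output. The sample input is constructed inside the script (part pseudo-random, part repetitive text) and is not the author's test file.

```python
import bz2
import gzip
import random

# Compressors keyed by name; each maps (data, level) -> compressed bytes.
# gzip.compress() and bz2.compress() accept levels 1..9, matching the
# -1 .. -9 flags of the command-line tools.
COMPRESSORS = {
    "gzip": lambda data, level: gzip.compress(data, compresslevel=level),
    "bzip2": lambda data, level: bz2.compress(data, compresslevel=level),
}


def compressed_sizes(data, name):
    """Return {level: compressed size in bytes} for levels 1..9."""
    compress = COMPRESSORS[name]
    return {level: len(compress(data, level)) for level in range(1, 10)}


def best_level(sizes):
    """Return the lowest level that achieves the smallest output size."""
    smallest = min(sizes.values())
    return min(level for level, size in sizes.items() if size == smallest)


def make_sample(seed=1234, random_bytes=200_000, text_repeats=20_000):
    """Constructed test input: pseudo-random bytes followed by repetitive text."""
    rng = random.Random(seed)
    noise = bytes(rng.getrandbits(8) for _ in range(random_bytes))
    text = b"The quick brown fox jumps over the lazy dog. " * text_repeats
    return noise + text


def report(data):
    """Print a size table per compressor; return {name: best level}."""
    best = {}
    for name in COMPRESSORS:
        sizes = compressed_sizes(data, name)
        best[name] = best_level(sizes)
        row = " ".join(f"-{lvl}:{size}" for lvl, size in sizes.items())
        print(f"{name:6} {row}  best=-{best[name]}")
    return best


if __name__ == "__main__":
    sample = make_sample()
    print(f"input: {len(sample)} bytes")
    report(sample)
```

For bzip2 the level sets the block size (100k to 900k), so levels only diverge on inputs larger than the smaller block size; the constructed sample is just over 1 MB for that reason.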
ITS4 versions 1.1.1 and 1.1.1-1 (Debian) are known to be not very effective. See:
- Feb 18 2002: http://www.securityfocus.com/archive/1/256925
- 18 Feb 2002: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=134542
RATS looks good, and I think it can be automated. I ran it on some
proprietary code and managed to find a bug in RATS at warning level 3.
Splint might be great, but it handles C code only. It doesn't seem to like C++ much at all; it complains about pre-processor errors.
I haven't tried flawfinder yet, but it looks promising.
pychecker looks like a useful tool for checking for bugs in Python code. Its package maintenance in Debian is currently in the hands of the QA group. I'd like to help package it, but I don't know Python that well.
I've seen some others advertised, but they seem to be mostly vaporware. Some exceptions are fuzztest... I haven't thoroughly checked yet.
Steve shares my desire for security audits of Debian, but he's doing
more than a rough audit. You can find out more at:
http://www.steve.org.uk/Debian
Policy and procedures are still needed. I've been discussing some issues in the Debian-security mailing list. Archives and information about Debian-security are available at
http://lists.Debian.org/debian-security