Debian rough audit

Project summary is available at: https://sourceforge.net/projects/debraudit
To prove to myself, and to others, I've created a test file which compresses better with bzip2 -8 than with bzip2 -9. The file is partially random data and partially arbitrarily entered data.

I've also created a simple shell script to show how much difference there is between the different parameters. My output isn't pretty, but it shouldn't be hard to understand.

For the compression test parts I'm going to be looking at gzip, bzip2, ppmd and dact. I want to have pretty output, more "efficient" algorithms and better example files.
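The comparison the shell script above performs can be done in a few lines of Python using only the standard library's bz2 and gzip modules. The following is an added example, not the script from this project: it builds a constructed input (pseudo-random bytes followed by repetitive text, so that part of the file barely compresses and part compresses well), compresses it at every level 1 through 9 with each tool, verifies that each result round-trips, and reports which level actually produced the smallest output instead of assuming -9 wins. The sample data, its sizes and the vocabulary used for the text portion are all constructed for the example.

```python
import bz2
import gzip
import random


def make_sample(random_bytes=700_000, text_bytes=500_000, seed=1234):
    """Build a constructed test input (not the page's own test file):
    a run of pseudo-random bytes, which barely compresses, followed by
    repetitive ASCII text, which compresses well. The seed makes the
    sample reproducible. The default sizes are chosen so the input spans
    more than one bzip2 block at the smaller block sizes."""
    rng = random.Random(seed)
    noise = bytes(rng.getrandbits(8) for _ in range(random_bytes))
    words = ["debian", "audit", "bzip2", "gzip", "compress", "level", "test"]
    text = " ".join(rng.choice(words) for _ in range(text_bytes // 6))
    return noise + text.encode("ascii")[:text_bytes]


# Each tool is wrapped so it takes (data, level); levels map to the
# command-line -1 .. -9 flags of the corresponding programs.
COMPRESSORS = {
    "bzip2": lambda data, level: bz2.compress(data, compresslevel=level),
    "gzip": lambda data, level: gzip.compress(data, compresslevel=level),
}

DECOMPRESSORS = {"bzip2": bz2.decompress, "gzip": gzip.decompress}


def compare_levels(data, tools=COMPRESSORS):
    """Compress `data` at every level 1..9 with each tool and return
    {tool: {level: compressed_size}}. Every result is decompressed and
    compared with the input, so a size is only reported for output that
    round-trips correctly."""
    results = {}
    for name, compress in tools.items():
        sizes = {}
        for level in range(1, 10):
            blob = compress(data, level)
            if DECOMPRESSORS[name](blob) != data:
                raise ValueError(f"{name} -{level}: round-trip mismatch")
            sizes[level] = len(blob)
        results[name] = sizes
    return results


def best_level(sizes):
    """Return the lowest level that reaches the smallest output size.
    This is the check behind the observation on the page: the highest
    level is not guaranteed to win, so choose by measured size rather
    than by the flag number."""
    smallest = min(sizes.values())
    return min(level for level, size in sizes.items() if size == smallest)


def report(results, original_size):
    """Render the size table as plain text, one line per tool and level,
    plus the best level found for each tool."""
    lines = []
    for name, sizes in results.items():
        for level, size in sizes.items():
            ratio = 100.0 * size / original_size
            lines.append(f"{name:6s} -{level}: {size:9d} bytes ({ratio:6.2f}%)")
        lines.append(f"{name:6s} best: -{best_level(sizes)}")
    return "\n".join(lines)


if __name__ == "__main__":
    sample = make_sample()
    results = compare_levels(sample)
    print(f"input: {len(sample)} bytes")
    print(report(results, len(sample)))
```

Run it as a script to print the table for the constructed sample; to test a real file, read it with `open(path, "rb").read()` and pass the bytes to `compare_levels` in place of the sample. Whether -8 beats -9 depends on the particular input, which is why the example measures rather than assumes.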
ITS4 versions 1.1.1 and 1.1.1-1 (Debian) are known to be not very effective. See:
18 Feb 2002: http://www.securityfocus.com/archive/1/256925
18 Feb 2002: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=134542
RATS looks good, and I think it can be automated. I ran it on some proprietary code and managed to find a bug in RATS at warning level 3.
Splint might be great, but it handles C code only. It doesn't seem to like C++ much at all: it complains about pre-processor errors.
I haven't tried flawfinder yet, but it looks promising.
pychecker looks like a useful tool for checking for bugs in Python code. Its package maintenance in Debian is currently in the hands of the QA group. I'd like to help package it, but I don't know Python that well.
I've seen some others advertised, but they seem to be mostly vaporware. Some exceptions are fuzztest... I haven't thoroughly checked yet.
Steve shares my desire for security audits of Debian, but he's doing more than a rough audit. You can find out more at: http://www.steve.org.uk/Debian
Policy and procedures are still needed. I've been discussing some issues on the Debian-security mailing list. Archives and information about Debian-security are available at http://lists.Debian.org/debian-security