DISCONTINUATION OF PROJECT
This project will no longer be maintained by Intel.
Intel has ceased development and contributions including, but not limited to, maintenance, bug fixes, new releases, or updates, to this project.
Intel no longer accepts patches to this project.
If you have an ongoing need to use this project, are interested in independently developing it, or would like to maintain patches for the open source software community, please create your own fork of this project.
Image Security Analyser Framework
The purpose of ISA FW is to provide an extensible framework for analysing different security aspects of OS images during the build process. The design intention of FW is to stay build system independent and have a minimal interface towards it. The actual functional logic of the framework can be found in its plugins that can be created independently from each other.
The interface towards a build system is defined in set of classes in the isafw.py file. The data passed from a build system to the ISA FW is in a form of python class objects.
- ISA_package. Represents a source package/receipe data for each package being build by a build system
- ISA_pkg_list. Represents a list of binary packages information, such as package names and versions, that are being included into the OS image
- ISA_kernel. Represents an information about the kernel to be included into the OS image, such as kernel configuration ___location.
- ISA_filesystem. Represents an information about the filesystem to be included into the OS image, such as its ___location and type.
The framework supports a number of callbacks that are invoked by a build system during different stages of package and OS image build. These callbacks are then forwarded for processing to the avaliable ISA FW plugins that have registered for these callbacks. Plugins can do their own analyzing on each stage of the build process and produce security reports.
- process_package(self, ISA_package). Called per each source package that is being assembled by a build system
- process_pkg_list(self, ISA_pkg_list). Called once per each image assembled by a build system
- process_kernel(self, ISA_kernel). Called once per each image assembled by a build system
- process_filesystem(self, ISA_filesystem). Called once per each filesystem that is being included into the image
- ISA_cve_plugin. Plugin for checking CVE information for packages. Works on top of cve-check-tool (https://github.com/ikeydoherty/cve-check-tool)
- ISA_la_plugin. Plugin for verifying licensing information for packages.
- ISA_cf_plugin. Plugin for analysing binary compilation flags on rootfs. Works on top of checksec.sh script (http://www.trapkit.de/tools/checksec.html)
- ISA_kca_plugin. Plugin for analysing security aspects of kernel configuration.
- ISA_fsa_plugin. A basic plugin for analysing image filesystem.
ISA FW and its plugins are available under the terms of the BSD 3-Clause License. Please check the LICENSE file for further details. The integration of ISA FW is licensed under the license specified in each corresponding file under integration folder. Copyright (C) 2015 Intel Corporation