Annvix: Project TODO/Audit

From Annvix

We need to do some auditing of Annvix in order to ensure we have as much "userland hardening" as possible, to try as much to use existing capabilities, permissions, etc. without relying on kernel security features such as AppArmor or RSBAC.

The following is a list of items to audit/evaluate for enhanced hardening:

eval /proc/mem security vector
eval all /etc/ files for default permissions
eval gcc only being run via a special group -- so hacker cannot compile rootkit or backdoor (root:admin)
/var/tmp symlink or bind mount to /tmp
better issue message
eval /sbin /usr/sbin for permissions
eval networking stack
eval config files
change rc.d permissions to 0750 root:admin
remove bit from reviewed suid programs
add rsbac_cap_process_hiding to all kernels; this is especially important for 2.6 which doesn't have this (on 2.4, the openwall patch takes care of it)
enforce a 0 size core file via pam_limits
see if ulimit inheritance works; if so, set ulimits in an initscript rather than by the shell in /etc/profile (or at least set some defaults for regular users)
we have rbash as a symlink to bash, we need rsh as a symlink to sh
look at using /bin/rsh for services that require a shell (like apache) rather than /bin/sh; this isn't perfect as some of these services will use programs with shell escapes, but it could add another layer to the onion
set a system-wide password expiry policy by default (60 days?)
default mount options:
- /proc: nodev,nosuid,noexec (not sure if noexec will work, will require testing)
- /tmp: nodev,nosuid,noexec
- /home: nosuid,nodev (I'd almost go as far as noexec too)
- /var: nosuid,noexec,nodev (may break chroots if they are located in /var, but we can do this by default anyways since we don't chroot anything)
- /usr: nodev
- nfs mounts: nodev,nosuid
- /srv: nodev,noexec,nosuid
- The installer should see if these mount points exist and if so, set the mount options accordingly
- enabled ACLs and quota on all filesystems be default? (maybe quota on just /srv and /home?)
set default (and configurable) sysctl settings
package and configure process accounting (psacct)
default iptables firewall (outbound ACCEPT, the rest DENY) -- especially important for the installer
MAJOR: re-write the initscripts to run as a serious of scripts (or a single script) from runit stage 2 (which would allow us to remove things like annvix_consmap, annvix_everytme, annvix_firsttime, network, kheader, keytable, rawdevices, usb, etc... possibly even other things like kudzu, ipsec, iptables)
- instead of sourcing /etc/sysconfig files (which could possibly contain backdoor shellcode to execute commands rather than simply contain FOO=bar statements), use single-file config files as we do with ipsvd (such as /etc/sysconfig/{app}/{option})
examine default php config: disable phpinfo() function by default (maybe system(), exec() and passthru() as well)
remove mysql test database (only if this comes packaged; we may need to patch the setup scripts to not create the test db)
remove the "anonymous" account (re: Tim; not sure what this is tho)

Kernel-based enhancements:

seriously look at the RSBAC jail support to possibly use it to jail things like apache (maybe mod_rsbac will help here?)
also look at mod_apparmor
default policies for AppArmor
add ACL/quota patches for 2.6 if required

Enhancements to rsec (security reporting):

write a dormant account check to execute every month; ie. if a user hasn't logged in in a month, send a note to indicate this (may indicate the need to suspend or remove the account)

Personal tools

Search

Toolbox

From Annvix

Views

Home Recent changes Donations Page Index About Annvix Project Goals Development Team News Developer's Blog Resources User Guide Documentation Release Notes Changelog Mailing Lists Download Annvix Development Tools View Subversion CIA Project Page Ohloh Project Page Search Toolbox What links here Related changes Upload file Special pages Printable version	/Project TODO/Audit From Annvix We need to do some auditing of Annvix in order to ensure we have as much "userland hardening" as possible, to try as much to use existing capabilities, permissions, etc. without relying on kernel security features such as AppArmor or RSBAC. The following is a list of items to audit/evaluate for enhanced hardening: eval /proc/mem security vector eval all /etc/ files for default permissions eval gcc only being run via a special group -- so hacker cannot compile rootkit or backdoor (root:admin) /var/tmp symlink or bind mount to /tmp better issue message eval /sbin /usr/sbin for permissions eval networking stack eval config files change rc.d permissions to 0750 root:admin remove bit from reviewed suid programs add rsbac_cap_process_hiding to all kernels; this is especially important for 2.6 which doesn't have this (on 2.4, the openwall patch takes care of it) enforce a 0 size core file via pam_limits see if ulimit inheritance works; if so, set ulimits in an initscript rather than by the shell in /etc/profile (or at least set some defaults for regular users) we have rbash as a symlink to bash, we need rsh as a symlink to sh look at using /bin/rsh for services that require a shell (like apache) rather than /bin/sh; this isn't perfect as some of these services will use programs with shell escapes, but it could add another layer to the onion set a system-wide password expiry policy by default (60 days?) default mount options: /proc: nodev,nosuid,noexec (not sure if noexec will work, will require testing) /tmp: nodev,nosuid,noexec /home: nosuid,nodev (I'd almost go as far as noexec too) /var: nosuid,noexec,nodev (may break chroots if they are located in /var, but we can do this by default anyways since we don't chroot anything) /usr: nodev nfs mounts: nodev,nosuid /srv: nodev,noexec,nosuid The installer should see if these mount points exist and if so, set the mount options accordingly enabled ACLs and quota on all filesystems be default? (maybe quota on just /srv and /home?) set default (and configurable) sysctl settings package and configure process accounting (psacct) default iptables firewall (outbound ACCEPT, the rest DENY) -- especially important for the installer MAJOR: re-write the initscripts to run as a serious of scripts (or a single script) from runit stage 2 (which would allow us to remove things like annvix_consmap, annvix_everytme, annvix_firsttime, network, kheader, keytable, rawdevices, usb, etc... possibly even other things like kudzu, ipsec, iptables) instead of sourcing /etc/sysconfig files (which could possibly contain backdoor shellcode to execute commands rather than simply contain FOO=bar statements), use single-file config files as we do with ipsvd (such as /etc/sysconfig/{app}/{option}) examine default php config: disable phpinfo() function by default (maybe system(), exec() and passthru() as well) remove mysql test database (only if this comes packaged; we may need to patch the setup scripts to not create the test db) remove the "anonymous" account (re: Tim; not sure what this is tho) Kernel-based enhancements: seriously look at the RSBAC jail support to possibly use it to jail things like apache (maybe mod_rsbac will help here?) also look at mod_apparmor default policies for AppArmor add ACL/quota patches for 2.6 if required Enhancements to rsec (security reporting): write a dormant account check to execute every month; ie. if a user hasn't logged in in a month, send a note to indicate this (may indicate the need to suspend or remove the account) Retrieved from "http://www.annvix.org/Project_TODO/Audit" Category: Development
	Views Page Discussion View source History This page was last modified on 10 February 2007, at 20:07. About Annvix Disclaimers Sponsors: Loans - Debt Consolidation - Phoenix Pools - Credit Cards