From ec6f6cc5208d8357ee14c82d73d656b35714d00d Mon Sep 17 00:00:00 2001 From: Seth Grover Date: Tue, 22 Oct 2024 13:31:59 -0600 Subject: [PATCH] changes for review of hardening, idaholab/Malcolm#328 --- Dockerfiles/logstash.Dockerfile | 1 + docs/hardening.md | 6 ++++++ docs/hedgehog-hardening.md | 4 ++++ .../config/hooks/normal/0910-sensor-build.hook.chroot | 2 ++ .../hooks/normal/0991-security-performance.hook.chroot | 3 ++- .../config/includes.chroot/etc/ssh/sshd_config | 2 +- hedgehog-raspi/sensor_install.sh | 1 + .../hooks/normal/0991-security-performance.hook.chroot | 2 +- malcolm-iso/config/includes.chroot/etc/ssh/sshd_config | 2 +- shared/bin/preseed_late_user_config.sh | 10 ++++++---- 10 files changed, 25 insertions(+), 8 deletions(-) diff --git a/Dockerfiles/logstash.Dockerfile b/Dockerfiles/logstash.Dockerfile index a7ba388f4..69348bb05 100644 --- a/Dockerfiles/logstash.Dockerfile +++ b/Dockerfiles/logstash.Dockerfile @@ -105,6 +105,7 @@ RUN bash -c "chmod --silent 755 /usr/local/bin/*.sh /usr/local/bin/*.py || true" chown --silent -R ${PUSER}:root \ /usr/share/logstash \ /logstash-persistent-queue && \ + chmod -R o-w /usr/share/logstash && \ echo "Retrieving and parsing Wireshark manufacturer database..." && \ python3 /usr/local/bin/manuf-oui-parse.py -o /etc/vendor_macs.yaml && \ echo "Complete." diff --git a/docs/hardening.md b/docs/hardening.md index 62441646b..6a492682e 100644 --- a/docs/hardening.md +++ b/docs/hardening.md 
@@ -21,12 +21,16 @@ The Malcolm aggregator base operating system claims exceptions from the recommen **2.14 Add nodev option to /run/shm Partition**, **2.15 Add nosuid option to /run/shm Partition**, **2.16 Add noexec option to /run/shm Partition** - The Malcolm aggregator base operating system does not mount `/run/shm` as a separate partition, so these recommendations do not apply. +**2.17 Set Sticky Bit on All World-Writable Directories** - The only directory found by [this script](https://github.com/hardenedlinux/harbian-audit/blob/master/bin/hardening/2.17_sticky_bit_world_writable_folder.sh) is `/var/mail`, which is configured as prescribed by the Debian maintainers. + **2.19 Disable Mounting of freevxfs Filesystems**, **2.20 Disable Mounting of jffs2 Filesystems**, **2.21 Disable Mounting of hfs Filesystems**, **2.22 Disable Mounting of hfsplus Filesystems**, **2.23 Disable Mounting of squashfs Filesystems**, **2.24 Disable Mounting of udf Filesystems** - The Malcolm aggregator base operating system is not compiling a custom Linux kernel, so these filesystems are inherently supported as they are part Debian Linux's default kernel. **3.3 Set Boot Loader Password** - As maximizing availability is a system requirement, Malcolm should restart automatically without user intervention to ensure uninterrupted service. A boot loader password is not enabled. **4.8 Disable USB Devices** - The ability to ingest data (such as PCAP files) from a mounted USB mass storage device is a requirement of the system. +**5.2 Install screen** - The Malcolm base operating system comes with `tmux`, a modern `screen` alternative. + **6.1 Ensure the X Window system is not installed**, **6.2 Ensure Avahi Server is not enabled**, **6.3 Ensure print server is not enabled** - An X Windows session is provided for displaying dashboards. 
The library packages `libavahi-common-data`, `libavahi-common3`, and `libcups2` are dependencies of some of the X components used by the Malcolm aggregator base operating system, but the `avahi` and `cups` services themselves are disabled. **6.17 Ensure virus scan Server is enabled**, **6.18 Ensure virus scan Server update is enabled** - As this is a network traffic analysis appliance rather than an end-user device, regular user files will not be created. A virus scan program would impact device performance and would be unnecessary. 
@@ -55,6 +59,8 @@ Password-related recommendations under **9.2** and **10.1** - The library packag **10.1.10 Set maxlogins for all accounts** and **10.5 Set Timeout on ttys** - The Malcolm aggregator base operating system does not create multiple regular user accounts: only the `root` and aggregator service accounts are used. +**12.8 Find Un-owned Files and Directories** and **12.9 Find Un-grouped Files and Directories** - The files found by [these](https://github.com/hardenedlinux/harbian-audit/blob/master/bin/hardening/12.8_find_unowned_files.sh) [scripts](https://github.com/hardenedlinux/harbian-audit/blob/master/bin/hardening/12.9_find_ungrouped_files.sh) exist within the layers of Malcolm's Docker images. While they do not belong to any user/group the host system knows about, the ownership of these files is set correctly in each Docker container's entrypoint. These files are not accessible to any unprivileged user on the host. + **12.10 Find SUID System Executables**, **12.11 Find SGID System Executables** - The few files found by [these](https://github.com/hardenedlinux/harbian-audit/blob/master/bin/hardening/12.10_find_suid_files.sh) [scripts](https://github.com/hardenedlinux/harbian-audit/blob/master/bin/hardening/12.11_find_sgid_files.sh) are valid exceptions required by the Malcolm aggregator base operating system's core requirements. **14.1 Defense for NAT Slipstreaming** - As Malcolm may operate as a network traffic capture appliance sniffing packets on a network interface configured in promiscuous mode, this recommendation does not apply. diff --git a/docs/hedgehog-hardening.md b/docs/hedgehog-hardening.md index 41bf13e83..c993f2042 100644 --- a/docs/hedgehog-hardening.md +++ b/docs/hedgehog-hardening.md 
@@ -18,12 +18,16 @@ Hedgehog Linux claims exceptions from the recommendations in this benchmark in t **2.14 Add nodev option to /run/shm Partition**, **2.15 Add nosuid Option to /run/shm Partition**, **2.16 Add noexec Option to /run/shm Partition** - Hedgehog Linux does not mount `/run/shm` as a separate partition, so these recommendations do not apply. +**2.17 Set Sticky Bit on All World-Writable Directories** - The only directory found by [this script](https://github.com/hardenedlinux/harbian-audit/blob/master/bin/hardening/2.17_sticky_bit_world_writable_folder.sh) is `/var/mail`, which is configured as prescribed by the Debian maintainers. + **2.19 Disable Mounting of freevxfs Filesystems**, **2.20 Disable Mounting of jffs2 Filesystems**, **2.21 Disable Mounting of hfs Filesystems**, **2.22 Disable Mounting of hfsplus Filesystems**, **2.23 Disable Mounting of squashfs Filesystems**, **2.24 Disable Mounting of udf Filesystems** - Hedgehog Linux is not compiling a custom Linux kernel, so these filesystems are inherently supported as they are part Debian Linux's default kernel. **3.3 Set Boot Loader Password** - As maximizing availability is a system requirement, Malcolm should restart automatically without user intervention to ensured uninterrupted service. A boot loader password is not enabled. **4.8 Disable USB Devices** - The ability to ingest data (such as PCAP files) from a mounted USB mass storage device is a requirement of the system. +**5.2 Install screen** - Hedgehog Linux comes with `tmux`, a modern `screen` alternative. + **6.1 Ensure the X Window system is not installed**, **6.2 Ensure Avahi Server is not enabled**, **6.3 Ensure print server is not enabled** - An X Windows session is provided for displaying dashboards. The library packages `libavahi-common-data`, `libavahi-common3`, and `libcups2` are dependencies of some of the X components used by Hedgehog Linux, but the `avahi` and `cups` services themselves are disabled. 
**6.17 Ensure virus scan Server is enabled**, **6.18 Ensure virus scan Server update is enabled** - As this is a network traffic analysis appliance rather than an end-user device, regular user files will not be created. A virus scan program would impact device performance and would be unnecessary. diff --git a/hedgehog-iso/config/hooks/normal/0910-sensor-build.hook.chroot b/hedgehog-iso/config/hooks/normal/0910-sensor-build.hook.chroot index 50f9e89af..8c40a1f7c 100755 --- a/hedgehog-iso/config/hooks/normal/0910-sensor-build.hook.chroot +++ b/hedgehog-iso/config/hooks/normal/0910-sensor-build.hook.chroot @@ -201,6 +201,7 @@ curl "${GITHUB_API_CURL_ARGS[@]}" "${yq_tar_url}" | tar -xzf - ./yq_linux_${ARCH mv ./yq_linux_${ARCH} /usr/bin/yq chmod 755 /usr/bin/yq +chown root:root /usr/bin/yq ### # supercronic @@ -220,6 +221,7 @@ curl "${GITHUB_API_CURL_ARGS[@]}" "${croc_tar_url}" | tar -xzf - croc mv ./croc /usr/local/bin/croc chmod 755 /usr/local/bin/croc +chown root:root /usr/local/bin/croc ### # update clamav signatures diff --git a/hedgehog-iso/config/hooks/normal/0991-security-performance.hook.chroot b/hedgehog-iso/config/hooks/normal/0991-security-performance.hook.chroot index 4801ca047..e4fa64082 100755 --- a/hedgehog-iso/config/hooks/normal/0991-security-performance.hook.chroot +++ b/hedgehog-iso/config/hooks/normal/0991-security-performance.hook.chroot @@ -117,6 +117,7 @@ sed -i "s/#user_allow_other.*/user_allow_other/" /etc/fuse.conf find /etc/audit -type d -exec chmod 750 "{}" \; find /etc/audit -type f -exec chmod 640 "{}" \; chmod 600 /etc/ssh/sshd_config +chmod o-w /run/sendmail/mta/smsocket # set DIR_MODE to 750 for new users sed -i "s/^DIR_MODE=.*/DIR_MODE=0750/" /etc/adduser.conf 
@@ -178,7 +179,7 @@ cat << 'EOF' >> /etc/fluent-bit/parsers.conf Format logfmt EOF -# remove identifying operating system information +# remove identifying operating system information from /etc/issue* truncate -s 0 /etc/motd sed -i "s/Debian/Hedgehog/g" /etc/issue sed -i "s/Debian/Hedgehog/g" /etc/issue.net diff --git a/hedgehog-iso/config/includes.chroot/etc/ssh/sshd_config b/hedgehog-iso/config/includes.chroot/etc/ssh/sshd_config index 84e31145f..d1ad39c03 100644 --- a/hedgehog-iso/config/includes.chroot/etc/ssh/sshd_config +++ b/hedgehog-iso/config/includes.chroot/etc/ssh/sshd_config @@ -111,7 +111,7 @@ ClientAliveCountMax 0 #ChrootDirectory none #VersionAddendum none -Banner=/etc/issue +Banner=/etc/issue.net # Allow client to pass locale environment variables AcceptEnv LANG LC_* diff --git a/hedgehog-raspi/sensor_install.sh b/hedgehog-raspi/sensor_install.sh index 0b3cf187f..12c82de02 100644 --- a/hedgehog-raspi/sensor_install.sh +++ b/hedgehog-raspi/sensor_install.sh @@ -251,6 +251,7 @@ clean_up() { # Set Hedgehog banner mv /root/hedgehog-ascii-text.txt /etc/issue + cp /etc/issue /etc/issue.net # Remove ethernet interface files left by installation # Sensor setup will create necessary files when user runs setup diff --git a/malcolm-iso/config/hooks/normal/0991-security-performance.hook.chroot b/malcolm-iso/config/hooks/normal/0991-security-performance.hook.chroot index 55f54c4a6..3ed2d1a30 100755 --- a/malcolm-iso/config/hooks/normal/0991-security-performance.hook.chroot +++ b/malcolm-iso/config/hooks/normal/0991-security-performance.hook.chroot 
@@ -167,7 +167,7 @@ systemctl disable htpdate || true sed -i "s/#[[:space:]]*HTP_IFUP=.*/HTP_IFUP=no/" /etc/default/htpdate sed -i "s/#[[:space:]]*HTP_DAEMON=.*/HTP_DAEMON=no/" /etc/default/htpdate -# remove identifying operating system information from /etc/issue +# remove identifying operating system information from /etc/issue* truncate -s 0 /etc/motd sed -i "s/Debian/Hedgehog/g" /etc/issue sed -i "s/Debian/Hedgehog/g" /etc/issue.net diff --git a/malcolm-iso/config/includes.chroot/etc/ssh/sshd_config b/malcolm-iso/config/includes.chroot/etc/ssh/sshd_config index 84e31145f..d1ad39c03 100644 --- a/malcolm-iso/config/includes.chroot/etc/ssh/sshd_config +++ b/malcolm-iso/config/includes.chroot/etc/ssh/sshd_config @@ -111,7 +111,7 @@ ClientAliveCountMax 0 #ChrootDirectory none #VersionAddendum none -Banner=/etc/issue +Banner=/etc/issue.net # Allow client to pass locale environment variables AcceptEnv LANG LC_* diff --git a/shared/bin/preseed_late_user_config.sh b/shared/bin/preseed_late_user_config.sh index 3fe94bf3b..6795aaa86 100755 --- a/shared/bin/preseed_late_user_config.sh +++ b/shared/bin/preseed_late_user_config.sh @@ -204,8 +204,9 @@ db_get malcolm/dod_banner if [ "$RET" = true ]; then # login banner - OLD_ISSUE="$(grep ^Debian /etc/issue | sed -r "s@[[:space:]]\\\.*@@g")" - cat << 'EOF' > /etc/issue + for ISSUE_FILE in /etc/issue /etc/issue.net; do + OLD_ISSUE="$(grep ^Debian ${ISSUE_FILE} | sed -r "s@[[:space:]]\\\.*@@g")" + cat << 'EOF' > ${ISSUE_FILE} You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. 
@@ -215,8 +216,9 @@ By using this IS (which includes any device attached to this IS), you consent to -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. EOF - /bin/echo -E "$OLD_ISSUE \n \l" >> /etc/issue - echo >> /etc/issue + /bin/echo -E "$OLD_ISSUE \n \l" >> ${ISSUE_FILE} + echo >> ${ISSUE_FILE} + done else rm -f /usr/local/bin/dod-login-banner.sh
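Review bot: in the Dockerfiles/logstash.Dockerfile hunk, `chmod -R o-w /usr/share/logstash` covers only one of the two trees the preceding `chown --silent -R` touches; `/logstash-persistent-queue` keeps whatever mode it had. If the queue directory is also meant to lose world-write, extend the command to `chmod -R o-w /usr/share/logstash /logstash-persistent-queue`, and consider a build-time check such as `find /usr/share/logstash -perm -o+w` returning nothing so a regression is caught in the image build rather than by a later audit run.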
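Review bot: in the first docs/hardening.md hunk (2.17 and 5.2), the new **5.2 Install screen** entry reads "The Malcolm base operating system", while every other entry in this file says "The Malcolm aggregator base operating system"; align the wording. The **2.17** exception would also be easier to verify if it stated the mode and ownership `/var/mail` actually has (the reason the sticky bit is not needed there) instead of only that it matches what the Debian maintainers prescribe.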
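Review bot: in the second docs/hardening.md hunk (12.8 and 12.9), the statement that the unowned and ungrouped files in the Docker image layers "are not accessible to any unprivileged user on the host" rests entirely on the permissions of the container runtime's storage directory, which the text does not name; state that basis and the path it applies to so the exception can be checked on an installed system, and say whether the claim still holds for the non-default ways Malcolm can run its containers.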
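Review bot: in the docs/hedgehog-hardening.md hunk, the unchanged **3.3 Set Boot Loader Password** context line still says "Malcolm should restart automatically without user intervention to ensured uninterrupted service"; since this commit is already editing this block of the Hedgehog document, replace "Malcolm" with "Hedgehog Linux" and "ensured" with "ensure" in the same change rather than leaving the copy-paste from docs/hardening.md.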
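Review bot: in both hedgehog-iso/config/hooks/normal/0910-sensor-build.hook.chroot hunks, the added `chown root:root` is needed because the binaries come out of `tar -xzf -` run as root, and GNU tar invoked by the superuser preserves the owner recorded in the archive by default. Passing `--no-same-owner` to those two `tar` invocations would fix ownership at extraction time for every member of the archive instead of one file per `chown`, which is the more robust fix if anything else is ever extracted from those tarballs.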
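Review bot: in the hedgehog-iso 0991-security-performance.hook.chroot hunk, `chmod o-w /run/sendmail/mta/smsocket` runs inside the build chroot, but `/run` is a tmpfs recreated on every boot and the socket is created by sendmail when it starts, so the mode change cannot survive into the installed system; if the path does not exist in the chroot the command also fails, which aborts the hook if it runs under `set -e`. Set the socket mode where sendmail creates it (its own configuration, or a systemd unit/tmpfiles setting applied at boot) and drop this line, or at minimum guard it with `|| true` and add a comment recording that it only affects the build environment.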
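Review bot: in the hedgehog-raspi/sensor_install.sh hunk, `cp /etc/issue /etc/issue.net` is only correct as long as `hedgehog-ascii-text.txt` contains no agetty escape sequences (`\n`, `\l` and the like), because sshd prints `/etc/issue.net` verbatim while agetty expands those escapes in `/etc/issue`; a one-line comment next to the copy stating that constraint would keep a future banner edit from breaking the SSH banner.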
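Review bot: in the first shared/bin/preseed_late_user_config.sh hunk, `OLD_ISSUE="$(grep ^Debian ${ISSUE_FILE} ...)"` now also runs against `/etc/issue.net`, but both 0991-security-performance hooks in this same patch rewrite `Debian` to `Hedgehog` in `/etc/issue` and `/etc/issue.net` at image build time; confirm that a line beginning with `Debian` still exists when this preseed step runs, because otherwise `OLD_ISSUE` is empty and the appended line is a bare ` \n \l`. Quoting `"${ISSUE_FILE}"` in the `grep` and the redirection would also avoid surprises if the loop list ever gains a path with spaces.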
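Review bot: in the second shared/bin/preseed_late_user_config.sh hunk, the loop appends `"$OLD_ISSUE \n \l"` to `/etc/issue.net` exactly as it does to `/etc/issue`. The `\n` and `\l` escapes are expanded by agetty on the console, but sshd, which both sshd_config hunks now point at `/etc/issue.net` via `Banner=/etc/issue.net`, writes the banner file to the client verbatim, so every SSH login will show the literal text `\n \l` after the DoD notice. Append the escapes only for the console file, for example `if [ "${ISSUE_FILE}" = /etc/issue ]; then /bin/echo -E "$OLD_ISSUE \n \l" >> "${ISSUE_FILE}"; else /bin/echo -E "$OLD_ISSUE" >> "${ISSUE_FILE}"; fi`.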