changes for review of hardening, idaholab#328
mmguero committed Oct 22, 2024
1 parent 2d9da42 commit ec6f6cc
Showing 10 changed files with 25 additions and 8 deletions.
1 change: 1 addition & 0 deletions Dockerfiles/logstash.Dockerfile
Expand Up @@ -105,6 +105,7 @@ RUN bash -c "chmod --silent 755 /usr/local/bin/*.sh /usr/local/bin/*.py || true"
chown --silent -R ${PUSER}:root \
/usr/share/logstash \
/logstash-persistent-queue && \
chmod -R o-w /usr/share/logstash && \
echo "Retrieving and parsing Wireshark manufacturer database..." && \
python3 /usr/local/bin/manuf-oui-parse.py -o /etc/vendor_macs.yaml && \
echo "Complete."
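Review bot: the new `chmod -R o-w /usr/share/logstash` covers only one of the two trees the preceding `chown` touches; `/logstash-persistent-queue` is chowned to `${PUSER}:root` in the same block but keeps whatever other-write bits it already had. If the intent is to deny world-write on everything Logstash owns, extend the chmod to both paths, e.g. `chmod -R o-w /usr/share/logstash /logstash-persistent-queue && \`. Note also that, unlike the first chmod in this RUN, this one has no `|| true`, so a missing path fails the build; that is presumably the desired behaviour but worth confirming.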
6 changes: 6 additions & 0 deletions docs/hardening.md
Expand Up @@ -21,12 +21,16 @@ The Malcolm aggregator base operating system claims exceptions from the recommen

**2.14 Add nodev option to /run/shm Partition**, **2.15 Add nosuid option to /run/shm Partition**, **2.16 Add noexec option to /run/shm Partition** - The Malcolm aggregator base operating system does not mount `/run/shm` as a separate partition, so these recommendations do not apply.

**2.17 Set Sticky Bit on All World-Writable Directories** - The only directory found by [this script](https://github.com/hardenedlinux/harbian-audit/blob/master/bin/hardening/2.17_sticky_bit_world_writable_folder.sh) is `/var/mail`, which is configured as prescribed by the Debian maintainers.

**2.19 Disable Mounting of freevxfs Filesystems**, **2.20 Disable Mounting of jffs2 Filesystems**, **2.21 Disable Mounting of hfs Filesystems**, **2.22 Disable Mounting of hfsplus Filesystems**, **2.23 Disable Mounting of squashfs Filesystems**, **2.24 Disable Mounting of udf Filesystems** - The Malcolm aggregator base operating system is not compiling a custom Linux kernel, so these filesystems are inherently supported as they are part Debian Linux's default kernel.

**3.3 Set Boot Loader Password** - As maximizing availability is a system requirement, Malcolm should restart automatically without user intervention to ensure uninterrupted service. A boot loader password is not enabled.

**4.8 Disable USB Devices** - The ability to ingest data (such as PCAP files) from a mounted USB mass storage device is a requirement of the system.

**5.2 Install screen** - The Malcolm base operating system comes with `tmux`, a modern `screen` alternative.

**6.1 Ensure the X Window system is not installed**, **6.2 Ensure Avahi Server is not enabled**, **6.3 Ensure print server is not enabled** - An X Windows session is provided for displaying dashboards. The library packages `libavahi-common-data`, `libavahi-common3`, and `libcups2` are dependencies of some of the X components used by the Malcolm aggregator base operating system, but the `avahi` and `cups` services themselves are disabled.

**6.17 Ensure virus scan Server is enabled**, **6.18 Ensure virus scan Server update is enabled** - As this is a network traffic analysis appliance rather than an end-user device, regular user files will not be created. A virus scan program would impact device performance and would be unnecessary.
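Review bot: typo in the added 2.19-2.24 entry: "they are part Debian Linux's default kernel" should read "part of Debian Linux's default kernel". Separately, the added 2.17 entry documents `/var/mail` as the one world-writable directory the script finds and says it is "configured as prescribed by the Debian maintainers"; quoting the mode the maintainers set would let an auditor compare it against the script's output rather than take the exception on trust.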
Expand Down Expand Up @@ -55,6 +59,8 @@ Password-related recommendations under **9.2** and **10.1** - The library packag

**10.1.10 Set maxlogins for all accounts** and **10.5 Set Timeout on ttys** - The Malcolm aggregator base operating system does not create multiple regular user accounts: only the `root` and aggregator service accounts are used.

**12.8 Find Un-owned Files and Directories** and **12.9 Find Un-grouped Files and Directories** - The files found by [these](https://github.com/hardenedlinux/harbian-audit/blob/master/bin/hardening/12.8_find_unowned_files.sh) [scripts](https://github.com/hardenedlinux/harbian-audit/blob/master/bin/hardening/12.9_find_ungrouped_files.sh) exist within the layers of Malcolm's Docker images. While they do not belong to any user/group the host system knows about, the ownership of these files is set correctly in each Docker container's entrypoint. These files are not accessible to any unprivileged user on the host.

**12.10 Find SUID System Executables**, **12.11 Find SGID System Executables** - The few files found by [these](https://github.com/hardenedlinux/harbian-audit/blob/master/bin/hardening/12.10_find_suid_files.sh) [scripts](https://github.com/hardenedlinux/harbian-audit/blob/master/bin/hardening/12.11_find_sgid_files.sh) are valid exceptions required by the Malcolm aggregator base operating system's core requirements.

**14.1 Defense for NAT Slipstreaming** - As Malcolm may operate as a network traffic capture appliance sniffing packets on a network interface configured in promiscuous mode, this recommendation does not apply.
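Review bot: the added 12.8/12.9 entry says the un-owned and un-grouped files "are not accessible to any unprivileged user on the host", but that follows from the permissions of Docker's image-layer storage on the host, not from the entrypoint fixing ownership inside the running container. Suggest stating that condition explicitly (the Docker data directory remains root-only) so the exception can be re-checked after a Docker upgrade or a change of storage driver.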
4 changes: 4 additions & 0 deletions docs/hedgehog-hardening.md
Expand Up @@ -18,12 +18,16 @@ Hedgehog Linux claims exceptions from the recommendations in this benchmark in t

**2.14 Add nodev option to /run/shm Partition**, **2.15 Add nosuid Option to /run/shm Partition**, **2.16 Add noexec Option to /run/shm Partition** - Hedgehog Linux does not mount `/run/shm` as a separate partition, so these recommendations do not apply.

**2.17 Set Sticky Bit on All World-Writable Directories** - The only directory found by [this script](https://github.com/hardenedlinux/harbian-audit/blob/master/bin/hardening/2.17_sticky_bit_world_writable_folder.sh) is `/var/mail`, which is configured as prescribed by the Debian maintainers.

**2.19 Disable Mounting of freevxfs Filesystems**, **2.20 Disable Mounting of jffs2 Filesystems**, **2.21 Disable Mounting of hfs Filesystems**, **2.22 Disable Mounting of hfsplus Filesystems**, **2.23 Disable Mounting of squashfs Filesystems**, **2.24 Disable Mounting of udf Filesystems** - Hedgehog Linux is not compiling a custom Linux kernel, so these filesystems are inherently supported as they are part Debian Linux's default kernel.

**3.3 Set Boot Loader Password** - As maximizing availability is a system requirement, Malcolm should restart automatically without user intervention to ensured uninterrupted service. A boot loader password is not enabled.

**4.8 Disable USB Devices** - The ability to ingest data (such as PCAP files) from a mounted USB mass storage device is a requirement of the system.

**5.2 Install screen** - Hedgehog Linux comes with `tmux`, a modern `screen` alternative.

**6.1 Ensure the X Window system is not installed**, **6.2 Ensure Avahi Server is not enabled**, **6.3 Ensure print server is not enabled** - An X Windows session is provided for displaying dashboards. The library packages `libavahi-common-data`, `libavahi-common3`, and `libcups2` are dependencies of some of the X components used by Hedgehog Linux, but the `avahi` and `cups` services themselves are disabled.

**6.17 Ensure virus scan Server is enabled**, **6.18 Ensure virus scan Server update is enabled** - As this is a network traffic analysis appliance rather than an end-user device, regular user files will not be created. A virus scan program would impact device performance and would be unnecessary.
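Review bot: the added 2.19-2.24 entry carries the same typo as the aggregator document, "part Debian Linux's default kernel" for "part of Debian Linux's default kernel". While this file is being touched, the neighbouring 3.3 entry reads "to ensured uninterrupted service" and says "Malcolm should restart" in a document whose other entries refer to Hedgehog Linux; both look like copy-paste leftovers and could be fixed in the same pass.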
Expand Up @@ -201,6 +201,7 @@ curl "${GITHUB_API_CURL_ARGS[@]}" "${yq_tar_url}" | tar -xzf - ./yq_linux_${ARCH

mv ./yq_linux_${ARCH} /usr/bin/yq
chmod 755 /usr/bin/yq
chown root:root /usr/bin/yq
###

# supercronic
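Review bot: `chown root:root /usr/bin/yq` is the right fix for a binary extracted by `tar` running as root (tar restores the uid/gid recorded in the archive by default), but it runs after `mv` has already placed the file in `/usr/bin`, so there is a step at which a binary with foreign ownership sits on the default PATH. Ordering the fix-ups before the move keeps the installed path consistent at every step: `chown root:root ./yq_linux_${ARCH}`, `chmod 755 ./yq_linux_${ARCH}`, then `mv ./yq_linux_${ARCH} /usr/bin/yq`. Minor in a build script, but cheap to do.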
Expand All @@ -220,6 +221,7 @@ curl "${GITHUB_API_CURL_ARGS[@]}" "${croc_tar_url}" | tar -xzf - croc

mv ./croc /usr/local/bin/croc
chmod 755 /usr/local/bin/croc
chown root:root /usr/local/bin/croc
###

# update clamav signatures
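Review bot: the `chown root:root` runs after `mv` has already placed croc in `/usr/local/bin`; applying `chown root:root ./croc` and `chmod 755 ./croc` first and moving the file last keeps the installed binary consistently owned at every step. The chown itself is needed because `tar -xzf - croc` running as root restores whatever uid/gid the release archive recorded.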
Expand Up @@ -117,6 +117,7 @@ sed -i "s/#user_allow_other.*/user_allow_other/" /etc/fuse.conf
find /etc/audit -type d -exec chmod 750 "{}" \;
find /etc/audit -type f -exec chmod 640 "{}" \;
chmod 600 /etc/ssh/sshd_config
chmod o-w /run/sendmail/mta/smsocket

# set DIR_MODE to 750 for new users
sed -i "s/^DIR_MODE=.*/DIR_MODE=0750/" /etc/adduser.conf
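Review bot: `chmod o-w /run/sendmail/mta/smsocket` will not carry over to the installed system: `/run` is a tmpfs populated at boot, and the socket is created by sendmail when it starts, with the mode sendmail gives it. At image-build time the path may not even exist in the chroot, in which case chmod returns non-zero and, if this script runs under `set -e`, aborts the build. Set the socket mode where the socket is created instead (sendmail's daemon socket options, or a hook that runs after the service starts), and either drop this line or guard it with `[ -S /run/sendmail/mta/smsocket ] &&`.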
Expand Down Expand Up @@ -178,7 +179,7 @@ cat << 'EOF' >> /etc/fluent-bit/parsers.conf
Format logfmt
EOF

# remove identifying operating system information
# remove identifying operating system information from /etc/issue*
truncate -s 0 /etc/motd
sed -i "s/Debian/Hedgehog/g" /etc/issue
sed -i "s/Debian/Hedgehog/g" /etc/issue.net
2 changes: 1 addition & 1 deletion hedgehog-iso/config/includes.chroot/etc/ssh/sshd_config
Expand Up @@ -111,7 +111,7 @@ ClientAliveCountMax 0
#ChrootDirectory none
#VersionAddendum none

Banner=/etc/issue
Banner=/etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
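Review bot: pointing `Banner` at `/etc/issue.net` is the conventional choice, because sshd sends the banner file verbatim and does not expand the getty escape sequences (`\n`, `\l`) that belong in `/etc/issue`. Two things to check alongside this change: OpenSSH accepts `Banner=/etc/issue.net` (keyword and value joined by `=`), but the rest of this file separates keyword and value with whitespace, so `Banner /etc/issue.net` would match the surrounding style; and whatever populates `/etc/issue.net` must not copy those escapes into it, or SSH clients will see them as literal text.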
1 change: 1 addition & 0 deletions hedgehog-raspi/sensor_install.sh
Expand Up @@ -251,6 +251,7 @@ clean_up() {

# Set Hedgehog banner
mv /root/hedgehog-ascii-text.txt /etc/issue
cp /etc/issue /etc/issue.net

# Remove ethernet interface files left by installation
# Sensor setup will create necessary files when user runs setup
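Review bot: `cp /etc/issue /etc/issue.net` makes the SSH banner identical to the console banner, which is fine provided `hedgehog-ascii-text.txt` contains no getty escape sequences: sshd sends `/etc/issue.net` verbatim, so any `\n` or `\l` in the art would be shown literally to SSH clients, whereas agetty would have expanded them on the console. Worth a glance at the source file before merging.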
Expand Up @@ -167,7 +167,7 @@ systemctl disable htpdate || true
sed -i "s/#[[:space:]]*HTP_IFUP=.*/HTP_IFUP=no/" /etc/default/htpdate
sed -i "s/#[[:space:]]*HTP_DAEMON=.*/HTP_DAEMON=no/" /etc/default/htpdate

# remove identifying operating system information from /etc/issue
# remove identifying operating system information from /etc/issue*
truncate -s 0 /etc/motd
sed -i "s/Debian/Hedgehog/g" /etc/issue
sed -i "s/Debian/Hedgehog/g" /etc/issue.net
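Review bot: this block (comment, `truncate -s 0 /etc/motd`, and the two `sed -i "s/Debian/Hedgehog/g"` calls) is character-for-character the same as the block edited in the other build script in this commit, and the comment tweak had to be made in both places. Consider moving it into a helper under `shared/bin/` so the two images cannot drift; a one-line comment fix applied twice is exactly the kind of duplication that later turns into a behavioural difference.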
2 changes: 1 addition & 1 deletion malcolm-iso/config/includes.chroot/etc/ssh/sshd_config
Expand Up @@ -111,7 +111,7 @@ ClientAliveCountMax 0
#ChrootDirectory none
#VersionAddendum none

Banner=/etc/issue
Banner=/etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
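Review bot: identical change to the Hedgehog copy of `sshd_config`, and the same remarks apply: sshd sends the `Banner` file verbatim without expanding getty escapes, so `/etc/issue.net` must be free of `\n` and `\l`; and `Banner /etc/issue.net`, with whitespace as in the rest of this file, would be the more conventional spelling even though OpenSSH also accepts the `=` form.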
10 changes: 6 additions & 4 deletions shared/bin/preseed_late_user_config.sh
Expand Up @@ -204,8 +204,9 @@ db_get malcolm/dod_banner

if [ "$RET" = true ]; then
# login banner
OLD_ISSUE="$(grep ^Debian /etc/issue | sed -r "s@[[:space:]]\\\.*@@g")"
cat << 'EOF' > /etc/issue
for ISSUE_FILE in /etc/issue /etc/issue.net; do
OLD_ISSUE="$(grep ^Debian ${ISSUE_FILE} | sed -r "s@[[:space:]]\\\.*@@g")"
cat << 'EOF' > ${ISSUE_FILE}
You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.
By using this IS (which includes any device attached to this IS), you consent to the following conditions:
-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
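Review bot: `${ISSUE_FILE}` is unquoted in `grep ^Debian ${ISSUE_FILE}` and in the heredoc redirection `> ${ISSUE_FILE}`; harmless for these two fixed paths, but quote it (`"${ISSUE_FILE}"`) so the loop stays correct if another path is ever added. More importantly, `grep ^Debian` assumes both files still begin with the stock Debian banner line, yet elsewhere in this commit the build scripts rewrite `Debian` to `Hedgehog` in `/etc/issue` and `/etc/issue.net`, and the Raspberry Pi installer replaces `/etc/issue` with ASCII art. Depending on the order in which these run, `OLD_ISSUE` may come back empty, which the script does not detect.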
Expand All @@ -215,8 +216,9 @@ By using this IS (which includes any device attached to this IS), you consent to
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.
EOF
/bin/echo -E "$OLD_ISSUE \n \l" >> /etc/issue
echo >> /etc/issue
/bin/echo -E "$OLD_ISSUE \n \l" >> ${ISSUE_FILE}
echo >> ${ISSUE_FILE}
done

else
rm -f /usr/local/bin/dod-login-banner.sh
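Review bot: `/bin/echo -E "$OLD_ISSUE \n \l" >> ${ISSUE_FILE}` now runs for `/etc/issue.net` as well, but `\n` and `\l` are getty escapes that only agetty expands when printing `/etc/issue`; sshd sends `/etc/issue.net` verbatim, so SSH users will see the literal characters `\n \l` after the DoD banner. Append the escapes only for the console file, e.g.
`if [ "$ISSUE_FILE" = /etc/issue ]; then /bin/echo -E "$OLD_ISSUE \n \l" >> "$ISSUE_FILE"`
`else /bin/echo -E "$OLD_ISSUE" >> "$ISSUE_FILE"; fi`
and quote `"${ISSUE_FILE}"` in the `echo >>` line as well.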