DeineAgenturUG / greenbone-gvm-openvas-for-docker

The Greenbone Vulnerability Management (GVM) and OpenVAS Scanner for Docker!
MIT License

[Enhancement] Enable HTTP Strict Transport Security for gsad-https and gsad-https-owncert commands in supervisord.conf #18

Closed markdesilva closed 2 years ago

markdesilva commented 2 years ago

Is your feature request related to a problem? Please describe.
Not a problem, but a security enhancement. When 'gsad-https' and 'gsad-https-owncert' are called from start.sh (referencing commands in /opt/setup/config/supervisord.conf) they are started without enabling HTTP Strict Transport Security ("--http-sts"; max-age defaults to 31536000).

Describe the solution you'd like
Add "--http-sts" to the commands for 'gsad-https' and 'gsad-https-owncert' in /opt/setup/config/supervisord.conf.

Describe alternatives you've considered
NA

Additional context
NA

Dexus commented 2 years ago

Would a "gsad" environment variable help here, like X_GSAD_OPTIONS='--enable-xyz --enable-zyx', to set up more settings if needed?

With default values if not set? And it would only have an effect if it is used on start of the container.

markdesilva commented 2 years ago

That is possible, but my concern for this would be that users set options that have already been set for 'gsad-https' and 'gsad-https-owncert' in /opt/setup/config/supervisord.conf. Then it may cause "bugs" which are not real bugs and there is wasted time trying to solve something that doesn't need to be solved.

Maybe separate env variables for the security options only. Security options for GSAD are:

--http-frame-opts=FRAME-OPTS
    X-Frame-Options HTTP header. Defaults to "SAMEORIGIN".

--http-csp=CSP
    Content-Security-Policy HTTP header. Defaults to "default-src 'self' 'unsafe-inline'; img-src 'self' blob:; frame-ancestors 'self'"

--http-sts
    Enable HTTP Strict-Transport-Security header.

--http-sts-max-age=max-age
    max-age in seconds for HTTP Strict-Transport-Security header. Defaults to 31536000.

Then only accept the default values as defined in the man pages. These should be generally acceptable for all:

-e FRAME_OPTS="true" -e CSP="true" -e HSTS="true"

If there is a need for HSTS_MAXAGE to be set other than default of 31536000, then maybe another env var: -e HSTS_MAXAGE="value"

So GSAD options would be added one by one:

```sh
GSAD_OPTS=""
if [ -n "$FRAME_OPTS" ]; then
   GSAD_OPTS="$GSAD_OPTS --http-frame-opts=SAMEORIGIN"
fi
if [ -n "$CSP" ]; then
   GSAD_OPTS="$GSAD_OPTS --http-csp=...."
fi
# ........ (remaining options follow the same pattern)
if [ -n "$HSTS" ]; then
   # --http-sts switches the header on; --http-sts-max-age only tunes its lifetime
   GSAD_OPTS="$GSAD_OPTS --http-sts"
   if [ -n "$HSTS_MAXAGE" ]; then
      GSAD_OPTS="$GSAD_OPTS --http-sts-max-age=$HSTS_MAXAGE"
   fi
fi
```

(Apologies, I'm a little rusty with the shell scripting).

Other options for GSAD

--per-ip-connection-limit=number
    Sets the maximum number of connections per ip. Use 0 for unlimited.

--http-cors=CORS
    Set Cross-Origin Resource Sharing (CORS) allow origin http header.

But I don't think these are necessary in a general setting. If users really require them, then they can edit the supervisord.conf and add them in manually.

This is just my opinion: X_GSAD_OPTIONS, as you suggest, is easier to implement but relies a lot on the end user not messing things up.

Thank you!
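The opt-in scheme sketched in the comment above, written out as a complete POSIX sh snippet. This is an added example, not code from the repository's start.sh or supervisord.conf and not either commenter's code. The environment variable names FRAME_OPTS, CSP, HSTS and HSTS_MAXAGE are the ones proposed in the thread and the default values are the ones quoted from the gsad man page there; the function names (is_true, is_uint, build_gsad_security_opts) and the validation of HSTS_MAXAGE are assumptions of this example. Each flag is emitted on its own line so that the Content-Security-Policy value, which contains spaces and semicolons, survives the trip into gsad's argument list without being word-split.

```shell
#!/bin/sh
# Added example: derive gsad's HTTP security flags from opt-in environment
# variables. Not part of the greenbone-gvm-openvas-for-docker project.

# Defaults quoted from the gsad man page excerpt in the thread.
GSAD_DEFAULT_CSP="default-src 'self' 'unsafe-inline'; img-src 'self' blob:; frame-ancestors 'self'"
GSAD_DEFAULT_STS_MAX_AGE=31536000

# Returns 0 when the value is an affirmative switch (true/yes/1), 1 otherwise.
is_true() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        true|yes|1) return 0 ;;
        *) return 1 ;;
    esac
}

# Returns 0 when the value is a non-negative integer, so a typo in
# HSTS_MAXAGE never reaches gsad as a malformed max-age.
is_uint() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Prints the gsad flags implied by the environment, one flag per line.
# Nothing is printed for switches that are unset or not affirmative.
build_gsad_security_opts() {
    if is_true "${FRAME_OPTS:-}"; then
        printf '%s\n' "--http-frame-opts=SAMEORIGIN"
    fi
    if is_true "${CSP:-}"; then
        printf '%s\n' "--http-csp=$GSAD_DEFAULT_CSP"
    fi
    if is_true "${HSTS:-}"; then
        # --http-sts is what enables the header; --http-sts-max-age only tunes
        # its lifetime, so it is added in addition to --http-sts, never instead of it.
        printf '%s\n' "--http-sts"
        if [ -n "${HSTS_MAXAGE:-}" ]; then
            if is_uint "$HSTS_MAXAGE"; then
                printf '%s\n' "--http-sts-max-age=$HSTS_MAXAGE"
            else
                echo "HSTS_MAXAGE='$HSTS_MAXAGE' is not an integer; using default $GSAD_DEFAULT_STS_MAX_AGE" >&2
                printf '%s\n' "--http-sts-max-age=$GSAD_DEFAULT_STS_MAX_AGE"
            fi
        fi
    fi
}

# How a start script would consume the output without word-splitting the CSP
# value: rebuild the positional parameters one line at a time, then exec gsad.
#
#   set --
#   while IFS= read -r opt; do set -- "$@" "$opt"; done <<EOF
#   $(build_gsad_security_opts)
#   EOF
#   exec gsad --listen=0.0.0.0 "$@"      # remaining gsad flags are hypothetical
#
# Running this file with --show prints the flags the current environment yields:
#   FRAME_OPTS=true CSP=true HSTS=true HSTS_MAXAGE=63072000 sh gsad_opts.sh --show
if [ "${1:-}" = "--show" ]; then
    build_gsad_security_opts
fi
```

After the container restarts with HSTS=true, the change is easy to verify from the host: request the HTTPS endpoint with curl -skI against the container's address and confirm a Strict-Transport-Security: max-age=... response header is present (it is only sent over HTTPS, so the plain-HTTP gsad command would not show it). Keeping the switches as separate, validated variables rather than a free-form X_GSAD_OPTIONS string is what prevents the duplicated or conflicting flags the comment above is worried about.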