SovereignCloudStack / issues

This repository is used for issues that are cross-repository or not bound to a specific repository.
https://github.com/orgs/SovereignCloudStack/projects/6

IaaS Internal Pentesting (Gray-Box) #410

Open 90n20 opened 9 months ago

90n20 commented 9 months ago

Assessing the security of internal resources and components hosted within a SCS testbed deployment. This will be done from a Gray-box perspective, which involves a mix of knowledge about the environment, similar to internal personnel, combined with external information that an attacker might gather. (Related to #391)

Tasks

90n20 commented 7 months ago

We have finished with internal testing through WireGuard/SSH tunnels, with special mention to the following ports/services on both testbed manager and nodes:

2 security advisories have been created (only visible to authorized members) affecting the following components:

Going forward, manager and nodes will be tested from the point of view of an authenticated user.

90n20 commented 4 months ago

Assessment with Low and High privileged users has been performed on a standard testbed deployment, giving an overview of the security mechanisms present in manager and nodes either without or with hardening enabled. The results, which have been uploaded to the SCS Nextcloud instance, may be used by teams to improve the overall security of the systems.

This should be tested again, maybe following the releases calendar, in order to track possible changes. Automation may be possible; however, lots of manual work and checking is involved in the process.

Moving on, we are now testing the internal security of the components within a deployed instance on a test project. This will allow us to evaluate the security from the point of view of a "client" using the infrastructure (#530).

90n20 commented 3 months ago

Internal security of the components inside a deployed instance on a testbed project has been reviewed using two different machines (CirrOS and Ubuntu ones). Our evaluation showed minor problems, which guarantees the security of the infrastructure from a client's point of view.

All tasks related to this issue have been finished.

bitkeks commented 3 months ago

Ok thanks @90n20. Let's sync on this one final time and create an executive summary for the rest of the team and our partners.