SovereignCloudStack / issues

This repository is used for issues that are cross-repository or not bound to a specific repository.

https://github.com/orgs/SovereignCloudStack/projects/6

2 stars 1 forks source link

Testbed assessment with Low privileged users/roles #494

Open 90n20 opened 8 months ago

90n20 commented 8 months ago

As a SCS security auditor, I want to check and assess a SCS testbed deployment within the context of a low privileged user on both manager and nodes, so that I could report that all systems are configured properly and without any flaw that could impact their security as a whole.

Related to #410

Definition of Ready:

[ ] User Story is small enough to be finished within one sprint
[ ] User Story is clear and understood by the whole team
[ ] Acceptance criteria are defined
[ ] Acceptance criteria are clear and understood by the whole team

Definition of Done:

[ ] All acceptance criteria are met
[ ] Changes have been reviewed
[ ] CI tests have run successfully
[ ] Documentation has been updated
[ ] Release Notes have been updated

90n20 commented 8 months ago

Issue Progress

Testbed manager

[x] Launched compliance and privilege escalation check tools
- [x] OpenSCAP
- Scanning profiles based on CIS Ubuntu 22.04 Level 2 Server Benchmark
- Passed rules: 131
- Failed rules: 114 (3 high, 92 medium, 14 low, 5 info)
- [x] lynis
- Hardening index: 65/100
- [x] linPEAS
- Processes running as root, SUID files, readable config files, readable secrets (passwords, private keys, etc)
[x] Reviewing results

Testbed nodes

[x] Launched compliance and privilege escalation check tools
- [x] OpenSCAP
- Scanning profiles based on CIS Ubuntu 22.04 Level 2 Server Benchmark
- Passed rules: 125
- Failed rules: 115 (3 high, 93 medium, 14 low, 5 info)
- [x] lynis
- Hardening index:
  - node0: 63/100
  - node1 & node2: 64/100
- [x] linPEAS
- Processes running as root, SUID files, readable config files, readable secrets (passwords, private keys, etc)
[x] Reviewing results

90n20 commented 7 months ago

Updated progress with scripts results on nodes.

90n20 commented 6 months ago

After reviewing the results, they have been reported with recommended actions in a document on SCS Nextcloud instance.

Next actions will consist on perform the same tests over a testbed deployment with hardening enabled to compare both results.

90n20 commented 6 months ago

Issue Progress (hardening enabled)

Testbed manager

[x] Launched compliance and privilege escalation check tools
- [x] OpenSCAP
- Scanning profiles based on CIS Ubuntu 22.04 Level 2 Server Benchmark
- Passed rules: 149
- Failed rules: 180 (2 high, 160 medium, 13 low, 5 info)
- [x] lynis
- Hardening index: 68/100
- [x] linPEAS
- Processes running as root, SUID files, readable config files, readable secrets (passwords, private keys, etc)
[x] Reviewing results

Testbed nodes

[x] Launched compliance and privilege escalation check tools
- [x] OpenSCAP
- Scanning profiles based on CIS Ubuntu 22.04 Level 2 Server Benchmark
- Passed rules: 144
- Failed rules: 178 (2 high, 158 medium, 13 low, 5 info)
- [x] lynis
- Hardening index:
  - node0, node1 & node2: 68/100
- [x] linPEAS
- Processes running as root, SUID files, readable config files, readable secrets (passwords, private keys, etc)
[x] Reviewing results

90n20 commented 6 months ago

Updated progress with hardening applied. Preliminary checks show slightly better results (with OpenScap more rules are being checked as hardening enables some new services, hence past "non applicable" rules are now added to the list)

90n20 commented 6 months ago

New document uploaded to nextcloud with the results with hardening applied. Both include recommended actions.