ibm-openbmc / dev

Product Development Project Mgmt and Tracking

Allow admin to disable BMC SSH, IPMI, and HTTP access #612

Closed joseph-reynolds closed 2 years ago

joseph-reynolds commented 5 years ago

Expected Delivery Dates

Stakeholders

SME: Joseph Reynolds Design Researcher: @ParishrutB @priyanka-pillai97 UX Designer: @ParishrutB @priyanka-pillai97 FED: @dixsie

Use Case

The BMC admin should have an option to disable BMC shell access as a way to ensure the system is managed only by its intended interfaces (like Redfish REST APIs). Security-conscious users will want to disable shell access when they build the OpenBMC image or when they provision their BMC. They require that, for example, to better control and log use of the BMC's management functions, and to pass audits. Use cases are (1) large-scale data centers where uniform access is desired, and (2) systems with sensitive (personal, financial, etc.) data where shell access constitutes a back door into the system.

Specifically, when disabled, secure shell (ssh) access to the BMC (ssh -p 22) will fail. Note that ssh access to the host console (via ssh -p 2200) is not affected by this design.

The admin will be able to re-enable access, allow the BMC shell to be used for some function, debugging, or whatever, and then disable access again. Presumably use of the shell will be a rare event and closely watched to ensure no back doors into the BMC are created.

The BMC admin should be able to log the fact that BMC shell access was disabled or re-enabled. For example, if the design implements the Redfish ManagerNetworkProtocol SSH property (reference below), then Redfish REST API logging would suffice. The BMC admin should also be able to log ssh connection attempts, for example, log files written by the ssh server, PAM, etc.

Requirements

Design

We don't want the GUI to turn this function on or off by accident. My crude GUI design sketch: I envision a new status field on the admin page that shows if "BMC shell access is enabled" (and clearly indicates this feature is separate from the "host console ssh" feature). Maybe have a way to change its state, indicating one of:

Development

Shell access will remain enabled by default in the current OpenBMC releases.

InVision Prototype


Design Issue (phosphor-webui)


Development Issue


References/Resources
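
Added example (not part of the original issue or of OpenBMC's code): a Python check that compares a Redfish ManagerNetworkProtocol resource against the policy named in this issue's title and builds the PATCH body for whatever is still enabled. The sample resource, its `@odata.id` path and the policy table are constructed assumptions.

```python
import json

# Constructed sample of a ManagerNetworkProtocol resource (not captured from a real BMC).
SAMPLE = json.loads("""
{
  "@odata.id": "/redfish/v1/Managers/bmc/NetworkProtocol",
  "SSH":   {"ProtocolEnabled": true, "Port": 22},
  "IPMI":  {"ProtocolEnabled": true, "Port": 623},
  "HTTPS": {"ProtocolEnabled": true, "Port": 443}
}
""")

# Assumed policy: the three services from the issue title are off,
# HTTPS stays on because it carries the Redfish API itself.
POLICY = {"SSH": False, "IPMI": False, "HTTP": False, "HTTPS": True}


def audit(resource, policy=POLICY):
    """Return {protocol: (expected, actual)} for each protocol that violates policy.

    actual is None when the resource does not report the protocol at all;
    that is flagged too, because an unreported state cannot pass an audit.
    """
    findings = {}
    for proto, expected in policy.items():
        entry = resource.get(proto)
        actual = entry.get("ProtocolEnabled") if isinstance(entry, dict) else None
        if actual is not expected:
            findings[proto] = (expected, actual)
    return findings


def remediation_patch(findings):
    """Minimal PATCH body: only protocols the resource exposes and that are wrong."""
    return {
        proto: {"ProtocolEnabled": expected}
        for proto, (expected, actual) in findings.items()
        if actual is not None  # cannot PATCH a property the BMC does not expose
    }


if __name__ == "__main__":
    found = audit(SAMPLE)
    for proto, (expected, actual) in sorted(found.items()):
        print(f"{proto}: expected ProtocolEnabled={expected}, got {actual}")
    print("PATCH", SAMPLE["@odata.id"])
    print(json.dumps(remediation_patch(found), indent=2))
```

The SSH object here describes the BMC shell service on port 22; the host console on port 2200 is outside what this check covers.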

joseph-reynolds commented 3 years ago

Do we need to separate the USB enable/disable buttons for each physical USB port? One of them may be "dedicated" for a power supply, and the other open.

amboar commented 3 years ago

If we're trying to mitigate malicious behaviour via USB, I don't think having the UPS plugged in via USB is a good idea. If I had physical access and wanted to use a USB-based attack but all the ports bar the UPS USB port were disabled, I'd just unplug the UPS.

rfrandse commented 3 years ago

refresh

joseph-reynolds commented 3 years ago

For SSH:
