lonap / ixp-xping

IXP-Xping Latency and loss monitoring for IXPs

Scope for improving packaged deb systemd file ? #5

Open udf2457 opened 2 months ago

udf2457 commented 2 months ago

At present your deb is distributed with a service file that runs with User=root.

Is there a specific reason for this?

Given that Debian comes with systemd out of the box, and systemd in turn provides many security knobs and whistles, I can't help but think you could distribute the deb with a service that runs non-root, maybe even with DynamicUser=yes.

e.g. systemd has CapabilityBoundingSet and AmbientCapabilities and/or systemd sockets. So anything that would usually need setcap can be done via systemd.

Hence the question: is there a reason? Maybe you've tried and failed?

benjojo commented 2 months ago

Have you tried to run the program with these modes set? Did it work?

udf2457 commented 2 months ago

As explained, I didn't want to waste my time if you already tried it. :p

So I take it you have not tried it? 😉

benjojo commented 2 months ago

no

udf2457 commented 2 months ago

With this crude config:

# cat /etc/ixp-xping.yaml
listenhost: 0.0.0.0
listenportstart: 32736
pollratems: 250
prometheusport: 9150
allowedcidrs:
- 127.0.0.0/8

I have achieved:

journalctl -fu ixp-xping
Sep 04 19:06:53 zz-test-zz systemd[1]: Started ixp-xping.service - IXP Flow loss performance monitor.
Sep 04 19:06:53 zz-test-zz ixp-xping[7278]: 2024/09/04 19:06:53 Listening on 127.0.0.1:32736
Sep 04 19:06:53 zz-test-zz ixp-xping[7278]: 2024/09/04 19:06:53 Listening on 127.0.0.1:32737
Sep 04 19:06:53 zz-test-zz ixp-xping[7278]: 2024/09/04 19:06:53 Listening on 127.0.0.1:32738
Sep 04 19:06:53 zz-test-zz ixp-xping[7278]: 2024/09/04 19:06:53 Listening on 127.0.0.1:32739
Sep 04 19:06:53 zz-test-zz ixp-xping[7278]: 2024/09/04 19:06:53 Listening on 127.0.0.1:32740
Sep 04 19:06:53 zz-test-zz ixp-xping[7278]: 2024/09/04 19:06:53 Listening on 127.0.0.1:32741
Sep 04 19:06:53 zz-test-zz ixp-xping[7278]: 2024/09/04 19:06:53 Listening on 127.0.0.1:32742
Sep 04 19:06:53 zz-test-zz ixp-xping[7278]: 2024/09/04 19:06:53 Listening on 127.0.0.1:32743
Sep 04 19:06:53 zz-test-zz ixp-xping[7278]: 2024/09/04 19:06:53 Listening on 127.0.0.1:32744
Sep 04 19:06:53 zz-test-zz ixp-xping[7278]: 2024/09/04 19:06:53 Listening on 127.0.0.1:32745
Sep 04 19:06:53 zz-test-zz ixp-xping[7278]: 2024/09/04 19:06:53 Listening on 127.0.0.1:32746
Sep 04 19:06:53 zz-test-zz ixp-xping[7278]: 2024/09/04 19:06:53 Listening on 127.0.0.1:32747
Sep 04 19:06:53 zz-test-zz ixp-xping[7278]: 2024/09/04 19:06:53 Listening on 127.0.0.1:32748
Sep 04 19:06:53 zz-test-zz ixp-xping[7278]: 2024/09/04 19:06:53 Listening on 127.0.0.1:32749
Sep 04 19:06:53 zz-test-zz ixp-xping[7278]: 2024/09/04 19:06:53 Listening on 127.0.0.1:32750
Sep 04 19:06:53 zz-test-zz ixp-xping[7278]: 2024/09/04 19:06:53 Listening on 127.0.0.1:32751

With the following beefed-up config:

[Unit]
Description=IXP Flow loss performance monitor
# Note to @benjojo, whatever happens you probably want these two anyway....
After=network-online.target nss-lookup.target
Wants=network-online.target nss-lookup.target
# End note

[Service]
#############
# HARDENING
#############
# Run as a DynamicUser - no need to pre-create a dummy service user
DynamicUser=yes
# Trick to enable reading of config file as DynamicUser
# This gets read verbatim and exposed at the magic path ${CREDENTIALS_DIRECTORY}/config
LoadCredential=config:/etc/ixp-xping.yaml
# The "usual" random assortment of best-practice hardening, see "systemd-analyze security" command...
# CAP_NET_RAW required for ping
AmbientCapabilities=CAP_NET_RAW
CapabilityBoundingSet=CAP_NET_RAW
DevicePolicy=closed
LockPersonality=yes
MemoryDenyWriteExecute=true
NoNewPrivileges=true
PrivateDevices=true
PrivateIPC=true
PrivateTmp=true
PrivateUsers=yes
# ixp-xping likes to read /proc/sys/net/ipv4/conf/all/arp_ignore so we can't do this one...
# ProcSubset=pid
ProtectClock=true
ProtectControlGroups=true
ProtectHome=tmpfs
ProtectHostname=yes
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=yes
ProtectProc=invisible
ProtectSystem=strict
RemoveIPC=true
# Because you are currently using Go bind() directly and not making use of systemd sockets, you need to relax this one
# otherwise you get....
# "Could not list network interfaces, cannot intelligently bind() on ports: route ip+net: netlinkrib: address family not supported by protocol"
# RestrictAddressFamilies=AF_INET AF_INET6
RestrictNamespaces=yes
RestrictRealtime=true
RestrictSUIDSGID=yes
SecureBits=noroot noroot-locked no-setuid-fixup no-setuid-fixup-locked
SystemCallArchitectures=native
SystemCallFilter=~@clock @cpu-emulation @debug @module @mount @obsolete @raw-io @reboot @swap @privileged
######################
# EXISTING PARAMETERS
######################
Restart=always
ExecStart=/usr/bin/ixp-xping -cfg.path "${CREDENTIALS_DIRECTORY}/config"
ExecReload=/bin/kill -HUP $MAINPID
TimeoutStopSec=20s
LimitNOFILE=8192

[Install]
WantedBy=multi-user.target

Which gives you the following (significantly improved!) score:

$ systemd-analyze security ixp-xping
  NAME                                                        DESCRIPTION                                                                           >
✓ SystemCallFilter=~@swap                                     System call deny list defined for service, and @swap is included                      >
✗ SystemCallFilter=~@resources                                System call deny list defined for service, and @resources is not included (e.g. ioprio>
✓ SystemCallFilter=~@reboot                                   System call deny list defined for service, and @reboot is included                    >
✓ SystemCallFilter=~@raw-io                                   System call deny list defined for service, and @raw-io is included                    >
✓ SystemCallFilter=~@privileged                               System call deny list defined for service, and @privileged is included                >
✓ SystemCallFilter=~@obsolete                                 System call deny list defined for service, and @obsolete is included                  >
✓ SystemCallFilter=~@mount                                    System call deny list defined for service, and @mount is included                     >
✓ SystemCallFilter=~@module                                   System call deny list defined for service, and @module is included                    >
✓ SystemCallFilter=~@debug                                    System call deny list defined for service, and @debug is included                     >
✓ SystemCallFilter=~@cpu-emulation                            System call deny list defined for service, and @cpu-emulation is included             >
✓ SystemCallFilter=~@clock                                    System call deny list defined for service, and @clock is included                     >
✓ RemoveIPC=                                                  Service user cannot leave SysV IPC objects around                                     >
✗ RootDirectory=/RootImage=                                   Service runs within the host's root directory                                         >
✓ User=/DynamicUser=                                          Service runs under a transient non-root user identity                                 >
✓ RestrictRealtime=                                           Service realtime scheduling access is restricted                                      >
✓ CapabilityBoundingSet=~CAP_SYS_TIME                         Service processes cannot change the system clock                                      >
✓ NoNewPrivileges=                                            Service processes cannot acquire new privileges                                       >
✓ AmbientCapabilities=                                        Service process does not receive ambient capabilities                                 >
✓ CapabilityBoundingSet=~CAP_BPF                              Service may not load BPF programs                                                     >
✓ SystemCallArchitectures=                                    Service may execute system calls only with native ABI                                 >
✗ RestrictAddressFamilies=~AF_PACKET                          Service may allocate packet sockets                                                   >
✗ RestrictAddressFamilies=~AF_NETLINK                         Service may allocate netlink sockets                                                  >
✗ RestrictAddressFamilies=~AF_UNIX                            Service may allocate local sockets                                                    >
✗ RestrictAddressFamilies=~…                                  Service may allocate exotic sockets                                                   >
✗ RestrictAddressFamilies=~AF_(INET|INET6)                    Service may allocate Internet sockets                                                 >
✓ ProtectSystem=                                              Service has strict read-only access to the OS file hierarchy                          >
✓ ProtectProc=                                                Service has restricted access to process tree (/proc hidepid=)                        >
✓ SupplementaryGroups=                                        Service has no supplementary groups                                                   >
✓ CapabilityBoundingSet=~CAP_SYS_RAWIO                        Service has no raw I/O access                                                         >
✓ CapabilityBoundingSet=~CAP_SYS_PTRACE                       Service has no ptrace() debugging abilities                                           >
✓ CapabilityBoundingSet=~CAP_SYS_(NICE|RESOURCE)              Service has no privileges to change resource use parameters                           >
✓ CapabilityBoundingSet=~CAP_NET_ADMIN                        Service has no network configuration privileges                                       >
✓ CapabilityBoundingSet=~CAP_NET_(BIND_SERVICE|BROADCAST|RAW) Service has no elevated networking privileges                                         >
✓ CapabilityBoundingSet=~CAP_AUDIT_*                          Service has no audit subsystem access                                                 >
✓ CapabilityBoundingSet=~CAP_SYS_ADMIN                        Service has no administrator privileges                                               >
✓ PrivateTmp=                                                 Service has no access to other software's temporary files                             >
✓ CapabilityBoundingSet=~CAP_SYSLOG                           Service has no access to kernel logging                                               >
✓ PrivateDevices=                                             Service has no access to hardware devices                                             >
✗ ProcSubset=                                                 Service has full access to non-process /proc files (/proc subset=)                    >
✗ PrivateNetwork=                                             Service has access to the host's network                                              >
✗ ProtectHome=                                                Service has access to fake empty home directories                                     >
✗ DeviceAllow=                                                Service has a device ACL with some special devices: char-rtc:r                        >
✓ KeyringMode=                                                Service doesn't share key material with other services                                >
✓ Delegate=                                                   Service does not maintain its own delegated control group subtree                     >
✓ PrivateUsers=                                               Service does not have access to other users                                           >
✗ IPAddressDeny=                                              Service does not define an IP address allow list                                      >
✓ NotifyAccess=                                               Service child processes cannot alter service state                                    >
✓ ProtectClock=                                               Service cannot write to the hardware clock or system clock                            >
✓ CapabilityBoundingSet=~CAP_SYS_PACCT                        Service cannot use acct()                                                             >
✓ CapabilityBoundingSet=~CAP_KILL                             Service cannot send UNIX signals to arbitrary processes                               >
✓ ProtectKernelLogs=                                          Service cannot read from or write to the kernel log ring buffer                       >
✓ CapabilityBoundingSet=~CAP_WAKE_ALARM                       Service cannot program timers that wake up the system                                 >
✓ CapabilityBoundingSet=~CAP_(DAC_*|FOWNER|IPC_OWNER)         Service cannot override UNIX file/IPC permission checks                               >
✓ ProtectControlGroups=                                       Service cannot modify the control group file system                                   >
✓ CapabilityBoundingSet=~CAP_LINUX_IMMUTABLE                  Service cannot mark files immutable                                                   >
✓ CapabilityBoundingSet=~CAP_IPC_LOCK                         Service cannot lock memory into RAM                                                   >
✓ ProtectKernelModules=                                       Service cannot load or read kernel modules                                            >
✓ CapabilityBoundingSet=~CAP_SYS_MODULE                       Service cannot load kernel modules                                                    >
✓ CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG                   Service cannot issue vhangup()                                                        >
✓ CapabilityBoundingSet=~CAP_SYS_BOOT                         Service cannot issue reboot()                                                         >
✓ CapabilityBoundingSet=~CAP_SYS_CHROOT                       Service cannot issue chroot()                                                         >
✓ PrivateMounts=                                              Service cannot install system mounts                                                  >
✓ CapabilityBoundingSet=~CAP_BLOCK_SUSPEND                    Service cannot establish wake locks                                                   >
✓ MemoryDenyWriteExecute=                                     Service cannot create writable executable memory mappings                             >
✓ RestrictNamespaces=~user                                    Service cannot create user namespaces                                                 >
✓ RestrictNamespaces=~pid                                     Service cannot create process namespaces                                              >
✓ RestrictNamespaces=~net                                     Service cannot create network namespaces                                              >
✓ RestrictNamespaces=~uts                                     Service cannot create hostname namespaces                                             >
✓ RestrictNamespaces=~mnt                                     Service cannot create file system namespaces                                          >
✓ CapabilityBoundingSet=~CAP_LEASE                            Service cannot create file leases                                                     >
✓ CapabilityBoundingSet=~CAP_MKNOD                            Service cannot create device nodes                                                    >
✓ RestrictNamespaces=~cgroup                                  Service cannot create cgroup namespaces                                               >
✓ RestrictNamespaces=~ipc                                     Service cannot create IPC namespaces                                                  >
✓ ProtectHostname=                                            Service cannot change system host/domainname                                          >
✓ CapabilityBoundingSet=~CAP_(CHOWN|FSETID|SETFCAP)           Service cannot change file ownership/access mode/capabilities                         >
✓ CapabilityBoundingSet=~CAP_SET(UID|GID|PCAP)                Service cannot change UID/GID identities/capabilities                                 >
✓ LockPersonality=                                            Service cannot change ABI personality                                                 >
✓ ProtectKernelTunables=                                      Service cannot alter kernel tunables (/proc/sys, …)                                   >
✓ CapabilityBoundingSet=~CAP_MAC_*                            Service cannot adjust SMACK MAC                                                       >
✓ RestrictSUIDSGID=                                           SUID/SGID file creation by service is restricted                                      >
✗ UMask=                                                      Files created by service are world-readable by default                                >

→ Overall exposure level for ixp-xping.service: 1.7 OK 🙂
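The unit above has to leave RestrictAddressFamilies= commented out because the daemon enumerates interfaces over netlink to choose where to bind. What follows is an added example, not code from ixp-xping or from anyone in this thread: a Go daemon that takes its probe sockets from a systemd .socket unit via the sd_listen_fds(3) contract (LISTEN_PID, LISTEN_FDS and LISTEN_FDNAMES in the environment, descriptors handed over starting at fd 3) and only binds the port range itself when it was not socket-activated. Once the sockets are inherited, the service needs neither AF_NETLINK nor the interface walk, so RestrictAddressFamilies=AF_INET AF_INET6 becomes viable. The example assumes the listeners are UDP datagram sockets (the log lines do not say; for TCP, swap net.FilePacketConn for net.FileListener), and the function names and the 32736 + 16 port range are the example's own, taken from the config posted above.

```go
package main

import (
	"fmt"
	"log"
	"net"
	"os"
	"strconv"
	"strings"
	"syscall"
)

// sdListenFDsStart is the first descriptor number systemd passes to a
// socket-activated service (sd_listen_fds(3)); further sockets follow in order.
const sdListenFDsStart = 3

// listenFDs implements the sd_listen_fds(3) contract on an explicit environment
// map so it can be exercised without systemd. It returns the descriptor numbers
// and their LISTEN_FDNAMES labels, or nil fds when this process was not activated.
func listenFDs(env map[string]string, pid int) ([]int, []string, error) {
	lp, ok := env["LISTEN_PID"]
	if !ok {
		return nil, nil, nil // not started from a .socket unit
	}
	p, err := strconv.Atoi(lp)
	if err != nil {
		return nil, nil, fmt.Errorf("LISTEN_PID=%q is not a pid: %w", lp, err)
	}
	if p != pid {
		return nil, nil, nil // descriptors were meant for another process (e.g. a wrapper)
	}
	n, err := strconv.Atoi(env["LISTEN_FDS"])
	if err != nil || n < 0 {
		return nil, nil, fmt.Errorf("LISTEN_FDS=%q is not a count", env["LISTEN_FDS"])
	}
	labels := strings.Split(env["LISTEN_FDNAMES"], ":")
	var fds []int
	var names []string
	for i := 0; i < n; i++ {
		fds = append(fds, sdListenFDsStart+i)
		name := "unknown"
		if i < len(labels) && labels[i] != "" {
			name = labels[i]
		}
		names = append(names, name)
	}
	return fds, names, nil
}

func closeAll(conns []net.PacketConn) {
	for _, c := range conns {
		c.Close()
	}
}

// packetConnsFromFDs wraps inherited datagram sockets as net.PacketConn values.
func packetConnsFromFDs(fds []int, names []string) ([]net.PacketConn, error) {
	var conns []net.PacketConn
	for i, fd := range fds {
		name := "unknown"
		if i < len(names) {
			name = names[i]
		}
		// systemd hands the sockets over without FD_CLOEXEC so they survive exec();
		// set it now so nothing we spawn later inherits them.
		syscall.CloseOnExec(fd)
		f := os.NewFile(uintptr(fd), name)
		pc, err := net.FilePacketConn(f)
		f.Close() // FilePacketConn dup()s the descriptor; the original is no longer needed
		if err != nil {
			closeAll(conns)
			return nil, fmt.Errorf("fd %d (%s): %w", fd, name, err)
		}
		conns = append(conns, pc)
	}
	return conns, nil
}

// socketsFromSystemd reads the activation variables from the real environment and
// unsets them, so child processes cannot mistake themselves for the activated service.
func socketsFromSystemd() ([]net.PacketConn, error) {
	env := map[string]string{}
	for _, k := range []string{"LISTEN_PID", "LISTEN_FDS", "LISTEN_FDNAMES"} {
		if v, ok := os.LookupEnv(k); ok {
			env[k] = v
			os.Unsetenv(k)
		}
	}
	fds, names, err := listenFDs(env, os.Getpid())
	if err != nil || fds == nil {
		return nil, err
	}
	return packetConnsFromFDs(fds, names)
}

// bindRange is the fallback when not socket-activated: bind the probe ports directly.
func bindRange(host string, start, count int) ([]net.PacketConn, error) {
	var conns []net.PacketConn
	for p := start; p < start+count; p++ {
		c, err := net.ListenPacket("udp", net.JoinHostPort(host, strconv.Itoa(p)))
		if err != nil {
			closeAll(conns)
			return nil, err
		}
		conns = append(conns, c)
	}
	return conns, nil
}

func main() {
	conns, err := socketsFromSystemd()
	if err != nil {
		log.Fatal(err)
	}
	if len(conns) == 0 {
		// Hypothetical listenhost/listenportstart values, matching the config posted above.
		if conns, err = bindRange("0.0.0.0", 32736, 16); err != nil {
			log.Fatal(err)
		}
	}
	defer closeAll(conns)
	for _, c := range conns {
		log.Printf("Listening on %s", c.LocalAddr())
	}
}
```

The matching ixp-xping.socket unit would carry one ListenDatagram=0.0.0.0:32736 line per probe port (through 32751 for the range above) and Service=ixp-xping.service, after which the RestrictAddressFamilies= line in the service unit can be uncommented. Inheriting the sockets does not change the capability story: if the probes themselves still need CAP_NET_RAW, the AmbientCapabilities= line stays.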