diff options
| author |   mudcam <v.nieutin@live.fr> | 2017-12-07 10:31:22 +0100 |
|---|---|---|
| committer |   ronan [iot.bzh] <ronan.lemartret@iot.bzh> | 2017-12-07 12:52:16 +0100 |
| commit | 981e9b9c4a40e248733d45cfedc6a512bdf95f5e (patch) | |
| tree | 12526631368064d80c832d6bbf78b20af85c50f7 /security-blueprint/part-4/5-FileSystems.md | |
| parent | bc11e3eaceb629fbf5dee7ed7bfdf696839ddb12 (diff) | |
Add proposal for new security blueprint
Diffstat (limited to 'security-blueprint/part-4/5-FileSystems.md')
| -rw-r--r-- | security-blueprint/part-4/5-FileSystems.md | 60 |
1 files changed, 60 insertions, 0 deletions
diff --git a/security-blueprint/part-4/5-FileSystems.md b/security-blueprint/part-4/5-FileSystems.md new file mode 100644 index 0000000..e5ef733 --- /dev/null +++ b/security-blueprint/part-4/5-FileSystems.md @@ -0,0 +1,60 @@ +# File System + +## Disable all file systems not needed + +To reduce the attack surface, file system data is parsed by the kernel, so any logic bugs in file system drivers can become kernel exploits. + +### Disable NFS file system + +NFS FileSystems are useful during development phases, but this can be a very helpful way for an attacker to get files when you are in production mode, so we must disable them. + +<!-- config --> + +Domain | `Config` name | `Value` +------------------------ | --------------- | ------- +Kernel-FileSystems-NFS-1 | `CONFIG_NFSD` | `n` +Kernel-FileSystems-NFS-2 | `CONFIG_NFS_FS` | `n` + +<!-- endconfig --> + +-------------------------------------------------------------------------------- + +<!-- pagebreak --> + +## Partition Mount Options + +There are several security restrictions that can be set on a filesystem when it is mounted. Some common security options include, but are not limited to: + +`nosuid` - Do not allow set-user-identifier or set-group-identifier bits to take effect. + +`nodev` - Do not interpret character or block special devices on the filesystem. + +`noexec` - Do not allow execution of any binaries on the mounted filesystem. + +`ro` - Mount filesystem as read-only. + +The following flags shall be used for mounting common filesystems: + +<!-- config --> + +Domain | `Partition` | `Value` +-------------------------- | ------------------- | ----------------------------------------------------------------- +Kernel-FileSystems-Mount-1 | `/boot` | `nosuid`, `nodev` and `noexec`. +Kernel-FileSystems-Mount-2 | `/var` & `/tmp` | In `/etc/fstab` or `vfstab`, add `nosuid`, `nodev` and `noexec`. +Kernel-FileSystems-Mount-3 | _Non-root local_ | If type is `ext2` or `ext3` and mount point not '/', add `nodev`. +Kernel-FileSystems-Mount-4 | _Removable storage_ | Add `nosuid`, `nodev` and `noexec`. +Kernel-FileSystems-Mount-5 | _Temporary storage_ | Add `nosuid`, `nodev` and `noexec`. +Kernel-FileSystems-Mount-6 | `/dev/shm` | Add `nosuid`, `nodev` and `noexec`. +Kernel-FileSystems-Mount-7 | `/dev` | Add `nosuid` and `noexec`. + +<!-- endconfig --> <!-- note --> + +If `CONFIG_DEVTMPFS_MOUNT` is set, then the kernel will mount /dev and will not apply the `nosuid`, `noexec` options. Either disable `CONFIG_DEVTMPFS_MOUNT` or add a remount with `noexec` and `nosuid` options to system startup. + +<!-- endnote --> <!-- config --> + +Domain | `Config` name | _State_ or `Value` +-------------------------- | ----------------------- | ----------------------------------------------------------------------- +Kernel-FileSystems-Mount-1 | `CONFIG_DEVTMPFS_MOUNT` | _Disabled_ or add remount with `noexec` and `nosuid` to system startup. + +<!-- endconfig --> |