Update Identify secure libraries written by LaplongeJunior
# Types of libraries # Types of libraries
(GREY: Unknown) (GREY: Unknown)
RED (unsafe!): Lead to an unsecure server, don't install! RED: Lead to an unsecure server, don't install!
ORANGE (1 problem): Can lead to service disruption, but not lost of control ORANGE: Secure for service, doesn't allow admins to access the server
BLUE (1 problem): Secure for service, doesn't allow admins to access the server BLUE (modifier): Can lead to service disruption, but not lost of control
GREEN (secure): Secure for service AND allow admins to carry their tasks GREEN: Secure for service AND allow admins to carry their tasks
GOLD (perfect): Secure, allow admins AND doesn't allow user-level shell GOLD: Secure, allow admins AND doesn't allow user-level shell
In a perfect world, there should be at least one green lib installed, and no lib worse than blue In a perfect world, there should be at least one green lib installed, and no lib worse than blue
Orange ones can be used on servers who doesn't rely on a user connecting (chat and http) Orange ones can be used on servers who doesn't rely on a user connecting (chat and http, root-only bounces)
For security reasons, non-root users can only have read-only permissions For security reasons, non-root users can only have read-only permissions
The ONLY exception is when *all* service libraries are gold (in practice, it's only useful for ftp servers) The ONLY exception is when *all* service libraries are gold (in practice, it's only useful for ftp servers) and the "sudo -u" command is blocked for guest
# Types of users # Types of users
root: the super-administrator, accessing any data about it is a security violation root: the super-administrator, accessing any data about it is a security violation
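Review bot: swapping the ORANGE and BLUE definitions and marking BLUE as a "(modifier)" leaves the later line "no lib worse than blue" pointing at something that is no longer a rank; with the new definitions the ladder is red, orange, green, gold (blue only attaches to one of those, as the second hunk's "orange-blue or green-blue" confirms), so that line should name the real floor, e.g. "no lib worse than orange". The "Orange ones can be used on servers who doesn't rely on a user connecting" sentence was written against the old orange ("service disruption") and now sits under a definition that means "doesn't allow admins to access the server"; check that it still holds and, if it does, say why admin access is dispensable on chat/http and root-only bounces. While touching these lines: "Lead to an unsecure server" -> "Leads to an insecure server", "lost of control" -> "loss of control", "servers who doesn't rely" -> "servers that don't rely".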
...@@ -27,4 +27,9 @@ The trick is finding one or several service libraries falling into the "green-bl ...@@ -27,4 +27,9 @@ The trick is finding one or several service libraries falling into the "green-bl
"active X user" is always true for an intruder, always false for an admin : *assume the worse* as this condition is naturally evolving "active X user" is always true for an intruder, always false for an admin : *assume the worse* as this condition is naturally evolving
"registered users" and "forwarded ports" should be heavily documented : it is likely this number will increase over time as additional services are added on a machine "registered users" and "forwarded ports" should be heavily documented : it is likely this number will increase over time as additional services are added on a machine
TODO: Lib requirements + type of users -laplongejr # Important exploits
\ No newline at end of file After taking into consideration said requirements, here's the effect of exploits on the rating of a library
- Any root-level exploit locks a library into the "red" range, as they allow either to access critical files, block the admin access or block the service
- If neither of the rules above is fulfilled, the library is at least at "orange" level
- A "user password reset" exploit add the "blue" modifier, as any service depending on a non-root account can be blocked by changing the password (as it's a modifier, the library will be either orange-blue or green-blue)
- If an admin can obtain a shell thanks to the library (preferably, a guest shell exploit), the library is at least "green"
\ No newline at end of file
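Review bot: the second bullet, "If neither of the rules above is fulfilled", follows a single rule, so "neither" has nothing to refer to; rewrite it as "If the library has no root-level exploit, it is at least orange". The list also never states what separates green from gold: the first hunk defines GOLD as "allow admins AND doesn't allow user-level shell", so add a bullet giving that condition (admin shell obtainable, no user-level shell exploit) so a reader can place a library in the top rank from this section alone; that would also explain the unexplained "(preferably, a guest shell exploit)" in the green bullet. Minor: "add the "blue" modifier" -> "adds the "blue" modifier".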