More fixes and changelog entries

parent 69df3c7a
<chapt>Developer's Best Practices <chapt>Developer's Best Practices for OS Security
<!-- This chapter is based on the patch I submitted to the Developer's <!-- This chapter is based on the patch I submitted to the Developer's
Reference, see #337086: [BPP] Best practices for security design and review --> Reference, see #337086: [BPP] Best practices for security design and review -->
...@@ -139,65 +139,64 @@ will run as when the package is installed or upgraded: ...@@ -139,65 +139,64 @@ will run as when the package is installed or upgraded:
<example> <example>
[...] [...]
case "$1" in case "$1" in
install|upgrade) install|upgrade)
# If the package has default file it could be sourced, so that # If the package has default file it could be sourced, so that
# the local admin can overwrite the defaults # the local admin can overwrite the defaults
[ -f "/etc/default/<var>packagename</var>" ] && . /etc/default/<var>packagename</var> [ -f "/etc/default/<var>packagename</var>" ] && . /etc/default/<var>packagename</var>
# Sane defaults:
# Sane defaults:
[ -z "$SERVER_HOME" ] && SERVER_HOME=<var>server_dir</var>
[ -z "$SERVER_HOME" ] && SERVER_HOME=<var>server_dir</var> [ -z "$SERVER_USER" ] && SERVER_USER=<var>server_user</var>
[ -z "$SERVER_USER" ] && SERVER_USER=<var>server_user</var> [ -z "$SERVER_NAME" ] && SERVER_NAME="<var>Server description</var>"
[ -z "$SERVER_NAME" ] && SERVER_NAME="<var>Server description</var>" [ -z "$SERVER_GROUP" ] && SERVER_GROUP=<var>server_group</var>
[ -z "$SERVER_GROUP" ] && SERVER_GROUP=<var>server_group</var>
# Groups that the user will be added to, if undefined, then none.
# Groups that the user will be added to, if undefined, then none. ADDGROUP=""
ADDGROUP=""
# create user to avoid running server as root
# 1. create group if not existing
# create user to avoid running server as root if ! getent group | grep -q "^$SERVER_GROUP:" ; then
# 1. create group if not existing echo -n "Adding group $SERVER_GROUP.."
if ! getent group | grep -q "^$SERVER_GROUP:" ; then addgroup --quiet --system $SERVER_GROUP 2>/dev/null ||true
echo -n "Adding group $SERVER_GROUP.." echo "..done"
addgroup --quiet --system $SERVER_GROUP 2>/dev/null ||true fi
echo "..done" # 2. create homedir if not existing
fi test -d $SERVER_HOME || mkdir $SERVER_HOME
# 2. create homedir if not existing # 3. create user if not existing
test -d $SERVER_HOME || mkdir $SERVER_HOME if ! getent passwd | grep -q "^$SERVER_USER:"; then
# 3. create user if not existing echo -n "Adding system user $SERVER_USER.."
if ! getent passwd | grep -q "^$SERVER_USER:"; then adduser --quiet \
echo -n "Adding system user $SERVER_USER.." --system \
adduser --quiet \ --ingroup $SERVER_GROUP \
--system \ --no-create-home \
--ingroup $SERVER_GROUP \ --disabled-password \
--no-create-home \ $SERVER_USER 2>/dev/null || true
--disabled-password \ echo "..done"
$SERVER_USER 2>/dev/null || true fi
echo "..done" # 4. adjust passwd entry
fi usermod -c "$SERVER_NAME" \
# 4. adjust passwd entry -d $SERVER_HOME \
usermod -c "$SERVER_NAME" \ -g $SERVER_GROUP \
-d $SERVER_HOME \ $SERVER_USER
-g $SERVER_GROUP \ # 5. adjust file and directory permissions
$SERVER_USER if ! dpkg-statoverride --list $SERVER_HOME >/dev/null
# 5. adjust file and directory permissions then
if ! dpkg-statoverride --list $SERVER_HOME >/dev/null chown -R $SERVER_USER:adm $SERVER_HOME
then chmod u=rwx,g=rxs,o= $SERVER_HOME
chown -R $SERVER_USER:adm $SERVER_HOME fi
chmod u=rwx,g=rxs,o= $SERVER_HOME # 6. Add the user to the ADDGROUP group
fi if test -n $ADDGROUP
# 6. Add the user to the ADDGROUP group then
if test -n $ADDGROUP if ! groups $SERVER_USER | cut -d: -f2 | \
then grep -qw $ADDGROUP; then
if ! groups $SERVER_USER | cut -d: -f2 | grep -qw $ADDGROUP; then adduser $SERVER_USER $ADDGROUP
adduser $SERVER_USER $ADDGROUP fi
fi fi
fi ;;
;; configure)
configure)
[...] [...]
</example> </example>
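Review bot: The `if test -n $ADDGROUP` check in step 6 does not do what the comment above it promises: with the default `ADDGROUP=""` the unquoted expansion leaves a one-argument `test -n`, which is true, so the branch runs, `grep -qw` gets no pattern and fails, and `adduser $SERVER_USER $ADDGROUP` collapses to `adduser server_user`, which adduser treats as a request to create a normal user rather than as a no-op. Quote the test, `if [ -n "$ADDGROUP" ]; then`, and quote `"$ADDGROUP"` in the `grep -qw` and `adduser` calls so an empty value really means "none". The same unquoted `$SERVER_HOME`, `$SERVER_USER` and `$SERVER_GROUP` expansions recur throughout the example, which matters here because those values come from an admin-editable `/etc/default/<var>packagename</var>` sourced at the top, so the example should quote them or state that it assumes plain single-word values. Separately, step 5 runs `chown -R $SERVER_USER:adm $SERVER_HOME` on whatever directory the admin configured, which hands the service account everything already under that path; a one-line note that SERVER_HOME must be a directory dedicated to the package would be worth adding. The enclosing `case` starts and ends outside the hunk.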
...@@ -250,49 +249,49 @@ range of dynamic assigned system uids and the gid is belongs to a system group: ...@@ -250,49 +249,49 @@ range of dynamic assigned system uids and the gid is belongs to a system group:
<example> <example>
case "$1" in case "$1" in
purge) purge)
[...] [...]
# find first and last SYSTEM_UID numbers # find first and last SYSTEM_UID numbers
for LINE in `grep SYSTEM_UID /etc/adduser.conf | grep -v "^#"`; do for LINE in `grep SYSTEM_UID /etc/adduser.conf | grep -v "^#"`; do
case $LINE in case $LINE in
FIRST_SYSTEM_UID*) FIRST_SYSTEM_UID*)
FIST_SYSTEM_UID=`echo $LINE | cut -f2 -d '='` FIST_SYSTEM_UID=`echo $LINE | cut -f2 -d '='`
;; ;;
LAST_SYSTEM_UID*) LAST_SYSTEM_UID*)
LAST_SYSTEM_UID=`echo $LINE | cut -f2 -d '='` LAST_SYSTEM_UID=`echo $LINE | cut -f2 -d '='`
;; ;;
*) *)
;; ;;
esac esac
done done
# Remove system account if necessary # Remove system account if necessary
CREATEDUSER="<var>server_user</var>" CREATEDUSER="<var>server_user</var>"
if [ -n "$FIST_SYSTEM_UID" ] && [ -n "$LAST_SYSTEM_UID" ]; then if [ -n "$FIST_SYSTEM_UID" ] && [ -n "$LAST_SYSTEM_UID" ]; then
if USERID=`getent passwd $CREATEDUSER | cut -f 3 -d ':'`; then if USERID=`getent passwd $CREATEDUSER | cut -f 3 -d ':'`; then
if [ -n "$USERID" ]; then if [ -n "$USERID" ]; then
if [ "$FIST_SYSTEM_UID" -le "$USERID" ] && \ if [ "$FIST_SYSTEM_UID" -le "$USERID" ] && \
[ "$USERID" -le "$LAST_SYSTEM_UID" ]; then [ "$USERID" -le "$LAST_SYSTEM_UID" ]; then
echo -n "Removing $CREATEDUSER system user.." echo -n "Removing $CREATEDUSER system user.."
deluser --quiet $CREATEDUSER || true deluser --quiet $CREATEDUSER || true
echo "..done" echo "..done"
fi fi
fi fi
fi fi
fi fi
# Remove system group if necessary # Remove system group if necessary
CREATEDGROUP=<var>server_group</var> CREATEDGROUP=<var>server_group</var>
FIRST_USER_GID=`grep ^USERS_GID /etc/adduser.conf | cut -f2 -d '='` FIRST_USER_GID=`grep ^USERS_GID /etc/adduser.conf | cut -f2 -d '='`
if [ -n "$FIST_USER_GID" ] then if [ -n "$FIST_USER_GID" ] then
if GROUPGID=`getent group $CREATEDGROUP | cut -f 3 -d ':'`; then if GROUPGID=`getent group $CREATEDGROUP | cut -f 3 -d ':'`; then
if [ -n "$GROUPGID" ]; then if [ -n "$GROUPGID" ]; then
if [ "$FIST_USER_GID" -gt "$GROUPGID" ]; then if [ "$FIST_USER_GID" -gt "$GROUPGID" ]; then
echo -n "Removing $CREATEDGROUP group.." echo -n "Removing $CREATEDGROUP group.."
delgroup --only-if-empty $CREATEDGROUP || true delgroup --only-if-empty $CREATEDGROUP || true
echo "..done" echo "..done"
fi fi
fi fi
fi fi
fi fi
[...] [...]
</example> </example>
<!-- CVS revision of this document "$Revision: 1.49 $" --> <!-- CVS revision of this document "$Revision: 1.50 $" -->
<chapt>Introduction <chapt>Introduction
<p> <p>
...@@ -339,6 +339,16 @@ VPN section needs to be rewritten. ...@@ -339,6 +339,16 @@ VPN section needs to be rewritten.
<sect id="changelog">Changelog/History: <sect id="changelog">Changelog/History:
<sect1>Version 3.7 (Abril 2006)
<p>Changes by Javier Fernández-Sanguino Peña
<list>
<item>Add a section on Debian Developer's best practices for security.
<item>Ammended firewall script with comments from WhiteGhost.
</list>
<sect1>Version 3.6 (March 2006) <sect1>Version 3.6 (March 2006)
<p>Changes by Javier Fernández-Sanguino Peña <p>Changes by Javier Fernández-Sanguino Peña
<!-- CVS revision of this document "$Revision: 1.23 $" --> <!-- CVS revision of this document "$Revision: 1.24 $" -->
<chapt id="sec-services">Securing services running on your system <chapt id="sec-services">Securing services running on your system
...@@ -1722,6 +1722,9 @@ REMOTE_UDP_SERVICES="53" # DNS ...@@ -1722,6 +1722,9 @@ REMOTE_UDP_SERVICES="53" # DNS
# Network that will be used for remote mgmt # Network that will be used for remote mgmt
# (if undefined, no rules will be setup) # (if undefined, no rules will be setup)
# NETWORK_MGMT=192.168.0.0/24 # NETWORK_MGMT=192.168.0.0/24
# Port used for the SSH service, define this is you have setup a
# management network but remove it from TCP_SERVICES
# SSH_PORT="22"
if ! [ -x /sbin/iptables ]; then if ! [ -x /sbin/iptables ]; then
exit 0 exit 0
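Review bot: The new `SSH_PORT` comment tells the admin to also remove SSH from TCP_SERVICES when a management network is configured, but nothing in the script checks that, so forgetting the second step silently leaves SSH reachable from everywhere even though `NETWORK_MGMT` is set. A guard next to the `iptables` existence check, such as `case " $TCP_SERVICES " in *" ${SSH_PORT:-none} "*) echo "SSH_PORT is also listed in TCP_SERVICES; remove it there" >&2 ;; esac`, turns that misconfiguration into a visible warning; TCP_SERVICES and the rules that consume SSH_PORT are defined outside this hunk, so the exact placement needs confirming. The new comment also reads "define this is you have setup" where "if" is meant. The rest of the script, including fw_start, lies outside the hunk.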
...@@ -1757,11 +1760,14 @@ fw_start () { ...@@ -1757,11 +1760,14 @@ fw_start () {
# Output: # Output:
/sbin/iptables -A OUTPUT -j ACCEPT -o lo /sbin/iptables -A OUTPUT -j ACCEPT -o lo
/sbin/iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT /sbin/iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# ICMP is permitted # ICMP is permitted:
/sbin/iptables -A OUTPUT -p icmp -j ACCEPT /sbin/iptables -A OUTPUT -p icmp -j ACCEPT
# So are security package updates # So are security package updates:
# Note: You can hardcode the IP address here to prevent DNS spoofing
# and to setup the rules even if DNS does not work but then you
# will not "see" IP changes for this service:
/sbin/iptables -A OUTPUT -p tcp -d security.debian.org --dport 80 -j ACCEPT /sbin/iptables -A OUTPUT -p tcp -d security.debian.org --dport 80 -j ACCEPT
# As well as the services we have defined # As well as the services we have defined>
if [ -n "$REMOTE_TCP_SERVICES" ] ; then if [ -n "$REMOTE_TCP_SERVICES" ] ; then
for PORT in $REMOTE_TCP_SERVICES; do for PORT in $REMOTE_TCP_SERVICES; do
/sbin/iptables -A OUTPUT -p tcp --dport ${PORT} -j ACCEPT /sbin/iptables -A OUTPUT -p tcp --dport ${PORT} -j ACCEPT
...@@ -1777,6 +1783,7 @@ fw_start () { ...@@ -1777,6 +1783,7 @@ fw_start () {
/sbin/iptables -A OUTPUT -j REJECT /sbin/iptables -A OUTPUT -j REJECT
/sbin/iptables -P OUTPUT DROP /sbin/iptables -P OUTPUT DROP
# Other network protections # Other network protections
# (some will only work with some kernel versions)
echo 1 > /proc/sys/net/ipv4/tcp_syncookies echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 0 > /proc/sys/net/ipv4/ip_forward echo 0 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts