Puppet Class: os_hardening::suid_sgid

Defined in:
manifests/suid_sgid.pp

Overview

Class: os_hardening::suid_sgid

Minimize SUID and SGID bits.

Parameters:

  • whitelist (Array) (defaults to: [])
  • blacklist (Array) (defaults to: [])
  • remove_from_unknown (Boolean) (defaults to: false)
  • dry_run_on_unknown (Boolean) (defaults to: false)


# File 'manifests/suid_sgid.pp', line 12

# Reduce the set of SUID/SGID binaries on the host to a known list.
#
# Two module-maintained lists ($system_blacklist, $system_whitelist) are
# merged with the caller-supplied $blacklist/$whitelist, the resulting
# blacklist is handed to os_hardening::blacklist_files, and optionally a
# helper script is installed and executed to strip the bits from every
# binary that appears on neither list.
#
# @param whitelist
#   Site-specific paths that may keep their SUID/SGID bits. Passed to
#   combine_sugid_lists together with $system_whitelist and $blacklist.
# @param blacklist
#   Site-specific paths whose SUID/SGID bits must be removed. Passed to
#   combine_sugid_lists together with $system_blacklist and $whitelist.
# @param remove_from_unknown
#   When true, install /usr/local/sbin/remove_suids from the
#   remove_sugid_bits.erb template and run it on every catalog application.
# @param dry_run_on_unknown
#   Not referenced in this class body; presumably read by the
#   remove_sugid_bits.erb template (as @dry_run_on_unknown) to report
#   instead of change — confirm against the template before relying on it.
class os_hardening::suid_sgid (
  Array   $whitelist           = [],
  Array   $blacklist           = [],
  Boolean $remove_from_unknown = false,
  Boolean $dry_run_on_unknown  = false,
) {

  # suid and sgid blacklists and whitelists
  # ---------------------------------------
  # don't change values in the system_blacklist/whitelist
  # adjust values for blacklist/whitelist instead,
  # they can override system_blacklist/whitelist

  # list of suid/sgid entries that must be removed
  # (absolute paths; each surviving entry becomes an
  # os_hardening::blacklist_files resource title below)
  $system_blacklist = [
    # blacklist as provided by NSA
    '/usr/bin/rcp', '/usr/bin/rlogin', '/usr/bin/rsh',
    # sshd must not use host-based authentication (see ssh cookbook)
    '/usr/libexec/openssh/ssh-keysign',
    '/usr/lib/openssh/ssh-keysign',
    # misc others
    # not normally required for user
    '/sbin/netreport',
    # modify interfaces via functional accounts
    '/usr/sbin/usernetctl',
    # dial-up control binaries
    # no ISDN dial-up
    '/usr/sbin/userisdnctl',
    # no ppp / dsl
    '/usr/sbin/pppd',
    # lockfile helpers
    '/usr/bin/lockfile',
    '/usr/bin/mail-lock',
    '/usr/bin/mail-unlock',
    '/usr/bin/mail-touchlock',
    '/usr/bin/dotlockfile',
    # need more investigation, blacklist for now
    '/usr/bin/arping',
    '/usr/sbin/uuidd',
    # investigate current state...
    '/usr/bin/mtr',
    # investigate current state...
    '/usr/lib/evolution/camel-lock-helper-1.2',
    # pseudo-tty, needed?
    '/usr/lib/pt_chown',
    '/usr/lib/eject/dmcrypt-get-device',
    # midnight commander screensaver
    '/usr/lib/mc/cons.saver',
  ]

  # list of suid/sgid entries that can remain untouched
  # (these are only exempted from removal; the class does not verify that
  # the files themselves are unmodified)
  $system_whitelist = [
    # whitelist as provided by NSA
    '/bin/mount', '/bin/ping', '/bin/su', '/bin/umount',
    '/sbin/pam_timestamp_check','/sbin/unix_chkpwd', '/usr/bin/at',
    '/usr/bin/gpasswd', '/usr/bin/locate', '/usr/bin/newgrp',
    '/usr/bin/passwd', '/usr/bin/ssh-agent', '/usr/libexec/utempter/utempter',
    '/usr/sbin/lockdev', '/usr/sbin/sendmail.sendmail', '/usr/bin/expiry',
    # whitelist ipv6
    '/bin/ping6','/usr/bin/traceroute6.iputils',
    # whitelist nfs
    '/sbin/mount.nfs', '/sbin/umount.nfs',
    # whitelist nfs4
    '/sbin/mount.nfs4', '/sbin/umount.nfs4',
    # whitelist cron
    '/usr/bin/crontab',
    # whitelist console messaging
    '/usr/bin/wall', '/usr/bin/write',
    # whitelist: only SGID with utmp group for multi-session access
    #            impact is limited; installation/usage has some remaining risk
    '/usr/bin/screen',
    # whitelist locate
    '/usr/bin/mlocate',
    # whitelist usermanagement
    '/usr/bin/chage', '/usr/bin/chfn', '/usr/bin/chsh',
    # whitelist fuse
    '/bin/fusermount',
    # whitelist pkexec
    '/usr/bin/pkexec',
    # whitelist sudo
    '/usr/bin/sudo','/usr/bin/sudoedit',
    # whitelist postfix
    '/usr/sbin/postdrop','/usr/sbin/postqueue',
    # whitelist apache
    '/usr/sbin/suexec',
    # whitelist squid
    '/usr/lib/squid/ncsa_auth', '/usr/lib/squid/pam_auth',
    # whitelist kerberos
    '/usr/kerberos/bin/ksu',
    # whitelist pam_caching
    '/usr/sbin/ccreds_validate',
    # whitelist Xorg
    '/usr/bin/Xorg',
    '/usr/bin/X',
    # freedesktop ipc
    '/usr/lib/dbus-1.0/dbus-daemon-launch-helper',
    # gnome
    '/usr/lib/vte/gnome-pty-helper',
    '/usr/lib/libvte9/gnome-pty-helper',
    '/usr/lib/libvte-2.90-9/gnome-pty-helper',
  ]

  # combine_sugid_lists is provided by the module (not visible here). From
  # the two mirrored calls the argument order looks like
  # (base list, entries to drop, entries to add) — confirm against the
  # function's source before changing either call.
  $final_blacklist = combine_sugid_lists($system_blacklist, $whitelist, $blacklist)
  $final_whitelist = combine_sugid_lists($system_whitelist, $blacklist, $whitelist)

  # one os_hardening::blacklist_files resource per path on the final
  # blacklist (defined type not shown here)
  os_hardening::blacklist_files { $final_blacklist: }

  if $remove_from_unknown {
    # create a helper script
    # TODO: do without
    # The template is rendered at catalog compile time with this class's
    # variables in scope; mode 0500 keeps the script readable and
    # executable by root only.
    file { '/usr/local/sbin/remove_suids':
      ensure  => file,
      owner   => 'root',
      group   => 'root',
      mode    => '0500',
      content => template('os_hardening/remove_sugid_bits.erb'),
    }
    # remove the bits from binaries on neither list. There is no
    # refreshonly/onlyif/unless guard, so the script runs on every catalog
    # application, not only when its content changes.
    exec { 'remove SUID/SGID bits from unknown':
      command => '/usr/local/sbin/remove_suids',
    }
    # the script must be in place (and current) before it is executed
    File['/usr/local/sbin/remove_suids'] -> Exec['remove SUID/SGID bits from unknown']
  }

}