public inbox for developer@lists.illumos.org (since 2011-08)
* Enhanced Zone Security Mode Idea
@ 2023-02-07  8:54 omnios
  2023-02-07 10:24 ` [developer] " Till Wegmüller
  0 siblings, 1 reply; 3+ messages in thread
From: omnios @ 2023-02-07  8:54 UTC (permalink / raw)
  To: illumos-developer


I've had a probably crazy idea for enhanced sparse zone security rattling around that I thought I'd share...

Sparse zones really help secure a server since the system files are read-only. But it's pretty easy for a hacker that gains access to a shell to cause trouble.

As a further step in securing a zone, would it be possible to enable a zone security mode which would disable most all programming and maintenance functionality (shell functions), while continuing to allow the normal functioning of the zone programs?

Programs and scripts running from read-only exec approved file systems, cron jobs, etc., would be allowed to run normally, but almost all shell commands would be disabled with an error message.

Perhaps it would help to share the path to this idea to help explain...

Read-only system files offer a lot of protection in sparse zones, but it's still possible to run unapproved scripts/programs from writable filesystems even when the noexec feature is specified:

noexec stops:

#script.sh

from being run directly when script.sh is a potentially harmful script written in a noexec filesystem, but you can still run:

#bash script.sh

Would it be reasonably possible to get the operating system to optionally disable shell scripts in noexec file systems and/or all shell commands in a zone when enabled? In other words:

#bash script-mounted-in-noexec-filesystem.sh

#bash echo "Gotcha"

#echo "Gotcha"

would all fail when zone protection was enabled, while scripts/programs mounted in exec privileged filesystems would still work.

In essence, a zone would become essentially unusable from the shell when protection is enabled while allowing the zone to continue to run.

I know it's not perfect protection, since a hacker that gained access could still cause trouble when a zone disabled protection for maintenance, but it seems like it just might be worthwhile.

Thanks for your consideration.


^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [developer] Enhanced Zone Security Mode Idea
  2023-02-07  8:54 Enhanced Zone Security Mode Idea omnios
@ 2023-02-07 10:24 ` Till Wegmüller
  2023-02-08 20:25   ` Brian Bennett
  0 siblings, 1 reply; 3+ messages in thread
From: Till Wegmüller @ 2023-02-07 10:24 UTC (permalink / raw)
  To: developer

Hi

That is possible today. We assign these privileges based on an RBAC 
system. Read `man rbac` for details. Just keep in mind that without a shell 
it could become hazardous to debug inside a zone. But for sparse that 
could work since you debug from the global zone.

Greetings
Till



* Re: [developer] Enhanced Zone Security Mode Idea
  2023-02-07 10:24 ` [developer] " Till Wegmüller
@ 2023-02-08 20:25   ` Brian Bennett
  0 siblings, 0 replies; 3+ messages in thread
From: Brian Bennett @ 2023-02-08 20:25 UTC (permalink / raw)
  To: illumos-developer


I'll add to this by saying that SmartOS already does something similar with KVM and Bhyve brand zones as a countermeasure to potential vm escape. There are no known guest escapes, but if one were discovered and a guest did manage to escape the vm, they would not be able to create files, fork, list processes, or access the network. And there's no reason, necessarily, that this behavior is limited to just kvm or bhyve branded zones.

--
Brian Bennett
Developer, Triton | Manta | SmartOS
www.tritondatacenter.com | mnx.io

