Securing Bash Nodes

Introduction

This section provides an overview regarding security enhancement to enable more control of the bash nodes to the users and provide capabilities to restrict operations and file access.

So, with the aim to secure bash nodes, provide maximum flexibility, and adapt to specific requirements of various environments, three different security levels have been introduced in the bash nodes of workflows.

  • Security Level 0: No security

  • Security Level 1: rbash

  • Security Level 2: chroot jail

Security Levels

NOTE Infoworks installation will be set up with security level 0 for a bash operator by default. Admin can change the security level after installation.

Security Level 0: No security

No security will be implemented for the bash operator. This will allow users to run commands on the edge node as the infoworks Linux user.

Security Level 1: rbash

A new Linux user will be set up and a home directory will be created for that user. From the bash node, the new user will only be able to access files from their home directory. Each operation (for example, mkdir/ls) on linux has an associated binary. Copying the binary enables the operation. Any operation outside this list will be blocked.

Run the following script to set up or change any configuration in security settings:

bash $IW_HOME/bin/bash_user_setup.sh

NOTE Run the above mentioned script if you are:

  • Switching security levels

  • Making any configuration changes in bash_node.ini (for example, adding a new operation)

Features

This security level blocks user from:

  • Using the cd command

  • Modifying the values of $PATH, $SHELL, $BASH_ENV, or $ENV

  • Executing programs that contain a /

  • Redirecting output using >,>|, <>,>&, &>, and >>

  • Getting out of restricted mode within scripts

  • Turning off restricted mode

  • Any binary operation that is not recognized for the user

Benefits

  • Operation whitelist: We can specify which operations will be allowed to the user

    • Destructive operations like mv, rm will be blocked

    • Admin operations like chown, ln will be blocked

    • User cannot execute anything from ‘/

  • External file write block: User will be blocked from editing files owned by another user.

Security Level 2: chroot jail

A new user is created and a restricted context is set up automatically for them. All bash operations will be run in the context of a chroot jail. This will provide an isolation for the user from the rest of the edge node.

Run the following script to set up or change any configuration in security settings:

bash $IW_HOME/bin/bash_user_setup.sh

Features

This security level blocks:

  • Any binary operation that is not recognized for the user.

  • Access to any files outside the chroot jail.

Benefits

  • Operation whitelist: We can specify which operations will be allowed to the user

  • Isolation from the rest of the edge node: We can isolate the access of the user to a specific directory. They cannot access any files outside this directory

  • Highly Configurable: Most behavior in this paradigm is configurable: commands, files and directories accessible, device paths, libs.

NOTE In addition to above mentioned features and benefits, Security level 2 also provides all the features and benefits of Security Level 1.

Configuring Bash Security

NOTE By default, security level is set to 0, which means no additional security is enabled. To customize behavior, Admin must edit the configuration file.

To configure the Bash Security:

Step 1: Navigate to the following path.

$IW_HOME/apricot-meteor/infoworks_python/infoworks/orchestrator/scripts/bash_user_setup/bash_node.ini
[user] username = bash_user password = IN11**rk [security] # this indicates the level of security to implement for bash nodes. supported features will # differ for various levels # 0: set level to this for no security. Bash node will run as IW_USER on the edge node # 1: set level to this to setup security with rbash. # 2: set level to this for maximum security. This will setup a chroot jail and bash will run # on the edge node within the jail security_level = 2 [home] # list of binaries to be made available to users in jail whitelist = bash rbash mkdir touch ls cat vi grep vim whoami rm su netstat ps which uname readlink env dirname clear chmod lsof curl # list of directories to be mounted in jail mounts = $IW_HOME/resources /proc # list of directories to be copied to jail iw_resources = $IW_HOME/bin $IW_HOME/apricot-meteor/infoworks_python # list of system libraries to be copied to jail # if file is not in ['/lib', '/lib64', '/usr/lib', '/usr/lib64', '/lib/x86_64-linux-gnu'], provide full path # ex: /usr/lib64/libnss_compat.so.2 system_libs = # list of /dev/* directories to be created in the jail # each item should be of the following type 'MODE NAME TYPE [MAJOR MINOR]' # '666 null c 1 3' devices = '666 null c 1 3' '444 urandom c 1 9'

Step 2: Edit the bash_node.ini file.

  • If you are using security level 0:

    • Set security_level = 0 for no security. Bash node will run as IW_USER on the edge node.

  • If you are using security level 1:

    • Set security_level = 1 for setting up security with rbash.

    • You can configure the following fields:

      • username: Linux user name which will access bash node.

      • password: Linux user password.

      • whitelist: List of all binaries that user can execute for security level 1.

  • If you are using security level 2:

    • Set security_level = 2 for maximum security. This will setup a chroot jail and bash will run.

    • You can configure the following fields:

      • username: Linux user name which will access bash node.

      • password: Linux user password.

      • whitelist: List of all binaries that user can execute for security level 2.

      • mounts: List of directories to be mounted in jail to give real time access in security level 2

      • iw_resources: List of directories to be copied in security level 2.

      • system_libs: Any linux library to be copied to chroot jail in security level 2.

      • devices: Device mounts to be added to chroot jail in security level 2.

Step 3: Run bash_user_setup.sh.

Managing Privileges

Infoworks provides ability to manage privileges available to the bash operators at different security levels.

Privileges

Security Level 2

Security Level 1

Security level 0

Remove Infoworks Directories

Blocked

Privileged

Privileged

Read Infoworks conf file

Blocked

Privileged

Privileged

Edit Infoworks conf file

Blocked

Blocked

Privileged

Read Infoworks certificate files

Blocked

Privileged

Privileged

Read files at system root /

Blocked

Privileged

Privileged

Execute binaries from a directory not in PATH

Blocked

Blocked

Privileged

Download using wget

Privileged

Privileged

Privileged

Kill a process

Blocked

Blocked

Privileged

Change ownership of some directory

Blocked

Blocked

Privileged

User modifications (add new user/change user password)

Blocked

Blocked

Privileged

Start, stop or status

Blocked

Blocked

Privileged

The above mentioned vulnerabilities are default behaviors. Some of these can be configurable as per the requirements.

  Last updated
On This Page