Changes between Version 6 and Version 7 of doc/OperationalSecurity


Timestamp:
Apr 23, 2010, 4:47:35 AM (9 years ago)
Author:
trac
Comment:

--

  • doc/OperationalSecurity

    v6 v7  
    5252On Debian, running at least a 2.6.4 kernel, encrypting swap is simple as doing
    5353a aptitude/apt-get install cryptsetup.
    54 After you compiled support for [http://www.saout.de/misc/dm-crypt/  DM-CRYPT] (CONFIG_BLK_DEV_DM=y CONFIG_DM_CRYPT=y) and
     54After you compiled support for [http://www.saout.de/misc/dm-crypt/  DM-CRYPT] (Under Device Drivers---> Multi-Device Support (RAID and LVM)---> CONFIG_BLK_DEV_DM=y CONFIG_DM_CRYPT=y) and
    5555the ciphers you want to support add the following to /etc/crypttab
    5656
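Review bot: The new menuconfig path is helpful, but CONFIG_BLK_DEV_DM and CONFIG_DM_CRYPT alone are not enough for the crypttab entries that follow; the sentence already says "the ciphers you want to support", so it should name them, at least CONFIG_CRYPTO_AES and CONFIG_CRYPTO_CBC for the aes-cbc mapping shown later in this revision. Also a grammar nit in the unchanged context: "encrypting swap is simple as doing a aptitude/apt-get install cryptsetup" should read "is as simple as running aptitude install cryptsetup or apt-get install cryptsetup".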
     
    5858# <target device> <source device> <key file> <options>
    5959swap                    /dev/hda2 /dev/urandom swap
    60 }}}
    61 
    62 where /dec/hda2 is your swap-device.
     60tmp                     /dev/hda5 /dev/urandom tmp
     61}}}
     62
     63where /dec/hda2 is your swap-device and /dev/hda5 is /tmp.
     64
     65Your fstab should look like this:
     66{{{
     67/dev/mapper/tmp /tmp            ext2    defaults        0       2
     68/dev/mapper/swap none           swap    sw              0       0
     69}}}
     70
     71Note ext2 on /tmp.
     72
    6373Reboot.
    6474You should see something like
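Review bot: The typo "/dec/hda2" survives into the rewritten sentence "where /dec/hda2 is your swap-device and /dev/hda5 is /tmp"; it should be /dev/hda2, matching the crypttab line above it. Worth a sentence of caution as well: the swap and tmp crypttab options key the mapping from /dev/urandom and re-run mkswap/mkfs on every boot, so a wrong device in either column silently destroys that partition; tell readers to cross-check the devices against their existing fstab before rebooting. For the fstab entry itself, a /tmp that is recreated on every boot gains nothing from fsck pass 2 (0 would do), and since the page later mounts its OpenBSD /tmp with nodev,nosuid, the Linux entry should use the same options rather than defaults.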
     
    7282}}}
    7383
    74 A quick and dirty script to encrypt /tmp which is located on /dev/hda5 in this example:
    75 
    76 {{{
    77 #
    78 # dmcrypt /tmp
    79 #
    80 cryptsetup remove tmp 2> /dev/null > /dev/null
    81 echo -n "Encrypting /tmp ..."
    82 cryptsetup -d /dev/urandom create tmp /dev/hda5
    83 mkfs.ext2 /dev/mapper/tmp  2> /dev/null > /dev/null
    84 echo " Done"
    85 }}}
     84Verify with `dmsetup table`
     85{{{
     86tmp: 0 979902 crypt aes-cbc-plain 9840530abe44eb49826aaaaaaaa4809e688a01f6a1c1cebc6caaaa6b2a4ad97d4 0 3:5 0
     87swap: 0 1959930 crypt aes-cbc-plain 3c2bbd7e5e500bca957a8dcb88754aaaaaa34986541aeaaafe3daa1542c3389e9 0 3:2 0
     88}}}
     89
     90'''FreeBSD'''
     91
     92Swap encryption has been possible with FreeBSD since 5.3-RELEASE.
     93
     94Information on how to configure it can be found in the FreeBSD handbook:
     95[http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/swap-encrypting.html  Encrypting Swap Space with FreeBSD]
     96
     97Information on how to encrypt other disk partitions can be found here:
     98[http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/disks-encrypting.html  Encrypting Disk Partitions with FreeBSD]
    8699
    87100'''OpenBSD'''
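Review bot: The dmsetup table output in the new "Verify with" step shows aes-cbc-plain, which is what cryptsetup picks when no cipher is given; the plain IV mode is the one known to be susceptible to watermarking, so the crypttab entries above should state a cipher explicitly with the cipher=aes-cbc-essiv:sha256 (and size=256) options rather than rely on the default, and the verify step should then show aes-cbc-essiv:sha256. Two smaller points: the third field of each dmsetup line is the live session key, so the altered hex here (the runs of "aaaa") is the right thing to paste and the text should say that readers must not post their own unredacted; and dropping the quick-and-dirty script in favour of crypttab is good, since the script formatted /dev/hda5 unconditionally with no check that the device was really /tmp.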
     
    99112[http://www.backwatcher.org/writing/howtos/obsd-encrypted-filesystem.html]
    100113
     114In addition to encrypted filesystems, keeping temporary files in a memory file system
     115is an option. This means you're using system memory as a hard drive and when the partition
     116is unmounted the files stored are lost.
     117
     118Adding the following to /etc/fstab, where {{{/dev/wd0b}}} is your swap, creates two
     11974M MFS partitions for {{{/tmp}}} and {{{/var/tmp}}}:
     120{{{
     121/dev/wd0b /tmp mfs rw,nodev,nosuid,-s=153600 0 0
     122/dev/wd0b /var/tmp mfs rw,nodev,nosuid,-s=153600 0 0
     123}}}
     124
    101125'''Windows'''
    102126
    103 You're able clean the swap in Windows 2000/XP by enabling "Shutdown: Clear
    104 virtual memory pagefile" in you local security policy.
    105 For Windows 95/NT visit [http://www.stack.nl/~galactus/remailers/wipeswap.html this page].
     127{{{
     128Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
     129Shutdown: Clear virtual memory pagefile
     130}}}
     131
     132When this policy is enabled, it causes the system pagefile to be cleared upon clean shutdown. If you enable this security option, the hibernation file (hiberfil.sys) is also zeroed out when hibernation is disabled on a portable computer system.
     133
     134For Windows 95/NT visit [http://www.stack.nl/~galactus/remailers/wipeswap.html].
     135
     136For Windows 2000/2003/XP and the 64bit versions of these (running FAT/FAT32/NFTS): The open source project [http://www.truecrypt.org/ TrueCrypt] with its extensions [http://www.truecrypt.org/third-party-projects/tcgina/ TCGINA] and [http://www.truecrypt.org/third-party-projects/tctemp/ TCTEMP] allows transparent encryption with e.g. AES, Twofish, Blowfish of Windows' temporary files directory, user profiles and general data containers. Therefore with True''''''Crypt/TCGINA/TCTEMP you will be able to ensure that any sensitive files (including the  server's  private  key and swap  space) are stored inside encrypted containers as recommended above. A step by step explanation how to install and set this up can can be found in this [http://www.herrschilling.de/sjsinternetpubs/truecrypt_tor.php pdf-file].
     137
     138[http://www.jetico.com/index.htm#/bcrypt7.htm BestCrypt] is similar to True''''''Crypt but does not offer as many features. Best''''''Crypt also creates and supports encrypted virtual disks, which are visible as regular disks with corresponding drive letters.
     139
     140Microsoft resource document for the [http://www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-us/Default.asp?url=/resources/documentation/Windows/XP/all/reskit/en-us/prnb_efs_qutx.asp    Encrypted File System] (NTFS only)
     141
     142To use EFS built into Windows XP Professional, browse to Documents and settings\<username>\Application Data and right click on the Tor
     143directory and select Properties. In the general tab click on the Advanced tab and tick the "Encrypt contents to secure data"
     144See the Microsoft resource document above for me details.
    106145
    107146{{{
    108147TODO: Give instructions on setting up encrypted filesystems and swap on
    109 various OSs (hopefully including OS X and Windows).
     148various OSs (hopefully including OS X).
    110149}}}
    111150
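Review bot: The MFS size does not match the option: -s=153600 is in 512-byte sectors, which is exactly 75 MiB, not "74M" (if 74M is meant as the usable space after filesystem overhead, say so). The paragraph should also note that MFS pages live in kernel memory that can itself be paged out, so these entries only help if the swap they sit on (/dev/wd0b here) is encrypted as described in the OpenBSD section above. In the Windows text: "NFTS" should be "NTFS", "can can be found" has a doubled word, the closing quote after "Encrypt contents to secure data" is missing, and "See the Microsoft resource document above for me details" should read "more details". Finally, the sentence "When this policy is enabled ... hibernation file (hiberfil.sys) is also zeroed out when hibernation is disabled" is Microsoft's wording and should be marked as a quotation like the DropMyRights passage further down.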
     
    121160Make sure that the machine running your Tor server is physically secure. If
    122161it is in a cabinet or rack in a colocation facility, make sure the door(s)
    123 is/are locked. If it is in a machine room in your office, make sure the do
     162is/are locked. If it is in a machine room in your office, make sure the door
    124163to the machine room is locked.
    125164
     
    136175
    137176If you must run other services, lock them down to the extent possible. For
    138 example, you can set OpenSSH to allow only certain user accounts to connect,
     177example, you can set OpenSSH to only allow certain user accounts to connect with the AllowUsers option,
    139178or you can firewall your system such that only certain IP addresses are
    140179allowed to connect to the SSH service on your server. The same applies for
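Review bot: The added AllowUsers reference should say where it goes (sshd_config) and warn that a mistyped name there locks out every account, so the change should be tested from a second, already-open session before the first one is closed; PermitRootLogin no belongs in the same breath. Style nit: "to only allow certain user accounts to connect" reads better as "to allow only certain user accounts to connect", which is also what the removed line said.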
     
    154193delete logs after as short a time as you can manage.
    155194
    156 If possible, keep no logs.
    157 
    158 {{{
    159 TODO: Point to EFF's best practices document?
    160 }}}
     195Remember, you can recover deleted files as long as the space has not been
     196overwritten.  With midly expensive computer forensics, you can recover even
     197multiple pass overwrites.
     198
     199The best policy is to keep no logs.  If you must keep logs, consider rotating
     200them and purging the old logs with an overwrite scheme such as Peter Gutmann's
     20135 pass overwrite using special patterns.
     202
     203EFF's best practices for online service providers [http://www.eff.org/osp/20040819_OSPBestPractices.pdf pdf].
    161204
    162205== Install Tor and Other Software Carefully ==
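Review bot: The claim "With midly expensive computer forensics, you can recover even multiple pass overwrites" is unsupported by anything cited here and is widely doubted for drives of this era; the 35-pass scheme named in the next paragraph was designed around old MFM/RLL encodings, and Gutmann himself later described running all 35 passes on modern drives as unnecessary, so the recommendation should be toned down to "overwrite before deleting" without the recovery claim. Typo: "midly" should be "mildly". Since this page already describes encrypted filesystems, the simplest advice for logs that must be kept is to store them on one of those, which makes the overwrite question moot. Replacing the old "TODO: Point to EFF's best practices document?" with the actual link is good.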
     
    171214== Operating System Paranoia ==
    172215
    173 Some operating systems come in "high security" flavors, such as Security
    174 Enhanced  Linux,  TrustedBSD and OpenBSD. These systems offer advanced
     216Some operating systems come in "high security" flavors, such as [http://www.nsa.gov/selinux/ Security Enhanced  Linux], 
     217[http://www.trustedbsd.org/ TrustedBSD] and [http://www.openbsd.org OpenBSD]. These systems offer advanced
    175218security mechanisms such as mandatory access control (MAC), application   
    176219sandboxing, resource management knobs, and so on. Consider using them if
    177220they exist on your system and would help.
    178221
     222
    179223== Run Tor and Other Services in a Restricted Environment ==
    180224
    181 See Steven J Murdoch's guide to [:TheOnionRouter/TorInChroot: running Tor in a chroot].
     225See Steven J Murdoch's guide to [:TheOnionRouter/TorInChroot: running Tor in a chroot] and/or [:TheOnionRouter/OpenbsdChrootedTor: running Tor in an OpenBSD chroot].
     226
     227'''Run Tor with Systrace in OpenBSD'''
     228
     229You can use this with or without chrooting tor.  You can use this with other operating systems that systrace supports such as GNU/Linux.  You will
     230probably have to change some of the file locations.
     231
     232Running 'systrace -A tor' will generate a default policy for you (note: this provides no protection at this point).  After you
     233have a generated policy, you can use this one below to refine it.  After you have it configured for your system,
     234then when you run systrace with -a it will enforce the policy which provides protection.
     235
     236{{{
     237Policy: /bin/tor, Emulation: native
     238        native-__sysctl: permit
     239        native-break: permit
     240# Memory
     241        native-mmap: permit
     242        native-mprotect: permit
     243        native-mquery: permit
     244        native-munmap: permit
     245# Files
     246        native-chdir: filename eq "/var/lib/tor" then permit
     247        native-close: permit
     248        native-dup2: permit
     249        native-fcntl: permit
     250        native-fstat: permit
     251        native-getdirentries: permit
     252        native-ioctl: permit
     253        native-lseek: permit
     254        native-pread: permit
     255        native-read: permit
     256        native-write: permit
     257# File reads
     258        native-fsread: filename match "/<non-existent filename>: *" then deny
     259        native-fsread: filename eq "/dev/crypto" then permit
     260        native-fsread: filename eq "/dev/null" then permit
     261        native-fsread: filename eq "/dev/srandom" then permit
     262        native-fsread: filename eq "/etc/group" then permit
     263        native-fsread: filename eq "/etc/pwd.db" then permit
     264        native-fsread: filename eq "/etc/spwd.db" then permit
     265        native-fsread: filename eq "/etc/tor/torrc" then permit
     266        native-fsread: filename eq "/etc/malloc.conf" then permit
     267        native-fsread: filename eq "/etc/localtime" then permit
     268        native-fsread: filename eq "/usr/lib" then permit
     269        native-fsread: filename match "/usr/lib/libc.so*" then permit
     270        native-fsread: filename match "/usr/lib/libcrypto.so*" then permit
     271        native-fsread: filename match "/usr/lib/libssl.so*" then permit
     272        native-fsread: filename match "/usr/lib/libz.so*" then permit
     273        native-fsread: filename eq "/usr/share/nls/C/libc.cat" then permit
     274        native-fsread: filename match "/usr/share/zoneinfo/*" then permit
     275        native-fsread: filename eq "/var/lib/tor" then permit
     276        native-fsread: filename match "/var/lib/tor/*" then permit
     277        native-fsread: filename eq "/var/log/tor" then permit
     278        native-fsread: filename match "/var/log/tor/*" then permit
     279# Time 
     280        native-gettimeofday: permit
     281# User ID and group ID.  Change these as needed.
     282        native-getuid: permit
     283        native-setgid: gid eq "1001" then permit
     284        native-setuid: uid eq "1001" and uname eq "_tor" then permit
     285# Resource limits
     286        native-getrlimit: permit
     287        native-setrlimit: permit
     288# Process
     289        native-exit: permit
     290        native-fork: permit
     291        native-pipe: permit
     292# Permission bits
     293        native-getpid: permit
     294        native-geteuid: permit
     295        native-issetugid: permit
     296        native-setsid: permit
     297# Signals
     298        native-sigaction: permit
     299        native-sigprocmask: permit
     300        native-sigreturn: permit
     301# File writes
     302        native-fswrite: filename match "/<non-existent filename>: *" then deny
     303        native-fswrite: filename eq "/dev/crypto" then permit
     304        native-fswrite: filename eq "/dev/null" then permit
     305        native-fswrite: filename match "/var/log/tor/*" then permit
     306        native-fswrite: filename match "/var/lib/tor/*" then permit
     307        native-rename: filename match "/var/lib/tor/cached-directory*" and filename[1] match "/var/lib/tor/cached-directory*" then permit
     308# Networking
     309        native-bind: sockaddr eq "inet-[127.0.0.1]:9050" then permit
     310        native-socket: sockdom eq "AF_INET" and socktype eq "SOCK_STREAM" then permit
     311        native-socket: sockdom eq "AF_UNIX" and socktype eq "SOCK_DGRAM" then permit
     312        native-setsockopt: permit
     313        native-listen: permit
     314        native-poll: permit
     315        native-getsockopt: permit
     316        native-accept: permit
     317        native-recvfrom: permit
     318        native-sendto: true then permit
     319# Without socketpair, you cannot access Tor hidden services.
     320        native-socketpair: permit
     321# List of ports to connect to.  These are needed for the server list and potentially
     322# using a tor server.
     323        native-connect: sockaddr match "inet-*:80" then permit
     324        native-connect: sockaddr match "inet-*:443" then permit
     325# Typically, tor servers are in the range of 8,000 - 10,000.  This below lets tor
     326# connect to any unpriv port.
     327# Match ports 1024 through 1999
     328        native-connect: sockaddr re "inet-.*:102[4-9]$" then permit
     329        native-connect: sockaddr re "inet-.*:10[3-9][0-9]$" then permit
     330        native-connect: sockaddr re "inet-.*:1[1-9][0-9]{2}$" then permit
     331# Match 2000 - 9999
     332        native-connect: sockaddr re "inet-.*:[2-9][0-9]{3}$" then permit
     333# Match ports 10000 - 65535
     334        native-connect: sockaddr re "inet-.*:[1-9][0-9]{4}$" then permit
     335
     336}}}
     337
     338'''Grsecurity'''
     339
     340[http://www.grsecurity.net GrSecurity] ACL policy. Tested with the Debian package.
     341{{{
     342subject /usr/sbin/tor o {
     343        /                               h
     344        /var/lib/tor                    rwcdl
     345        /lib                            rx
     346        /usr/lib                        rx
     347        /dev/urandom                    r
     348        /dev/null                       rw
     349        /etc/tor                        r
     350        /var/log/tor                    rw
     351        /var/run/tor                    rwcdl
     352
     353        -CAP_ALL
     354
     355        connect 127.0.0.1:9050 stream tcp
     356        # Not very good, but since servers listen on different ports...
     357        connect 0.0.0.0/0:9001-9100 stream tcp
     358        connect 0.0.0.0/0:443 stream tcp
     359        bind    127.0.0.1:9050 stream tcp
     360}
     361}}}
     362
     363'''Drop``My``Rights for Windows XP and Windows Server 2003 '''
     364
     365See [http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dncode/html/secure11152004.asp Browsing the Web and Reading E-mail Safely as an Administrator]
     366
     367"Windows XP and Windows Server 2003 and later support functionality called Software Restriction Policy, also known as SAFER, which allows a user or software developer to run code at a lower privilege without having the user enter credential information when the application starts. For example, an administrator could run an application as a normal user by stripping out certain SIDs and privileges from the application's token as the application is launched. Some applications, most notably Internet-facing applications, such as a Web browser, instant messaging, or e-mail client, should never be run under an administrative context."
    182368
    183369{{{
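Review bot: Both new policies describe a Tor client rather than the Tor server this page is about: the systrace policy permits only `native-bind: sockaddr eq "inet-[127.0.0.1]:9050" then permit` and the grsecurity ACL only `bind 127.0.0.1:9050 stream tcp`, so a relay started under either would be denied its ORPort/DirPort bind. Each block should either say it is for a client or add the relay's ports, for example `bind 0.0.0.0:9001 stream tcp` in the grsecurity subject and a matching native-bind line in systrace; the grsecurity comment "Not very good, but since servers listen on different ports..." already concedes the same gap on the connect side. The systrace connect rules together permit 80, 443 and every port from 1024 upward (the final regex reaches 99999, harmless since ports stop at 65535), so the section gives little beyond denying low ports and the comment should say so plainly. The setuid/setgid rules hard-code uid and gid 1001 with the account name _tor; the "Change these as needed" comment should also tell readers to check with id _tor, since a mismatch makes Tor fail at privilege drop. Minor: `native-sendto: true then permit` is written differently from the other unconditional permits but means the same thing.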
     
    186372
    187373== Other Resources ==
     374
     375       
     376[http://www.cert.org/security-improvement/ CERT® Security Improvement Modules]
     377
     378[http://www.debian.org/doc/manuals/securing-debian-howto/ Securing Debian HOWTO]
     379
     380[http://www.gentoo.org/proj/en/hardened/index.xml Hardened Gentoo]
     381
     382[http://geodsoft.com/howto/harden/ Harden OpenBSD]
     383
     384[http://www.nsa.gov/snac/downloads_os.cfm?MenuID=scg10.3.1.1 NSA Operating Systems Guides]
    188385
    189386{{{