Changes between Version 12 and Version 13 of doc/OperationalSecurity


Timestamp:
Apr 23, 2010, 4:47:35 AM (10 years ago)
Author:
trac
Comment:

--

  • doc/OperationalSecurity

    v12 v13  
    5252On Debian, running at least a 2.6.4 kernel, encrypting swap is simple as doing
    5353a aptitude/apt-get install cryptsetup.
    54 After you compiled support for [http://www.saout.de/misc/dm-crypt/  DM-CRYPT] (Under Device Drivers---> Multi-Device Support (RAID and LVM)---> CONFIG_BLK_DEV_DM=y CONFIG_DM_CRYPT=y) and
     54After you compiled support for [http://www.saout.de/misc/dm-crypt/  DM-CRYPT] (CONFIG_BLK_DEV_DM=y CONFIG_DM_CRYPT=y) and
    5555the ciphers you want to support add the following to /etc/crypttab
    5656
     
    5858# <target device> <source device> <key file> <options>
    5959swap                    /dev/hda2 /dev/urandom swap
    60 tmp                     /dev/hda5 /dev/urandom tmp
    6160}}}
    6261
    63 where /dec/hda2 is your swap-device and /dev/hda5 is /tmp.
    64 
    65 Your fstab should look like this:
    66 {{{
    67 /dev/mapper/tmp /tmp            ext2    defaults        0       2
    68 /dev/mapper/swap none           swap    sw              0       0
    69 }}}
    70 
    71 Note ext2 on /tmp.
    72 
     62where /dec/hda2 is your swap-device.
    7363Reboot.
    7464You should see something like
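Review bot: the retained line 62, `where /dec/hda2 is your swap-device.`, carries a typo that this edit had the chance to fix; it should read `/dev/hda2`. The same hunk also drops the `tmp /dev/hda5 /dev/urandom tmp` crypttab entry together with the fstab block and the `Note ext2 on /tmp.` remark, so a reader of v13 no longer sees how the encrypted /tmp mapping gets mounted or why a non-journaling filesystem is used on a device that is re-keyed from /dev/urandom on every boot. If /tmp encryption is meant to move elsewhere on the page, the lines `/dev/mapper/tmp /tmp ext2 defaults 0 2` and `/dev/mapper/swap none swap sw 0 0` should move with it rather than disappear.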
     
    8272}}}
    8373
    84 Verify with `dmsetup table`
    85 {{{
    86 tmp: 0 979902 crypt aes-cbc-plain 9840530abe44eb49826aaaaaaaa4809e688a01f6a1c1cebc6caaaa6b2a4ad97d4 0 3:5 0
    87 swap: 0 1959930 crypt aes-cbc-plain 3c2bbd7e5e500bca957a8dcb88754aaaaaa34986541aeaaafe3daa1542c3389e9 0 3:2 0
    88 }}}
    89 
    90 '''FreeBSD'''
    91 
    92 Swap encryption has been possible with FreeBSD since 5.3-RELEASE.
    93 
    94 Information on how to configure it can be found in the FreeBSD handbook:
    95 [http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/swap-encrypting.html  Encrypting Swap Space with FreeBSD]
    96 
    97 Information on how to encrypt other disk partitions can be found here:
    98 [http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/disks-encrypting.html  Encrypting Disk Partitions with FreeBSD]
    99 
    100 '''OpenBSD'''
    101 
    102 For many releases, it has been very easy to encrypt swap space in OpenBSD.
    103 
    104 You can enable it dynamically by setting `sysctl -w vm.swapencrypt.enable=1`
    105 or editing `/etc/sysctl.conf` to permanently make the change:
     74A quick and dirty script to encrypt /tmp which is located on /dev/hda5 in this example:
    10675
    10776{{{
    108 vm.swapencrypt.enable=1        # 1=Encrypt pages that go to swap
    109 }}}
    110 
    111 Here are instructions on setting up an encrypted virtual filesystem:
    112 [http://www.backwatcher.org/writing/howtos/obsd-encrypted-filesystem.html]
    113 
    114 In addition to encrypted filesystems, keeping temporary files in a memory file system
    115 is an option. This means you're using system memory as a hard drive and when the partition
    116 is unmounted the files stored are lost.
    117 
    118 Adding the following to /etc/fstab, where {{{/dev/wd0b}}} is your swap, creates two
    119 74M MFS partitions for {{{/tmp}}} and {{{/var/tmp}}}:
    120 {{{
    121 /dev/wd0b /tmp mfs rw,nodev,nosuid,-s=153600 0 0
    122 /dev/wd0b /var/tmp mfs rw,nodev,nosuid,-s=153600 0 0
     77#
     78# dmcrypt /tmp
     79#
     80cryptsetup remove tmp 2> /dev/null > /dev/null
     81echo -n "Encrypting /tmp ..."
     82cryptsetup -d /dev/urandom create tmp /dev/hda5
     83mkfs.ext2 /dev/mapper/tmp  2> /dev/null > /dev/null
     84echo " Done"
    12385}}}
    12486
    12587'''Windows'''
    12688
    127 {{{
    128 Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
    129 Shutdown: Clear virtual memory pagefile
    130 }}}
    131 
    132 When this policy is enabled, it causes the system pagefile to be cleared upon clean shutdown. If you enable this security option, the hibernation file (hiberfil.sys) is also zeroed out when hibernation is disabled on a portable computer system.
    133 
    134 For Windows 95/NT visit [http://www.stack.nl/~galactus/remailers/wipeswap.html].
    135 
    136 For Windows 2000/2003/XP and the 64bit versions of these (running FAT/FAT32/NFTS): The open source project [http://www.truecrypt.org/ TrueCrypt] with its extensions [http://www.truecrypt.org/third-party-projects/tcgina/ TCGINA] and [http://www.truecrypt.org/third-party-projects/tctemp/ TCTEMP] allows transparent encryption with e.g. AES, Twofish, Blowfish of Windows' temporary files directory, user profiles and general data containers. Therefore with True''''''Crypt/TCGINA/TCTEMP you will be able to ensure that any sensitive files (including the  server's  private  key and swap  space) are stored inside encrypted containers as recommended above. A pdf document explaining step by step how to install and set this up can be downloaded from [http://www.herrschilling.de/sjsinternetpubs/files/Truecrypt_TOR.pdf TrueCrypt_TOR.pdf].
    137 
    138 [http://www.jetico.com/index.htm#/bcrypt7.htm BestCrypt] is similar to True''''''Crypt but does not offer as many features. Best''''''Crypt also creates and supports encrypted virtual disks, which are visible as regular disks with corresponding drive letters.
    139 
    140 Microsoft resource document for the [http://www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-us/Default.asp?url=/resources/documentation/Windows/XP/all/reskit/en-us/prnb_efs_qutx.asp    Encrypted File System] (NTFS only)
    141 
    142 To use EFS built into Windows XP Professional, browse to Documents and settings\<username>\Application Data and right click on the Tor
    143 directory and select Properties. In the general tab click on the Advanced tab and tick the "Encrypt contents to secure data"
    144 See the Microsoft resource document above for me details.
     89You're able clean the swap in Windows 2000/XP by enabling "Shutdown: Clear
     90virtual memory pagefile" in you local security policy.
     91For Windows 95/NT visit [http://www.stack.nl/~galactus/remailers/wipeswap.html this page].
    14592
    14693{{{
    14794TODO: Give instructions on setting up encrypted filesystems and swap on
    148 various OSs (hopefully including OS X).
     95various OSs (hopefully including OS X and Windows).
    14996}}}
    15097
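Review bot: the new script at lines 77-84 silences both stdout and stderr of `cryptsetup` and `mkfs.ext2` with `2> /dev/null > /dev/null` and runs them unconditionally, so a failed `cryptsetup -d /dev/urandom create tmp /dev/hda5` is followed by a silently failing `mkfs.ext2 /dev/mapper/tmp` and the script still prints " Done"; chain the two commands with `&&` (or use `set -e`) and let stderr through so the operator sees why an encrypted /tmp is missing. The script also never mounts `/dev/mapper/tmp`, and the fstab entry that did so in v12 is gone, so the "quick and dirty" approach leaves /tmp unencrypted unless the reader adds that step. The rest of this hunk removes the `dmsetup table` verification, the FreeBSD and OpenBSD sections (swap encryption, MFS-backed /tmp) and the detailed Windows guidance (TrueCrypt/TCGINA/TCTEMP, BestCrypt, EFS), replacing the latter with lines 89-91, which also carry a grammar slip ("You're able clean the swap ... in you local security policy"). If this revision is a rollback, it is much broader than needed.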
     
    160107Make sure that the machine running your Tor server is physically secure. If
    161108it is in a cabinet or rack in a colocation facility, make sure the door(s)
    162 is/are locked. If it is in a machine room in your office, make sure the door
     109is/are locked. If it is in a machine room in your office, make sure the do
    163110to the machine room is locked.
    164111
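Review bot: line 109 of the new text truncates `door` to `do` (`make sure the do` / `to the machine room is locked.`), turning a correct sentence into a typo; the v12 wording at line 162 should be kept.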
     
    175122
    176123If you must run other services, lock them down to the extent possible. For
    177 example, you can set OpenSSH to only allow certain user accounts to connect with the AllowUsers option,
     124example, you can set OpenSSH to allow only certain user accounts to connect,
    178125or you can firewall your system such that only certain IP addresses are
    179126allowed to connect to the SSH service on your server. The same applies for
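Review bot: the rewrite at line 124 drops the one concrete identifier in the sentence, the sshd_config directive `AllowUsers` cited at v12 line 177; the mechanism is still alluded to, but the reader loses the option name needed to act on it. Keep the directive name; the reordering to "allow only certain user accounts" is itself an improvement.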
     
    193140delete logs after as short a time as you can manage.
    194141
    195 Remember, you can recover deleted files as long as the space has not been
    196 overwritten.  With midly expensive computer forensics, you can recover even
    197 multiple pass overwrites.
     142If possible, keep no logs.
    198143
    199 The best policy is to keep no logs.  If you must keep logs, consider rotating
    200 them and purging the old logs with an overwrite scheme such as Peter Gutmann's
    201 35 pass overwrite using special patterns.
    202 
    203 EFF's best practices for online service providers [http://www.eff.org/osp/20040819_OSPBestPractices.pdf pdf].
     144{{{
     145TODO: Point to EFF's best practices document?
     146}}}
    204147
    205148== Install Tor and Other Software Carefully ==
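Review bot: this hunk replaces a working reference, the EFF best-practices PDF linked at v12 line 203, with a TODO (lines 144-146) asking to point to that very document, so the change regresses the section; keeping the link is the smaller edit and makes the TODO unnecessary. Removing the v12 paragraphs on recovering deleted files and Gutmann-style overwriting leaves `If possible, keep no logs.` as the only retention guidance, which is consistent with the preceding line `delete logs after as short a time as you can manage.`, but the log-rotation advice they contained has no replacement.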
     
    214157== Operating System Paranoia ==
    215158
    216 Some operating systems come in "high security" flavors, such as [http://www.nsa.gov/selinux/ Security Enhanced  Linux], 
    217 [http://www.trustedbsd.org/ TrustedBSD] and [http://www.openbsd.org OpenBSD]. These systems offer advanced
     159Some operating systems come in "high security" flavors, such as Security
     160Enhanced  Linux,  TrustedBSD and OpenBSD. These systems offer advanced
    218161security mechanisms such as mandatory access control (MAC), application   
    219162sandboxing, resource management knobs, and so on. Consider using them if
    220163they exist on your system and would help.
    221164
    222 
    223165== Run Tor and Other Services in a Restricted Environment ==
    224166
    225 See Steven J Murdoch's guide to [:TheOnionRouter/TorInChroot: running Tor in a chroot] and/or [:TheOnionRouter/OpenbsdChrootedTor: running Tor in an OpenBSD chroot].
    226 
    227 '''Run Tor with Systrace in OpenBSD'''
    228 
    229 You can use this with or without chrooting tor.  You can use this with other operating systems that systrace supports such as GNU/Linux.  You will
    230 probably have to change some of the file locations.
    231 
    232 Running 'systrace -A tor' will generate a default policy for you (note: this provides no protection at this point).  After you
    233 have a generated policy, you can use this one below to refine it.  After you have it configured for your system,
    234 then when you run systrace with -a it will enforce the policy which provides protection.
    235 
    236 {{{
    237 Policy: /bin/tor, Emulation: native
    238         native-__sysctl: permit
    239         native-break: permit
    240 # Memory
    241         native-mmap: permit
    242         native-mprotect: permit
    243         native-mquery: permit
    244         native-munmap: permit
    245 # Files
    246         native-chdir: filename eq "/var/lib/tor" then permit
    247         native-close: permit
    248         native-dup2: permit
    249         native-fcntl: permit
    250         native-fstat: permit
    251         native-getdirentries: permit
    252         native-ioctl: permit
    253         native-lseek: permit
    254         native-pread: permit
    255         native-read: permit
    256         native-write: permit
    257 # File reads
    258         native-fsread: filename match "/<non-existent filename>: *" then deny
    259         native-fsread: filename eq "/dev/crypto" then permit
    260         native-fsread: filename eq "/dev/null" then permit
    261         native-fsread: filename eq "/dev/srandom" then permit
    262         native-fsread: filename eq "/etc/group" then permit
    263         native-fsread: filename eq "/etc/pwd.db" then permit
    264         native-fsread: filename eq "/etc/spwd.db" then permit
    265         native-fsread: filename eq "/etc/tor/torrc" then permit
    266         native-fsread: filename eq "/etc/malloc.conf" then permit
    267         native-fsread: filename eq "/etc/localtime" then permit
    268         native-fsread: filename eq "/usr/lib" then permit
    269         native-fsread: filename match "/usr/lib/libc.so*" then permit
    270         native-fsread: filename match "/usr/lib/libcrypto.so*" then permit
    271         native-fsread: filename match "/usr/lib/libssl.so*" then permit
    272         native-fsread: filename match "/usr/lib/libz.so*" then permit
    273         native-fsread: filename eq "/usr/share/nls/C/libc.cat" then permit
    274         native-fsread: filename match "/usr/share/zoneinfo/*" then permit
    275         native-fsread: filename eq "/var/lib/tor" then permit
    276         native-fsread: filename match "/var/lib/tor/*" then permit
    277         native-fsread: filename eq "/var/log/tor" then permit
    278         native-fsread: filename match "/var/log/tor/*" then permit
    279 # Time 
    280         native-gettimeofday: permit
    281 # User ID and group ID.  Change these as needed.
    282         native-getuid: permit
    283         native-setgid: gid eq "1001" then permit
    284         native-setuid: uid eq "1001" and uname eq "_tor" then permit
    285 # Resource limits
    286         native-getrlimit: permit
    287         native-setrlimit: permit
    288 # Process
    289         native-exit: permit
    290         native-fork: permit
    291         native-pipe: permit
    292 # Permission bits
    293         native-getpid: permit
    294         native-geteuid: permit
    295         native-issetugid: permit
    296         native-setsid: permit
    297 # Signals
    298         native-sigaction: permit
    299         native-sigprocmask: permit
    300         native-sigreturn: permit
    301 # File writes
    302         native-fswrite: filename match "/<non-existent filename>: *" then deny
    303         native-fswrite: filename eq "/dev/crypto" then permit
    304         native-fswrite: filename eq "/dev/null" then permit
    305         native-fswrite: filename match "/var/log/tor/*" then permit
    306         native-fswrite: filename match "/var/lib/tor/*" then permit
    307         native-rename: filename match "/var/lib/tor/cached-directory*" and filename[1] match "/var/lib/tor/cached-directory*" then permit
    308 # Networking
    309         native-bind: sockaddr eq "inet-[127.0.0.1]:9050" then permit
    310         native-socket: sockdom eq "AF_INET" and socktype eq "SOCK_STREAM" then permit
    311         native-socket: sockdom eq "AF_UNIX" and socktype eq "SOCK_DGRAM" then permit
    312         native-setsockopt: permit
    313         native-listen: permit
    314         native-poll: permit
    315         native-getsockopt: permit
    316         native-accept: permit
    317         native-recvfrom: permit
    318         native-sendto: true then permit
    319 # Without socketpair, you cannot access Tor hidden services.
    320         native-socketpair: permit
    321 # List of ports to connect to.  These are needed for the server list and potentially
    322 # using a tor server.
    323         native-connect: sockaddr match "inet-*:80" then permit
    324         native-connect: sockaddr match "inet-*:443" then permit
    325 # Typically, tor servers are in the range of 8,000 - 10,000.  This below lets tor
    326 # connect to any unpriv port.
    327 # Match ports 1024 through 1999
    328         native-connect: sockaddr re "inet-.*:102[4-9]$" then permit
    329         native-connect: sockaddr re "inet-.*:10[3-9][0-9]$" then permit
    330         native-connect: sockaddr re "inet-.*:1[1-9][0-9]{2}$" then permit
    331 # Match 2000 - 9999
    332         native-connect: sockaddr re "inet-.*:[2-9][0-9]{3}$" then permit
    333 # Match ports 10000 - 65535
    334         native-connect: sockaddr re "inet-.*:[1-9][0-9]{4}$" then permit
    335 
    336 }}}
    337 
    338 '''Grsecurity'''
    339 
    340 [http://www.grsecurity.net GrSecurity] ACL policy. Tested with the Debian package.
    341 {{{
    342 subject /usr/sbin/tor o {
    343         /                               h
    344         /var/lib/tor                    rwcdl
    345         /lib                            rx
    346         /usr/lib                        rx
    347         /dev/urandom                    r
    348         /dev/null                       rw
    349         /etc/tor                        r
    350         /var/log/tor                    rw
    351         /var/run/tor                    rwcdl
    352 
    353         -CAP_ALL
    354 
    355         connect 127.0.0.1:9050 stream tcp
    356         # Not very good, but since servers listen on different ports...
    357         connect 0.0.0.0/0:9001-9100 stream tcp
    358         connect 0.0.0.0/0:443 stream tcp
    359         bind    127.0.0.1:9050 stream tcp
    360 }
    361 }}}
    362 
    363 '''Drop``My``Rights for Windows XP and Windows Server 2003 '''
    364 
    365 See [http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dncode/html/secure11152004.asp Browsing the Web and Reading E-mail Safely as an Administrator]
    366 
    367 "Windows XP and Windows Server 2003 and later support functionality called Software Restriction Policy, also known as SAFER, which allows a user or software developer to run code at a lower privilege without having the user enter credential information when the application starts. For example, an administrator could run an application as a normal user by stripping out certain SIDs and privileges from the application's token as the application is launched. Some applications, most notably Internet-facing applications, such as a Web browser, instant messaging, or e-mail client, should never be run under an administrative context."
     167See Steven J Murdoch's guide to [:TheOnionRouter/TorInChroot: running Tor in a chroot].
    368168
    369169{{{
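Review bot: this hunk deletes the whole confinement material, the SELinux/TrustedBSD/OpenBSD links at lines 216-217, the OpenBSD chroot guide link, the systrace policy (lines 236-336), the grsecurity ACL (lines 341-361) and the DropMyRights/SAFER section, leaving only the chroot link at line 167. These were the page's only worked least-privilege examples (a syscall policy that pins `chdir` to `/var/lib/tor`, file reads to an explicit list, `bind` to `inet-[127.0.0.1]:9050` and a `-CAP_ALL` ACL), so if the revision is a vandalism rollback it is far broader than needed, and if it is deliberate the policies should be preserved elsewhere before removal. The removed prose also had the caveat worth keeping that `systrace -A tor` only generates a policy and enforces nothing until run with `-a`.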
     
    372172
    373173== Other Resources ==
    374 
    375        
    376 [http://www.cert.org/security-improvement/ CERT® Security Improvement Modules]
    377 
    378 [http://www.debian.org/doc/manuals/securing-debian-howto/ Securing Debian HOWTO]
    379 
    380 [http://www.gentoo.org/proj/en/hardened/index.xml Hardened Gentoo]
    381 
    382 [http://geodsoft.com/howto/harden/ Harden OpenBSD]
    383 
    384 [http://www.nsa.gov/snac/downloads_os.cfm?MenuID=scg10.3.1.1 NSA Operating Systems Guides]
    385174
    386175{{{
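Review bot: the five external references under Other Resources (lines 376-384: CERT modules, Securing Debian HOWTO, Hardened Gentoo, Harden OpenBSD, NSA OS guides) are removed with nothing in their place, leaving the heading over only the `{{{` block that follows; either keep the links or drop the heading.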
     
    392181 * First version by Chris Palmer based on IRC conversation with Roger Dingledine.
    393182 * Wikified and mildly edited by Nick Mathewson.
     183