ooooo        ooooo ooooo      ooo ooooo     ooo ooooooo  ooooo   .oooooo.   ooooooooo.   
     `888'        `888' `888b.     `8' `888'     `8'  `8888    d8'   d8P'  `Y8b  `888   `Y88. 
      888          888   8 `88b.    8   888       8     Y888..8P    888      888  888   .d88' 
      888          888   8   `88b.  8   888       8      `8888'     888      888  888ooo88P'  
      888          888   8     `88b.8   888       8     .8PY888.    888      888  888`88b.    
      888       o  888   8       `888   `88.    .8'    d8'  `888b   `88b    d88'  888  `88b.  
     o888ooooood8 o888o o8o        `8     `YbodP'    o888o  o88888o  `Y8bood8P'  o888o  o888o

SOFT - TAZKE VAHY (ROBUSTNEJSIE RIESENIA)

  • Firejail
    https://github.com/netblue30/firejail
    Firejail is a SUID program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces and seccomp-bpf. It allows a process and all its descendants to have their own private view of the globally shared kernel resources, such as the network stack, process table, mount table. Firejail can work in a SELinux or AppArmor environment, and it is integrated with Linux Control Groups.

Vzhladom na dost velku komplexnost tohto nastroja je otazne kolko bezpecnostnych problemov moze pouzitie tohto nastroja priniest aj ked je zoznam deklarovanych bezpecnostnych moznosti celkom zaujimavy.

V poslednom case bolo v nastroji firejail objavenych dost vela bezpecnostnych problemov:

  • 2017 - seclist - Firejail security
  • firejail - release notes
  • security: --bandwidth root shell found by Martin Carpenter (CVE-2017-5207)
  • security: disabled --allow-debuggers when running on kernel versions prior to 4.8; a kernel bug in ptrace system call allows a full bypass of seccomp filter; problem reported by Lizzie Dixon (CVE-2017-5206)
  • security: root exploit found by Sebastian Krahmer (CVE-2017-5180)
  • security: root exploit found by Sebastian Krahmer (CVE-2017-5180)
  • security: overwrite /etc/resolv.conf found by Martin Carpenter (CVE-2016-10118)
  • security: invalid environment exploit found by Martin Carpenter (CVE-2016-10122)
  • CVE-2016-9016 submitted by Aleksey Manevich
  • security: overwrite /etc/resolv.conf found by Martin Carpenter (CVE-2016-10118)
  • CVE-2016-7545 submitted by Aleksey Manevich
  • ...

SOFT - LAHKE VAHY

  • Jailkit
    Jailkit is a set of utilities to limit user accounts to specific files using chroot() and or specific commands. Setting up a chroot shell, a shell limited to some specific command, or a daemon inside a chroot jail is a lot easier and can be automated using these utilities. Jailkit is known to be used in network security appliances from several leading IT security firms, internet servers from several large enterprise organizations, internet servers from internet service providers, as well as many smaller companies and private users that need to secure cvs, sftp, shell or daemon processes.

  • bubblewrap (ProjectAtomic/RedHat)
    Unprivileged sandboxing tool. The goal of bubblewrap is to run an application in a sandbox, where it has restricted access to parts of the operating system or user data such as the home directory.

  • Mbox
    2013 - Practical and effective sandboxing for non-root users

SOFT - DALSIE PROJEKTY

  • openjail
    Openjail is a secure application sandbox built with modern Linux sandboxing features, built on top of playpen.

  • SimpleLinuxSandbox
    A simple sandbox using Linux namespaces. Executes COMMAND in a virtual environment with very limited access to system resources. The command is executed with non-root privileges. The uid and gid can be directly specified with -u and -g options, otherwise the user running the sandbox is used. If the sandbox is run as root (e.g. with sudo), then the non-root user must be specified through -u and -g options.

  • Limon
    2015 - Automating Linux Malware Analysis Using Limon Sandbox
    Limon is a sandbox developed as a research project written in python, which automatically collects, analyzes, and reports on the run time indicators of Linux malware. It allows one to inspect the Linux malware before execution, during execution, and after execution (post-mortem analysis) by performing static, dynamic and memory analysis using open source tools. Limon analyzes the malware in a controlled environment, monitors its activities and its child processes to determine the nature and purpose of the malware. It determines the malware's process activity, interaction with the file system, network, it also performs memory analysis and stores the analyzed artifacts for later analysis.

  • Sandbox (Gentoo)
    Sandbox is a library (and helper utility) to run programs in a "sandboxed" environment. This is used as a QA measure to try and prevent applications from modifying files they should not

DOC