Hardening OpenLDAP on Linux with AppArmor and systemd - Defense in Depth implemented in Æ-DI" - #ichael Str&der <michael(stroeder)$om* OpenLDAP Developer,s Day 2018 STROEDER.COM - 1 - ODD 2018-10-08 Michael Ströder <[email protected]> -reelan$er .opics the last 20 years Identity / A$cess Management0 LDAP %ingle %ign-On0 #ulti-Factor Authentication P1I 23)4090 %%H)0 Applied 7rypto Open Sour$e 8 Free Software9 Æ-D!"0 OA.H-LDAP, we:2ldap STROEDER.COM - 2 - ODD 2018-10-08 Why? <e,re all humans and thus error-prone Huge software sta$=s made by humans >ntrusted input 2!s there really any trusted input from remote?6 Prior input validation at lower protocol le+els unfeasible STROEDER.COM - ; - ODD 2018-10-08 AppArmor (1) Linux Se$urity Module 2L%#6 .ext-:ased $onAguration gets $ompiled into kernel Barious 7LI tools aa-* also for proAle generation ProAles, include a:stractions and tuna:les %how conAnement status: ps -axD Default mode9 targeted STROEDER.COM - @ - ODD 2018-10-08 AppArmor (2) "estrict permissions: -ile a$$ess 2r, w0 m0 x0 6 Eetwork access 7apabilities2F6 rlimit 2a=a ulimit6 Eot a repla$ement for input validation, process isolation0 file system ownership/permissions, OpenLDAP A7Ls, et$) STROEDER.COM - 4 - ODD 2018-10-08 En ironment Dedicated machines (:are-metal or V#s) De:ian Linux / open%>%H Linux / 7entOS 7 All ser+ices ha+e separate systemd units OpenLDAP 2.4)@G0 many o+erlays Apache 2.4 as H..P frontend (.LS termination6 %ome we: apps0 Python 2.F0 separate U<%II inst) >nix Domain So$=ets, LDAPI with SASL8H3.H"EAL STROEDER.COM - G - ODD 2018-10-08 !"#$% &omponents LDAPS Æ-DIR provider person sync slapd HR DB aeperson2aeuser custom LDAPI mdb tool LDAPI Apache httpd web2ldap IPC mod_security web HTTPS UWSGI OTP browser (Unix oathenroll check mod_proxy_uwsgi domain socket) SSH client aedirpwd_web SMTP relay admin SMTP (STARTTLS) workstation aedirpwd_cron Æ-DIR slapd consumer LDAPS (syncrepl) mdb STROEDER.COM - F - ODD 2018-10-08 Ansi'le Æ-D!" services completely $onAgured with Ansible All paths already known in Ansi:le vars Eo OS :ase $onAgurationJ Ansible fact for optional AppArmor $onAg9 ansibleKapparmor.status =L 'ena:ledM >se JinOa2 templates for proAles and a:stra$tions %er+ices and AppArmor must be relia:ly restarted! STROEDER.COM - 8 - ODD 2018-10-08 (rofile *eneration Automatic proAle generation with aa-genprof ! wanted to understand all this in detail P hand-made proAles and a:stra$tion 1. >sed standard a:stra$tions shipped by O% pa$=ages 2. "e+iewed standard a:stractions 2yu$=J6 ;. Own :ase a:stractions @. Future9 Work with AppArmor maintainer to split and strip standard a:stra$tions STROEDER.COM - 5 - ODD 2018-10-08 Ser ice ae"slapd ProAle independent of exec name9 8et$8systemd/system8ae-slapd.service AppArmorProfile=ae-slapd roles/ae-dir-ser+er8templates/apparmor8ae-slapd.j2 P /et$8apparmor.d/ae-slapd >nused stuQ with “deny rS to a+oid audit log entries: 8et$8ssl8openssl)cnf 8et$8gss8mech)d8 STROEDER.COM - 10 - ODD 2018-10-08 +ro,'le"shootin* AppArmor auditd is your friend T-6 grep DENIED /var/log/audit/audit.log|ausearch -i .rying to ha+e no false positives when alarming systemd units for Python9 Environment=PYTHONDONTWRITEBYTECODE=1 %ometimes in+estigating on some strange DHE!HD lines although e+erything just wor=s... Uou $an easily mask audit message with deny but))) STROEDER.COM - 11 - ODD 2018-10-08 systemd (1) #uch systemd concerns0 :ut it’s used anyway %tum:led on some options in systemd.exe$2469 ProtectCL PrivateC= und Mount-lags=private EoEewPrivileges=yes %ystem7allFilter=… "estrictAddress-amilies=A-K!EH. A-K!EH.G A-K>E!3 STROEDER.COM - 12 - ODD 2018-10-08 systemd (2) >ses namespaces(F6 and se$comp-:pf PrivateDe+ices=yes $onnects /de+/log to Oournald #y /et$8systemd/Oournald.conf9 [Journal] Storage=none ForwardToSyslog=yes U##B regarding log performance STROEDER.COM - 13 - ODD 2018-10-08 systemd (3) !nit scripts and systemd units shipped with OS packages are disa:led8remo+edJ %eparate systemd units allow $ustom config Also helps a+oiding in$idents $aused by o+er-zealous pseudo conAg management in O% pa$=ages %e$urity options $onfigura:le by ansible +ars STROEDER.COM - 14 - ODD 2018-10-08 .A Hna:le all prote$tion shields during integration tests Disa:le during pen-Testing in DHB-/QA stage ansible role ae-dir-server apparmor_enabled9 -alse aedir_systemd_hardening9 YZ "e-ena:le for testing protection against actual findings Hardening might help until real security Ax is a+aila:le STROEDER.COM - 15 - ODD 2018-10-08 Conclusion %mall eQort for me as de+eloper9 ~ ;d + [1)4d %eparation of $omponents needed %till more Ane-grained settings left to do Hardening does not or only partially protect against9 ]roken applications, missing updates, et$) 7onfiguration management rocks! Own $ustomization generally better than OS defaults STROEDER.COM - 16 - ODD 2018-10-08 /"0 ? … ! STROEDER.COM - 17 - ODD 2018-10-08.