Differences
This shows you the differences between two versions of the page.
| | Old revision: docs:user-guide:security-features [2017/10/23 21:13] – created still in work hauke | | New revision: docs:guide-user:security:security-features [2020/03/27 19:00] (current) – [Incident handling] Minor grammar issue jamesmacwhite |
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | ====== | + | ====== |
| - | This page should give an overview of the current features used to secure | + | This page should give an overview of the current features used to secure |
| ===== build system ===== | ===== build system ===== | ||
| ==== package signing ===== | ==== package signing ===== | ||
| - | The list of available packages which a user can later install is digitally signed by default. This way a LEDE instance can verify the integrity of the package list. This package list contains the SHA256 hash values of all available packages. | + | The list of available packages which a user can later install is digitally signed by default. This way a OpenWrt |
| - | The build key used for the LEDE binary releases is signed by many LEDE committers. | + | The build key used for the OpenWrt |
| In private builds the build system automatically generates a private and public key to sign the package list. | In private builds the build system automatically generates a private and public key to sign the package list. | ||
| - | ===== build hardening ===== | + | ===== Build hardening ===== |
| ==== RELRO protection ==== | ==== RELRO protection ==== | ||
| Link-time protection known as RELRO (Relocation Read Only) which helps to protect from certain type of exploitation techniques altering the content of some ELF sections. " | Link-time protection known as RELRO (Relocation Read Only) which helps to protect from certain type of exploitation techniques altering the content of some ELF sections. " | ||
| Full is used by default. | Full is used by default. | ||
| - | ==== buffer-overflows | + | ==== Buffer-overflow |
| The _FORTIFY_SOURCE macro which introduces additional checks to detect buffer-overflows in the following standard library functions: memcpy, mempcpy, memmove, memset, strcpy, stpcpy, strncpy, strcat, strncat, sprintf, vsprintf, snprintf, vsnprintf, gets. " | The _FORTIFY_SOURCE macro which introduces additional checks to detect buffer-overflows in the following standard library functions: memcpy, mempcpy, memmove, memset, strcpy, stpcpy, strncpy, strcat, strncat, sprintf, vsprintf, snprintf, vsnprintf, gets. " | ||
| Conservative is used by default. | Conservative is used by default. | ||
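Review bot: the article in the new text of the package-signing paragraph was not adjusted when "LEDE" was replaced, so "This way a OpenWrt" should read "This way an OpenWrt". Two smaller points in the same hunk: the heading "==== package signing =====" has four opening and five closing equals signs, which DokuWiki treats as a malformed heading, so the counts should match on both sides; and the _FORTIFY_SOURCE paragraph has no main verb ("The _FORTIFY_SOURCE macro which introduces additional checks ..."), so "The _FORTIFY_SOURCE macro is enabled, which introduces additional checks ..." would make it a sentence. The RELRO paragraph should also say "certain types of exploitation techniques" rather than "certain type".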
| Line 25: | Line 25: | ||
| Regular is used by default | Regular is used by default | ||
| - | ==== gcc format-security ==== | + | ==== GCC format-security ==== |
| Add -Wformat -Werror=format-security to the CFLAGS. | Add -Wformat -Werror=format-security to the CFLAGS. | ||
| - | ===== separation | + | ===== Separation |
| - | ==== separate | + | ==== Separate |
| procd can start a process under a different user, this account is automatically created by the build system. | procd can start a process under a different user, this account is automatically created by the build system. | ||
| When someone attacks this application the attacker does not gain root privileges immediately. | When someone attacks this application the attacker does not gain root privileges immediately. | ||
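Review bot: the procd sentence is a comma splice ("procd can start a process under a different user, this account is automatically created by the build system"); splitting it into two sentences, or joining with "and", reads better. The following sentence would also be clearer as "If this application is compromised, the attacker does not immediately gain root privileges", which states the least-privilege point directly.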
| Line 37: | Line 37: | ||
| In addition to running processes under different users, it is possible to put them into a own chroot environment where they can only access a limited number of resources which are needed by this daemon. | In addition to running processes under different users, it is possible to put them into a own chroot environment where they can only access a limited number of resources which are needed by this daemon. | ||
| - | ===== incident | + | ===== Incident |
| - | Like every Linux distribution | + | Like every Linux distribution, OpenWrt |
| - | ==== user space applications ==== | + | ==== Userspace |
| - | When we get informed by a security problem in some third party application, | + | When we get informed by a security problem in some third party application, |
| In addition we use this uscan tool which checks if new versions of some application are available and the maintainer of such an application gets a mail notification. Then the maintainer should check if this new version contains important updates. uscan is also able to check for CVE numbers, but this does not work very reliable. | In addition we use this uscan tool which checks if new versions of some application are available and the maintainer of such an application gets a mail notification. Then the maintainer should check if this new version contains important updates. uscan is also able to check for CVE numbers, but this does not work very reliable. | ||
| https:// | https:// | ||
| - | For our released | + | For our released |
| TODO: extend opkg | TODO: extend opkg | ||
| - | ==== kernel | + | ==== Kernel |
| - | Update of the Linux kernel is not so easy on most device supported by LEDE, because the kernel is stored directly | + | Update of the Linux kernel is not so easy on most device supported by OpenWrt, because the kernel is stored directly |
| - | This update requires a complete | + | This update requires a complete |
| - | Before a new minor release is done the kernel is upgraded to the latests | + | Before a new minor release is done the kernel is upgraded to the latest |
| - | ===== remote | + | ===== Remote |
| - | By default login via encrypted | + | Login via encrypted |
| When LUCI is installed login with unencrypted HTTP is supported. | When LUCI is installed login with unencrypted HTTP is supported. | ||
| - | When LUCI and SSL package is installed in addition login over TLS encrypted HTTP is supported | + | When LUCI and SSL package is installed in addition login over TLS encrypted HTTP is supported. |
| - | The Server | + | The server |
| - | There is only one account (root) that can be used to log by default. | + | There is only one account (root) that can be used to log in by default. |
| The UART allows passwordless root login all the time, but to access it physical access to the device is needed. This helps for recovery and for debugging. An attacker with physical access could also directly read and write from the flash chip without using the main application processor. | The UART allows passwordless root login all the time, but to access it physical access to the device is needed. This helps for recovery and for debugging. An attacker with physical access could also directly read and write from the flash chip without using the main application processor. | ||
| - | ==== initial | + | ==== Initial |
| - | By default LEDE uses password less SSH provide access. | + | OpenWrt |
| - | LEDE does not use an individual default password because | + | OpenWrt |
| When an image with an Web UI was installed it also allows passwordless login there. | When an image with an Web UI was installed it also allows passwordless login there. | ||
| A warning message that encourages to set a individual password is shown when no password was is set. | A warning message that encourages to set a individual password is shown when no password was is set. | ||
| - | ==== after initial configuration ==== | + | ==== After initial configuration ==== |
| An individual root password should be set by the user, then password less login is not possible any more. | An individual root password should be set by the user, then password less login is not possible any more. | ||
| It is also possible to use SSH private public keys for authentication. | It is also possible to use SSH private public keys for authentication. | ||
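Review bot: the sentence "A warning message that encourages to set a individual password is shown when no password was is set" still has the doubled verb "was is" in the new revision and should read "when no password is set"; "a individual" should be "an individual". Other wording in this hunk that the grammar pass missed: "into a own chroot environment" (should be "their own"), "this uscan tool" ("the uscan tool") and "does not work very reliable" ("reliably"), "most device supported by OpenWrt" ("most devices"), "When LUCI and SSL package is installed" ("When LuCI and an SSL package are installed"), "an Web UI" ("a web UI"), and "password less" versus "passwordless", which should be spelled one way throughout. The last line would be clearer as "It is also possible to use SSH public-key authentication" rather than "SSH private public keys".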