openbmc-specific dynamic security scanner

Joseph Reynolds jrey at linux.ibm.com
Wed Mar 18 02:01:18 AEDT 2020


Team,

The OpenBMC security working group "end of release checklist" [1] calls 
for a report of basic security facts.  I would like to create a dynamic 
scan tool (okay, it's a shell script) to scan a running OpenBMC system 
and report these facts.  It would not reveal any vulnerabilities that 
are not already well-known.  I believe it would not be much of a head 
start to attackers.

Once the tool was published, the idea is to run it on various platforms, 
fix any issues that need fixing (typically tightening a configuration), 
and reporting to the email list so folks could give their opinions for 
the OpenBMC release process [2].

[1]: 
https://github.com/openbmc/openbmc/wiki/Security-working-group#security-end-of-release-checklist
[2]: https://github.com/openbmc/docs/blob/master/release/release-process.md

Tool operation:
The tool would be given an admin account and use that probe the BMC, and 
create additional accounts for Operator and ReadOnly access.
It would report items such as which network services are running, what 
transport layer security is offered, which accounts can access various 
services, what URLs are accessible, etc.
For web access, it can report on HTTP port 80 redirection,  HTTP 
headers, etc.
With access to the BMC's shell, it can report which files are readable, 
writable, and which have sensitive data (like private keys).
In summary, a catalog of OpenBMC security settings.

I realize a tool like this may fall under the test team's province. I 
want this to be *trivial* for someone with limited OpenBMC experience to 
be able to use.  Setting up a robot environment may be a barrier for 
some, and running a shell script to connect to the BMC may be much easier.

I realize there are existing open source scanners.  Once again, I want 
this to be very easy to use, and be customized for OpenBMC.  I would be 
happy to abandon this project if such a scanner meets my needs.  It 
would need to be customized for OpenBMC, and be very easy to use.  If 
that ever happens, the tool I am proposing today would be a good start.

And if you did not already guess, I've already cobbled together a number 
of shell commands for this, so making the script would be relatively easy.

I think the script would help further the security awareness of the project.

And I am looking for your feedback.

- Joseph



More information about the openbmc mailing list