openbmc-specific dynamic security scanner
Joseph Reynolds
jrey at linux.ibm.com
Wed Mar 18 02:01:18 AEDT 2020
Team,
The OpenBMC security working group "end of release checklist" [1] calls
for a report of basic security facts. I would like to create a dynamic
scan tool (okay, it's a shell script) to scan a running OpenBMC system
and report these facts. It would not reveal any vulnerabilities that
are not already well-known. I believe it would not be much of a head
start to attackers.
Once the tool was published, the idea is to run it on various platforms,
fix any issues that need fixing (typically tightening a configuration),
and reporting to the email list so folks could give their opinions for
the OpenBMC release process [2].
[1]:
https://github.com/openbmc/openbmc/wiki/Security-working-group#security-end-of-release-checklist
[2]: https://github.com/openbmc/docs/blob/master/release/release-process.md
Tool operation:
The tool would be given an admin account and use that probe the BMC, and
create additional accounts for Operator and ReadOnly access.
It would report items such as which network services are running, what
transport layer security is offered, which accounts can access various
services, what URLs are accessible, etc.
For web access, it can report on HTTP port 80 redirection, HTTP
headers, etc.
With access to the BMC's shell, it can report which files are readable,
writable, and which have sensitive data (like private keys).
In summary, a catalog of OpenBMC security settings.
I realize a tool like this may fall under the test team's province. I
want this to be *trivial* for someone with limited OpenBMC experience to
be able to use. Setting up a robot environment may be a barrier for
some, and running a shell script to connect to the BMC may be much easier.
I realize there are existing open source scanners. Once again, I want
this to be very easy to use, and be customized for OpenBMC. I would be
happy to abandon this project if such a scanner meets my needs. It
would need to be customized for OpenBMC, and be very easy to use. If
that ever happens, the tool I am proposing today would be a good start.
And if you did not already guess, I've already cobbled together a number
of shell commands for this, so making the script would be relatively easy.
I think the script would help further the security awareness of the project.
And I am looking for your feedback.
- Joseph
More information about the openbmc
mailing list