Dear Cosmian KMS,
The Overall exposure level for cosmian_kms.service on Debian is UNSAFE.
Steps to reproduce:
- Download the latest Debian GNU/Linux package from GitHub with wget:
$ wget https://github.com/Cosmian/kms/releases/download/5.15.0/cosmian-kms-server-non-fips-static-openssl_5.15.0_amd64.deb
- Install with dpkg -i as root:
# dpkg -i cosmian-kms-server-non-fips-static-openssl_5.15.0_amd64.deb
Selecting previously unselected package cosmian-kms-server.
(Reading database ... 212901 files and directories currently installed.)
Preparing to unpack cosmian-kms-server-non-fips-static-openssl_5.15.0_amd64.deb ...
+ KMS_CONFIG=/etc/cosmian/kms.toml
+ [ -f /etc/cosmian/kms.toml ]
Unpacking cosmian-kms-server (5.15.0-1) ...
Setting up cosmian-kms-server (5.15.0-1) ...
+ KMS_CONFIG=/etc/cosmian/kms.toml.bak
+ [ -f /etc/cosmian/kms.toml.bak ]
+ systemctl unmask cosmian_kms.service
+ systemctl enable cosmian_kms.service
Created symlink '/etc/systemd/system/multi-user.target.wants/cosmian_kms.service' → '/usr/lib/systemd/system/cosmian_kms.service'.
+ systemctl stop cosmian_kms.service
+ systemctl daemon-reload
+ [ configure = configure ]
+ deb-systemd-helper unmask cosmian_kms.service
+ deb-systemd-helper --quiet was-enabled cosmian_kms.service
+ deb-systemd-helper enable cosmian_kms.service
- Check the systemd security status:
# systemd-analyze security cosmian_kms.service
...
✗ CapabilityBoundingSet=~CAP_LEASE Service may create file leases 0.1
✗ CapabilityBoundingSet=~CAP_MKNOD Service may create device nodes 0.1
✗ RestrictNamespaces=~cgroup Service may create cgroup namespaces 0.1
✗ RestrictSUIDSGID= Service may create SUID/SGID files 0.2
✗ RestrictNamespaces=~ipc Service may create IPC namespaces 0.1
✗ ProtectHostname= Service may change system host/domainname 0.1
✗ CapabilityBoundingSet=~CAP_(CHOWN|FSETID|SETFCAP) Service may change file ownership/access mode/capabilities unrestricted 0.2
✗ CapabilityBoundingSet=~CAP_SET(UID|GID|PCAP) Service may change UID/GID identities/capabilities 0.3
✗ LockPersonality= Service may change ABI personality 0.1
✗ ProtectKernelTunables= Service may alter kernel tunables 0.2
✗ RestrictAddressFamilies=~AF_PACKET Service may allocate packet sockets 0.2
✗ RestrictAddressFamilies=~AF_NETLINK Service may allocate netlink sockets 0.1
✗ RestrictAddressFamilies=~AF_UNIX Service may allocate local sockets 0.1
✗ RestrictAddressFamilies=~… Service may allocate exotic sockets 0.3
✗ RestrictAddressFamilies=~AF_(INET|INET6) Service may allocate Internet sockets 0.3
✗ CapabilityBoundingSet=~CAP_MAC_* Service may adjust SMACK MAC 0.1
✗ RestrictRealtime= Service may acquire realtime scheduling 0.1
✗ CapabilityBoundingSet=~CAP_SYS_RAWIO Service has raw I/O access 0.2
✗ CapabilityBoundingSet=~CAP_SYS_PTRACE Service has ptrace() debugging abilities 0.3
✗ CapabilityBoundingSet=~CAP_SYS_(NICE|RESOURCE) Service has privileges to change resource use parameters 0.1
✗ DeviceAllow= Service has no device ACL 0.2
✗ CapabilityBoundingSet=~CAP_NET_ADMIN Service has network configuration privileges 0.2
✗ ProtectSystem= Service has full access to the OS file hierarchy 0.2
✗ ProtectProc= Service has full access to process tree (/proc hidepid=) 0.2
✗ ProcSubset= Service has full access to non-process /proc files (/proc subset=) 0.1
✗ ProtectHome= Service has full access to home directories 0.2
✗ CapabilityBoundingSet=~CAP_NET_(BIND_SERVICE|BROADCAST|RAW) Service has elevated networking privileges 0.1
✗ CapabilityBoundingSet=~CAP_AUDIT_* Service has audit subsystem access 0.1
✗ CapabilityBoundingSet=~CAP_SYS_ADMIN Service has administrator privileges 0.3
✗ PrivateNetwork= Service has access to the host's network 0.5
✗ PrivateUsers= Service has access to other users 0.2
✗ PrivateTmp= Service has access to other software's temporary files 0.2
✗ CapabilityBoundingSet=~CAP_SYSLOG Service has access to kernel logging 0.1
✓ KeyringMode= Service doesn't share key material with other services
✓ Delegate= Service does not maintain its own delegated control group subtree
✗ SystemCallFilter=~@clock Service does not filter system calls 0.2
✗ SystemCallFilter=~@cpu-emulation Service does not filter system calls 0.1
✗ SystemCallFilter=~@debug Service does not filter system calls 0.2
✗ SystemCallFilter=~@module Service does not filter system calls 0.2
✗ SystemCallFilter=~@mount Service does not filter system calls 0.2
✗ SystemCallFilter=~@obsolete Service does not filter system calls 0.1
✗ SystemCallFilter=~@privileged Service does not filter system calls 0.2
✗ SystemCallFilter=~@raw-io Service does not filter system calls 0.2
✗ SystemCallFilter=~@reboot Service does not filter system calls 0.2
✗ SystemCallFilter=~@resources Service does not filter system calls 0.2
✗ SystemCallFilter=~@swap Service does not filter system calls 0.2
✗ IPAddressDeny= Service does not define an IP address allow list 0.2
✓ NotifyAccess= Service child processes cannot alter service state
✗ UMask= Files created by service are world-readable by default 0.1
→ Overall exposure level for cosmian_kms.service: 9.6 UNSAFE 🚨
Expected result:
- As the KMS is network facing;
- As the KMS is keeping "Les bijoux de famille" (the family jewels);
Some minimal hardening is needed IMO.
Please take a look at this documentation:
Linux system hardening thanks to systemd
Best Regards,
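For reference, a systemd drop-in that addresses the checks flagged above, written here as an added illustration rather than taken from the Cosmian project or its packaging. It assumes the service runs as a dedicated unprivileged user named cosmian, keeps its state under /var/lib/cosmian (an assumed path; the packaged unit only shows /etc/cosmian/kms.toml) and listens on a port above 1024, so no capability is retained; every value should be verified against the service's real behaviour before deployment.

```ini
# /etc/systemd/system/cosmian_kms.service.d/hardening.conf
# Added example drop-in, not part of the project. Overrides the packaged unit after
# `systemctl daemon-reload && systemctl restart cosmian_kms.service`.
[Service]
# Run unprivileged (user assumed to exist); DynamicUser=yes is an alternative if no state must persist.
User=cosmian
Group=cosmian
# Drop every capability: a KMS bound above port 1024 needs none (assumption; add
# CAP_NET_BIND_SERVICE to both lines only if it really binds a privileged port).
CapabilityBoundingSet=
AmbientCapabilities=
NoNewPrivileges=yes
# Filesystem: read-only OS, no home directories, private /tmp, write only to the state dir.
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
ReadOnlyPaths=/etc/cosmian
ReadWritePaths=/var/lib/cosmian
UMask=0077
# Kernel, devices and process visibility.
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
ProtectClock=yes
ProtectHostname=yes
ProtectProc=invisible
ProcSubset=pid
PrivateDevices=yes
PrivateUsers=yes
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
LockPersonality=yes
MemoryDenyWriteExecute=yes
RemoveIPC=yes
# Network: the KMS is network facing, so keep INET/INET6 (plus UNIX for local sockets
# and the resolver) and deny every other family. An IP allow-list is deployment specific;
# enable the two commented lines with the real client networks if they are known.
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
#IPAddressDeny=any
#IPAddressAllow=localhost <client networks>
# Syscalls: the @system-service allow-list, with the groups the audit flagged denied explicitly.
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources @mount @reboot @swap @obsolete @debug @cpu-emulation @clock @module @raw-io
SystemCallErrorNumber=EPERM
```

After installing the drop-in, re-run systemd-analyze security cosmian_kms.service and exercise the KMS API end to end, since a directive that breaks the service (typically a missing ReadWritePaths entry or a denied syscall group) shows up in journalctl -u cosmian_kms.service rather than in the audit score.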