threatmodel Linux EN - edamametechnologies/threatmodels GitHub Wiki
Linux Threat Model (EN)
Contents
- EDAMAME helper inactive
- No antivirus enabled
- Potentially compromised email address
- Unverified network environment
- File permissions /etc/passwd
- File permissions /etc/shadow
- File permissions /etc/fstab
- File permissions /etc/group
- Group Ownership of /etc/group
- Group Ownership of /etc/shadow
- Cron is not restricted to root only
- Missing system updates
- Uncomplicated firewall (ufw) not installed
EDAMAME helper inactive
Threat
Dimension : system services / Severity : 5
EDAMAME's Helper software is not running or requires an update. It's required for maximum Security Score analysis.
Implementation
Tested for | Action | Elevation | Script |
---|---|---|---|
Linux 6 | Command line | user | helper_check |
Remediation
Tested for | Action | Elevation | Script |
---|---|---|---|
Linux 6 | Command line | user | https://github.com/edamametechnologies/edamame_helper/releases/download |
Rollback
No antivirus enabled
Threat
Dimension : applications / Severity : 4
Tags : ISO 27001/2,Malware Protection, PCI-DSS,Requirement-5, SOC 2,CC-Malware Protection
You don't have any antivirus enabled (SentinelOne...). We recommend that you enable one.
Implementation
Tested for | Action | Elevation | Script |
---|---|---|---|
Linux 6 | Command line | admin | sentinelctl version 2>/dev/null | grep -q "Agent version" || echo noepp |
Remediation
https://help.ubuntu.com/community/Antivirus
Rollback
https://help.ubuntu.com/community/Antivirus
Potentially compromised email address
Threat
Dimension : credentials / Severity : 1
Tags : ISO 27001/2,Information Security Incident Management, PCI-DSS,Requirement-12.10, SOC 2,CC-Incident Response, Personal Posture
Your email address might have recently appeared in a data breach. Please set your email in the Identity tab, review the breaches if any, and follow the instructions.
Implementation
Tested for | Action | Elevation | Script |
---|---|---|---|
Linux 6 | Command line | user | pwned -i 365 |
Remediation
Tested for | Action | Elevation | Script |
---|---|---|---|
Linux 6 | Command line | | digitalidentity_manager |
Rollback
https://en.wikipedia.org/wiki/Have_I_Been_Pwned
Unverified network environment
Threat
Dimension : network / Severity : 1
Tags : ISO 27001/2,Information Security Incident Management, PCI-DSS,Requirement-12.10, SOC 2,CC-Incident Response, Personal Posture
The network you are connected to is not a known one. If you are allowed to scan this network, go to the Network tab and check for potentially dangerous devices.
Implementation
Tested for | Action | Elevation | Script |
---|---|---|---|
Linux 6 | Command line | user | lanscan |
Remediation
Tested for | Action | Elevation | Script |
---|---|---|---|
Linux 6 | Command line | | network_manager |
Rollback
https://en.wikipedia.org/wiki/Port_scanner
File permissions /etc/passwd
Threat
Dimension : system integrity / Severity : 5
Tags : CIS Benchmark Level 1,File Permissions, ISO 27001/2,Communications Security, PCI-DSS,Requirement-1, SOC 2,CC-System Operations
The /etc/passwd file in Unix and Linux systems contains user account information. The recommended permissions for this file are 644: the owner (usually root) has read and write permissions (6), while the group and other users have read-only permissions (4). This ensures that only the superuser can modify the file, preserving system security, while other users and processes can still read the information they need from it. This balance of functionality and security is why 644 is considered good practice for /etc/passwd.
Implementation
Tested for | Action | Elevation | Script |
---|---|---|---|
Linux 6 | Command line | system | stat /etc/passwd | grep '(0644/-rw-r--r--)' | grep -v grep > /dev/null || echo bad_permissions |
Remediation
Tested for | Action | Elevation | Script |
---|---|---|---|
Linux 6 | Command line | system | chmod 644 /etc/passwd |
Rollback
File permissions /etc/shadow
Threat
Dimension : system integrity / Severity : 5
Tags : CIS Benchmark Level 1,File Permissions, ISO 27001/2,Access Control, PCI-DSS,Requirement-7, SOC 2,CC-System Operations
The /etc/shadow file in Unix and Linux systems stores the hashed password data for each user and has stricter permissions than /etc/passwd because it contains sensitive data. The recommended permissions for /etc/shadow are 600: 6 (read and write) for the owner, who should be root, so the system can modify the file when passwords are changed, and 0 for the group and others, meaning they cannot read, write, or execute the file.
Implementation
Tested for | Action | Elevation | Script |
---|---|---|---|
Linux 6 | Command line | system | stat /etc/shadow | grep '(0600/-rw-------)' | grep -v grep > /dev/null || echo bad_permissions |
Remediation
Tested for | Action | Elevation | Script |
---|---|---|---|
Linux 6 | Command line | system | chmod 600 /etc/shadow |
Rollback
File permissions /etc/fstab
Threat
Dimension : system integrity / Severity : 5
Tags : CIS Benchmark Level 1,Filesystem Configuration, ISO 27001/2,System Acquisition, Development and Maintenance, PCI-DSS,Requirement-2, SOC 2,CC-Configuration Management
The /etc/fstab file in Unix and Linux systems provides a table of filesystems that should be mounted automatically at system startup. It contains important information such as which filesystems to mount, where to mount them, and which options to use.
Given its significance, the recommended permissions for the /etc/fstab file are 644: 6 (read and write) for the owner, which should be root, so the system can modify the file when filesystems are added or removed; 4 (read-only) for the group and others, so users and processes can read the file and understand the system's filesystems but cannot make potentially harmful changes. This setup ensures only root can modify the file, protecting the system's filesystem configuration, while other users and processes can still read the filesystem information they need.
Implementation
Tested for | Action | Elevation | Script |
---|---|---|---|
Linux 6 | Command line | system | stat /etc/fstab | grep '(0644/-rw-r--r--)' | grep -v grep > /dev/null || echo bad_permissions |
Remediation
Tested for | Action | Elevation | Script |
---|---|---|---|
Linux 6 | Command line | system | chmod 644 /etc/fstab |
Rollback
File permissions /etc/group
Threat
Dimension : system integrity / Severity : 5
Tags : CIS Benchmark Level 1,User and Group Settings, ISO 27001/2,Access Control, PCI-DSS,Requirement-7, SOC 2,CC-Access Control
The /etc/group file in Unix and Linux systems stores group information: a list of all the groups on the system, along with each group's associated users.
Given its importance, the recommended permissions for the /etc/group file are 644: 6 (read and write) for the owner, which should be root, so the system can add or remove groups or modify group membership; 4 (read-only) for the group and others, so users and processes can read the file and understand the system's group memberships but cannot make unauthorized changes. This setup ensures only root can modify the file, protecting the system's group configuration, while other users and processes can still read the group information they need.
Implementation
Tested for | Action | Elevation | Script |
---|---|---|---|
Linux 6 | Command line | system | stat /etc/group | grep '(0644/-rw-r--r--)' | grep -v grep > /dev/null || echo bad_permissions |
Remediation
Tested for | Action | Elevation | Script |
---|---|---|---|
Linux 6 | Command line | system | chmod 644 /etc/group |
Rollback
Group Ownership of /etc/group
Threat
Dimension : system integrity / Severity : 5
Tags : CIS Benchmark Level 1,File Ownership and Permissions, ISO 27001/2,Information Security Policies, PCI-DSS,Requirement-2, SOC 2,CC-System Operations
The /etc/group file should be owned by the root group to maintain the integrity and confidentiality of the group information stored within it. Incorrect group ownership could lead to unauthorized access to or modification of this sensitive file, compromising system security.
Implementation
Tested for | Action | Elevation | Script |
---|---|---|---|
Linux 6 | Command line | system | ls -l /etc/group | grep 'root root' | grep -v grep > /dev/null || echo bad_group |
Remediation
Tested for | Action | Elevation | Script |
---|---|---|---|
Linux 6 | Command line | system | chown root:root /etc/group |
Rollback
Group Ownership of /etc/shadow
Threat
Dimension : system integrity / Severity : 5
Tags : CIS Benchmark Level 1,File Ownership and Permissions, ISO 27001/2,Access Control, PCI-DSS,Requirement-7, SOC 2,CC-System Operations
The /etc/shadow file should be owned by the root group or a specific security or system group. It contains sensitive user information such as password hashes. Incorrect group ownership could lead to unauthorized access to or manipulation of this critical file, compromising system security and user confidentiality.
Implementation
Tested for | Action | Elevation | Script |
---|---|---|---|
Linux 6 | Command line | system | ls -l /etc/shadow | grep 'root root' | grep -v grep > /dev/null || echo bad_group |
Remediation
Tested for | Action | Elevation | Script |
---|---|---|---|
Linux 6 | Command line | system | chown root:root /etc/shadow |
Rollback
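The six file checks above all parse the human-readable output of `stat` or `ls -l` with `grep`. The script below is an added example, not part of the EDAMAME threat model: it audits mode, owner and group of the same files with a single machine-readable `stat -c` call (GNU coreutils assumed), reports each deviation against the baseline stated on this page, and carries a remediation helper that sets mode, owner and group together.

```sh
#!/bin/sh
# Added example, not part of the EDAMAME threat model: audit mode and ownership
# of the files covered above with one machine-readable stat(1) call instead of
# grepping the human-readable output of ls -l or stat. Assumes GNU coreutils.

# check_file PATH MODE OWNER GROUP
# Returns 0 when all three match, 1 when any differs, 2 when the file is missing.
check_file() {
    actual=$(stat -c '%a %U %G' "$1" 2>/dev/null) || return 2
    [ "$actual" = "$2 $3 $4" ]
}

# fix_file PATH MODE OWNER:GROUP
# The remediation step; chown with an explicit "owner:group" sets both fields
# (a plain "chown root" leaves a wrong group in place).
fix_file() {
    chmod "$2" "$1" && chown "$3" "$1"
}

# Baseline as stated on this page (root:root throughout). Debian-based systems
# ship /etc/shadow as root:shadow 640; change that line before auditing them.
audit_baseline() {
    rc=0
    while read -r path mode owner group; do
        [ -n "$path" ] || continue
        st=0
        check_file "$path" "$mode" "$owner" "$group" || st=$?
        case $st in
            0) echo "ok              $path" ;;
            2) echo "missing         $path" ;;
            *) echo "bad_permissions $path is $(stat -c '%a %U:%G' "$path"), want $mode $owner:$group"
               rc=1 ;;
        esac
    done <<EOF
/etc/passwd 644 root root
/etc/shadow 600 root root
/etc/fstab  644 root root
/etc/group  644 root root
EOF
    return $rc
}

audit_baseline
```

The audit exits non-zero when any file deviates, so it can replace the per-file `|| echo bad_permissions` checks in a scripted run.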
Cron is not restricted to root only
Threat
Dimension : system integrity / Severity : 5
Tags : CIS Benchmark Level 1,Job Scheduling, ISO 27001/2,Operations Security, PCI-DSS,Requirement-6, SOC 2,CC-System Operations
Cron is a time-based job scheduler in Unix-like operating systems. Users can schedule jobs (commands or scripts) to run periodically at fixed times, dates, or intervals. It's a powerful tool, but can also pose security risks if not managed properly. Restricting cron jobs to the root user is generally considered good practice.
Implementation
Tested for | Action | Elevation | Script |
---|---|---|---|
Linux 6 | Command line | admin | cd /etc ; [ -f cron.deny ] && echo bad_config ; grep -vx root cron.allow |
Remediation
Tested for | Action | Elevation | Script |
---|---|---|---|
Linux 6 | Command line | system | cd /etc ; [ -f cron.deny ] && mv cron.deny cron.deny.edamame_save ; [ -f cron.allow ] && mv cron.allow cron.allow.edamame_save ; echo root > cron.allow ; chown root cron.allow ; chmod 400 cron.allow |
Rollback
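As an added example (not the EDAMAME check above), the function below evaluates cron.allow and cron.deny the way cron(8) reads them and distinguishes "neither file present", whose meaning is distribution dependent, from "restricted to root". The directory is a parameter so the logic can be exercised on a constructed copy; it defaults to /etc.

```sh
#!/bin/sh
# Added example, not the EDAMAME check: report the cron access-control state
# from cron.allow / cron.deny in the directory given as $1 (default /etc).
#   bad_config  cron.deny exists (deny-list mode: anyone not listed may use cron),
#               or cron.allow names users other than root
#   unknown     neither file exists; the default is distribution dependent, so
#               this is not the same as "restricted to root"
#   ok          cron.allow exists and names only root
cron_access_state() {
    dir=${1:-/etc}
    if [ -f "$dir/cron.deny" ]; then
        echo "bad_config cron.deny present"
        return 1
    fi
    if [ ! -f "$dir/cron.allow" ]; then
        echo "unknown no cron.allow"
        return 2
    fi
    # Whole-line match (-x) so a user such as "nonroot" cannot pass as root;
    # blank lines are ignored. "|| :" keeps an empty result from tripping set -e.
    extra=$(grep -vx root "$dir/cron.allow" | grep -v '^[[:space:]]*$' || :)
    if [ -n "$extra" ]; then
        echo "bad_config cron.allow lists: $(printf '%s' "$extra" | tr '\n' ' ')"
        return 1
    fi
    echo ok
}

cron_access_state "$@"
```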
Missing system updates
Threat
Dimension : system integrity / Severity : 5
Tags : CIS Benchmark Level 1,System Patching, ISO 27001/2,Information Systems Maintenance, PCI-DSS,Requirement-6, SOC 2,CC-System Operations
Keeping a Linux system (or any operating system) up to date is crucial for several reasons, particularly security: developers regularly find and fix security vulnerabilities in software, and these fixes, known as patches, are distributed via updates. By regularly updating your system, you ensure these patches are applied promptly, reducing the chance of a successful attack.
Implementation
Tested for | Action | Elevation | Script |
---|---|---|---|
Linux 6 | Command line | system | checkupdates; [ $? -eq 0 ] && echo updates_required |
Remediation
Tested for | Action | Elevation | Script |
---|---|---|---|
Linux 6 | Command line | system | pacman -Syu --noconfirm |
Rollback
Uncomplicated firewall (ufw) not installed
Threat
Dimension : network / Severity : 3
Tags : CIS Benchmark Level 1,Firewall Configuration, ISO 27001/2,Network Security, PCI-DSS,Requirement-1, SOC 2,CC-Network Security
A firewall is a crucial part of any network security framework. Firewalls control incoming and outgoing network traffic based on predetermined security rules, establishing a barrier between trusted internal networks and untrusted external networks. A firewall can also block unauthorized access to or from private networks, preventing intruders from reaching sensitive information. Uncomplicated Firewall (ufw) provides a command-line interface and aims to be uncomplicated and easy to use.
Implementation
Tested for | Action | Elevation | Script |
---|---|---|---|
Linux 6 | Command line | system | pacman -Qi ufw > /dev/null || echo not_found |
Remediation
Tested for | Action | Elevation | Script |
---|---|---|---|
Linux 6 | Command line | system | pacman -S --noconfirm ufw; ufw enable; ufw default deny; ufw allow from 192.168.0.0/24; ufw allow Deluge; ufw limit ssh |
Rollback
Tested for | Action | Elevation | Script |
---|---|---|---|
Linux 6 | Command line | | pacman -R ufw |