threatmodel Linux EN - edamametechnologies/threatmodels GitHub Wiki
Linux Threat Model (EN)
Contents
- EDAMAME helper inactive
- No antivirus enabled
- No password manager installed
- Disk encryption disabled
- Potentially compromised email address
- Unverified or unsafe network environment
- File permissions /etc/passwd
- File permissions /etc/shadow
- File permissions /etc/fstab
- File permissions /etc/group
- Group Ownership of /etc/group
- Group Ownership of /etc/shadow
- Your OS is not up to date
- Local firewall disabled
- Remote login enabled
- Remote desktop enabled
- File sharing enabled
- Screen saver requires password disabled
- Secure boot disabled
- Weak password policy
- Business rule not respected
EDAMAME helper inactive
Threat
Dimension : system services / Severity : 5
EDAMAME's Helper software is not running or requires an update. It's required for complete Security Score analysis and remediation.
Implementation
Tested for | Action | Elevation | Script |
---|---|---|---|
Linux 3 | Command line | user | helper_check |
Remediation
Tested for | Action | Elevation | Script |
---|---|---|---|
Linux 3 | Command line | user | https://github.com/edamametechnologies/edamame_helper/releases/download |
Rollback
Tested for | Action | Elevation | Script |
---|---|---|---|
Linux 3 | Command line | system | apt remove edamame-helper |
No antivirus enabled
Threat
Dimension : applications / Severity : 4
Tags : ISO 27001/2,A.12.2.1-Malware Controls, SOC 2,CC6.8-Malware Protection
You don't have any antivirus enabled (SentinelOne, ...). We recommend that you enable one.
Implementation
Tested for | Action | Elevation | Script |
---|---|---|---|
Linux 3 | Command line | admin | LANG=C sentinelctl version 2>/dev/null | grep -q 'Agent version' || pgrep -f FortiEDRAvScanner >/dev/null 2>&1 || echo epp_disabled |
Remediation
https://help.ubuntu.com/community/Antivirus
Rollback
No password manager installed
Threat
Dimension : credentials / Severity : 4
You don't have any password manager installed. It's recommended to install one.
Implementation
Tested for | Action | Elevation | Script |
---|---|---|---|
Linux 3 | Command line | admin | (command -v pass || command -v keepassxc || command -v bw || command -v lpass || command -v gopass || command -v 1password) >/dev/null 2>&1 || echo "No password manager installed" |
Remediation
https://en.wikipedia.org/wiki/Password_manager
Rollback
Disk encryption disabled
Threat
Dimension : system services / Severity : 4
Tags : CIS Benchmark Level 2,Configure Disk Encryption, ISO 27001/2,A.8.3.1-Media Protection, SOC 2,CC6.7-Data Protection
Your main disk and swap are not encrypted. Enabling disk encryption helps protect your data from unauthorized access.
Implementation
Tested for | Action | Elevation | Script |
---|---|---|---|
Linux 3 | Command line | admin | apt update -qq > /dev/null 2>&1 || true && apt install virt-what -y > /dev/null 2>&1 && [ -z "$(virt-what)" ] && { root_dev=$(findmnt -n -o SOURCE /); swap_dev=$(swapon --show=NAME --noheadings 2>/dev/null | head -n1); root_parent=$(lsblk -n -o NAME,TYPE,MOUNTPOINT -p | grep " $(readlink -f "$root_dev")$" | cut -d" " -f1); lsblk -n -o NAME,TYPE -p | grep -q "^$root_parent.*crypt$" || echo "root_encryption_disabled"; if [ -n "$swap_dev" ]; then swap_parent=$(lsblk -n -o NAME,TYPE,MOUNTPOINT -p | grep " $(readlink -f "$swap_dev")$" | cut -d" " -f1); lsblk -n -o NAME,TYPE -p | grep -q "^$swap_parent.*crypt$" || echo "swap_encryption_disabled"; fi; } |
Remediation
https://help.ubuntu.com/community/FullDiskEncryptionHowto
Rollback
https://help.ubuntu.com/community/FullDiskEncryptionHowto
Potentially compromised email address
Threat
Dimension : credentials / Severity : 1
Tags : Personal Posture
Check if your email address might have recently appeared in a data breach.
Implementation
Tested for | Action | Elevation | Script |
---|---|---|---|
Linux 3 | Command line | user | pwned -i 365 |
Remediation
Tested for | Action | Elevation | Script |
---|---|---|---|
Linux 3 | Command line | digitalidentity_manager |
Rollback
https://haveibeenpwned.com/
Unverified or unsafe network environment
Threat
Dimension : network / Severity : 1
Tags : Personal Posture
The network you are connected to is not a known one or it contains unsafe devices. If you are allowed to scan this network, go to the network tab and verify the presence of potentially dangerous devices.
Implementation
Tested for | Action | Elevation | Script |
---|---|---|---|
Linux 3 | Command line | user | lanscan |
Remediation
Tested for | Action | Elevation | Script |
---|---|---|---|
Linux 3 | Command line | network_manager |
Rollback
Tested for | Action | Elevation | Script |
---|---|---|---|
Linux 3 | Command line | network_manager |
File permissions /etc/passwd
Threat
Dimension : system integrity / Severity : 5
Tags : CIS Benchmark Level 1,Verify Password File Permissions
The /etc/passwd file in Unix and Linux systems contains user account information. The recommended permissions for this file are 644. This means: The owner (usually root) has read and write permissions (6). The group and other users have read-only permissions (4). This setup ensures that only the superuser can modify the file, preserving system security. Meanwhile, other users and processes can still read the information they need from the file. This balance of functionality and security is why 644 permissions are considered good practice for the /etc/passwd file.
Implementation
Tested for | Action | Elevation | Script |
---|---|---|---|
Linux 3 | Command line | user | stat /etc/passwd | grep -q '(0644/-rw-r--r--)' || echo bad_permissions |
Remediation
Tested for | Action | Elevation | Script |
---|---|---|---|
Linux 3 | Command line | admin | chmod 644 /etc/passwd |
Rollback
File permissions /etc/shadow
Threat
Dimension : system integrity / Severity : 5
Tags : CIS Benchmark Level 1,Verify Shadow File Permissions
The /etc/shadow file in Unix and Linux systems stores encrypted password data for each user and has stricter permissions than /etc/passwd. This is because /etc/shadow contains sensitive data. The recommended permissions for the /etc/shadow file are 640: 6 (read and write) for the owner, who should be the root or superuser. This allows the system to modify the file when passwords are changed. 0 for the group and others. This means no permissions are given to the group or others, meaning they cannot read, write, or execute the file.
Implementation
Tested for | Action | Elevation | Script |
---|---|---|---|
Linux 3 | Command line | user | stat /etc/shadow | grep -q '(0640/-rw-r-----)' || echo bad_permissions |
Remediation
Tested for | Action | Elevation | Script |
---|---|---|---|
Linux 3 | Command line | admin | chmod 640 /etc/shadow |
Rollback
File permissions /etc/fstab
Threat
Dimension : system integrity / Severity : 5
The /etc/fstab file in Unix and Linux systems provides a table of filesystems that should be mounted automatically at system startup. This file contains important information like what filesystems to mount, where to mount them, and what options to use.
Given its significance, the recommended permissions for the /etc/fstab file are 644: 6 (read and write) for the owner, which should be the root or superuser. This allows the system to modify the file when filesystems are added or removed. 4 (read-only) for the group and others. This allows users and processes to read the file and understand the system's filesystems, but prevents them from making potentially harmful changes. This setup ensures only the root user can modify the file, protecting the system's filesystem configuration. Meanwhile, it allows other users and processes to read the file, providing necessary access to filesystem information.
Implementation
Tested for | Action | Elevation | Script |
---|---|---|---|
Linux 3 | Command line | user | stat /etc/fstab | grep -q '(0644/-rw-r--r--)' || echo bad_permissions |
Remediation
Tested for | Action | Elevation | Script |
---|---|---|---|
Linux 3 | Command line | admin | chmod 644 /etc/fstab |
Rollback
File permissions /etc/group
Threat
Dimension : system integrity / Severity : 5
Tags : CIS Benchmark Level 1,Verify Group File Permissions
The /etc/group file in Unix and Linux systems stores group information or data. It contains a list of all the groups on the system, along with each group's associated users.
Given its importance, the recommended permissions for the /etc/group file are 644: 6 (read and write) for the owner, which should be the root or superuser. This allows the system to add or remove groups or modify group membership. 4 (read-only) for the group and others. This allows users and processes to read the file and understand the system's group memberships, but prevents them from making unauthorized changes. This setup ensures only the root user can modify the file, protecting the system's group configuration. Meanwhile, it allows other users and processes to read the file, providing necessary access to group information.
Implementation
Tested for | Action | Elevation | Script |
---|---|---|---|
Linux 3 | Command line | user | stat /etc/group | grep -q '(0644/-rw-r--r--)' || echo bad_permissions |
Remediation
Tested for | Action | Elevation | Script |
---|---|---|---|
Linux 3 | Command line | admin | chmod 644 /etc/group |
Rollback
Group Ownership of /etc/group
Threat
Dimension : system integrity / Severity : 5
Tags : CIS Benchmark Level 1,Verify Group File Ownership
The /etc/group file should be owned by the root group to maintain the integrity and confidentiality of group information stored within. Incorrect group ownership could lead to unauthorized access or modification of this sensitive file, compromising system security.
Implementation
Tested for | Action | Elevation | Script |
---|---|---|---|
Linux 3 | Command line | user | ls -l /etc/group | grep -q 'root root' || echo bad_group |
Remediation
Tested for | Action | Elevation | Script |
---|---|---|---|
Linux 3 | Command line | admin | chown root:root /etc/group |
Rollback
Group Ownership of /etc/shadow
Threat
Dimension : system integrity / Severity : 5
Tags : CIS Benchmark Level 1,Verify Shadow File Group Ownership
The /etc/shadow file should be owned by the root group or a specific security or system group. This file contains sensitive user information such as encrypted passwords. Incorrect group ownership could lead to unauthorized access or potential manipulation of this critical file, compromising system security and user confidentiality.
Implementation
Tested for | Action | Elevation | Script |
---|---|---|---|
Linux 3 | Command line | user | ls -l /etc/shadow | grep -q 'root shadow' || echo bad_group |
Remediation
Tested for | Action | Elevation | Script |
---|---|---|---|
Linux 3 | Command line | admin | chown root:shadow /etc/shadow |
Rollback
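Added example, not the wiki's own check script: a single POSIX shell audit covering the six /etc items above (permissions of /etc/passwd, /etc/shadow, /etc/fstab and /etc/group, and group ownership of /etc/group and /etc/shadow). It reads the numeric mode and owner names with GNU `stat -c` instead of matching the human-readable `stat` line, which varies with locale, and generalizes the wiki's exact-match test to "no more permissive than" the recommended mode so that a stricter mode is not reported as a finding. The root:root ownership for /etc/passwd and /etc/fstab and the script file name `check_etc_files.sh` are assumptions, not statements from the wiki.

```shell
#!/bin/sh
# Added example, not the wiki's own script. Requires GNU coreutils stat.
# check_file PATH MAX_MODE OWNER GROUP
#   Prints "bad_permissions ..." when PATH grants any permission bit that
#   MAX_MODE (octal, e.g. 644) does not, and "bad_group ..." when owner or
#   group differ from OWNER:GROUP. Returns 0 when clean, 1 on any finding.
check_file() {
  path=$1; max=$2; want_owner=$3; want_group=$4
  if [ ! -e "$path" ]; then
    echo "missing $path"
    return 1
  fi
  # %a = octal mode without leading zero, %U/%G = owner and group names
  set -- $(stat -c '%a %U %G' "$path")
  mode=$1; owner=$2; group=$3
  rc=0
  # Convert both octal strings to integers (leading 0 selects octal for
  # printf). A bit set in the file's mode but cleared in the allowed mode
  # means the file is more permissive than recommended; setuid/setgid/
  # sticky bits are masked off with 511 (0777) since only rwx bits matter.
  mode_n=$(printf '%d' "0$mode")
  max_n=$(printf '%d' "0$max")
  if [ $(( (mode_n & ~max_n) & 511 )) -ne 0 ]; then
    echo "bad_permissions $path (mode $mode, expected at most $max)"
    rc=1
  fi
  if [ "$owner" != "$want_owner" ] || [ "$group" != "$want_group" ]; then
    echo "bad_group $path ($owner:$group, expected $want_owner:$want_group)"
    rc=1
  fi
  return $rc
}

# Run the six wiki items in one pass. Ownership root:root for /etc/passwd
# and /etc/fstab is an assumption; the wiki states ownership only for
# /etc/group (root:root) and /etc/shadow (root:shadow on Debian/Ubuntu).
audit_etc_files() {
  rc=0
  check_file /etc/passwd 644 root root   || rc=1
  check_file /etc/group  644 root root   || rc=1
  check_file /etc/fstab  644 root root   || rc=1
  check_file /etc/shadow 640 root shadow || rc=1
  return $rc
}

# Audit the live system only when executed as a script under the assumed
# file name, not when the functions are sourced into another shell.
case $0 in
  *check_etc_files.sh) audit_etc_files ;;
esac
```

Because `stat` only needs search permission on /etc, the audit runs as an unprivileged user; only the `chmod`/`chown` remediations need root.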
Your OS is not up to date
Threat
Dimension : system integrity / Severity : 2
Tags : CIS Benchmark Level 1,Ensure package manager repositories are configured
Your operating system is not up to date. Please upgrade it to get the latest security patches.
Implementation
Tested for | Action | Elevation | Script |
---|---|---|---|
Linux 3 | Command line | admin | LANG=C apt update -qq > /dev/null 2>&1 || true && apt list --upgradeable 2>/dev/null | grep -q 'upgradable' && echo os_outdated |
Remediation
Tested for | Action | Elevation | Script |
---|---|---|---|
Linux 3 | Command line | admin | apt update -qq > /dev/null 2>&1 || true && apt upgrade -y |
Rollback
Local firewall disabled
Threat
Dimension : network / Severity : 3
Tags : CIS Benchmark Level 1,Ensure UFW is installed
Your local firewall is disabled. This is fine in a trusted environment but dangerous if you happen to connect to public networks. You should turn it on by default.
Implementation
Tested for | Action | Elevation | Script |
---|---|---|---|
Linux 3 | Command line | admin | if command -v ufw >/dev/null 2>&1; then output=$(LANG=C ufw status 2>&1); ufw_exit_code=$?; if [ $ufw_exit_code -eq 0 ]; then echo "$output" | grep -qi 'Status: active' || echo firewall_disabled; fi; fi |
Remediation
Tested for | Action | Elevation | Script |
---|---|---|---|
Linux 3 | Command line | admin | apt update -qq > /dev/null 2>&1 || true && apt install ufw -y > /dev/null 2>&1 && ufw enable |
Rollback
Tested for | Action | Elevation | Script |
---|---|---|---|
Linux 3 | Command line | admin | ufw disable |
Remote login enabled
Threat
Dimension : system integrity / Severity : 4
Tags : CIS Benchmark Level 1,Ensure SSH Server is configured with appropriate ciphers
Remote login is enabled. This is not necessary unless you are an IT professional. This is unusual and dangerous for most users.
Implementation
Tested for | Action | Elevation | Script |
---|---|---|---|
Linux 3 | Command line | admin | LANG=C systemctl is-active ssh | grep -q 'inactive' || echo remote_login_enabled |
Remediation
Tested for | Action | Elevation | Script |
---|---|---|---|
Linux 3 | Command line | admin | systemctl stop ssh && systemctl disable ssh |
Rollback
Tested for | Action | Elevation | Script |
---|---|---|---|
Linux 3 | Command line | admin | systemctl enable ssh && systemctl start ssh |
Remote desktop enabled
Threat
Dimension : system integrity / Severity : 4
Tags : CIS Benchmark Level 1,Ensure remote administration tools are not installed
Remote desktop is enabled. This is not necessary unless you are an IT professional. This is unusual and dangerous for most users.
Implementation
Tested for | Action | Elevation | Script |
---|---|---|---|
Linux 3 | Command line | user | LANG=C systemctl is-active xrdp 2>/dev/null | grep -q 'inactive' || echo rdp_enabled |
Remediation
Tested for | Action | Elevation | Script |
---|---|---|---|
Linux 3 | Command line | admin | systemctl stop xrdp && systemctl disable xrdp |
Rollback
Tested for | Action | Elevation | Script |
---|---|---|---|
Linux 3 | Command line | admin | apt update -qq > /dev/null 2>&1 || true && apt install xrdp -y > /dev/null 2>&1 && systemctl start xrdp && systemctl enable xrdp |
File sharing enabled
Threat
Dimension : system services / Severity : 4
Tags : CIS Benchmark Level 1,Ensure NFS and RPC are not enabled
File sharing is enabled. While this could be intentional, we strongly recommend turning it off. It is not that easy to configure and can expose your data to unwanted people.
Implementation
Tested for | Action | Elevation | Script |
---|---|---|---|
Linux 3 | Command line | user | LANG=C systemctl is-active nfs-kernel-server 2>/dev/null | grep -q 'inactive' || echo nfs_enabled; LANG=C systemctl is-active smbd 2>/dev/null | grep -q 'inactive' || echo smb_enabled |
Remediation
Tested for | Action | Elevation | Script |
---|---|---|---|
Linux 3 | Command line | admin | systemctl stop smbd && systemctl disable smbd; systemctl stop nfs-kernel-server && systemctl disable nfs-kernel-server |
Rollback
Tested for | Action | Elevation | Script |
---|---|---|---|
Linux 3 | Command line | admin | apt update -qq > /dev/null 2>&1 || true && apt install samba -y > /dev/null 2>&1 && systemctl start smbd && systemctl enable smbd && apt install nfs-kernel-server -y > /dev/null 2>&1 && systemctl start nfs-kernel-server && systemctl enable nfs-kernel-server |
Screen saver requires password disabled
Threat
Dimension : credentials / Severity : 3
Tags : CIS Benchmark Level 1,Lock inactive user accounts, ISO 27001/2,A.11.2.8-Unattended User Equipment, SOC 2,CC6.1-Logical Access
When the screen saver is active, we recommend that a password is required to exit it. Otherwise anyone could access your computer while you are away.
Implementation
Tested for | Action | Elevation | Script |
---|---|---|---|
Linux 3 | Command line | user | LANG=C gsettings get org.gnome.desktop.screensaver lock-enabled | grep -q 'true' || echo screensaver_lock_disabled |
Remediation
Tested for | Action | Elevation | Script |
---|---|---|---|
Linux 3 | Command line | user | gsettings set org.gnome.desktop.screensaver lock-enabled true |
Rollback
Tested for | Action | Elevation | Script |
---|---|---|---|
Linux 3 | Command line | user | gsettings set org.gnome.desktop.screensaver lock-enabled false |
Secure boot disabled
Threat
Dimension : system services / Severity : 5
Tags : CIS Benchmark Level 2,Ensure Secure Boot is enabled
Secure Boot is a security standard developed to ensure that a device boots using only software that is trusted by the Original Equipment Manufacturer (OEM). Enabling Secure Boot helps protect against bootloader attacks.
Implementation
Tested for | Action | Elevation | Script |
---|---|---|---|
Linux 3 | Command line | user | LANG=C mokutil --sb-state | grep -q 'SecureBoot enabled' || echo secure_boot_disabled |
Remediation
https://wiki.debian.org/SecureBoot
Rollback
https://wiki.debian.org/SecureBoot
Weak password policy
Threat
Dimension : credentials / Severity : 4
Tags : CIS Benchmark Level 1,Configure Password Policy Requirements
Enforcing a strong password policy is essential to protect against unauthorized access. Ensure that the system has a robust password policy implemented.
Implementation
Tested for | Action | Elevation | Script |
---|---|---|---|
Linux 3 | Command line | user | if [ ! -f /etc/security/pwquality.conf ]; then echo 'weak password policy: pwquality is not in use'; elif ! grep -qvE '^\s*#|^\s*$' /etc/security/pwquality.conf; then echo 'weak password policy: conf file uses defaults'; fi |
Remediation
https://manpages.ubuntu.com/manpages/oracular/en/man3/pwquality.3.html
Rollback
https://manpages.ubuntu.com/manpages/oracular/en/man3/pwquality.3.html
Business rule not respected
Threat
Dimension : applications / Severity : 1
One or more business rules are not respected. Please check the command output for more details.
Implementation
Tested for | Action | Elevation | Script |
---|---|---|---|
Linux 3 | Command line | user | business_rules |
Remediation
Refer to the business rules documentation for more details.
Rollback
Refer to the business rules documentation for more details.