threatmodel Linux EN - edamametechnologies/threatmodels GitHub Wiki

Linux Threat Model (EN)


EDAMAME helper inactive

Threat

Dimension: system services / Severity: 5

EDAMAME's Helper software is not running or requires an update. It is required for the full Security Score analysis.

Implementation

| Tested for | Action | Elevation | Script |
| --- | --- | --- | --- |
| Linux 6 | Command line | user | `helper_check` |

Remediation

| Tested for | Action | Elevation | Script |
| --- | --- | --- | --- |
| Linux 6 | Command line | user | https://github.com/edamametechnologies/edamame_helper/releases/download |

Rollback

No antivirus enabled

Threat

Dimension: applications / Severity: 4

Tags: ISO 27001/2: Malware Protection; PCI-DSS: Requirement-5; SOC 2: CC-Malware Protection

You don't have any antivirus enabled (SentinelOne, ...). We recommend that you enable one.

Implementation

| Tested for | Action | Elevation | Script |
| --- | --- | --- | --- |
| Linux 6 | Command line | admin | `sentinelctl version 2>/dev/null \| grep -q "Agent version" \|\| echo noepp` |

Remediation

https://help.ubuntu.com/community/Antivirus

Rollback

https://help.ubuntu.com/community/Antivirus

Potentially compromised email address

Threat

Dimension: credentials / Severity: 1

Tags: ISO 27001/2: Information Security Incident Management; PCI-DSS: Requirement-12.10; SOC 2: CC-Incident Response; Personal Posture

Your email address might have recently appeared in a data breach. Please set your email in the Identity tab, review the breaches, if any, and follow the instructions.

Implementation

| Tested for | Action | Elevation | Script |
| --- | --- | --- | --- |
| Linux 6 | Command line | user | `pwned -i 365` |

Remediation

| Tested for | Action | Elevation | Script |
| --- | --- | --- | --- |
| Linux 6 | Command line | | `digitalidentity_manager` |

Rollback

https://en.wikipedia.org/wiki/Have_I_Been_Pwned

Unverified network environment

Threat

Dimension: network / Severity: 1

Tags: ISO 27001/2: Information Security Incident Management; PCI-DSS: Requirement-12.10; SOC 2: CC-Incident Response; Personal Posture

The network you are connected to is not a known one. If you are allowed to scan this network, go to the Network tab and verify the presence of potentially dangerous devices.

Implementation

| Tested for | Action | Elevation | Script |
| --- | --- | --- | --- |
| Linux 6 | Command line | user | `lanscan` |

Remediation

| Tested for | Action | Elevation | Script |
| --- | --- | --- | --- |
| Linux 6 | Command line | | `network_manager` |

Rollback

https://en.wikipedia.org/wiki/Port_scanner

File permissions /etc/passwd

Threat

Dimension: system integrity / Severity: 5

Tags: CIS Benchmark Level 1: File Permissions; ISO 27001/2: Communications Security; PCI-DSS: Requirement-1; SOC 2: CC-System Operations

The /etc/passwd file in Unix and Linux systems contains user account information. The recommended permissions for this file are 644:

  • 6 (read and write) for the owner, usually root.
  • 4 (read-only) for the group and others.

This setup ensures that only the superuser can modify the file, preserving system security, while other users and processes can still read the information they need from it. This balance of functionality and security is why 644 permissions are considered good practice for /etc/passwd.

Implementation

| Tested for | Action | Elevation | Script |
| --- | --- | --- | --- |
| Linux 6 | Command line | system | `stat /etc/passwd \| grep '(0644/-rw-r--r--)' \| grep -v grep > /dev/null \|\| echo bad_permissions` |

Remediation

| Tested for | Action | Elevation | Script |
| --- | --- | --- | --- |
| Linux 6 | Command line | system | `chmod 644 /etc/passwd` |

Rollback

File permissions /etc/shadow

Threat

Dimension: system integrity / Severity: 5

Tags: CIS Benchmark Level 1: File Permissions; ISO 27001/2: Access Control; PCI-DSS: Requirement-7; SOC 2: CC-System Operations

The /etc/shadow file in Unix and Linux systems stores the encrypted password data for each user and has stricter permissions than /etc/passwd, because it contains sensitive data. The recommended permissions for /etc/shadow are 600:

  • 6 (read and write) for the owner, who should be root (the superuser). This allows the system to modify the file when passwords are changed.
  • 0 for the group and others. No permissions are given to the group or to others, so they cannot read, write, or execute the file.

Implementation

| Tested for | Action | Elevation | Script |
| --- | --- | --- | --- |
| Linux 6 | Command line | system | `stat /etc/shadow \| grep '(0600/-rw-------)' \| grep -v grep > /dev/null \|\| echo bad_permissions` |

Remediation

| Tested for | Action | Elevation | Script |
| --- | --- | --- | --- |
| Linux 6 | Command line | system | `chmod 600 /etc/shadow` |

Rollback

File permissions /etc/fstab

Threat

Dimension: system integrity / Severity: 5

Tags: CIS Benchmark Level 1: Filesystem Configuration; ISO 27001/2: System Acquisition, Development and Maintenance; PCI-DSS: Requirement-2; SOC 2: CC-Configuration Management

The /etc/fstab file in Unix and Linux systems provides a table of filesystems that should be mounted automatically at system startup. This file contains important information like what filesystems to mount, where to mount them, and what options to use. Given its significance, the recommended permissions for the /etc/fstab file are 644:

  • 6 (read and write) for the owner, which should be the root or superuser. This allows the system to modify the file when filesystems are added or removed.
  • 4 (read-only) for the group and others. This allows users and processes to read the file and understand the system's filesystems, but prevents them from making potentially harmful changes. This setup ensures only the root user can modify the file, protecting the system's filesystem configuration. Meanwhile, it allows other users and processes to read the file, providing necessary access to filesystem information.

Implementation

| Tested for | Action | Elevation | Script |
| --- | --- | --- | --- |
| Linux 6 | Command line | system | `stat /etc/fstab \| grep '(0644/-rw-r--r--)' \| grep -v grep > /dev/null \|\| echo bad_permissions` |

Remediation

| Tested for | Action | Elevation | Script |
| --- | --- | --- | --- |
| Linux 6 | Command line | system | `chmod 644 /etc/fstab` |

Rollback

File permissions /etc/group

Threat

Dimension: system integrity / Severity: 5

Tags: CIS Benchmark Level 1: User and Group Settings; ISO 27001/2: Access Control; PCI-DSS: Requirement-7; SOC 2: CC-Access Control

The /etc/group file in Unix and Linux systems stores group information or data. It contains a list of all the groups on the system, along with each group's associated users. Given its importance, the recommended permissions for the /etc/group file are 644:

  • 6 (read and write) for the owner, which should be the root or superuser. This allows the system to add or remove groups or modify group membership.
  • 4 (read-only) for the group and others. This allows users and processes to read the file and understand the system's group memberships, but prevents them from making unauthorized changes. This setup ensures only the root user can modify the file, protecting the system's group configuration. Meanwhile, it allows other users and processes to read the file, providing necessary access to group information.

Implementation

| Tested for | Action | Elevation | Script |
| --- | --- | --- | --- |
| Linux 6 | Command line | system | `stat /etc/group \| grep '(0644/-rw-r--r--)' \| grep -v grep > /dev/null \|\| echo bad_permissions` |

Remediation

| Tested for | Action | Elevation | Script |
| --- | --- | --- | --- |
| Linux 6 | Command line | system | `chmod 644 /etc/group` |

Rollback

Group Ownership of /etc/group

Threat

Dimension: system integrity / Severity: 5

Tags: CIS Benchmark Level 1: File Ownership and Permissions; ISO 27001/2: Information Security Policies; PCI-DSS: Requirement-2; SOC 2: CC-System Operations

The /etc/group file should be owned by the root group to maintain the integrity and confidentiality of group information stored within. Incorrect group ownership could lead to unauthorized access or modification of this sensitive file, compromising system security.

Implementation

| Tested for | Action | Elevation | Script |
| --- | --- | --- | --- |
| Linux 6 | Command line | system | `ls -l /etc/group \| grep 'root root' \| grep -v grep > /dev/null \|\| echo bad_group` |

Remediation

| Tested for | Action | Elevation | Script |
| --- | --- | --- | --- |
| Linux 6 | Command line | system | `chown root:root /etc/group` |

Rollback

Group Ownership of /etc/shadow

Threat

Dimension: system integrity / Severity: 5

Tags: CIS Benchmark Level 1: File Ownership and Permissions; ISO 27001/2: Access Control; PCI-DSS: Requirement-7; SOC 2: CC-System Operations

The /etc/shadow file should be owned by the root group or a specific security or system group. This file contains sensitive user information such as encrypted passwords. Incorrect group ownership could lead to unauthorized access or potential manipulation of this critical file, compromising system security and user confidentiality.

Implementation

| Tested for | Action | Elevation | Script |
| --- | --- | --- | --- |
| Linux 6 | Command line | system | `ls -l /etc/shadow \| grep 'root root' \| grep -v grep > /dev/null \|\| echo bad_group` |
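The following is an added example, not a script from the EDAMAME threat model: one reusable check that covers the /etc/passwd, /etc/shadow, /etc/fstab and /etc/group permission and ownership items above. It reads mode, owner and group with GNU stat's `-c` format (Linux) instead of matching the human-readable `(0644/-rw-r--r--)` line or `ls -l` output, and it reports the same kind of tokens the wiki's scripts print.

```shell
#!/bin/sh
# Added example, not part of the EDAMAME threat model. Requires GNU stat (Linux).
#
# check_file FILE MODE OWNER GROUP
# Prints one token per problem (missing, stat_failed, bad_permissions, bad_owner,
# bad_group) and returns non-zero if anything does not match.
check_file() {
    file=$1; want_mode=$2; want_owner=$3; want_group=$4
    [ -e "$file" ] || { echo missing; return 1; }
    # %a: octal mode without leading zero, %U: owner name, %G: group name.
    # stat only needs search permission on the directory, so this also works
    # for /etc/shadow, which is unreadable to ordinary users.
    info=$(stat -c '%a %U %G' "$file" 2>/dev/null) || { echo stat_failed; return 1; }
    set -- $info   # note: overwrites the caller's positional parameters
    rc=0
    [ "$1" = "$want_mode" ]  || { echo bad_permissions; rc=1; }
    [ "$2" = "$want_owner" ] || { echo bad_owner; rc=1; }
    [ "$3" = "$want_group" ] || { echo bad_group; rc=1; }
    return $rc
}

# audit_baseline reads "FILE MODE OWNER GROUP" lines on stdin, runs check_file
# on each one and prints "FILE: problem ..." for every entry that fails.
audit_baseline() {
    rc=0
    while read -r f m o g; do
        [ -n "$f" ] || continue
        problems=$(check_file "$f" "$m" "$o" "$g") || { echo "$f: $problems"; rc=1; }
    done
    return $rc
}

# The expected values stated in the threat model entries above.
audit_baseline <<'EOF' || echo "baseline: mismatches listed above"
/etc/passwd 644 root root
/etc/shadow 600 root root
/etc/fstab  644 root root
/etc/group  644 root root
EOF
```

Because the comparison is exact, a distribution that ships /etc/shadow as `640 root:shadow` (Debian and Ubuntu do) is reported as a mismatch against the 600 root:root baseline above; adjust the baseline lines to the policy you actually enforce.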

Remediation

| Tested for | Action | Elevation | Script |
| --- | --- | --- | --- |
| Linux 6 | Command line | system | `chown root:root /etc/shadow` |

Rollback

Cron is not restricted to root only

Threat

Dimension: system integrity / Severity: 5

Tags: CIS Benchmark Level 1: Job Scheduling; ISO 27001/2: Operations Security; PCI-DSS: Requirement-6; SOC 2: CC-System Operations

Cron is a time-based job scheduler in Unix-like operating systems. Users can schedule jobs (commands or scripts) to run periodically at fixed times, dates, or intervals. It is a powerful tool, but it can also pose security risks if not managed properly. Restricting cron jobs to the root user is generally considered good practice.

Implementation

| Tested for | Action | Elevation | Script |
| --- | --- | --- | --- |
| Linux 6 | Command line | admin | `cd /etc ; [ -f cron.deny ] && echo bad_config ; grep -v root cron.allow` |
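An added example, not a script from the threat model, that evaluates the same cron.allow / cron.deny state as the check above but reports each finding separately. The directory is a parameter (defaulting to /etc) so it can be run against a copy of the files.

```shell
#!/bin/sh
# Added example, not part of the EDAMAME threat model.
#
# cron_root_only [DIR]
# Prints one token per finding, in the style of the wiki's scripts:
#   deny_file_present    cron.deny exists, so cron.allow is not the only gate
#   allow_file_missing   there is no cron.allow at all
#   non_root_user:NAME   for every entry in cron.allow other than root
# Returns 0 only when cron.deny is absent and cron.allow lists exactly root.
cron_root_only() {
    dir=${1:-/etc}
    rc=0
    [ -f "$dir/cron.deny" ] && { echo deny_file_present; rc=1; }
    if [ ! -f "$dir/cron.allow" ]; then
        echo allow_file_missing
        return 1
    fi
    # Compare whole entries rather than "grep -v root", which would also hide
    # users whose names merely contain "root".
    while read -r user; do
        [ -n "$user" ] || continue
        [ "$user" = root ] || { echo "non_root_user:$user"; rc=1; }
    done < "$dir/cron.allow"
    return $rc
}

cron_root_only "$@" || echo "cron is not restricted to root"
```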

Remediation

| Tested for | Action | Elevation | Script |
| --- | --- | --- | --- |
| Linux 6 | Command line | system | `cd /etc ; [ -f cron.deny ] && mv cron.deny cron.deny.edamame_save ; [ -f cron.allow ] && mv cron.allow cron.allow.edamame_save ; echo root > cron.allow ; chown root cron.allow ; chmod 400 cron.allow` |

Rollback

Missing system updates

Threat

Dimension: system integrity / Severity: 5

Tags: CIS Benchmark Level 1: System Patching; ISO 27001/2: Information Systems Maintenance; PCI-DSS: Requirement-6; SOC 2: CC-System Operations

Keeping a Linux system (or any operating system) up to date is crucial for several reasons, particularly for security: developers regularly find and fix security vulnerabilities in software, and these fixes, known as patches, are distributed via updates. By updating your system regularly, you ensure these patches are applied promptly, reducing the chance of a successful attack.

Implementation

| Tested for | Action | Elevation | Script |
| --- | --- | --- | --- |
| Linux 6 | Command line | system | `checkupdates; [ $? -eq 0 ] && echo updates_required` |

Remediation

| Tested for | Action | Elevation | Script |
| --- | --- | --- | --- |
| Linux 6 | Command line | system | `pacman -Syu --noconfirm` |

Rollback

Uncomplicated firewall (ufw) not installed

Threat

Dimension: network / Severity: 3

Tags: CIS Benchmark Level 1: Firewall Configuration; ISO 27001/2: Network Security; PCI-DSS: Requirement-1; SOC 2: CC-Network Security

A firewall is a crucial part of any network security framework. Firewalls control incoming and outgoing network traffic based on predetermined security rules, establishing a barrier between trusted internal networks and untrusted external networks. They can also block unauthorized access to or from private networks, preventing intruders from reaching sensitive information. Uncomplicated Firewall (ufw) provides a command-line interface and aims to be uncomplicated and easy to use.

Implementation

| Tested for | Action | Elevation | Script |
| --- | --- | --- | --- |
| Linux 6 | Command line | system | `pacman -Qi ufw > /dev/null \|\| echo not_found` |

Remediation

| Tested for | Action | Elevation | Script |
| --- | --- | --- | --- |
| Linux 6 | Command line | system | `pacman -S --noconfirm ufw; ufw --force enable; ufw default deny; ufw allow from 192.168.0.0/24; ufw allow Deluge; ufw limit ssh` |

Rollback

| Tested for | Action | Elevation | Script |
| --- | --- | --- | --- |
| Linux 6 | Command line | | `pacman -R --noconfirm ufw` |