LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 10-18-2018, 10:59 AM   #1
dcbdbis
LQ Newbie
 
Registered: Dec 2008
Location: Aurora, CO
Distribution: MX-Linux
Posts: 17

[SOLVED] SystemD Penetration Testing Results Inquiry


Good Morning Community,

Let's set the stage first: I have no interest in flame wars nor baiting. I just want facts.

Currently using MX-Linux 17.1. Need something with more current libs like Manjaro. I am under a contract to develop some highly secure HIPAA based medical software. My office rig is going to be penetration tested for security by security professionals - which I am not. I am an application engineer.

Outside of an air-gap model.....which I'll use if I have no other choice....I have this question:

Has SystemD shown any vulnerabilities (other than the DNS attack which I read about) in penetration testing?

It's got a wider attack surface, and it's on PID-1. But outside of emotional outbursts on either side of systemd issue - I can't seem to find test results. They seem to be buried in all the "noise" around systemd.

I need help ascertaining facts. Cold hard facts.

The answer will tell me if I need to build an air-gap machine for this highly secure project I'm under contract for, or if I can install an additional drive in my main system and dual-boot.

Assistance and pointers to articles would be very much appreciated.


Sincerely and respectfully,

Dave

Last edited by dcbdbis; 10-20-2018 at 01:30 PM. Reason: Solved
 
Old 10-18-2018, 02:06 PM   #2
sevendogsbsd
Member
 
Registered: Sep 2017
Distribution: FreeBSD, OpenSUSE
Posts: 968

A quick google revealed: https://www.exploit-db.com/exploits/43935/ and https://www.exploit-db.com/exploits/41171/

Granted those are software vulns that resulted in exploits, thus their existence in exploit-db... I am a pen tester but not OS, only web app. I can pound the cr*p out of something in a VM though, but I am only one person and may not find anything.

So, given that systemd is an init kitchen sink, is your machine to be physically accessible to others? Is it behind a firewall, not in a DMZ, and not accessible remotely? What I am saying is someone will have to have remote access to the OS level to exploit, or have physical access.

Attack vectors from both of these are local.

Last edited by sevendogsbsd; 10-18-2018 at 02:37 PM. Reason: Additional info
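A defender-side check for the "not accessible remotely" condition asked about above. This is an added example, not code from the thread: it lists listening sockets bound to anything other than loopback, assuming the iproute2 `ss -Hltun` output layout, and runs offline on a constructed sample.

```shell
#!/bin/sh
# Added example (not from the thread): audit which listening sockets are
# reachable from outside the machine, i.e. bound beyond loopback.
# Input format assumed: one socket per line as printed by `ss -H -l -t -u -n`
# (Netid State Recv-Q Send-Q Local-Address:Port Peer-Address:Port).

# Print the local address:port of every listener not bound to a loopback address.
external_listeners() {
  awk '
    NF >= 5 {
      local = $5
      addr = local
      sub(/:[^:]*$/, "", addr)   # strip the trailing ":port"
      sub(/%.*$/, "", addr)      # strip an interface scope such as %lo
      gsub(/\[|\]/, "", addr)    # strip IPv6 brackets
      if (addr ~ /^127\./ || addr == "::1") next
      print local
    }'
}

# Number of externally bound listeners (0 is what "not accessible remotely" should mean).
count_external_listeners() {
  external_listeners | wc -l | tr -d " "
}

# Constructed sample of `ss -Hltun` output so the script runs without root or a live box.
SAMPLE_SS='tcp   LISTEN 0 128 0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0 128 127.0.0.1:631      0.0.0.0:*
tcp   LISTEN 0 128 [::]:22            [::]:*
udp   UNCONN 0 0   127.0.0.53%lo:53   0.0.0.0:*
udp   UNCONN 0 0   [::1]:323          [::]:*'

# On a real host replace the sample with live data:  ss -Hltun | external_listeners
printf '%s\n' "$SAMPLE_SS" | external_listeners
```

Only the two sshd listeners (0.0.0.0:22 and [::]:22) should be reported for the sample; the CUPS, resolver and chrony sockets are loopback-only and are ignored.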
 
Old 10-20-2018, 01:26 PM   #3
dcbdbis
LQ Newbie
 
Registered: Dec 2008
Location: Aurora, CO
Distribution: MX-Linux
Posts: 17

Original Poster
THANK YOU @sevendogsbsd,

I apologize for the late reply. I am older and ended up in the VA hospital with cardiac rhythm issues right after this post. Got released last night. New meds, and I'm doing fine.

Answers:
This machine will not be accessible to others, will be behind a stateful firewall, not in a DMZ, and not accessible remotely.

It will exist in my office. Internet access limited to software updates.

And I was totally unaware of the existence of "exploit-db.com". I bookmarked it and I will be perusing it. So once again THANK YOU!


Sincerely and respectfully,

Dave
 
Old 10-21-2018, 07:01 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,409
Blog Entries: 55

Please look at the "big picture" always

Quote:
Originally Posted by dcbdbis
I am an application engineer.
...which to me means you have had to invest much to maintain and grow your business. You'll want to invest time and effort protecting that to ensure you can concentrate on what you do best (without worrying about the rest). Please look at the "big picture" always.


Quote:
Originally Posted by dcbdbis
I am under a contract to develop some highly secure HIPAA based medical software.
This sentence signifies at least two facts: you've entered into contractual obligations (which means liabilities, accountability and a certain "duty of care") and you may (or may not) have to be Standards compliant. To tackle the last one first: please assess what your obligations are under Law. I'd start with this section before reading the rest (they really made an effort to avoid legalese and use straightforward plain language). If you think you might be (sorry to hear that) then head over to HHS (maybe take the mobile app test regardless, as it may help understand what federal laws and regulations are involved).
If you still think you might have to be HIPAA-compliant (double sorry to hear that) then all that remains is this bottom line: prove your compliance.


The upside of having no official legally recognized HIPAA compliance certification process or accreditation is that you may be able to "write your way out of it", providing you know what key controls you have to address, and for the latter you may have to (partially) implement one of say these: the CIS 20 Controls Version 7 or NIST SP-800-53 Revision 5 or ISO/IEC 27001:2013. To put it simply proving your compliance then may boil down to knowing which controls to address, how you deal with those and how you provide evidence to show you do.


If this looks like a significant investment then you may want to start eliminating as much as possible to make your "compliance footprint" smaller:
- consult with someone knowledgeable on all things HIPAA (maybe start at the local Linux User Group chapter?) to ensure you got it right,
- regardless of if you're working standalone, if you're subcontracting or working in-house for a vendor or institution, check if you can piggyback, wheel re-invention-wise, on their certification efforts,
- check your contract details for any loopholes, vagueness, absence of liability limitations and anything else that might come back to bite you,
- assess what you can outsource (I'm not saying the Cloud is the way to go, far from it, but for example AWS offers to take at least control of (heh) some controls for you.) and like they say: less is more,
- then I'd start reading the CIS 20 Controls as I'm guessing that will cover most controls while being "the least painful" most effective start.


*Note I've been involved with information security and compliance "for a while" now and I don't know exactly what it is you do so I'd better make it clear all I offer is suggestions, OK?
Good luck!
 
Old 10-21-2018, 08:26 AM   #5
sevendogsbsd
Member
 
Registered: Sep 2017
Distribution: FreeBSD, OpenSUSE
Posts: 968

Quote:
Originally Posted by dcbdbis
THANK YOU @sevendogsbsd,

I apologize for the late reply. I am older and ended up in the VA hospital with cardiac rhythm issues right after this post. Got released last night. New meds, and I'm doing fine.

Answers:
This machine will not be accessible to others, will be behind a stateful firewall, not in a DMZ, and not accessible remotely.

It will exist in my office. Internet access limited to software updates.

And I was totally unaware of the existence of "exploit-db.com". I bookmarked it and I will be perusing it. So once again THANK YOU!


Sincerely and respectfully,

Dave
You are welcome! Veteran here too, thanks for your service. Sorry to hear you are having health issues, good to hear you are doing better.

I have been involved in cybersecurity at multiple levels for a long time (>10 years). unSpawn makes some very good points. I know zilch about HIPAA but have done DoD compliance for a decade. Some other things to consider: physical security, backups (offsite), disaster recovery, too many others to list.

I am no longer involved in compliance (yay!) so my focus is very narrow (attack only) so I was just getting you to think about some of the security issues from an architectural and attack vector standpoint. I did not even consider the contractual issues, which unSpawn thankfully brought up.

Good luck!
 
Old 10-21-2018, 03:22 PM   #6
dcbdbis
LQ Newbie
 
Registered: Dec 2008
Location: Aurora, CO
Distribution: MX-Linux
Posts: 17

Original Poster
Thank you to all who responded.

Thank you to unSpawn,

For compliance, the group that I work with has a high-end lawyer involved who specializes in medical software. And she's expensive @ $600/hr. So it will be up to her to define some of the specifics with what I need to do to be in compliance. HIPAA is a requirement. An encrypted database is a requirement. And multiple levels of security access is another feature we have identified. And a secure installation/authentication procedure is yet another to prevent theft of the db encryption keys.

The more homework I do, the less the lawyer will need to do @ $600/hr.

We have a meeting pending with the attorney to talk tech.

With all the noise around SystemD, I needed to know in a factual manner if SystemD presented any vulnerabilities. I am acutely aware that it sits on PID 1, and has spread its control into many other areas of an installed Linux system. That presents an attack surface significantly larger than the older SysV init, and I needed hard data on it. The exploit-db site provided me with factual data - exactly what I needed.

One more piece of info I can give to the lawyer in our upcoming meeting.

Thank you all again,


Sincerely and respectfully,

Dave
 