author | Colin Percival <cperciva@FreeBSD.org> | 2020-01-27 09:01:16 +0000 |
---|---|---|
committer | Colin Percival <cperciva@FreeBSD.org> | 2020-01-27 09:01:16 +0000 |
commit | c229fb7438bb19523ec1dfd2ed63f83a4976a5e5 (patch) | |
tree | 0d8260b154a3819d6a2528bfde1e20a2947d81c8 | |
parent | d845b59c1abb0881f655545f097e16f336330d0e (diff) | |
download | ports-c229fb7438bb19523ec1dfd2ed63f83a4976a5e5.tar.gz ports-c229fb7438bb19523ec1dfd2ed63f83a4976a5e5.zip |
-rw-r--r-- | GIDs | 2 | ||||
-rw-r--r-- | UIDs | 2 | ||||
-rw-r--r-- | security/Makefile | 1 | ||||
-rw-r--r-- | security/imds-filterd/Makefile | 44 | ||||
-rw-r--r-- | security/imds-filterd/distinfo | 3 | ||||
-rw-r--r-- | security/imds-filterd/pkg-descr | 12 | ||||
-rw-r--r-- | security/imds-filterd/pkg-message | 14 |
7 files changed, 76 insertions, 2 deletions
@@ -194,7 +194,7 @@ sems:*:250:
 # free: 251
 # free: 252
 _adsuck:*:253:
-# free: 254
+imds:*:254:
 _i2pd:*:255:
 _tor:*:256:
 _smtpd:*:257:
@@ -199,7 +199,7 @@ sems:*:250:250::0:0:SIP Express Media Server:/nonexistent:/usr/sbin/nologin
 # free: 251
 # free: 252
 _adsuck:*:253:253::0:0:Adsuck ad blocking user:/nonexistent:/usr/sbin/nologin
-# free: 254
+imds:*:254:254::0:0:Instance Metadata Service filter:/nonexistent:/usr/sbin/nologin
 _i2pd:*:255:255::0:0:I2P daemon:/var/db/i2pd:/usr/sbin/nologin
 _tor:*:256:256::0:0:Tor anonymizing router:/var/db/tor:/usr/sbin/nologin
 _smtpd:*:257:257::0:0:OpenSMTPD:/var/empty:/usr/sbin/nologin
diff --git a/security/Makefile b/security/Makefile
index 2caa964693f3..ba7dc3883e5d 100644
--- a/security/Makefile
+++ b/security/Makefile
@@ -226,6 +226,7 @@
 SUBDIR += idea
 SUBDIR += identify
 SUBDIR += ike
+ SUBDIR += imds-filter
 SUBDIR += integrit
 SUBDIR += ipfcount
 SUBDIR += ipfilter2dshield
diff --git a/security/imds-filterd/Makefile b/security/imds-filterd/Makefile
new file mode 100644
index 000000000000..d43ebdd232ec
--- /dev/null
+++ b/security/imds-filterd/Makefile
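Review bot: The added entry `SUBDIR += imds-filter` does not match the directory this same commit creates, `security/imds-filterd` (see the new-file headers for its Makefile, distinfo, pkg-descr and pkg-message), so the category Makefile points at a subdirectory that does not exist and the new port is skipped by category-wide builds and index generation until the line reads `SUBDIR += imds-filterd`. The surrounding list is alphabetical and `imds-filterd` still sorts between `ike` and `integrit`, so only the name needs correcting.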
@@ -0,0 +1,44 @@
+# $FreeBSD$
+
+PORTNAME= imds-filterd
+DISTVERSION= 0.1
+CATEGORIES= security
+
+MAINTAINER= cperciva@FreeBSD.org
+COMMENT= Provides per user/group access controls to the EC2 IMDS
+
+LICENSE= BSD2CLAUSE
+LICENSE_FILE= ${WRKSRC}/COPYRIGHT
+
+USE_GITHUB= YES
+GH_ACCOUNT= cperciva
+
+# Install binaries into ${STAGEDIR}${PREFIX}/sbin
+MAKE_ARGS+= BINDIR=${STAGEDIR}${PREFIX}/sbin
+
+PORTDOCS= README.md USAGE
+PLIST_FILES= etc/rc.d/imds-filterd \
+ etc/rc.d/imds-proxy \
+ sbin/imds-filterd \
+ sbin/imds-proxy \
+ "@sample etc/newsyslog.conf.d/imds.conf.sample" \
+ "@sample etc/syslog.d/imds.conf.sample" \
+ "@sample etc/imds.conf.sample"
+
+OPTIONS_DEFINE= DOCS
+
+USERS= imds
+GROUPS= imds
+
+post-install:
+ @${MKDIR} ${STAGEDIR}${DOCSDIR}
+ ${INSTALL_DATA} ${PORTDOCS:S,^,${WRKSRC}/,} ${STAGEDIR}${DOCSDIR}
+ @${MKDIR} ${STAGEDIR}${PREFIX}/etc/syslog.d
+ ${INSTALL_DATA} ${WRKSRC}/freebsd-conf/syslog-imds.conf ${STAGEDIR}${PREFIX}/etc/syslog.d/imds.conf.sample
+ @${MKDIR} ${STAGEDIR}${PREFIX}/etc/newsyslog.conf.d
+ ${INSTALL_DATA} ${WRKSRC}/freebsd-conf/newsyslog-imds.conf ${STAGEDIR}${PREFIX}/etc/newsyslog.conf.d/imds.conf.sample
+ ${INSTALL_DATA} ${WRKSRC}/imds.conf ${STAGEDIR}${PREFIX}/etc/imds.conf.sample
+ ${INSTALL_SCRIPT} ${WRKSRC}/freebsd-conf/rc.d-imds-filterd ${STAGEDIR}${PREFIX}/etc/rc.d/imds-filterd
+ ${INSTALL_SCRIPT} ${WRKSRC}/freebsd-conf/rc.d-imds-proxy ${STAGEDIR}${PREFIX}/etc/rc.d/imds-proxy
+
+.include <bsd.port.mk>
diff --git a/security/imds-filterd/distinfo b/security/imds-filterd/distinfo
new file mode 100644
index 000000000000..f73b37bf1732
--- /dev/null
+++ b/security/imds-filterd/distinfo
@@ -0,0 +1,3 @@
+TIMESTAMP = 1580074291
+SHA256 (cperciva-imds-filterd-0.1_GH0.tar.gz) = e0e8b28046b2a917e110d1313242947aa6901635e81552107ab2f6a2fba83441
+SIZE (cperciva-imds-filterd-0.1_GH0.tar.gz) = 64011
diff --git a/security/imds-filterd/pkg-descr b/security/imds-filterd/pkg-descr
new file mode 100644
index 000000000000..af8b6b6a54ee
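Review bot: The `post-install` target stages `${PORTDOCS}` into `${STAGEDIR}${DOCSDIR}` unconditionally, while `OPTIONS_DEFINE= DOCS` makes the documentation optional; with DOCS disabled the PORTDOCS plist entries are commented out but the files are still staged, which the plist check reports as orphans. The ports convention is to move the first two recipe lines (`@${MKDIR} ${STAGEDIR}${DOCSDIR}` and the `${INSTALL_DATA} ${PORTDOCS:S,^,${WRKSRC}/,} ${STAGEDIR}${DOCSDIR}` line) into a separate `post-install-DOCS-on:` target and leave the configuration and rc.d installs in `post-install:`. The two rc.d scripts are installed with `${INSTALL_SCRIPT}` rather than through `USE_RC_SUBR`, so the framework performs no `%%PREFIX%%`-style substitution on them; that is only safe if the upstream `freebsd-conf/rc.d-*` files need none, which cannot be confirmed from this hunk. A one-line comment on `USERS`/`GROUPS` naming which of the two installed daemons runs as the `imds` account would document the privilege separation this port depends on, since that is not determinable from the Makefile alone.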
--- /dev/null
+++ b/security/imds-filterd/pkg-descr
@@ -0,0 +1,12 @@
+imds-filterd (pronounced "I M D S Filter D") is a pair of utilities which
+work together to intercept and filter requests to the EC2 Instance Metadata
+Service -- or theoretically any other service at 169.254.169.254:80.
+
+It validates requests against a configured ruleset which specifies whether
+given users and groups should be allowed or denied access to certain prefixes
+in the Instance Metadata Service. For example, "root" could be granted
+access to everything; most unprivileged users granted access to everything
+except IAM role credentials; but the www user denied access to the entire
+Instance Metadata Service in order to guard against SSRF and similar attacks.
+
+WWW: http://github.com/cperciva/imds-filterd
diff --git a/security/imds-filterd/pkg-message b/security/imds-filterd/pkg-message
new file mode 100644
index 000000000000..7b680f611530
--- /dev/null
+++ b/security/imds-filterd/pkg-message
@@ -0,0 +1,14 @@
+[
+{ type: install
+ message: <<EOM
+To enable imds-filterd, add imds_filterd_enable=YES to /etc/rc.conf.
+
+To configure imds-filterd, edit $PREFIX/etc/imds.conf.
+
+imds-filterd ships with configurations for syslogd and newsyslog which log
+accesses to the Instance Metadata Service to /var/log/imds.log and rotate
+this file upon reaching 1 MB; these settings can be modified via
+$PREFIX/etc/{syslog.d, newsyslog.conf.d}/imds.conf.
+EOM
+}
+] |