diff options
| author | Colin Percival <cperciva@FreeBSD.org> | 2020-01-27 09:01:16 +0000 |
|---|---|---|
| committer | Colin Percival <cperciva@FreeBSD.org> | 2020-01-27 09:01:16 +0000 |
| commit | c229fb7438bb19523ec1dfd2ed63f83a4976a5e5 (patch) | |
| tree | 0d8260b154a3819d6a2528bfde1e20a2947d81c8 | |
| parent | d845b59c1abb0881f655545f097e16f336330d0e (diff) | |
Add imds-filterd.
The imds-filterd tool allows administrators of EC2 instances to lock down
which data from the Instance Metadata Service can be accessed by specified
system users and groups, thereby making the EC2 Instance Metadata Service
compatible with traditional UNIX privilege separation.
Reviewed by: otis, dizzy, lwhsu
Sponsored by: Tarsnap Backup Inc.
Notes
Notes:
svn path=/head/; revision=524248
| -rw-r--r-- | GIDs | 2 | ||||
| -rw-r--r-- | UIDs | 2 | ||||
| -rw-r--r-- | security/Makefile | 1 | ||||
| -rw-r--r-- | security/imds-filterd/Makefile | 44 | ||||
| -rw-r--r-- | security/imds-filterd/distinfo | 3 | ||||
| -rw-r--r-- | security/imds-filterd/pkg-descr | 12 | ||||
| -rw-r--r-- | security/imds-filterd/pkg-message | 14 |
7 files changed, 76 insertions, 2 deletions
@@ -194,7 +194,7 @@ sems:*:250: # free: 251 # free: 252 _adsuck:*:253: -# free: 254 +imds:*:254: _i2pd:*:255: _tor:*:256: _smtpd:*:257: @@ -199,7 +199,7 @@ sems:*:250:250::0:0:SIP Express Media Server:/nonexistent:/usr/sbin/nologin # free: 251 # free: 252 _adsuck:*:253:253::0:0:Adsuck ad blocking user:/nonexistent:/usr/sbin/nologin -# free: 254 +imds:*:254:254::0:0:Instance Metadata Service filter:/nonexistent:/usr/sbin/nologin _i2pd:*:255:255::0:0:I2P daemon:/var/db/i2pd:/usr/sbin/nologin _tor:*:256:256::0:0:Tor anonymizing router:/var/db/tor:/usr/sbin/nologin _smtpd:*:257:257::0:0:OpenSMTPD:/var/empty:/usr/sbin/nologin diff --git a/security/Makefile b/security/Makefile index 2caa964693f3..ba7dc3883e5d 100644 --- a/security/Makefile +++ b/security/Makefile @@ -226,6 +226,7 @@ SUBDIR += idea SUBDIR += identify SUBDIR += ike + SUBDIR += imds-filter SUBDIR += integrit SUBDIR += ipfcount SUBDIR += ipfilter2dshield diff --git a/security/imds-filterd/Makefile b/security/imds-filterd/Makefile new file mode 100644 index 000000000000..d43ebdd232ec --- /dev/null +++ b/security/imds-filterd/Makefile @@ -0,0 +1,44 @@ +# $FreeBSD$ + +PORTNAME= imds-filterd +DISTVERSION= 0.1 +CATEGORIES= security + +MAINTAINER= cperciva@FreeBSD.org +COMMENT= Provides per user/group access controls to the EC2 IMDS + +LICENSE= BSD2CLAUSE +LICENSE_FILE= ${WRKSRC}/COPYRIGHT + +USE_GITHUB= YES +GH_ACCOUNT= cperciva + +# Install binaries into ${STAGEDIR}${PREFIX}/sbin +MAKE_ARGS+= BINDIR=${STAGEDIR}${PREFIX}/sbin + +PORTDOCS= README.md USAGE +PLIST_FILES= etc/rc.d/imds-filterd \ + etc/rc.d/imds-proxy \ + sbin/imds-filterd \ + sbin/imds-proxy \ + "@sample etc/newsyslog.conf.d/imds.conf.sample" \ + "@sample etc/syslog.d/imds.conf.sample" \ + "@sample etc/imds.conf.sample" + +OPTIONS_DEFINE= DOCS + +USERS= imds +GROUPS= imds + +post-install: + @${MKDIR} ${STAGEDIR}${DOCSDIR} + ${INSTALL_DATA} ${PORTDOCS:S,^,${WRKSRC}/,} ${STAGEDIR}${DOCSDIR} + @${MKDIR} ${STAGEDIR}${PREFIX}/etc/syslog.d + ${INSTALL_DATA} ${WRKSRC}/freebsd-conf/syslog-imds.conf ${STAGEDIR}${PREFIX}/etc/syslog.d/imds.conf.sample + @${MKDIR} ${STAGEDIR}${PREFIX}/etc/newsyslog.conf.d + ${INSTALL_DATA} ${WRKSRC}/freebsd-conf/newsyslog-imds.conf ${STAGEDIR}${PREFIX}/etc/newsyslog.conf.d/imds.conf.sample + ${INSTALL_DATA} ${WRKSRC}/imds.conf ${STAGEDIR}${PREFIX}/etc/imds.conf.sample + ${INSTALL_SCRIPT} ${WRKSRC}/freebsd-conf/rc.d-imds-filterd ${STAGEDIR}${PREFIX}/etc/rc.d/imds-filterd + ${INSTALL_SCRIPT} ${WRKSRC}/freebsd-conf/rc.d-imds-proxy ${STAGEDIR}${PREFIX}/etc/rc.d/imds-proxy + +.include <bsd.port.mk> diff --git a/security/imds-filterd/distinfo b/security/imds-filterd/distinfo new file mode 100644 index 000000000000..f73b37bf1732 --- /dev/null +++ b/security/imds-filterd/distinfo @@ -0,0 +1,3 @@ +TIMESTAMP = 1580074291 +SHA256 (cperciva-imds-filterd-0.1_GH0.tar.gz) = e0e8b28046b2a917e110d1313242947aa6901635e81552107ab2f6a2fba83441 +SIZE (cperciva-imds-filterd-0.1_GH0.tar.gz) = 64011 diff --git a/security/imds-filterd/pkg-descr b/security/imds-filterd/pkg-descr new file mode 100644 index 000000000000..af8b6b6a54ee --- /dev/null +++ b/security/imds-filterd/pkg-descr @@ -0,0 +1,12 @@ +imds-filterd (pronounced "I M D S Filter D") is a pair of utilities which +work together to intercept and filter requests to the EC2 Instance Metadata +Service -- or theoretically any other service at 169.254.169.254:80. + +It validates requests against a configured ruleset which specifies whether +given users and groups should be allowed or denied access to certain prefixes +in the Instance Metadata Service. For example, "root" could be granted +access to everything; most unprivileged users granted access to everything +except IAM role credentials; but the www user denied access to the entire +Instance Metadata Service in order to guard against SSRF and similar attacks. + +WWW: http://github.com/cperciva/imds-filterd diff --git a/security/imds-filterd/pkg-message b/security/imds-filterd/pkg-message new file mode 100644 index 000000000000..7b680f611530 --- /dev/null +++ b/security/imds-filterd/pkg-message @@ -0,0 +1,14 @@ +[ +{ type: install + message: <<EOM +To enable imds-filterd, add imds_filterd_enable=YES to /etc/rc.conf. + +To configure imds-filterd, edit $PREFIX/etc/imds.conf. + +imds-filterd ships with configurations for syslogd and newsyslog which log +accesses to the Instance Metadata Service to /var/log/imds.log and rotate +this file upon reaching 1 MB; these settings can be modified via +$PREFIX/etc/{syslog.d, newsyslog.conf.d}/imds.conf. +EOM +} +] |