Security ideas for hardening the OS #6

delta1512 opened this issue Oct 6, 2017 · 8 comments
Comments

@delta1512
Owner

delta1512 commented Oct 6, 2017

Current ideas that will be implemented with upcoming updates are:

  • Locking the root account

  • Creating strict sudo permissions that only allow for certain actions to be elevated without a password

  • Possibly a firewall or boinc.service argument to prevent RPCs to the client

  • Randomisation on a per-OS basis:

    • gui_rpc_auth.cfg randomisation

    • SSH keys (if key-based auth enabled)

    • Possible solution is to add a script that runs and disables itself after running at boot

  • Forced password reset (consideration)


Any ideas posted here will be amended to this post and implemented in a future update.

@delta1512
Owner Author

Locked the root account, created sudoer rules and added a large gui_rpc_auth to the boinc data directory

@tomasbrod

How are you solving the auth file? If I am not mistaken, BOINC generates a random one on first startup. If you just include a pre-generated file in the image, then it will be the same for all installations.

@delta1512
Owner Author

@tomasbrod BOINC does generate a random auth file, however it is only done when I make the image and doesn't deviate between images that people download. This will be solved with an installer but as we have a raw, prepackaged image, it is difficult. The reason we need to do this is because an attacker can know the RPC password by simply downloading the BOINCOS image.

Off the top of my head I'm thinking of adding a systemd unit or something similar that will only run once and jumble up the auth file to something different when the OS is first booted. My current method and what I plan to do with what I just described is to simply feed a sha512 hash function with a bunch of random bits and place that in the user home and BOINC data directory.
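
One way to write the run-once randomiser described in the comment above, added here as an illustration and not taken from the BOINC OS repository. It reads the password directly from `/dev/urandom` rather than hashing random bits with sha512, and the function names, marker file and argument layout are assumptions.

```shell
#!/bin/sh
# Added example (not BOINC OS code): first-boot gui_rpc_auth.cfg randomiser.
# Directory and marker paths are supplied by the caller; none are taken
# from the project.

# 32 bytes from the kernel CSPRNG, printed as 64 hex characters.
gen_rpc_password() {
    head -c 32 /dev/urandom | od -An -v -tx1 | tr -d ' \n'
}

# randomise_rpc_auth DATA_DIR MARKER
# Writes a fresh password unless MARKER already exists, so a second boot
# (or a second invocation) leaves the existing password alone.
randomise_rpc_auth() {
    data_dir=$1
    marker=$2
    [ -e "$marker" ] && return 0
    [ -d "$data_dir" ] || { echo "no such directory: $data_dir" >&2; return 1; }

    old_umask=$(umask)
    umask 077                       # file is never readable by others
    tmp=$(mktemp "$data_dir/.gui_rpc_auth.XXXXXX") || { umask "$old_umask"; return 1; }
    pw=$(gen_rpc_password)
    if [ "${#pw}" -ne 64 ]; then    # short read: refuse to install a weak value
        rm -f "$tmp"; umask "$old_umask"; return 1
    fi
    # Write to a temp file and rename, so a power cut mid-write cannot
    # leave an empty or truncated auth file behind.
    if printf '%s\n' "$pw" > "$tmp" && mv -f "$tmp" "$data_dir/gui_rpc_auth.cfg"; then
        : > "$marker"
        rc=$?
    else
        rm -f "$tmp"; rc=1
    fi
    umask "$old_umask"
    return "$rc"
}

# Entry point when run as a script: DATA_DIR and MARKER as arguments.
# Ownership for the account BOINC runs as is left to the caller (assumption).
if [ "$#" -eq 2 ]; then
    randomise_rpc_auth "$1" "$2"
fi
```

A oneshot systemd unit ordered before boinc.service can call the script with the data directory and a marker path, with `ConditionPathExists=!` on the marker as a second guard.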

@tcblack

tcblack commented Jan 12, 2018

FWIW I would not encourage the firewall, unless it is easily disabled. I already have a network firewall and really don't want to have to debug problems related to both of them causing problems.

@tcblack

tcblack commented Jan 12, 2018

Here's another thought: I have a custom gui_rpc_auth.cfg that I put on my clients already for remote access. Is there a way you can provide a directory accessible on the thumb drive for me to input such files as gui_rpc_auth.cfg, Acct_mgr_login.xml, etc?

@delta1512
Owner Author

@tcblack Firewall is easily disabled through fwset on the minimal spin and the current version of the standard spin does not include a firewall.

As for the USB query, I have removed the ability to mount file systems so as to completely isolate the BOINC OS system from any memory on the permanent system.

I believe the implemented permissions on the BOINC data directory are sufficient enough for importing those files. I typically use some sort of networking transfer using netcat or ftp but I understand that users may not run unix systems nor have access to a personal FTP server which is an obvious limitation to usability.

If you know of any way to allow mounting of only USB devices, your knowledge will be very much appreciated!

@delta1512
Owner Author

Changed firewall ease of use and default behavior here and here

@delta1512
Owner Author

RPC password randomisation functionality is now in the code here
