LDAP Bind credentials world readable in docker #171
Comments
|
Thanks for the report, I'll take a look at it. The one question I have for you: how is the world reading |
mmguero
added a commit
to mmguero-dev/Malcolm
that referenced
this issue
Jun 30, 2021
…nd credentials are 600 instead of 644
|
Either way, I've pushed a fix up to a development branch that will be merged in here when I do the next release (in the next week or so). See 02e8f53 if you want the details of the patch for your local instance before that. |
|
Moved to idaholab#47. |
|
@mmguero Thanks! I think it depends how you install docker, but that's an interesting note. Appreciate the push |
Merged
mmguero
added a commit
that referenced
this issue
Jul 9, 2021
v3.1.1 development * New features * ["Best Guess" Fingerprinting for ICS Protocols](idaholab#49) - In an effort to help identify more ICS traffic, Malcolm can use "buest guess" method based on transport protocol (e.g., TCP or UDP) and port(s) to categorize potential traffic communicating over some ICS protocols without full parser support. This feature involves a [mapping table](https://github.com/idaholab/Malcolm/blob/master/zeek/config/guess_ics_map.txt) and a [Zeek script](https://github.com/idaholab/Malcolm/blob/master/zeek/config/guess.zeek) to look up the transport protocol and destination and/or source port to make a best guess at whether a connection belongs to one of those protocols. These potential ICS communications are categorized by vendor where possible. The list of ICS protocols' ports was adapted from various public sources, including, but not limited to, [Grassmarlin](https://github.com/nsacyber/GRASSMARLIN/tree/master/GM3/data/fingerprint)'s fingerprints and [ITI/ICS-Security-Tools](https://github.com/ITI/ICS-Security-Tools/blob/master/protocols/PORTS.md)' list of Control Systems Ports. * Improvements and bug fixes * Allow configuring the number of concurrent requests for ClamAV scanning, Yara and Capa via environment variables (`CLAMD_MAX_REQUESTS`, `YARA_MAX_REQUESTS` and `CAPA_MAX_REQUESTS`) * Zeek plugins to detect [CVE-2021-31166](https://github.com/corelight/CVE-2021-31166) and [pingback](https://github.com/corelight/pingback) vulnerabilities * Move creation of custom fields and views to [Arkime's config.ini](https://arkime.com/settings#custom-fields) * LDAP bind credentials world readable in docker (idaholab#47 and #171) * Deny access to uploaded files (#170) * Version bumps * Yara to 4.1.1 * Zeek to 4.0.3 * Spicy to 1.1.0 * Alpine to 3.14 * NGINX to 1.20.1 * Linux kernel to 5.10 (for ISO installs) * urllib3 to 1.26.5 (#169)
mmguero
added a commit
to idaholab/Malcolm
that referenced
this issue
Jul 9, 2021
Merge remote-tracking branch 'cisa/master' * New features * ["Best Guess" Fingerprinting for ICS Protocols](#49) - In an effort to help identify more ICS traffic, Malcolm can use "buest guess" method based on transport protocol (e.g., TCP or UDP) and port(s) to categorize potential traffic communicating over some ICS protocols without full parser support. This feature involves a [mapping table](https://github.com/idaholab/Malcolm/blob/master/zeek/config/guess_ics_map.txt) and a [Zeek script](https://github.com/idaholab/Malcolm/blob/master/zeek/config/guess.zeek) to look up the transport protocol and destination and/or source port to make a best guess at whether a connection belongs to one of those protocols. These potential ICS communications are categorized by vendor where possible. The list of ICS protocols' ports was adapted from various public sources, including, but not limited to, [Grassmarlin](https://github.com/nsacyber/GRASSMARLIN/tree/master/GM3/data/fingerprint)'s fingerprints and [ITI/ICS-Security-Tools](https://github.com/ITI/ICS-Security-Tools/blob/master/protocols/PORTS.md)' list of Control Systems Ports. * Improvements and bug fixes * Allow configuring the number of concurrent requests for ClamAV scanning, Yara and Capa via environment variables (`CLAMD_MAX_REQUESTS`, `YARA_MAX_REQUESTS` and `CAPA_MAX_REQUESTS`) * Zeek plugins to detect [CVE-2021-31166](https://github.com/corelight/CVE-2021-31166) and [pingback](https://github.com/corelight/pingback) vulnerabilities * Move creation of custom fields and views to [Arkime's config.ini](https://arkime.com/settings#custom-fields) * LDAP bind credentials world readable in docker (#47 and cisagov#171) * Deny access to uploaded files (cisagov#170) * Version bumps * Yara to 4.1.1 * Zeek to 4.0.3 * Spicy to 1.1.0 * Alpine to 3.14 * NGINX to 1.20.1 * Linux kernel to 5.10 (for ISO installs) * urllib3 to 1.26.5 (cisagov#169)
mmguero
added a commit
to mmguero-dev/Malcolm
that referenced
this issue
Jul 9, 2021
v3.1.1 development * New features * ["Best Guess" Fingerprinting for ICS Protocols](idaholab#49) - In an effort to help identify more ICS traffic, Malcolm can use "buest guess" method based on transport protocol (e.g., TCP or UDP) and port(s) to categorize potential traffic communicating over some ICS protocols without full parser support. This feature involves a [mapping table](https://github.com/idaholab/Malcolm/blob/master/zeek/config/guess_ics_map.txt) and a [Zeek script](https://github.com/idaholab/Malcolm/blob/master/zeek/config/guess.zeek) to look up the transport protocol and destination and/or source port to make a best guess at whether a connection belongs to one of those protocols. These potential ICS communications are categorized by vendor where possible. The list of ICS protocols' ports was adapted from various public sources, including, but not limited to, [Grassmarlin](https://github.com/nsacyber/GRASSMARLIN/tree/master/GM3/data/fingerprint)'s fingerprints and [ITI/ICS-Security-Tools](https://github.com/ITI/ICS-Security-Tools/blob/master/protocols/PORTS.md)' list of Control Systems Ports. * Improvements and bug fixes * Allow configuring the number of concurrent requests for ClamAV scanning, Yara and Capa via environment variables (`CLAMD_MAX_REQUESTS`, `YARA_MAX_REQUESTS` and `CAPA_MAX_REQUESTS`) * Zeek plugins to detect [CVE-2021-31166](https://github.com/corelight/CVE-2021-31166) and [pingback](https://github.com/corelight/pingback) vulnerabilities * Move creation of custom fields and views to [Arkime's config.ini](https://arkime.com/settings#custom-fields) * LDAP bind credentials world readable in docker (idaholab#47 and cisagov#171) * Deny access to uploaded files (cisagov#170) * Version bumps * Yara to 4.1.1 * Zeek to 4.0.3 * Spicy to 1.1.0 * Alpine to 3.14 * NGINX to 1.20.1 * Linux kernel to 5.10 (for ISO installs) * urllib3 to 1.26.5 (cisagov#169)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
🐛 Summary
What's wrong? Please be specific.
LDAP Bind credentials in this file are readable by anyone. Can we put some permissions on the file when it gets created in the nginx entrypoint?
-rw-r--r-- /var/lib/docker/overlay2/*****/diff/etc/nginx/nginx_ldap_rt.conf
To reproduce
Steps to reproduce the behavior:
Expected behavior
Readable only by user running nginx
What did you expect to happen that didn't?
Any helpful log output or screenshots
Paste the results here:
Add any screenshots of the problem here.
The text was updated successfully, but these errors were encountered: