Lib.rs

Cryptography
#file #antivirus #security #secure #yara #scanning #static-analysis

app leguichet

One way diodes with antiviral and yara scanning

Owned by sn-anssi.

4 releases

0.1.9 Jun 28, 2020
0.1.8 Jul 16, 2019
0.1.7 Jul 15, 2019
0.1.6 Jul 13, 2019

#1288 in Cryptography

GPL-3.0 license

105KB
2K SLoC

Dependency Status Build Status License: GPL v3 codecov

LeGuichet RER

Le-Guichet

Le-Guichet is a decontamination station prototype aka "white station" written in Rust, fast, secure and multithreaded.

Untrusted files are deposited (via rsync over ssh) in the entry window (in) and automatically scanned by an antivirus server (clamav-daemon API). If a file is considered unhealthy, it is logged/hashed and immediately deleted. Files considered as healthy are also logged and hashed (sha256) but sent (with associated hashes) to the transit window through an unidirectional software diode (named pipe) where they are logged and hashed again. A static analysis is made on files using libyara and a report is generated if one rule or more matched. Finally, files in transit are transfered to the output window through another software diode.

Security

  • Memory-safe

  • Thread-safe

  • No unsafe code

  • Mode 2 seccomp (x86_64 and aarch64 supported)

  • Tested with cargo audit & Clippy

  • Daemons are all running with unprivileged users

  • Systemd protections per daemon:

    • SystemCallFilter=~ptrace ( Disable ptrace )
    • PrivateDevices=yes ( Limited access to /dev )
    • ProtectSystem=full ( /usr, /boot and /etc are mounted read-only )
    • InaccessiblePaths=/proc ( /proc is simply unreachable )
    • RemoveIPC=true (All POSIX IPCs are removed when the unit is stopped)
    • RestrictSUIDSGID=true (SUID/SGID are simply forbidden)
    • ProtectKernelModules=true (Explicit module loading is denied)

Note: LeGuichet has been tested with Grsecurity kernel patch. It just requires MPROTECT to be disabled on ELF binaries.

Flow chart:

LeGuichet schema

Demo Video

Le-Guichet demo video

Installation

  • Download the latest build artefact and unzip it (see the picture below) Download

  • Install required dependencies

apt-get install clamav-daemon clamav-freshclam pkg-config libyara3 git bash acl adduser

  • Update your freshclam database

  • Add the following to /etc/clamav/clamd.conf and restart the daemon :

    • TCPSocket 3310
    • TCPAddr 127.0.0.1

  • Install (tested on Debian or Debian based like Ubuntu)

sudo make install

Note: You might want to modify LeGuichet's default parameters according to your needs, by editing the following files:

sudo vi /etc/default/leguichet-in

sudo vi /etc/default/leguichet-transit

sudo vi /etc/default/leguichet-out

Installation (from sources)

  • You must have the following packages already installed on your system :
    • cargo
    • rustc

Then install the following dependencies (Debian Buster):

apt-get install clamav-daemon clamav-freshclam pkg-config libyara3 libyara-dev git bash clang-7 libclang-common-7-dev libclang-7-dev libclang-dev libclang1-7 liblzma-dev liblzma5 llvm-dev libllvm7 llvm
  • Add the following to /etc/clamav/clamd.conf and restart the daemon :
    • TCPSocket 3310
    • TCPAddr 127.0.0.1

Clone the repo:

git clone --depth=1 https://gitlab.com/r3dlight/leguichet.git
  • Get some help:
make help
  • Audit the security of the code (run cargo install cargo-audit before):
make audit
  • Build Le-Guichet binaries:
make build
  • Install on Debian or Debian based like Ubuntu (not tested on other GNU/Linux distributions)
sudo make install

Add your users

You might want to create new users belonging to the group "leguichet-in" to be able to deposit files into /home/in/, for exemple:

sudo adduser  --home /home/in --gid [LEGUICHET-IN_GID] user-in

(where LEGUICHET-IN_GID is the ID of the group leguichet-in)  

You also need to create new users belonging to group leguichet-out to be able to retrieve files from /home/out/

sudo adduser  --home /home/out --gid [LEGUICHET-OUT_GID] user-out

(where LEGUICHET-OUT_GID is the ID of the group leguichet-out)

Usage (clients)

In order to avoid leguichet-in daemon to be running under root privileges, we take advantage of the rsync binary:

To send a directory into /home/in , use rsync over ssh with --chmod=ug=rwx option :

rsync -r -e ssh --chmod=ug=rwx /path/MyFolder  user-in@IP-in:

To send a file :

rsync -e ssh --chmod=ug=rwx /path/MyFile.docx  user-in@IP-in:

To send every files in a directory:

rsync -r -e ssh --chmod=ug=rwx /path/MyFolder/  user-in@IP-in:

user-out can simply login with ssh to get the files back.  

To uninstall Le-Guichet:

sudo make uninstall

To do

  • Add entropy detection for transiting files
  • Be able to read a config.toml
  • Debian packaging via Cargo

Dependencies

~23–36MB
~700K SLoC