Introduction and Principle of Least Privilege
Overview and Principle of Least Privilege
Jerome Saltzer, American computer scientist.
Least privilege: Every program and every user of the system should operate using the least set of privileges necessary to complete the job
Least privilege ensures that the impact of a compromise is as small as possible.
Redis Horror Story #2
Vocabulary: ransom (赎金)
https://duo.com/decipher/over-18000-redis-instances-targeted-by-fake-ransomware
Lessons:
- Enable authentication or ACLs
- Do not run Redis as a privileged user (root or a user with sudo rights)
- Apply the principle of least privilege
Some dangerous commands, such as CONFIG, are completely disabled in Redis Enterprise.
Access Control Lists
The ACL commands belong to the server group:
127.0.0.1:6379> help @server
ACL CAT [categoryname]
summary: List the ACL categories or the commands inside a category
since: 6.0.0
ACL DELUSER username [username ...]
summary: Remove the specified ACL users and the associated rules
since: 6.0.0
ACL GENPASS [bits]
summary: Generate a pseudorandom secure password to use for ACL users
since: 6.0.0
ACL GETUSER username
summary: Get the rules for a specific ACL user
since: 6.0.0
ACL HELP -
summary: Show helpful text about the different subcommands
since: 6.0.0
ACL LIST -
summary: List the current ACL rules in ACL config file format
since: 6.0.0
ACL LOAD -
summary: Reload the ACLs from the configured ACL file
since: 6.0.0
ACL LOG [count or RESET]
summary: List latest events denied because of ACLs in place
since: 6.0.0
ACL SAVE -
summary: Save the current ACL rules in the configured ACL file
since: 6.0.0
ACL SETUSER username [rule [rule ...]]
summary: Modify or create the rules for a specific ACL user
since: 6.0.0
ACL USERS -
summary: List the username of all the configured ACL rules
since: 6.0.0
ACL WHOAMI -
summary: Return the name of the user associated to the current connection
since: 6.0.0
BGREWRITEAOF -
summary: Asynchronously rewrite the append-only file
since: 1.0.0
BGSAVE [SCHEDULE]
summary: Asynchronously save the dataset to disk
since: 1.0.0
COMMAND -
summary: Get array of Redis command details
since: 2.8.13
COMMAND COUNT -
summary: Get total number of Redis commands
since: 2.8.13
COMMAND GETKEYS -
summary: Extract keys given a full Redis command
since: 2.8.13
COMMAND INFO command-name [command-name ...]
summary: Get array of specific Redis command details
since: 2.8.13
CONFIG GET parameter
summary: Get the value of a configuration parameter
since: 2.0.0
CONFIG RESETSTAT -
summary: Reset the stats returned by INFO
since: 2.0.0
CONFIG REWRITE -
summary: Rewrite the configuration file with the in memory configuration
since: 2.8.0
CONFIG SET parameter value
summary: Set a configuration parameter to the given value
since: 2.0.0
DBSIZE -
summary: Return the number of keys in the selected database
since: 1.0.0
DEBUG OBJECT key
summary: Get debugging information about a key
since: 1.0.0
DEBUG SEGFAULT -
summary: Make the server crash
since: 1.0.0
FLUSHALL [ASYNC]
summary: Remove all keys from all databases
since: 1.0.0
FLUSHDB [ASYNC]
summary: Remove all keys from the current database
since: 1.0.0
INFO [section]
summary: Get information and statistics about the server
since: 1.0.0
LASTSAVE -
summary: Get the UNIX time stamp of the last successful save to disk
since: 1.0.0
LATENCY DOCTOR -
summary: Return a human readable latency analysis report.
since: 2.8.13
LATENCY GRAPH event
summary: Return a latency graph for the event.
since: 2.8.13
LATENCY HELP -
summary: Show helpful text about the different subcommands.
since: 2.8.13
LATENCY HISTORY event
summary: Return timestamp-latency samples for the event.
since: 2.8.13
LATENCY LATEST -
summary: Return the latest latency samples for all events.
since: 2.8.13
LATENCY RESET [event [event ...]]
summary: Reset latency data for one or more events.
since: 2.8.13
LOLWUT [VERSION version]
summary: Display some computer art and the Redis version
since: 5.0.0
MEMORY DOCTOR -
summary: Outputs memory problems report
since: 4.0.0
MEMORY HELP -
summary: Show helpful text about the different subcommands
since: 4.0.0
MEMORY MALLOC-STATS -
summary: Show allocator internal stats
since: 4.0.0
MEMORY PURGE -
summary: Ask the allocator to release memory
since: 4.0.0
MEMORY STATS -
summary: Show memory usage details
since: 4.0.0
MEMORY USAGE key [SAMPLES count]
summary: Estimate the memory usage of a key
since: 4.0.0
MODULE LIST -
summary: List all modules loaded by the server
since: 4.0.0
MODULE LOAD path [arg]
summary: Load a module
since: 4.0.0
MODULE UNLOAD name
summary: Unload a module
since: 4.0.0
MONITOR -
summary: Listen for all requests received by the server in real time
since: 1.0.0
PSYNC replicationid offset
summary: Internal command used for replication
since: 2.8.0
REPLICAOF host port
summary: Make the server a replica of another instance, or promote it as master.
since: 5.0.0
ROLE -
summary: Return the role of the instance in the context of replication
since: 2.8.12
SAVE -
summary: Synchronously save the dataset to disk
since: 1.0.0
SHUTDOWN [NOSAVE|SAVE]
summary: Synchronously save the dataset to disk and then shut down the server
since: 1.0.0
SLAVEOF host port
summary: Make the server a replica of another instance, or promote it as master. Deprecated starting with Redis 5. Use REPLICAOF instead.
since: 1.0.0
SLOWLOG subcommand [argument]
summary: Manages the Redis slow queries log
since: 2.2.12
SWAPDB index1 index2
summary: Swaps two Redis databases
since: 4.0.0
SYNC -
summary: Internal command used for replication
since: 1.0.0
TIME -
summary: Return the current server time
since: 2.6.0
ACL Concepts
Redis 6.0 and later support ACLs, meaning multiple users are allowed and permissions can be granted per user.
Benefits of ACLs:
- Restrict commands and keys
- Limit the impact of a compromise
Users can be assigned roles, for example a read-only role and a read-write role in the Pub/Sub model.
Role-based access control (RBAC) is supported only in Redis Enterprise.
Practical ACLs with Redis
First, create an administrator user:
acl setuser adm01 on >Welcome1 +@admin
Then log in as the administrator user:
127.0.0.1:6379> auth adm01 Welcome1
OK
127.0.0.1:6379> config get *
1) "rdbchecksum"
2) "yes"
3) "daemonize"
4) "no"
...
127.0.0.1:6379> acl list
1) "user adm01 on #7e19e31ae82d749034fc921f777f717ba5b57c6add9add889eb536ac6effcde0 -@all +@admin"
2) "user default on #1b58ee375b42e41f0e48ef2ff27d10a5b1f6924a9acdcdba7cae868e7adce6bf ~* +@all"
Once the administrator user exists, the principle of least privilege says the default user can be disabled:
acl setuser default off
Next, create a developer user:
acl setuser dev01 on >Welcome1 allcommands -@dangerous +acl|whoami allkeys
Then log in as developer dev01; in the rule above, what follows > is the password:
127.0.0.1:6379> auth dev01 Welcome1
OK
127.0.0.1:6379> acl whoami
"dev01"
127.0.0.1:6379> acl list
(error) NOPERM this user has no permissions to run the 'acl' command or its subcommand
127.0.0.1:6379> keys *
(error) NOPERM this user has no permissions to run the 'keys' command or its subcommand
127.0.0.1:6379> config get *
(error) NOPERM this user has no permissions to run the 'config' command or its subcommand
127.0.0.1:6379> set foo bar
OK
127.0.0.1:6379> get foo
"bar"
List the commands in the dangerous category:
127.0.0.1:6379> acl cat dangerous
1) "role"
2) "acl"
3) "swapdb"
4) "psync"
5) "debug"
6) "pfdebug"
7) "slowlog"
8) "restore"
9) "bgrewriteaof"
10) "keys"
11) "bgsave"
12) "latency"
13) "slaveof"
14) "info"
15) "sort"
16) "flushall"
17) "client"
18) "flushdb"
19) "save"
20) "pfselftest"
21) "cluster"
22) "config"
23) "module"
24) "replconf"
25) "lastsave"
26) "migrate"
27) "shutdown"
28) "replicaof"
29) "restore-asking"
30) "monitor"
31) "sync"
List the ACL command categories:
127.0.0.1:6379> acl cat
1) "keyspace"
2) "read"
3) "write"
4) "set"
5) "sortedset"
6) "list"
7) "hash"
8) "string"
9) "bitmap"
10) "hyperloglog"
11) "geo"
12) "stream"
13) "pubsub"
14) "admin"
15) "fast"
16) "slow"
17) "blocking"
18) "dangerous"
19) "connection"
20) "transaction"
21) "scripting"
Finally, create an application user:
acl setuser app01 on >Welcome1 +set +get ~cache:*
Then log in as the application user:
127.0.0.1:6379> auth app01 Welcome1
OK
127.0.0.1:6379> set data:123 hello
(error) NOPERM this user has no permissions to access one of the keys used as arguments
127.0.0.1:6379> set cache:123 hello
OK
127.0.0.1:6379> get cache:123
"hello"
Administering Redis ACLs
Users can be defined in an ACL file; in that case, user directives cannot also be defined in redis.conf:
$ cat redis.conf |grep ^aclfile
aclfile /home/vagrant/redis-stable/users.acl
# user default on >foobared allcommands allkeys
Contents of the ACL file:
$ cat users.acl
user default off
user adm01 on #7e19e31ae82d749034fc921f777f717ba5b57c6add9add889eb536ac6effcde0 +@admin
user dev01 on #7e19e31ae82d749034fc921f777f717ba5b57c6add9add889eb536ac6effcde0 allcommands -@dangerous +acl|whoami allkeys
user app01 on #7e19e31ae82d749034fc921f777f717ba5b57c6add9add889eb536ac6effcde0 +set +get ~cache:*
Here, what follows # is the SHA-256 hash of the password, generated with sha256sum:
$ echo -n 'Welcome1'|sha256sum
7e19e31ae82d749034fc921f777f717ba5b57c6add9add889eb536ac6effcde0 -
After enabling ACLs, some system parameters need to be changed, such as open files; see here for the method.
Newly created users are also stored in the ACL file:
$ redis-cli
127.0.0.1:6379> auth adm01 Welcome1
OK
127.0.0.1:6379> acl setuser user01 on >Welcome1 +@admin
OK
127.0.0.1:6379> acl list
1) "user adm01 on #7e19e31ae82d749034fc921f777f717ba5b57c6add9add889eb536ac6effcde0 -@all +@admin"
2) "user app01 on #7e19e31ae82d749034fc921f777f717ba5b57c6add9add889eb536ac6effcde0 ~cache:* -@all +set +get"
3) "user default off -@all"
4) "user dev01 on #7e19e31ae82d749034fc921f777f717ba5b57c6add9add889eb536ac6effcde0 ~* +@all -@dangerous +acl|whoami"
5) "user user01 on #7e19e31ae82d749034fc921f777f717ba5b57c6add9add889eb536ac6effcde0 -@all +@admin"
127.0.0.1:6379> acl save
OK
127.0.0.1:6379> acl save
OK
127.0.0.1:6379> exit
[vagrant@ol7-vagrant redis-stable]$ cat users.acl
user adm01 on #7e19e31ae82d749034fc921f777f717ba5b57c6add9add889eb536ac6effcde0 -@all +@admin
user app01 on #7e19e31ae82d749034fc921f777f717ba5b57c6add9add889eb536ac6effcde0 ~cache:* -@all +set +get
user default off -@all
user dev01 on #7e19e31ae82d749034fc921f777f717ba5b57c6add9add889eb536ac6effcde0 ~* +@all -@dangerous +acl|whoami
user user01 on #7e19e31ae82d749034fc921f777f717ba5b57c6add9add889eb536ac6effcde0 -@all +@admin
ACL LOAD
This loads the ACL file into a production Redis instance.
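The following Python is an added worked example, not code from the course, from this page, or from Redis itself. It simulates how Redis 6 evaluates the ACL rules used in the sections above and parses a users.acl file of the shape just shown. Its category table is a constructed subset: @dangerous is copied from the page's acl cat dangerous output, @admin is an assumed partial list, and @all covers only the commands the example exercises. The embedded users.acl is constructed from the page's users, written with >Welcome1 instead of the stored #<sha256> form so the password is visible.

```python
"""Simulator of Redis 6 ACL rule evaluation (added example; not code from the page
or from Redis). It shows how rules such as 'allcommands -@dangerous +acl|whoami
allkeys' compose, and parses a users.acl file of the shape shown on the page."""
import fnmatch
import hashlib

# Constructed category table (subset). @dangerous is copied from the page's
# 'acl cat dangerous' output; @admin is an ASSUMED partial list; @all covers
# only the commands this example exercises.
DANGEROUS = {"role", "acl", "swapdb", "psync", "debug", "pfdebug", "slowlog",
             "restore", "bgrewriteaof", "keys", "bgsave", "latency", "slaveof",
             "info", "sort", "flushall", "client", "flushdb", "save", "pfselftest",
             "cluster", "config", "module", "replconf", "lastsave", "migrate",
             "shutdown", "replicaof", "restore-asking", "monitor", "sync"}
ADMIN = {"acl", "config", "debug", "module", "monitor", "shutdown", "save",
         "bgsave", "flushall", "flushdb", "client", "slowlog", "latency"}  # assumed
CATEGORIES = {"dangerous": DANGEROUS, "admin": ADMIN,
              "all": DANGEROUS | ADMIN | {"set", "get", "hgetall", "scan", "auth"}}
KEY_ARG = {"set": 1, "get": 1, "hgetall": 1}  # argument position of the key
NOPERM_CMD = "NOPERM this user has no permissions to run the '{}' command or its subcommand"
NOPERM_KEY = "NOPERM this user has no permissions to access one of the keys used as arguments"

def password_hash(password):
    """ACL stores SHA-256 hex digests: '>pw' is hashed, '#hex' is stored as given."""
    return hashlib.sha256(password.encode()).hexdigest()

class AclUser:
    def __init__(self):
        # A freshly created user is off, has no passwords, no commands (-@all) and no keys.
        self.enabled, self.passwords, self.commands = False, set(), set()
        self.subcommands, self.key_patterns = set(), []

    def apply(self, *rules):
        """Rules take effect left to right, so a later rule overrides an earlier one."""
        for rule in rules:
            if rule == "on": self.enabled = True
            elif rule == "off": self.enabled = False
            elif rule in ("allcommands", "+@all"):
                self.commands, self.subcommands = set(CATEGORIES["all"]), set()
            elif rule in ("nocommands", "-@all"):
                self.commands, self.subcommands = set(), set()
            elif rule in ("allkeys", "~*"): self.key_patterns = ["*"]
            elif rule.startswith(">"): self.passwords.add(password_hash(rule[1:]))
            elif rule.startswith("#"): self.passwords.add(rule[1:])
            elif rule.startswith("~"): self.key_patterns.append(rule[1:])
            elif rule.startswith("+@"): self.commands |= CATEGORIES[rule[2:]]
            elif rule.startswith("-@"): self.commands -= CATEGORIES[rule[2:]]
            elif rule.startswith("+") and "|" in rule: self.subcommands.add(rule[1:].lower())
            elif rule.startswith("+"): self.commands.add(rule[1:].lower())
            elif rule.startswith("-"): self.commands.discard(rule[1:].lower())
            else: raise ValueError("unknown ACL rule: " + rule)
        return self

    def authenticate(self, password):
        return self.enabled and password_hash(password) in self.passwords

    def check(self, commandline):
        """Mimic the server: the command check runs first, then the key patterns."""
        parts = commandline.split()
        cmd = parts[0].lower()
        sub_ok = len(parts) > 1 and f"{cmd}|{parts[1].lower()}" in self.subcommands
        if cmd not in self.commands and not sub_ok:
            return NOPERM_CMD.format(cmd)
        if cmd in KEY_ARG:
            key = parts[KEY_ARG[cmd]]
            if not any(fnmatch.fnmatchcase(key, p) for p in self.key_patterns):
                return NOPERM_KEY
        return "OK"

def load_acl_file(text):
    """Parse users.acl lines of the form 'user <name> <rule> ...'."""
    users = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"): continue  # blank line or comment
        if fields[0] != "user": raise ValueError("bad ACL line: " + line)
        users[fields[1]] = AclUser().apply(*fields[2:])
    return users

# Constructed users.acl mirroring the page's users; '>Welcome1' is used here so
# the password is visible (a real file stores '#<sha256>', as on the page).
USERS_ACL = """\
user default off -@all
user adm01 on >Welcome1 -@all +@admin
user dev01 on >Welcome1 allcommands -@dangerous +acl|whoami allkeys
user app01 on >Welcome1 +set +get ~cache:*
"""

def page_scenarios():
    """Replay the page's redis-cli session against the simulator."""
    u = load_acl_file(USERS_ACL)
    return {"default_auth": u["default"].authenticate("Welcome1"),
            "adm01_config": u["adm01"].check("config get *"),
            "dev01_acl_whoami": u["dev01"].check("acl whoami"),
            "dev01_acl_list": u["dev01"].check("acl list"),
            "dev01_keys": u["dev01"].check("keys *"),
            "dev01_set": u["dev01"].check("set foo bar"),
            "app01_set_data": u["app01"].check("set data:123 hello"),
            "app01_set_cache": u["app01"].check("set cache:123 hello")}
```

Calling page_scenarios() replays the session above: dev01 may run acl whoami but not acl list or keys *, and app01 may touch cache:123 but not data:123. Because rules apply left to right, -@all +@admin and allcommands -@dangerous +acl|whoami come out exactly as the acl list output shows them.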
Security Tip #2: Dangerous Commands
Dangerous commands fall into three groups:
- Administrative commands that create security risks, e.g. CONFIG, LASTSAVE
- Commands that hurt performance, e.g. KEYS
- Commands that hurt availability, e.g. FLUSHDB, FLUSHALL, SHUTDOWN
Security Tip #3: Redis Logging
The security-relevant logs are the ACL log and the Redis server log.
The ACL log records every failed ACL attempt, covering authentication, command execution, and key access. It is kept in memory, 128 entries by default, and the ACL LOG command displays it.
The Redis log file is useful for debugging and troubleshooting; four log levels can be configured in redis.conf:
- WARNING
- NOTICE
- VERBOSE
- DEBUG
Logs can also be sent to a remote syslog server; see the syslog-enabled, syslog-ident, and syslog-facility parameters.
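Because the ACL log lives only in memory and holds 128 entries by default, a defender normally exports and triages it periodically. The following Python is an added example, not code from the page, that does that triage offline. The field names (count, reason, context, object, username, age-seconds, client-info) are those Redis 6 returns for ACL LOG; the sample entries, client addresses and the dangerous-command subset are constructed here, and acllog-max-len is the redis.conf parameter behind the 128-entry default.

```python
"""Offline triage of Redis 6 ACL LOG output (added example; not code from the
page). Field names are those ACL LOG returns; entries and addresses are constructed."""
from collections import Counter

ACL_LOG_MAX_LEN = 128  # Redis default (redis.conf: acllog-max-len); older entries are dropped
# Subset of the page's @dangerous category, used to prioritise denied commands.
DANGEROUS_SUBSET = {"config", "flushall", "flushdb", "shutdown", "keys", "debug", "module"}

# Constructed sample: each entry is the flat field/value list redis-cli prints.
SAMPLE_ACL_LOG = [
    ["count", 1, "reason", "command", "context", "toplevel", "object", "config",
     "username", "dev01", "age-seconds", "4.12", "client-info", "id=7 addr=10.0.0.5:51122 name= db=0"],
    ["count", 3, "reason", "key", "context", "toplevel", "object", "data:123",
     "username", "app01", "age-seconds", "12.50", "client-info", "id=9 addr=10.0.0.7:40311 name= db=0"],
    ["count", 25, "reason", "auth", "context", "toplevel", "object", "AUTH",
     "username", "default", "age-seconds", "0.80", "client-info", "id=11 addr=198.51.100.23:3321 name= db=0"],
    ["count", 1, "reason", "command", "context", "toplevel", "object", "flushall",
     "username", "dev01", "age-seconds", "30.01", "client-info", "id=7 addr=10.0.0.5:51122 name= db=0"],
]


def parse_entry(flat):
    """Turn [field, value, field, value, ...] into a dict."""
    return dict(zip(flat[0::2], flat[1::2]))


def client_addr(entry):
    """Pull addr=host:port out of the client-info string."""
    kv = dict(item.split("=", 1) for item in str(entry.get("client-info", "")).split() if "=" in item)
    return kv.get("addr", "?")


def summarize(entries, auth_threshold=10):
    """Aggregate denials per (user, reason) and return findings worth a look."""
    totals = Counter()
    findings = []
    for flat in entries:
        e = parse_entry(flat)
        count = int(e["count"])
        totals[(e["username"], e["reason"])] += count
        if e["reason"] == "auth" and count >= auth_threshold:
            findings.append(f"possible password guessing: {count} failed AUTH as "
                            f"'{e['username']}' from {client_addr(e)}")
        elif e["reason"] == "command" and str(e["object"]).lower() in DANGEROUS_SUBSET:
            findings.append(f"blocked dangerous command '{e['object']}' by "
                            f"'{e['username']}' from {client_addr(e)}")
    # A full log means the oldest denials are already gone, so the picture is incomplete.
    if len(entries) >= ACL_LOG_MAX_LEN:
        findings.append("ACL LOG is at capacity; older denials have already been dropped "
                        "(raise acllog-max-len or export the log more often)")
    return totals, findings
```

summarize(SAMPLE_ACL_LOG) flags the 25 failed AUTH attempts as the default user and the two denied dangerous commands, and keeps a per-user tally of key denials such as app01 reaching outside cache:*. Pairing this export with the server log at NOTICE or above gives a record that survives a restart.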
An Attacker’s Perspective
Vocabulary: hit the jackpot (中头彩)
There are two kinds of attacker. First, the data thief:
# get a rough idea of the keys
SCAN 0 COUNT 5
# list the keys in detail
KEYS *
# watch every command
MONITOR
# check a key's type
TYPE <keyname>
# read the data with the command for that type
HGETALL <keyname>
# create a user for later access
ACL SETUSER appuser on >password +@all ~*
Then the destroyer:
# migrate the data to another Redis
MIGRATE ...
# delete the data
FLUSHALL