TKL image security

NowellMorris

Does TKL have a network security scan run against it on candidate/release? I would be interested to know how the core stands up against the usual security scanning tools in the industry. Essentially, does core represent a fairly secure image, or is it running wide open asking for attacks? I am sure it is not running wide open, but I am sure you can understand where I am coming from.

Is there a 'hardening' or security state that has to be met before core is graduated to a release and used for downstream apps/images?  Maybe I have overlooked this somewhere?

Jeremy Davis

We double check for errant open ports as a matter of course. And starting with v14.0 we also run the servers through SSL tests (e.g. SSLLabs). To date we have only tested the self-signed certs that are generated on firstboot. That means that the overall score is not super great (self-signed certs can't ever get a decent score). However, ignoring the score reduction due to self-signed certs, all our v14.1 servers got highest possible marks related to SSL configuration (at the time of release). AFAIK they are not currently vulnerable to any known patchable SSL attacks.

The vast majority of software (generally all fundamental components) comes direct from the Debian repos. All packages are signed by the Debian release team, and signatures and checksums are auto-verified by apt during install. So we mostly piggyback off their incredible security track record. FTR it's not that they don't ever have security bugs, but that they quickly release patched updates and TurnKey is configured to auto install them!

Both Alon and Liraz are very security conscious (both have history working in the InfoSec realm prior to TurnKey). We audit our own software and do the best we can to verify upstream software is legitimate. It should be noted that we do not do a full code review of all the upstream software we use.

So I would assert that TurnKey image security is "pretty good" and in context, OOTB a fresh release should be on par with any other Debian based distro. The possible/probable exception is on appliances that are getting a bit long in the tooth and include old versions of upstream software installed from source. Assuming that the end user takes responsibility for updating third party upstream software, then I would argue that the security of our images would be totally adequate for most purposes.

Having said all the above, I'm sure we could do better!

For starters, doing more regular releases (with up to date upstream source) is something that I have been working towards in the background for a long while now (improving our build infrastructure and workflow to reduce friction). Better documenting what software isn't from the Debian repos (and where/how it is installed, how to update it, etc.) is also something that needs serious improvement. We have been doing that app-by-app over the last year or so, but we haven't got as far as I'd like, so after the next release I'm hoping that I can

Also there are steps that can be taken to harden things. Such as disabling/removing unrequired services; e.g. Webshell, Webmin, etc. Also enabling the firewall (it's configured by default, but not enabled). That all needs to be clearly documented somewhere though. Some sort of TurnKey hardening/"security best practices" documentation. It's been on my todo list for years now (literally) but I am yet to find the time.

So bottom line, yes, we take security seriously. However, we do have a labour bottleneck. Anything the community can do to help out is always warmly welcomed. Obviously, users getting their hands dirty and getting into the code is ideal. But every little bit helps. Providing feedback, noting issues and asking good questions (like your post here) all help. So thanks!

If you have suggestions on what you would like to see (e.g. specific tests and/or test suites) and/or can assist us in testing etc., we'd love your input! :)
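The "errant open ports" check and the advice to disable unrequired services above can be turned into a small self-check. This is an added example, not TurnKey's own tooling: it reads `ss -tlnH`-style output (a constructed sample is embedded, not a real appliance), ignores loopback-only listeners, and reports every remotely reachable port that is not on an assumed allowlist of 22 and 443.

```shell
#!/bin/sh
# Added example: flag listening TCP sockets that are reachable from the
# network and not on the expected-ports allowlist. Format of each input
# line matches `ss -tlnH`: State Recv-Q Send-Q Local:Port Peer:Port

# Constructed sample output (not captured from a real host). The two high
# ports stand in for admin consoles left enabled on a fresh install.
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 0.0.0.0:443 0.0.0.0:*
LISTEN 0 128 127.0.0.1:3306 0.0.0.0:*
LISTEN 0 128 *:12320 *:*
LISTEN 0 128 [::]:12321 [::]:*'

# Assumption: the appliance should only expose SSH and HTTPS.
ALLOWED_PORTS="22 443"

# Reads ss lines on stdin; prints "<addr> <port>" for each unexpected
# listener. Loopback-only sockets are skipped: they are not remotely
# reachable, so they are not an exposure in themselves.
find_unexpected_listeners() {
    while read -r state _recvq _sendq laddr _peer; do
        if [ "$state" != "LISTEN" ]; then continue; fi
        port=${laddr##*:}   # text after the last colon
        addr=${laddr%:*}    # everything before it (IPv4, *, or [v6])
        case "$addr" in
            127.*|"[::1]") continue ;;
        esac
        allowed=0
        for p in $ALLOWED_PORTS; do
            if [ "$p" = "$port" ]; then allowed=1; fi
        done
        if [ "$allowed" -eq 0 ]; then printf '%s %s\n' "$addr" "$port"; fi
    done
    return 0
}

# Runs the check on the sample; returns 0 when nothing unexpected listens,
# 1 otherwise (so it can gate a release script). On a live host replace
# the sample with: ss -tlnH | find_unexpected_listeners
audit_sample() {
    findings=$(printf '%s\n' "$SAMPLE_SS" | find_unexpected_listeners)
    if [ -n "$findings" ]; then
        printf 'unexpected listeners:\n%s\n' "$findings"
        return 1
    fi
    echo "no unexpected listeners"
}
```

Anything this reports should either be justified and added to the allowlist, disabled, or restricted to loopback or the firewall before the image ships.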
