diff --git a/configure.ac b/configure.ac
index d50d565212..c42396cdab 100644
--- a/configure.ac
+++ b/configure.ac
@@ -209,6 +209,7 @@ AC_CHECK_FUNCS([gethostname inet_ntoa uname])
 AC_CHECK_FUNCS([gettimeofday clock_gettime utime strptime tzset localtime_r])
 AC_CHECK_FUNCS([socket setenv select putenv dup2 endgrent endpwent atexit munmap])
+ AC_CHECK_FUNCS([setrlimit])
 AC_CHECK_FUNCS([fwrite_unlocked])
diff --git a/doc/userguide/configuration/landlock.rst b/doc/userguide/configuration/landlock.rst
index 00d0660c85..65c7e8135b 100644
--- a/doc/userguide/configuration/landlock.rst
+++ b/doc/userguide/configuration/landlock.rst
@@ -1,3 +1,5 @@
+.. _landlock:
+
 Using Landlock LSM
 ==================
diff --git a/doc/userguide/configuration/suricata-yaml.rst b/doc/userguide/configuration/suricata-yaml.rst
index 27d6949b91..5b4caea75b 100644
--- a/doc/userguide/configuration/suricata-yaml.rst
+++ b/doc/userguide/configuration/suricata-yaml.rst
@@ -2613,3 +2613,25 @@ detect thread. For each output script, a single state is used. Keep in mind that a rule reload temporary doubles the states requirement. .. _deprecation policy: https://suricata.io/about/deprecation-policy/ + +.. _suricata-yaml-config-hardening: + +Configuration hardening +----------------------- + +The `security` section of suricata.yaml is meant to provide in-depth security configuration options. + +Besides landlock, (see :ref:`landlock`), one setting is available. +`limit-noproc` is a boolean to prevent process creation by Suricata. +If you do not need Suricata to create other processes or threads +(you may need it for LUA scripts for instance or plugins), enable this to +call `setrlimit` with `RLIMIT_NPROC` argument (see `man setrlimit`). +This prevents potential exploits against Suricata to fork a new process, +even if it does not prevent the call of `exec`. + +Warning! This has no effect on Linux when running as root. If you want a hardened configuration, +you probably want to set `run-as` configuration parameter so as to drop root privileges. + +Beyond suricata.yaml, other ways to harden Suricata are +- compilation : enabling ASLR and other exploit mitigation techniques. +- environment : running Suricata on a device that has no direct access to Internet. diff --git a/doc/userguide/upgrade.rst b/doc/userguide/upgrade.rst index 9f2df10ef5..706ba14a96 100644 --- a/doc/userguide/upgrade.rst +++ b/doc/userguide/upgrade.rst @@ -37,6 +37,11 @@ Major changes ~~~~~~~~~~~~~ - Upgrade of PCRE1 to PCRE2. See :ref:`pcre-update-v1-to-v2` for more details. +Security changes +~~~~~~~~~~~~~~~~ +- suricata.yaml now prevents process creation by Suricata by default with `security.limit-noproc`. + For more info, see :ref:`suricata-yaml-config-hardening`. + Removals ~~~~~~~~ - The libprelude output plugin has been removed. diff --git a/src/suricata.c b/src/suricata.c index 335d6e301f..74078c1d70 100644 --- a/src/suricata.c +++ b/src/suricata.c 
@@ -30,6 +30,12 @@
 #if HAVE_SIGNAL_H
 #include
 #endif
+#ifndef OS_WIN32
+#ifdef HAVE_SYS_RESOURCE_H
+// setrlimit
+#include
+#endif
+#endif
 #if HAVE_LIBSYSTEMD
 #include
@@ -2903,6 +2909,26 @@ int SuricataMain(int argc, char **argv)
 "aborting...");
 }
+ int limit_nproc = 0;
+ if (ConfGetBool("security.limit-noproc", &limit_nproc) == 0) {
+ limit_nproc = 0;
+ }
+ if (limit_nproc) {
+#ifdef HAVE_SYS_RESOURCE_H
+#ifdef linux
+ if (geteuid() == 0) {
+ SCLogWarning(SC_ERR_SYSCONF, "setrlimit has no effet when running as root.");
+ }
+#endif
+ struct rlimit r = { 0, 0 };
+ if (setrlimit(RLIMIT_NPROC, &r) != 0) {
+ SCLogWarning(SC_ERR_SYSCONF, "setrlimit failed to prevent process creation.");
+ }
+#else
+ SCLogWarning(SC_ERR_SYSCONF, "setrlimit unavailable.");
+#endif
+ }
+
 SC_ATOMIC_SET(engine_stage, SURICATA_RUNTIME);
 PacketPoolPostRunmodes();
diff --git a/suricata.yaml.in b/suricata.yaml.in
index a817ad1558..e1a2ca932d 100644
--- a/suricata.yaml.in
+++ b/suricata.yaml.in
@@ -1104,6 +1104,9 @@ asn1-max-frames: 256
 # group: suri
 security:
+ # if true, prevents process creation from Suricata by calling
+ # setrlimit(RLIMIT_NPROC, 0)
+ limit-noproc: true
 # Use landlock security module under Linux
 landlock:
 enabled: no
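Review bot: The `setrlimit(RLIMIT_NPROC, &r)` call with a zero hard limit lands just before `engine_stage` is set to `SURICATA_RUNTIME`, and on Linux RLIMIT_NPROC counts threads as well as processes (setrlimit(2)), so any `pthread_create` issued after this point — by a plugin, a Lua script, or a later reload or unix-socket path, if any of those spawn threads — fails with EAGAIN with nothing in the log tying it to this option; an info-level line such as `SCLogInfo("security.limit-noproc: process and thread creation is now blocked");` on the success path would make that diagnosable. The block is gated on `HAVE_SYS_RESOURCE_H` while the configure.ac hunk only adds `AC_CHECK_FUNCS([setrlimit])`, which defines `HAVE_SETRLIMIT`; unless a header check already exists elsewhere in configure.ac, the feature silently compiles out to the "setrlimit unavailable." warning, so `#if defined(HAVE_SETRLIMIT) && defined(HAVE_SYS_RESOURCE_H)` would tie the code to the check this commit adds. `#ifdef linux` depends on a GNU-dialect predefined macro that is absent under `-std=c11`; `#ifdef __linux__` is the portable spelling, and since the kernel exempts real UID 0 and holders of CAP_SYS_ADMIN/CAP_SYS_RESOURCE rather than the effective UID, the `geteuid() == 0` warning may miss the case where run-as drops the user but keeps those capabilities. The warning text also misspells "effect" (`"setrlimit has no effet when running as root."`). SuricataMain begins and ends outside this hunk.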
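Review bot: The comment added above `limit-noproc: true` describes the option as preventing process creation only, but on Linux RLIMIT_NPROC also counts threads and the limit is not enforced for root — both points the user-guide hunk in this commit makes, and both matter when the shipped default is `true`. Suggest widening the comment to `# if true, prevents process and (on Linux) thread creation by calling setrlimit(RLIMIT_NPROC, 0).` followed by `# Not enforced when running as root; disable it if Lua scripts or plugins need to spawn anything.`.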