with setrlimit NPROC.
So that, if Suricata wants to execve or such to create a new process,
the OS will forbid it, so that RCE exploits are more painful to write.
Ticket: #5373
AC_CHECK_FUNCS([gethostname inet_ntoa uname])
AC_CHECK_FUNCS([gettimeofday clock_gettime utime strptime tzset localtime_r])
AC_CHECK_FUNCS([socket setenv select putenv dup2 endgrent endpwent atexit munmap])
+ AC_CHECK_FUNCS([setrlimit])
AC_CHECK_FUNCS([fwrite_unlocked])
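Review bot: the feature test added here is for the function `setrlimit`, but the C code in this change compiles the call under `HAVE_SYS_RESOURCE_H`, which this hunk does not define; either add `AC_CHECK_HEADERS([sys/resource.h])` next to it or guard the code on `HAVE_SETRLIMIT`, so that the configure check actually decides whether the call is built.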
+.. _landlock:
+
Using Landlock LSM
==================
mind that a rule reload temporary doubles the states requirement.
.. _deprecation policy: https://suricata.io/about/deprecation-policy/
+
+.. _suricata-yaml-config-hardening:
+
+Configuration hardening
+-----------------------
+
+The `security` section of suricata.yaml is meant to provide in-depth security configuration options.
+
+Besides landlock, (see :ref:`landlock`), one setting is available.
+`limit-noproc` is a boolean to prevent process creation by Suricata.
+If you do not need Suricata to create other processes or threads
+(you may need it for LUA scripts for instance or plugins), enable this to
+call `setrlimit` with `RLIMIT_NPROC` argument (see `man setrlimit`).
+This prevents potential exploits against Suricata to fork a new process,
+even if it does not prevent the call of `exec`.
+
+Warning! This has no effect on Linux when running as root. If you want a hardened configuration,
+you probably want to set `run-as` configuration parameter so as to drop root privileges.
+
+Beyond suricata.yaml, other ways to harden Suricata are
+- compilation : enabling ASLR and other exploit mitigation techniques.
+- environment : running Suricata on a device that has no direct access to Internet.
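Review bot: reStructuredText needs a blank line between `Beyond suricata.yaml, other ways to harden Suricata are` and the `-` items, otherwise the two bullets render as part of the preceding paragraph; the `Warning!` paragraph would read better as a `.. warning::` directive, in keeping with the rest of the manual, and `LUA` should be spelled `Lua`. Since the text itself says the setting blocks `other processes or threads`, it would help to state plainly that any thread Suricata starts after the limit is applied will fail, which is what makes the Lua/plugin caveat matter.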
~~~~~~~~~~~~~
- Upgrade of PCRE1 to PCRE2. See :ref:`pcre-update-v1-to-v2` for more details.
+Security changes
+~~~~~~~~~~~~~~~~
+- suricata.yaml now prevents process creation by Suricata by default with `security.limit-noproc`.
+ For more info, see :ref:`suricata-yaml-config-hardening`.
+
Removals
~~~~~~~~
- The libprelude output plugin has been removed.
#if HAVE_SIGNAL_H
#include <signal.h>
#endif
+#ifndef OS_WIN32
+#ifdef HAVE_SYS_RESOURCE_H
+// setrlimit
+#include <sys/resource.h>
+#endif
+#endif
#if HAVE_LIBSYSTEMD
#include <systemd/sd-daemon.h>
"aborting...");
}
+ int limit_nproc = 0;
+ if (ConfGetBool("security.limit-noproc", &limit_nproc) == 0) {
+ limit_nproc = 0;
+ }
+ if (limit_nproc) {
+#ifdef HAVE_SYS_RESOURCE_H
+#ifdef linux
+ if (geteuid() == 0) {
+ SCLogWarning(SC_ERR_SYSCONF, "setrlimit has no effet when running as root.");
+ }
+#endif
+ struct rlimit r = { 0, 0 };
+ if (setrlimit(RLIMIT_NPROC, &r) != 0) {
+ SCLogWarning(SC_ERR_SYSCONF, "setrlimit failed to prevent process creation.");
+ }
+#else
+ SCLogWarning(SC_ERR_SYSCONF, "setrlimit unavailable.");
+#endif
+ }
+
SC_ATOMIC_SET(engine_stage, SURICATA_RUNTIME);
PacketPoolPostRunmodes();
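Review bot: typo in the log message on the root branch, `effet` should be `effect`; `#ifdef linux` should be `#ifdef __linux__`, because the bare `linux` macro is not defined when compiling with a strict `-std=c99`/`-std=c11` flag, so the warning would silently disappear; and the failure branch drops `errno`, so consider `SCLogWarning(SC_ERR_SYSCONF, "setrlimit failed to prevent process creation: %s", strerror(errno));` (with `<errno.h>`/`<string.h>` included). Because `r` sets both the soft and the hard limit to 0 the change is irreversible for the process, which is the intent, but a one-line comment saying so would help the next reader.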
# group: suri
security:
+ # if true, prevents process creation from Suricata by calling
+ # setrlimit(RLIMIT_NPROC, 0)
+ limit-noproc: true
# Use landlock security module under Linux
landlock:
enabled: no
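Review bot: the comment `setrlimit(RLIMIT_NPROC, 0)` is not the real call (the second argument is a `struct rlimit *` with both soft and hard limit set to 0), so reword it; more importantly, shipping `limit-noproc: true` by default means any deployment that relies on Lua scripts or plugins creating processes or threads (the case the new documentation section calls out) will see those fail after upgrade, so either default to `false` with a recommendation to enable it, or make sure the upgrade notes state the behaviour change explicitly.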