From: Thomas Markwalder Date: Thu, 12 Jun 2025 15:36:37 +0000 (-0400) Subject: [#3848] Updated the ARM X-Git-Tag: Kea-3.1.0~64 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8ba41dcfaf083aea1ae94372920913e49d551377;p=thirdparty%2Fkea.git [#3848] Updated the ARM new file: changelog_unreleased/3848-security-policy-security-strict-relaxed modified: doc/sphinx/arm/agent.rst modified: doc/sphinx/arm/ddns.rst modified: doc/sphinx/arm/dhcp4-srv.rst modified: doc/sphinx/arm/dhcp6-srv.rst modified: doc/sphinx/arm/security.rst --- diff --git a/changelog_unreleased/3848-security-policy-security-strict-relaxed b/changelog_unreleased/3848-security-policy-security-strict-relaxed new file mode 100644 index 0000000000..c4a4c213b0 --- /dev/null +++ b/changelog_unreleased/3848-security-policy-security-strict-relaxed @@ -0,0 +1,5 @@ +[sec]* tmark + Additional runtime security checks were added + to kea-dhcp4,kea-dhcp6,kea-dhcp-ddns, and + kea-ctrl-agent + (Gitlab #3848) diff --git a/doc/sphinx/arm/agent.rst b/doc/sphinx/arm/agent.rst index ec8c013270..e331f41958 100644 --- a/doc/sphinx/arm/agent.rst +++ b/doc/sphinx/arm/agent.rst 
@@ -285,12 +285,10 @@ Starting and Stopping the Control Agent # from sources using libcfgrpt.a $ strings src/lib/process/cfgrpt/.libs/libcfgrpt.a | sed -n 's/;;;; //p' -- ``-X`` - As of Kea 3.0, disables path and permissions restrictions. - The server will emit a warning at startup that sercurity restrictions - have been disabled. Do not use this mode of operation without careful - consideration and taking any necessary precautions. Failure to do so can - expose deployments to security vulnerabilities. For more information - please read section :ref:`securing-a-kea-deployment`. +- ``-X`` - As of Kea 3.0, disables secruity restrictions. The server will + still check for violations but will emit warning logs when they are found + rather than fail with an error. Please see + :ref:`sec-kea-runtime-security-risk-checking` for details. The CA is started by running its binary and specifying the configuration file it should use. For example: diff --git a/doc/sphinx/arm/ddns.rst b/doc/sphinx/arm/ddns.rst index 43e8702c45..9e39a4b775 100644 --- a/doc/sphinx/arm/ddns.rst +++ b/doc/sphinx/arm/ddns.rst 
@@ -163,12 +163,10 @@ directly. It accepts the following command-line switches: # from sources using libcfgrpt.a $ strings src/lib/process/cfgrpt/.libs/libcfgrpt.a | sed -n 's/;;;; //p' -- ``-X`` - As of Kea 3.0, disables path and permissions restrictions. - The server will emit a warning at startup that sercurity restrictions - have been disabled. Do not use this mode of operation without careful - consideration and taking any necessary precautions. Failure to do so can - expose deployments to security vulnerabilities. For more information - please read section :ref:`securing-a-kea-deployment`. +- ``-X`` - As of Kea 3.0, disables secruity restrictions. The server will + still check for violations but will emit warning logs when they are found + rather than fail with an error. Please see + :ref:`sec-kea-runtime-security-risk-checking` for details. Upon startup, the module loads its configuration and begins listening for NCRs based on that configuration. diff --git a/doc/sphinx/arm/dhcp4-srv.rst b/doc/sphinx/arm/dhcp4-srv.rst index 5cb383b299..95413590d0 100644 --- a/doc/sphinx/arm/dhcp4-srv.rst +++ b/doc/sphinx/arm/dhcp4-srv.rst 
@@ -78,12 +78,10 @@ the following command-line switches: # from sources using libcfgrpt.a $ strings src/lib/process/cfgrpt/.libs/libcfgrpt.a | sed -n 's/;;;; //p' -- ``-X`` - As of Kea 3.0, disables path and permissions restrictions. - The server will emit a warning at startup that sercurity restrictions - have been disabled. Do not use this mode of operation without careful - consideration and taking any necessary precautions. Failure to do so can - expose deployments to security vulnerabilities. For more information - please read section :ref:`securing-a-kea-deployment`. +- ``-X`` - As of Kea 3.0, disables secruity restrictions. The server will + still check for violations but will emit warning logs when they are found + rather than fail with an error. Please see + :ref:`sec-kea-runtime-security-risk-checking` for details. On startup, the server detects available network interfaces and attempts to open UDP sockets on all interfaces listed in the diff --git a/doc/sphinx/arm/dhcp6-srv.rst b/doc/sphinx/arm/dhcp6-srv.rst index e6e770045a..06c0e3d0b0 100644 --- a/doc/sphinx/arm/dhcp6-srv.rst +++ b/doc/sphinx/arm/dhcp6-srv.rst 
@@ -78,12 +78,10 @@ the following command-line switches: # from sources using libcfgrpt.a $ strings src/lib/process/cfgrpt/.libs/libcfgrpt.a | sed -n 's/;;;; //p' -- ``-X`` - As of Kea 3.0, disables path and permissions restrictions. - The server will emit a warning at startup that sercurity restrictions - have been disabled. Do not use this mode of operation without careful - consideration and taking any necessary precautions. Failure to do so can - expose deployments to security vulnerabilities. For more information - please read section :ref:`securing-a-kea-deployment`. +- ``-X`` - As of Kea 3.0, disables secruity restrictions. The server will + still check for violations but will emit warning logs when they are found + rather than fail with an error. Please see + :ref:`sec-kea-runtime-security-risk-checking` for details. On startup, the server detects available network interfaces and attempts to open UDP sockets on all interfaces listed in the diff --git a/doc/sphinx/arm/security.rst b/doc/sphinx/arm/security.rst index 8817da7107..c9cdce5829 100644 --- a/doc/sphinx/arm/security.rst +++ b/doc/sphinx/arm/security.rst @@ -405,6 +405,8 @@ stdout/stderr and files. Syslog may export the logs over the network, exposing t running, log an unrecoverable error. For ease of use simply omit the ``path`` parameter. +.. _sec-summary-of-path-restrictions: + Summary of Path Restrictions ---------------------------- 
@@ -551,6 +553,40 @@ and DDNS servers since Kea version 2.7.2. to load the library. For ease of use ``library`` elements may simply omit path components. +The three primary Kea daemons (:iscman:`kea-dhcp4`, :iscman:`kea-dhcp6` and :iscman:`kea-dhcp-ddns`) all support a control +channel, which is implemented as a UNIX socket. The control channel, which opens a UNIX socket, is disabled by default; + +.. _sec-kea-runtime-security-risk-checking: + +Kea Runtime Security Risk Checking +================================== + +Runtime security risk checking was initially added to Kea daemons :iscman:`kea-dhcp4`, +:iscman:`kea-dhcp6`, :iscman:`kea-dhcp-ddns`, :iscman:`kea-ctrl-agent`. in 2.7.9. +In Kea 3.0 additional checks were added. By default, when a daemon detects a security +risk it emits an error log and exits. The following checks are performed: + +- Use of unsupported file paths or permissions as detailed in :ref:`sec-summary-of-path-restrictions` + +- Use of clear text 'user' or 'password' in HTTP authentication (Kea 3.0) + +- Use of clear text 'secret' in TSIG key configuration (Kea 3.0) + +- Use of HTTP API channels without authentication (Kea 3.0) + +- Kea server running as root user. (Note this only causes a warning log and is never fatal) + +As of Kea 3.0, starting the daemons with the command line option, '-X', +instructs them to warn about security risks but continue operating anyway. +The message IDs for all such warnings are suffixed with "_SECURITY_WARN". + +.. warning:: + + Do not run servers with the '-X' option without careful consideration and taking + any necessary precautions. Failure to do so can expose deployments to security + vulnerabilities. + + Kea Security Processes ======================
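Review bot: In the changelog hunk (changelog_unreleased/3848-security-policy-security-strict-relaxed), the daemon list "kea-dhcp4,kea-dhcp6,kea-dhcp-ddns, and" is missing spaces after the first two commas; write "kea-dhcp4, kea-dhcp6, kea-dhcp-ddns, and kea-ctrl-agent". The entry also only mentions that checks were added, while the user-visible behaviour change documented in the same commit is that ``-X`` now downgrades violations to warnings instead of disabling the checks; a short sentence on that would make the changelog match the ARM text.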
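Review bot: In the agent.rst hunk, the added line "As of Kea 3.0, disables secruity restrictions" replaces the old misspelling "sercurity" with a new one; it should be "security". The wording is also internally inconsistent: the option is said to disable the restrictions, but the next sentence says the server still checks for violations and only warns. Suggest "As of Kea 3.0, causes security restriction violations to be logged as warnings rather than treated as fatal errors. Please see :ref:`sec-kea-runtime-security-risk-checking` for details."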
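Review bot: In the ddns.rst hunk, the same typo "secruity" and the same "disables ... but still checks" contradiction appear in the added ``-X`` text as in agent.rst; apply the same correction here so the four command-line descriptions stay identical.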
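Review bot: In the dhcp4-srv.rst hunk, the added ``-X`` description again reads "disables secruity restrictions"; fix the spelling and the wording as for agent.rst.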
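Review bot: In the dhcp6-srv.rst hunk, the added ``-X`` description is a verbatim copy of the dhcp4-srv.rst text including the "secruity" typo; fix it the same way.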
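Review bot: In the security.rst hunk at @@ -551,6 +553,40 @@, the two added lines "The three primary Kea daemons (...) all support a control channel, which is implemented as a UNIX socket. The control channel, which opens a UNIX socket, is disabled by default;" look like a stray fragment: the sentence ends in a semicolon with no continuation, "which opens a UNIX socket" repeats the previous clause, and the paragraph is unrelated to the library-path text before it and the new section label after it. Either drop it or finish the sentence. Further down, ":iscman:`kea-ctrl-agent`. in 2.7.9" has a stray period before "in". The intro "By default, when a daemon detects a security risk it emits an error log and exits" is contradicted by the last bullet, which says the root-user check only warns; add "except where noted below" to the intro. Finally, the single-quoted '-X', 'user', 'password' and 'secret' should use RST literals (``-X``, ``user``, ...) to match the ``-X`` markup used in the other four files of this commit.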