WireGuard and network-namespace support
Support inspec exec ... where the transport/connection is via WireGuard and network namespaces, set up in the usual way.
Detailed Description
inspec exec options:
-n --network-namespace=NETWORK_NAMESPACE
-t --target=TARGET
Given a remote peer:
- with WireGuard interface wg0
- listening for connections:
/usr/bin/socat exec:'/bin/bash -li',pty,stderr,setsid,sigint,sane tcp:2222,bind=10.10.10.1,forever,reuseaddr,range=10.10.10.2/32,keepalive,keepidle=10,keepintvl=10,keepcnt=2
On the InSpec side, a remote shell can be opened with:
sudo /usr/bin/nsenter --setuid 1000 --setgid 1000 --net=/var/run/netns/wgsh-izhi -- socat file:$(tty),raw,echo=0 tcp:10.10.10.1:2222
The corresponding InSpec configuration is:
inspec exec profiles/myapp --network-namespace=wgsh-myapp --target=tcp:10.10.10.1:2222
The network-namespace and target values can be passed through to:
sudo /usr/bin/nsenter --setuid 1000 --setgid 1000 --net=/var/run/netns/${NETWORK_NAMESPACE} -- socat file:$(tty),raw,echo=0 ${TARGET}
InSpec can derive the setuid and setgid values from the ID of the user that started InSpec.
InSpec can prompt for the sudo permission, or error out if it was not run with sudo.
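The flag-to-command mapping above, as an added example that is neither InSpec's code nor the issue author's: a POSIX shell wrapper that checks the namespace name and target before splicing them into the nsenter/socat line, since the namespace becomes a path under /var/run/netns and the target is handed to socat verbatim. The function names, the validation rules, and the use of /dev/tty in place of $(tty) are assumptions.

```shell
#!/bin/sh
# Added example, not InSpec's own code. Models the proposed
# --network-namespace / --target handling from the issue.

# The namespace name is spliced into /var/run/netns/<name>, so only accept a
# conservative character set; rejects "", "../x", names with spaces, dot-names.
valid_netns_name() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*|.*) return 1 ;;
        *) return 0 ;;
    esac
}

# The issue uses socat's tcp:HOST:PORT form. Accept only that form (no exec:,
# file:, or trailing ",option" suffixes) so a target cannot become a local
# command or extra socat behaviour. Assumption: InSpec would validate similarly.
valid_target() {
    target=$1
    case "$target" in tcp:*:*) ;; *) return 1 ;; esac
    rest=${target#tcp:}
    host=${rest%:*}
    port=${rest##*:}
    case "$host" in ''|*[!A-Za-z0-9.-]*) return 1 ;; esac
    case "$port" in ''|*[!0-9]*) return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ]
}

# Build the command from the issue (setuid/setgid = the user that started
# InSpec; when run via sudo those are SUDO_UID/SUDO_GID). /dev/tty stands in
# for $(tty): from an interactive shell they name the same device.
build_remote_shell_cmd() {
    ns=$1 target=$2 uid=$3 gid=$4
    valid_netns_name "$ns" || { echo "bad namespace name: $ns" >&2; return 1; }
    valid_target "$target" || { echo "bad target: $target" >&2; return 1; }
    printf '%s\n' "/usr/bin/nsenter --setuid $uid --setgid $gid --net=/var/run/netns/$ns -- socat file:/dev/tty,raw,echo=0 $target"
}

# Run it under sudo. Word-splitting the string is safe here because every
# part was validated to contain no whitespace or shell metacharacters.
run_remote_shell() {
    cmd=$(build_remote_shell_cmd "$@") || return 1
    # shellcheck disable=SC2086
    exec sudo $cmd
}
```

Usage from a wrapper: run_remote_shell wgsh-myapp tcp:10.10.10.1:2222 "${SUDO_UID:-$(id -u)}" "${SUDO_GID:-$(id -g)}".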
Context
WireGuard connections allow the removal of SSH from server infrastructure. This reduces the attack surface of server instances from the SSH code base to the WireGuard code base of approx 4K lines.
It is not difficult to compose a remote Shell more secure than SSH using WireGuard + Network-Namespace (inspec-side) + Socat (remote-side) + Shell (remote-side) + FireJail (remote-side): Reverse Shells used for good.
This change would support InSpec use in such cases.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. We value your input and contribution. Please leave a comment if this issue still affects you.
not stale. Would appreciate some feedback since this is driven by a working setup and not vapor-ware.