Mullvad’s recent audit by Assured AB was a bit concerning to me. Fail2ban and user-writable scripts running as root is not the sort of thing I’d expect in a service whose only job is to provide a secure relay.

Avoiding and guarding root should be Sysadmin 101 material.

I recommend any amateur Linux admins read audit reports like this. While some low-priority recommendations are a bit cargo-cultish, most advice is pretty solid. Frankly, much of this is the sort of thing a good admin should catch well before a proper audit.

#POSSE note from https://seirdy.one/notes/2022/06/26/mullvad-audit/
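The "user-writable scripts running as root" finding in the post above is the kind of thing a cron/systemd review can catch mechanically. The following is an added example for this thread, not code from the audit, from Mullvad or from the poster: it walks a root crontab, collects every absolute path it would execute, and reports any script (or the directory holding it) that a non-root user could modify. All paths, owners and modes are constructed; the `lstat` argument is injectable so the logic runs offline as an unprivileged user.

```python
"""Audit a root crontab for commands that a non-root user could modify.
Added example for this thread; not code from the audit or from Mullvad.
The paths and ownership data below are constructed, not real findings."""
import os
import stat
import types
from dataclasses import dataclass

# Constructed sample of a root crontab (hypothetical paths).
SAMPLE_ROOT_CRONTAB = """\
# m h dom mon dow command
*/5 * * * * /usr/local/bin/rotate-keys.sh
0 3 * * * /bin/sh /opt/relay/scripts/cleanup.sh >/dev/null 2>&1
@reboot /usr/bin/systemctl restart wireguard
"""

# Constructed ownership/mode table standing in for the real filesystem:
# path -> (owner uid, st_mode).  Lets the checks run offline as non-root.
FAKE_FS = {
    "/bin": (0, 0o040755),
    "/bin/sh": (0, 0o100755),
    "/usr/bin": (0, 0o040755),
    "/usr/bin/systemctl": (0, 0o100755),
    "/usr/local/bin": (0, 0o040755),
    "/usr/local/bin/rotate-keys.sh": (1000, 0o100755),  # owned by a deploy user
    "/opt/relay/scripts": (0, 0o040775),                # group-writable directory
    "/opt/relay/scripts/cleanup.sh": (0, 0o100755),
}


def fake_lstat(path):
    """os.lstat replacement backed by FAKE_FS (only st_uid/st_mode are used)."""
    if path not in FAKE_FS:
        raise FileNotFoundError(path)
    uid, mode = FAKE_FS[path]
    return types.SimpleNamespace(st_uid=uid, st_mode=mode)


@dataclass(frozen=True)
class Finding:
    path: str
    reason: str


def commands_from_crontab(text):
    """Absolute paths a crontab would execute, in order, deduplicated.
    Every absolute-path token before a redirection/pipe is collected, so
    '/bin/sh /path/script' yields both the interpreter and the script."""
    paths = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        start = 1 if fields[0].startswith("@") else 5  # '@reboot' vs m h dom mon dow
        for tok in fields[start:]:
            if tok[0] in ">|;&":
                break
            if tok.startswith("/") and tok not in paths:
                paths.append(tok)
    return paths


def writable_by_non_root(st):
    """Conservative rule: anything not owned by uid 0, or carrying a group/other
    write bit, is treated as modifiable by someone who is not root."""
    return st.st_uid != 0 or bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def check_path(path, lstat=os.lstat):
    """Findings for one executable path: the object itself and the directory
    holding it (a writable directory lets the file be swapped out)."""
    try:
        st = lstat(path)
    except FileNotFoundError:
        return [Finding(path, "missing: whoever can write the directory can create it")]
    findings = []
    if stat.S_ISLNK(st.st_mode):
        findings.append(Finding(path, "symlink: check the target as well"))
    if writable_by_non_root(st):
        findings.append(Finding(path, "file writable by a non-root user"))
    parent = os.path.dirname(path) or "/"
    pst = lstat(parent)
    if writable_by_non_root(pst) and not pst.st_mode & stat.S_ISVTX:
        findings.append(Finding(parent, "directory writable by non-root; file can be replaced"))
    return findings


def audit_crontab(text, lstat=os.lstat):
    """All findings for a root crontab; pass lstat=fake_lstat to run offline."""
    findings = []
    for path in commands_from_crontab(text):
        for f in check_path(path, lstat):
            if f not in findings:
                findings.append(f)
    return findings


if __name__ == "__main__":
    for f in audit_crontab(SAMPLE_ROOT_CRONTAB, lstat=fake_lstat):
        print(f"{f.path}: {f.reason}")
```

Against a real host you would feed it `crontab -l` output for root (and the `ExecStart=` lines of units running as root) with the default `os.lstat`; the same two-part check, file plus containing directory, is what the audit finding boils down to.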


@Seirdy While I would agree that some recommendations/findings are good and I should even look if my product complies, I am particularly triggered by the compilation flags. "Do some lobbying with the upstream" is idle talk. "Hello Python Debian package maintainers, I know many skilled security folks already asked for the PIE flag over the last decade, and all the Debian core packages use it, but please, can you add it? I've been told it is bad to not have it and I need it because some security auditor wants me to have it." Yeah, that will work, lol.

I've seen a company spend a tremendous energy to try to comply with that recommendation and take terrible decisions with long-lasting consequences, such as moving from a package distro to a source distro just to be able to easily recompile stuff and have these flags. Except they were not prepared for the hassle that is running, and shipping a source distro. It could have killed the company and I'm not even joking. Security auditors should be publicly ashamed for doing that kind of idle security recommendations, especially when they are writing from their ivory tower, with next to no experience of production environments, and development (I'm not talking about scripting but actual development).

@x_cli Yes, compilation flags are a bit cargo-culted especially in server environments.

some of them are really useful (e.g. -fsanitize=cfi in Clang), but it’s not like excluding them is a showstopper when you have bigger issues at hand.

@x_cli wait wtf they literally got paid to run checksec.sh

like, uh, thanks. that’s a lot of characters to type, only a professional can do it /s.

if i ever have to get an audit done I’d feel tempted to shoot them an email saying “btw I know how to copy and paste the output of checksec and systemd-analyze myself, I’m not paying you for that”
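For readers who have not looked at what checksec actually reports, the PIE, NX and RELRO columns come straight from the ELF header and program headers. The block below is an added example for this thread, not checksec.sh and not from the audit or from any poster: it parses those headers for an ELF64 image and returns the three flags, with the hardened and legacy test images constructed in memory by `build_elf()` (a helper written for this example) so it runs offline. It reports only what the headers carry, so `relro` means the PT_GNU_RELRO segment is present (partial RELRO); full RELRO additionally needs BIND_NOW in the dynamic section, which this example does not parse.

```python
"""Minimal checksec-style inspection of an ELF64 binary: PIE, NX stack, RELRO
segment.  Added example; not checksec.sh itself and not from the audit.
The images produced by build_elf() are constructed, not real binaries."""
import struct
import sys

EHDR = "16sHHIQQQIHHHHHH"   # ELF64 file header (64 bytes)
PHDR = "IIQQQQQQ"           # ELF64 program header (56 bytes)
ET_EXEC, ET_DYN = 2, 3
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
PF_X = 1


def analyze_elf(data):
    """Return {'pie', 'nx', 'relro'} for an ELF64 image held in memory."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2:
        raise ValueError("only ELF64 is handled in this example")
    end = "<" if data[5] == 1 else ">"
    hdr = struct.unpack_from(end + EHDR, data, 0)
    e_type, e_phoff, e_phentsize, e_phnum = hdr[1], hdr[5], hdr[9], hdr[10]

    stack_seen, stack_exec, relro = False, False, False
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from(end + PHDR, data, e_phoff + i * e_phentsize)[:2]
        if p_type == PT_GNU_STACK:
            stack_seen, stack_exec = True, bool(p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            relro = True
    return {
        # ET_DYN means position-independent; shared libraries are ET_DYN too,
        # so for a library the 'pie' flag is not meaningful on its own.
        "pie": e_type == ET_DYN,
        # No PT_GNU_STACK at all means the kernel may map the stack executable.
        "nx": stack_seen and not stack_exec,
        # PT_GNU_RELRO alone is partial RELRO; full RELRO also needs BIND_NOW.
        "relro": relro,
    }


def build_elf(e_type, phdrs):
    """Constructed minimal little-endian ELF64 image: header + program headers.
    phdrs is a list of (p_type, p_flags) pairs; other fields are dummies."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # ELFCLASS64, LSB, version 1
    header = struct.pack("<" + EHDR, ident, e_type, 0x3E, 1, 0x1000,
                         64, 0, 0, 64, 56, len(phdrs), 0, 0, 0)
    body = b"".join(struct.pack("<" + PHDR, t, f, 0, 0, 0, 0, 0, 0x10)
                    for t, f in phdrs)
    return header + body


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Inspect a real binary given on the command line.
        with open(sys.argv[1], "rb") as fh:
            print(sys.argv[1], analyze_elf(fh.read()))
    else:
        hardened = build_elf(ET_DYN, [(PT_GNU_STACK, 6), (PT_GNU_RELRO, 4)])
        legacy = build_elf(ET_EXEC, [(PT_GNU_STACK, 7)])
        print("hardened:", analyze_elf(hardened))
        print("legacy:  ", analyze_elf(legacy))
```

Run with a path argument to inspect an installed binary; without one it shows the two constructed images. The point of the thread stands: this is a few dozen lines over public header formats, which is why the posters object to paying an auditor to copy its output.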

Infosec Exchange

A Mastodon instance for info/cyber security-minded people.