
Monitoring outgoing traffic for hosts with risky services
Open, Medium, Public

Description

Some services need to use software components with a higher risk profile or with a history of security problems (e.g. in media-processing libs like ffmpeg or libtiff).

We should create iptables profiles to restrict outgoing traffic and report potential violations. This can obviously be circumvented by attackers who manage to escalate their privileges to root, but it's a useful countermeasure against an attacker exploiting a vulnerability in an unprivileged service and attacking further systems from that host.
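One possible shape for such a profile, as an added example that is not part of the task description or any Wikimedia code: a shell function that prints (but does not load) an iptables-restore fragment confining a single service account and logging everything else it tries to send. The owner-match approach, the account name `mediasvc`, the destination `10.0.0.5:8080`, the `EGRESS_<user>` chain name and the `egress-deny:` log prefix are all assumptions made for illustration.

```shell
#!/bin/sh
# Added example: emit an egress profile for one unprivileged service account.
# Assumptions: IPv4 and TCP only; the service runs under a dedicated account.

# gen_egress_profile USER IP[/CIDR]:PORT...
gen_egress_profile() {
    user=$1; shift
    # Reject names that would break rule syntax or exceed the 29-character
    # LOG prefix limit (16 or more characters is refused).
    case $user in
        ''|*[!a-z0-9_-]*|????????????????*)
            echo "bad user: $user" >&2; return 1 ;;
    esac
    chain="EGRESS_$user"

    # Validate every destination before emitting anything.
    for spec in "$@"; do
        dest=${spec%:*}; port=${spec##*:}
        case $dest in ''|*[!0-9./]*) echo "bad dest: $spec" >&2; return 1 ;; esac
        case $port in ''|*[!0-9]*)   echo "bad port: $spec" >&2; return 1 ;; esac
    done

    printf '%s\n' "*filter" ":$chain - [0:0]"
    # Only packets from sockets owned by the service account enter the chain.
    printf '%s\n' "-A OUTPUT -m owner --uid-owner $user -j $chain"
    printf '%s\n' "-A $chain -o lo -j RETURN"
    # Replies on connections that clients opened to the service.
    printf '%s\n' "-A $chain -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN"
    for spec in "$@"; do
        printf '%s\n' "-A $chain -p tcp -d ${spec%:*} --dport ${spec##*:} -j RETURN"
    done
    # Anything else is a potential violation: rate-limited log, then reject.
    printf '%s\n' "-A $chain -m limit --limit 6/min -j LOG --log-prefix \"egress-deny:$user \" --log-uid"
    printf '%s\n' "-A $chain -j REJECT" "COMMIT"
}

# Constructed sample: the account may reach one backend and nothing else.
gen_egress_profile mediasvc 10.0.0.5:8080
```

The kernel log lines carrying the `egress-deny:` prefix are what a reporting job would collect; loading the fragment with `iptables-restore --noflush` keeps the host's existing rules in place.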

Event Timeline

MoritzMuehlenhoff claimed this task.
MoritzMuehlenhoff raised the priority of this task from to Needs Triage.
MoritzMuehlenhoff updated the task description.
MoritzMuehlenhoff set Security to None.

This task has been assigned to the same task owner for more than two years. Resetting task assignee due to inactivity, to decrease task cookie-licking and to get a slightly more realistic overview of plans. Please feel free to assign this task to yourself again if you still realistically work or plan to work on this task - it would be welcome!

For tips on how to manage individual work in Phabricator (noisy notifications, lists of tasks, etc.), see https://phabricator.wikimedia.org/T228575#6237124 for available options.
(For the record, two emails were sent to assignee addresses before resetting assignees. See T228575 for more info and for potential feedback. Thanks!)