diff --git a/docs/security.md b/docs/security.md index f29cc9e1..6103366b 100644 --- a/docs/security.md +++ b/docs/security.md @@ -50,30 +50,43 @@ Helm Charts which are released via openDesk CI/CD process are always signed. The This list gives you an overview of default security settings and if they comply with security standards: -| Component | Process | = | allowPrivilegeEscalation (`false`) | capabilities (`drop: ALL`) | seccompProfile (`RuntimeDefault`) | readOnlyRootFilesystem (`true`) | runAsNonRoot (`true`) | runAsUser | runAsGroup | fsGroup | -|-------------|--------------------------|:------------------:|:----------------------------------:|:----------------------------------------------------------------------------------------------------------------------------------------------:|:---------------------------------:|:-------------------------------:|:---------------------:|:---------:|:----------:|:-------:| -| ClamAV | clamd | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 | -| | freshclam | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 | -| | icap | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 | -| | milter | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 | -| Collabora | collabora | :x: | :x: | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`, `MKNOD`) | :white_check_mark: | :x: | :white_check_mark: | 100 | 101 | 100 | -| CryptPad | cryptpad | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | 4001 | 4001 | 4001 | -| Element | element | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 101 | 101 | 101 | -| | synapse | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 10991 | - | 10991 | -| | synapseWeb | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 101 | 101 | 101 | -| | wellKnown | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 101 | 101 | 101 | -| Jitsi | jibri | :x: | :x: | :x: (`SYS_ADMIN`) | :white_check_mark: | :x: | :x: | - | - | - | -| | jicofo | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - | -| | jitsiKeycloakAdapter | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1993 | 1993 | - | -| | jvb | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - | -| | prosody | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - | -| | web | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - | -| Keycloak | keycloak | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | 1001 | 1001 | 1001 | -| | keycloakConfigCli | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 1001 | 1001 | -| | keycloakExtensionHandler | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - | -| | keycloakExtensionProxy | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - | -| MariaDB | mariadb | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 1001 | 1001 | -| Memcached | memcached | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | - | 1001 | -| Postfix | postfix | :x: | :x: | :x: | :white_check_mark: | :x: | :x: | - | - | 101 | -| OpenProject | openproject | :x: | :white_check_mark: | :x: | :white_check_mark: | :x: | :x: | - | - | - | -| PostgreSQL | postgresql | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 1001 | 1001 | +| Component | Process | = | allowPrivilegeEscalation (`false`) | capabilities (`drop: ALL`) | seccompProfile (`RuntimeDefault`) | readOnlyRootFilesystem (`true`) | runAsNonRoot (`true`) | runAsUser | runAsGroup | fsGroup | +|--------------|----------------------------|:------------------:|:----------------------------------:|:----------------------------------------------------------------------------------------------------------------------------------------------:|:---------------------------------:|:-------------------------------:|:---------------------:|:---------:|:----------:|:-------:| +| ClamAV | clamd | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 | +| | freshclam | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 | +| | icap | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 | +| | milter | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 | +| Collabora | collabora | :x: | :x: | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`, `MKNOD`) | :white_check_mark: | :x: | :white_check_mark: | 100 | 101 | 100 | +| CryptPad | npm | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | 4001 | 4001 | 4001 | +| Dovecot | dovecot | :x: | :white_check_mark: | :x: (`CHOWN`, `DAC_OVERRIDE`, `NET_BIND_SERVICE`, `SETGID`, `SETUID`, `SYS_CHROOT`) | :white_check_mark: | :white_check_mark: | :x: | - | - | 1000 | +| Element | element | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 101 | 101 | 101 | +| | synapse | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 10991 | - | 10991 | +| | synapseWeb | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 101 | 101 | 101 | +| | wellKnown | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 101 | 101 | 101 | +| Jitsi | jibri | :x: | :x: | :x: (`SYS_ADMIN`) | :white_check_mark: | :x: | :x: | - | - | - | +| | jicofo | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - | +| | jitsiKeycloakAdapter | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1993 | 1993 | - | +| | jvb | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - | +| | prosody | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - | +| | web | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - | +| Keycloak | keycloak | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | 1001 | 1001 | 1001 | +| | keycloakConfigCli | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 1001 | 1001 | +| | keycloakExtensionHandler | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - | +| | keycloakExtensionProxy | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - | +| MariaDB | mariadb | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 1001 | 1001 | +| Memcached | memcached | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | - | 1001 | +| Postfix | postfix | :x: | :x: | :x: | :white_check_mark: | :x: | :x: | - | - | 101 | +| Open-Xchange | core-documentconverter | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | 987 | 1000 | - | +| | core-guidedtours | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - | +| | core-imageconverter | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | 987 | 1000 | - | +| | core-mw-default | :x: | :x: | :x: | :x: | :x: | :x: | - | - | - | +| | core-ui | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - | +| | core-ui-middleware | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - | +| | core-ui-middleware-updater | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - | +| | core-user-guide | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - | +| | gotenberg | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - | +| | guard-ui | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - | +| | nextlcoud-integration-ui | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - | +| | public-sector-ui | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - | +| OpenProject | openproject | :x: | :white_check_mark: | :x: | :white_check_mark: | :x: | :x: | - | - | - | +| PostgreSQL | postgresql | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 1001 | 1001 | diff --git a/helmfile/apps/open-xchange/values-dovecot.yaml b/helmfile/apps/open-xchange/values-dovecot.yaml index 225c0648..856f5184 100644 --- a/helmfile/apps/open-xchange/values-dovecot.yaml +++ b/helmfile/apps/open-xchange/values-dovecot.yaml @@ -1,6 +1,24 @@ # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" # SPDX-License-Identifier: Apache-2.0 --- +containerSecurityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - "ALL" + add: + - "CHOWN" + - "DAC_OVERRIDE" + - "KILL" + - "NET_BIND_SERVICE" + - "SETGID" + - "SETUID" + - "SYS_CHROOT" + enabled: true + readOnlyRootFilesystem: true + seccompProfile: + type: "RuntimeDefault" + dovecot: ldap: enabled: true @@ -16,4 +34,8 @@ dovecot: enabled: true ssl: "no" host: "postfix:25" + +podSecurityContext: + enabled: true + fsGroup: 1000 ... diff --git a/helmfile/apps/open-xchange/values-openxchange.yaml b/helmfile/apps/open-xchange/values-openxchange.yaml index 23a3a1c1..6a19ccec 100644 --- a/helmfile/apps/open-xchange/values-openxchange.yaml +++ b/helmfile/apps/open-xchange/values-openxchange.yaml @@ -14,6 +14,17 @@ appsuite: masterAdmin: "admin" gotenberg: enabled: true + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - "ALL" + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1001 + seccompProfile: + type: "RuntimeDefault" features: status: # enable admin pack @@ -27,6 +38,7 @@ appsuite: open-xchange-authentication-oauth: "enabled" properties: com.openexchange.UIWebPath: "/appsuite/" + com.openexchange.showAdmin: "false" # PDF Export com.openexchange.capability.mail_export_pdf: "true" com.openexchange.mail.exportpdf.gotenberg.enabled: "true" @@ -158,8 +170,23 @@ appsuite: mkdir -p /opt/open-xchange/guard-files chown open-xchange:open-xchange /opt/open-xchange/guard-files + # Security context for core-mw has no effect yet + # podSecurityContext: {} + # securityContext: {} + core-ui: enabled: true + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - "ALL" + readOnlyRootFilesystem: true + runAsGroup: 1000 + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: "RuntimeDefault" core-ui-middleware: enabled: true @@ -170,15 +197,62 @@ appsuite: - "redis-master:6379" auth: enabled: true + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - "ALL" + readOnlyRootFilesystem: true + runAsGroup: 1000 + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: "RuntimeDefault" core-guidedtours: enabled: true + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - "ALL" + readOnlyRootFilesystem: true + runAsGroup: 1000 + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: "RuntimeDefault" + guard-ui: enabled: true + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - "ALL" + readOnlyRootFilesystem: true + runAsGroup: 1000 + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: "RuntimeDefault" + core-cacheservice: enabled: false + core-user-guide: enabled: true + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - "ALL" + readOnlyRootFilesystem: true + runAsGroup: 1000 + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: "RuntimeDefault" core-imageconverter: enabled: true @@ -188,6 +262,19 @@ appsuite: endpoint: "." accessKey: "." secretKey: "." + podSecurityContext: + runAsGroup: 1000 + runAsNonRoot: true + runAsUser: 987 + seccompProfile: + type: "RuntimeDefault" + securityContext: + # missing: + # readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + capabilities: + drop: + - "ALL" core-spellcheck: enabled: false @@ -198,6 +285,19 @@ appsuite: cache: remoteCache: enabled: false + podSecurityContext: + runAsGroup: 1000 + runAsNonRoot: true + runAsUser: 987 + seccompProfile: + type: "RuntimeDefault" + securityContext: + # missing: + # readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + capabilities: + drop: + - "ALL" core-documents-collaboration: enabled: false @@ -213,3 +313,30 @@ appsuite: enabled: false core-drive-help: enabled: false + +nextcloud-integration-ui: + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - "ALL" + readOnlyRootFilesystem: true + runAsGroup: 1000 + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: "RuntimeDefault" + +public-sector-ui: + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - "ALL" + readOnlyRootFilesystem: true + runAsGroup: 1000 + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: "RuntimeDefault" +...