Script security and logging

One of the major differences between OpenVPN 2.0 and later versions concerns the security of running scripts. With OpenVPN 2.0, all scripts were executed using a system call, and the entire set of server environment variables was passed to each script. Starting with OpenVPN 2.1, the script-security configuration directive was introduced, and scripts are now executed with the execv call by default, which is more secure. It is also advisable to log the output of your scripts for security reasons: with script output logged, including timestamps, it becomes much easier to track down problems and possible security incidents. Starting with OpenVPN 2.3, it is no longer possible to add the system option to the script-security configuration directive.

In this recipe, we will focus on the different options for the script-security configuration directive and on the methods to ease the logging of script output.

Getting ready

Install OpenVPN 2.3 or higher on two computers. Make sure that the computers are connected over a network. Set up the client and server certificates using the first recipe from Chapter 2, Client-server IP-only Networks. For this recipe, the server computer was running CentOS 6 Linux and OpenVPN 2.3.10, and the client was running Fedora 22 and OpenVPN 2.3.10. For the server, keep the server configuration file, basic-udp-server.conf, from the Server-side routing recipe in Chapter 2, Client-server IP-only Networks.

How to do it...

  1. Start the OpenVPN server using the configuration file from the Using a client-side up/down script recipe:
    [root@server]# openvpn --config basic-udp-server.conf
    
  2. Create the client configuration file:
            client
            proto udp
            remote openvpnserver.example.com
            port 1194

            dev tun
            nobind

            ca       /etc/openvpn/cookbook/ca.crt
            cert     /etc/openvpn/cookbook/client1.crt
            key      /etc/openvpn/cookbook/client1.key
            tls-auth /etc/openvpn/cookbook/ta.key 1

            remote-cert-tls server
            up "/etc/openvpn/cookbook/example5-7-up.sh arg1 arg2"
    
  3. Save it as example5-7-client.conf. Notice the lack of the script-security directive.
  4. Create the up script:
            #!/bin/bash

            # Send all further output (stdout and stderr) of this script to the log file
            exec >> /etc/openvpn/cookbook/example5-7.log 2>&1
            # $script_type is set by OpenVPN ("up" when this script runs as the up script)
            date +"%H:%M:%S: START $script_type script ==="
            # The first arguments come from the up directive; OpenVPN appends the device name and MTU
            echo "argv = [$0] [$1] [$2] [$3] [$4]"
            # Show which process spawned this script
            pstree $PPID
            date +"%H:%M:%S: END $script_type script ==="
    
  5. Save it as example5-7-up.sh and make sure that it is executable.
  6. Start the OpenVPN client:
    [client]$ openvpn --config example5-7-client.conf
    
  7. The client appears to connect successfully until the up script needs to be executed:
            ... /etc/openvpn/cookbook/example5-7-up.sh [arguments]
            ... WARNING: External program may not be called unless '--script-security 2' or higher is enabled. See --help text or man page for detailed info.
            ... WARNING: Failed running command (--up/--down): external program fork failed
            ... Exiting due to fatal error
    
  8. When we repeat the preceding steps with an extra command-line parameter, --script-security 2, the client can connect successfully:
    [client]$ openvpn --config example5-7-client.conf --script-security 2
    

The /etc/openvpn/cookbook/example5-7.log log file now shows the following:

05:25:33: START up script ===
argv = [/etc/openvpn/cookbook/example5-7-up.sh] [argument1] [argument2] [tun0] [1500]
openvpn---example5-7-up.s---pstree
05:25:33: END up script ===

If we repeat the preceding exercise using --script-security 3, we get similar output.

How it works...

In order to execute scripts on either the client or the server, the directive script-security 2 (or 3) must be specified; otherwise, OpenVPN 2.1 or higher will refuse to start. The following parameters can be specified for the script-security directive:

  • 0: No external programs can be called at all. This means that OpenVPN cannot start up successfully, except on Microsoft Windows under certain circumstances.
  • 1: Only built-in external programs (such as /sbin/ifconfig and /sbin/ip on Linux, or netsh.exe and route.exe on Windows) can be called.
  • 2: Both built-ins and scripts can be called.
  • 3: The same as 2, but passwords can now also be passed to scripts via environment variables.
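As an added example (not from the cookbook), the following POSIX shell helper audits an OpenVPN configuration file against these levels: it reports script directives that would be refused at the effective level, and flags level 3 because credentials then reach scripts through the environment. It assumes that a missing script-security line behaves like level 1, which matches the "external program fork failed" error seen in this recipe.

```shell
#!/bin/sh
# Added audit helper, not part of the cookbook: check whether the script
# directives in an OpenVPN config are consistent with its script-security level.
# Assumption: a config without a script-security line is treated as level 1.

# Print the effective script-security level of a config file (default 1).
effective_level() {
    awk 'BEGIN { lvl = 1 }
         $1 == "script-security" { lvl = $2 }
         END { print lvl + 0 }' "$1"
}

# Print the distinct directives in a config file that spawn an external script,
# space-separated (comment lines starting with # or ; never match).
script_directives() {
    awk '$1 ~ /^(up|down|route-up|route-pre-down|ipchange|tls-verify|auth-user-pass-verify|client-connect|client-disconnect|learn-address)$/ && !seen[$1]++ {
             out = out (out ? " " : "") $1
         }
         END { print out }' "$1"
}

# Audit one config. Exit status: 0 consistent, 1 scripts would be refused,
# 2 level 3 in use (passwords are passed to scripts via environment variables).
audit_script_security() {
    conf="$1"
    level=$(effective_level "$conf")
    used=$(script_directives "$conf")
    if [ -n "$used" ] && [ "$level" -lt 2 ]; then
        echo "FAIL $conf: script-security $level but script directives present: $used"
        return 1
    fi
    if [ "$level" -ge 3 ]; then
        echo "WARN $conf: script-security 3 passes passwords to scripts via env"
        return 2
    fi
    echo "OK   $conf: script-security $level, scripts: ${used:-none}"
    return 0
}
```

Run it as `audit_script_security example5-7-client.conf` to reproduce the failure from step 7 before starting OpenVPN.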

There's more...

There are subtle differences between running scripts on Linux/NetBSD/Mac OS and on Windows. On Windows, the system call CreateProcess is used by default. This makes it impossible to pass extra parameters to some scripts, such as the up script, because the entire quoted text after the up directive is taken as the name of the executable or script.
