14 August 2017

So What’s Wrong with Blacklisting Commands?

Andy Harris

Blacklisting is one of those feature comparisons that really gets Osiriumites annoyed. It is pointless, you can drive a bus through it, and most of the time it stops sensible work getting done.

We could go on ad infinitum, but here are a few basic points:

It is Stupid – and gets in the way

For example, your organisation thinks it is a good idea to blacklist the ‘rm’ command. Let’s consider the difference between these command sequences:

cd /var/log/apache2
rm error*.*.log

then

cd /var/log/log
rm syslog-20170801

and …

rm ../log*.log
cd ../..
rm -f *.log

The first is almost harmless – most likely recovering vital disk space; the second is probably dodgy; and you have no idea what the third does (unless you’ve managed to keep track of the working directory). So if you blacklist the rm command, it just gets in the way of real work.

How about only blacklisting for non-privileged users? Great, now everyone needs privileged access to clean up their log files! Of course, if that second example was an insider cleaning up after nefarious activity, you will have actually increased your attack surface!

Slippery but not fully devious

There’s more than one way of deleting a file on a system; here are a few options:

  • unlink the file
  • use shred -u
  • use find -name filename -delete
  • move it to /tmp
  • put a mount in front of the file
  • use a graphical tool
  • alias rm to something else
  • hide it in a one-off cron job
  • write a program in Bash, C, Python, Java … to delete files.

import os, shutil

os.remove(file)              # delete a single file
os.unlink(file)              # identical to os.remove
os.removedirs(directory)     # removes the directory, then its now-empty parents
shutil.rmtree(directory)     # recursively deletes a whole directory tree

We are not even getting devious, so if that’s not enough, just Google it!

Tasks are a better way

Sysadmins need to do System Administration; they need those commands. Everyone else can use tasks: just write a safe task to delete debug log files and delegate it to the people who need it. No direct system access, no issuing commands in the wrong directory and no prodding around in sensitive parts of your system.
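As an added illustration of what such a “safe task” looks like (example code written for this page, not Osirium’s PTM implementation), the function below deletes only regular files matching a file-name glob inside a directory fixed by the task author. The delegated user picks a name pattern, never a path, so the `cd ../..` and `rm -f *.log` problems from the earlier example cannot occur; symlinks and files without a `.log` suffix (such as `syslog-20170801`) are left alone. The directory layout in `demo()` is constructed for the example.

```python
import os
import re
import fnmatch
import tempfile

# Only bare file names ending in .log are ever eligible for deletion.
ALLOWED_NAME = re.compile(r"^[A-Za-z0-9._-]+\.log$")


def cleanup_debug_logs(log_dir: str, name_glob: str = "error*.log") -> list:
    """Delete regular files in log_dir whose names match name_glob.

    log_dir is fixed by whoever defines the task; the delegated user only
    supplies a glob over file names. Returns the sorted list of deleted paths.
    """
    # Refuse anything that tries to smuggle in a directory component.
    if "/" in name_glob or "\\" in name_glob or ".." in name_glob:
        raise ValueError("name_glob must be a bare file-name pattern")
    base = os.path.realpath(log_dir)
    deleted = []
    for entry in os.scandir(base):
        # follow_symlinks=False: symlinks, directories and sockets are skipped,
        # so a link planted in the log directory cannot redirect the delete.
        if not entry.is_file(follow_symlinks=False):
            continue
        if not fnmatch.fnmatch(entry.name, name_glob):
            continue
        if not ALLOWED_NAME.match(entry.name):
            continue
        os.unlink(entry.path)
        deleted.append(entry.path)
    return sorted(deleted)


def demo() -> dict:
    """Build a constructed log directory and run the task against it."""
    root = tempfile.mkdtemp()
    logs = os.path.join(root, "apache2")
    os.mkdir(logs)
    for name in ("error.1.log", "error.2.log", "access.log", "syslog-20170801"):
        open(os.path.join(logs, name), "w").close()
    # A symlink named like a log but pointing outside the directory.
    outside = os.path.join(root, "important.txt")
    open(outside, "w").close()
    os.symlink(outside, os.path.join(logs, "error.link.log"))
    deleted = cleanup_debug_logs(logs, "error*.log")
    return {"deleted": [os.path.basename(p) for p in deleted],
            "remaining": sorted(os.listdir(logs)),
            "outside_intact": os.path.exists(outside)}
```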

The best way of really reducing the attack surface of your systems is to work out what you want your users to be able to do on your systems rather than creating a list of all the bad things they could do. That is why we built Privileged Task Management (PTM).