Le-Guichet

Le-Guichet is a prototype of a decontamination station aka "white station" written in Rust, fast, secure and multithreaded.

Untrusted files are deposited (via rsync over ssh) in the entry window (in) and scanned by an antivirus server (clamd API). If a file is considered unhealthy, it is logged and immediately deleted. Files considered as healthy are logged and hashed (sha512) and sent to the transit window through a unidirectional software diode (named pipe) where they are logged and hashed again. Finally, files in transit are transfered to the output window through another software diode.

Security

• Memory-safe

• Thread-safe

• No unsafe block

• Tested with cargo audit & Clippy

• Daemons are all running with unprivileged users

• Systemd protections:

  • SystemCallFilter=~ptrace ( Disable ptrace )
  • PrivateDevices=yes ( Limited access to /dev )
  • ProtectSystem=full ( /usr, /boot and /etc are mounted read-only )
  • InaccessiblePaths=/proc ( /proc is simply unreachable )
  • RemoveIPC=true (All POSIX IPCs are removed when the unit is stopped)
  • RestrictSUIDSGID=true (SUID/SGID are simply forbidden)
  • ProtectKernelModules=true (Explicit module loading is denied)

Network flow charts:

```mermaid

graph LR

A(Untrusted files) -- rsync/ssh --> B

B[Guichet-In] -- Scan --> C((Clamd))

C -- Ok/Suppress --> B

B -- Write only access --> E{Diode}

F[Guichet-Transit] -- Read only access --> E

F -- Write only access --> G{Diode}

H[Guichet-Out] -- Read only access --> G

I(Trusted files + sha512) -- ssh/scp --> H

```

Demo Video

Installation

• You must have pkg-config, cargo and rustc already installed on your system.

bash git clone https://gitlab.com/r3dlight/leguichet.git - Get some help:

bash make help

• Test the code:

bash make test

• Audit the code (run cargo install cargo-audit before):

bash make audit

• Build Le-Guichet binaries:

bash make build

• Install on Debian/Ubuntu (not tested on other GNU/Linux distributions)

bash sudo make install

Now, you might want to create new users belonging to the group "leguichet-in" to be able to deposit files into /home/in/, for exemple:

bash sudo adduser --home /home/in --gid [LEGUICHET-IN_GID] user-in (where LEGUICHET-IN_GID is the ID of the group leguichet-in)  

You also need to create new users belonging to group leguichet-out to be able to retrieve files from /home/out/

bash sudo adduser --home /home/out --gid [LEGUICHET-OUT_GID] user-out (where LEGUICHET-OUT_GID is the ID of the group leguichet-out)  

In order to avoid leguichet-in daemon to be running under root privileges, we take advantage of the rsync binary:

To send a directory into /home/in , use rsync over ssh with --chmod=ug=rwx option : bash rsync -r -e ssh --chmod=ug=rwx /path/MyFolder user-in@localhost: To send a file : bash rsync -e ssh --chmod=ug=rwx /path/MyFile.zip user-in@localhost:

user-out can simply login with ssh to get the files back.  

To uninstall Le-Guichet:

bash sudo make uninstall

To do:

• Create bindings for yara / static analysis

• Switch from fifo to posix mqueues

• Be able to read a config.toml

• Debian packaging via Cargo

• Namespaces / cgroups