Le-Guichet

Le-Guichet is a decontamination station prototype aka "white station" written in Rust, fast, secure and multithreaded.

Untrusted files are deposited (via rsync over ssh) in the entry window (in) and automatically scanned by an antivirus server (clamav-daemon API). If a file is considered unhealthy, it is logged/hashed and immediately deleted. Files considered as healthy are also logged and hashed (sha512) but sent (with associated hashes) to the transit window through a unidirectional software diode (named pipe) where they are logged and hashed again. Finally, files in transit are transfered to the output window through another software diode.

Security

• Memory-safe

• Thread-safe

• No unsafe block

• Tested with cargo audit & Clippy

• Daemons are all running with unprivileged users

• Systemd protections per daemon:

  • SystemCallFilter=~ptrace ( Disable ptrace )
  • PrivateDevices=yes ( Limited access to /dev )
  • ProtectSystem=full ( /usr, /boot and /etc are mounted read-only )
  • InaccessiblePaths=/proc ( /proc is simply unreachable )
  • RemoveIPC=true (All POSIX IPCs are removed when the unit is stopped)
  • RestrictSUIDSGID=true (SUID/SGID are simply forbidden)
  • ProtectKernelModules=true (Explicit module loading is denied)

Network flow charts:

```mermaid

graph LR

A(Untrusted files) -- rsync/ssh --> B

B[Guichet-In] -- Scan --> C((Clamd))

C -- Ok/Suppress --> B

B -- Write only access --> E{Diode}

F[Guichet-Transit] -- Read only access --> E

F -- Write only access --> G{Diode}

H[Guichet-Out] -- Read only access --> G

I(Trusted files + sha512) -- ssh/scp --> H

```

Demo Video

Installation

• You must have clamav-daemon, clamav-freshclam, pkg-config, cargo and rustc already installed on your system.
• Add the following to /etc/clamav/clamd.conf and restart the daemon :
  • TCPSocket 3310
  • TCPAddr 127.0.0.1

Note: If you have already installed Clamav daemon on a remote server, you can modify LeGuichet's default parameters according to your needs, by editing the following file:

bash sudo vi /etc/default/leguichet-in Clone the repo:

bash git clone https://gitlab.com/r3dlight/leguichet.git - Get some help:

bash make help

• Audit the security of the code (run cargo install cargo-audit before):

bash make audit

• Build Le-Guichet binaries:

bash make build

• Install on Debian or Debian based like Ubuntu (not tested on other GNU/Linux distributions)

bash sudo make install

Now, you might want to create new users belonging to the group "leguichet-in" to be able to deposit files into /home/in/, for exemple:

bash sudo adduser --home /home/in --gid [LEGUICHET-IN_GID] user-in (where LEGUICHET-IN_GID is the ID of the group leguichet-in)  

You also need to create new users belonging to group leguichet-out to be able to retrieve files from /home/out/

bash sudo adduser --home /home/out --gid [LEGUICHET-OUT_GID] user-out (where LEGUICHET-OUT_GID is the ID of the group leguichet-out)

Usage

In order to avoid leguichet-in daemon to be running under root privileges, we take advantage of the rsync binary:

To send a directory into /home/in , use rsync over ssh with --chmod=ug=rwx option : bash rsync -r -e ssh --chmod=ug=rwx /path/MyFolder user-in@IP-in: To send a file : bash rsync -e ssh --chmod=ug=rwx /path/MyFile.docx user-in@IP-in: To send every files in a directory: bash rsync -r -e ssh --chmod=ug=rwx /path/MyFolder/ user-in@IP-in:

user-out can simply login with ssh to get the files back.  

To uninstall Le-Guichet:

bash sudo make uninstall

To do

• Create bindings for yara / static analysis

• Switch from fifo to posix mqueues

• Be able to read a config.toml

• Debian packaging via Cargo

• unshare Namespaces / cgroups