pleroma.debian.social

@neil 'tis a very tricky one… do you feel you need "technical controls" (ie software based restrictions you self-impose) or would a "paper" process be acceptable?

@neil

I just looked that up:

> Only approved applications, restricted by code signing, are allowed to
> execute on devices. You must:
> • actively approve such applications before deploying them to devices
> • maintain a current list of approved applications, users must not be
> able to install any application that is unsigned or has an invalid
> signature.

That's actually really painful to implement on a lot of systems.

@pbarker @neil depends on interpretation there. Is "user" a normal, unprivileged user? That feels like it might be easier to do on Linux, maybe as simple as mounting /home -o noexec ?

I wonder if standard package manager signing covers the rest.
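As an added illustration of the "/home -o noexec" suggestion above (my own example, not code posted by anyone in this thread): a POSIX shell check that reads a mount table in /proc/mounts format and reports which of the given mount points lack noexec. The mount table below is a constructed sample; on a live host you would pass /proc/mounts itself.

```shell
#!/bin/sh
# Added example (not from the thread): check that mount points carry noexec.
# Parses /proc/mounts format: device mountpoint fstype options dump pass.
# The SAMPLE_MOUNTS table is constructed for this demo.
set -eu

# Usage: mount_has_option <mounts-file> <mountpoint> <option>
# Returns 0 if the mount point is listed with that option, 1 otherwise.
mount_has_option() {
    awk -v mp="$2" -v opt="$3" '
        $2 == mp {
            n = split($4, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == opt) found = 1
        }
        END { exit found ? 0 : 1 }' "$1"
}

# Usage: check_noexec <mounts-file> <mountpoint>...
# Prints "missing noexec: <mp>" for each non-compliant (or absent) mount point.
# Returns 0 only when every listed mount point has noexec.
check_noexec() {
    mounts=$1; shift
    rc=0
    for mp in "$@"; do
        if ! mount_has_option "$mounts" "$mp" noexec; then
            printf 'missing noexec: %s\n' "$mp"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: /home is mounted noexec, /tmp is not.
SAMPLE_MOUNTS='/dev/sda2 / ext4 rw,relatime 0 0
/dev/sda3 /home ext4 rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,relatime 0 0'

# Demo against the constructed table; prints "missing noexec: /tmp".
demo_noexec() {
    f=$(mktemp)
    printf '%s\n' "$SAMPLE_MOUNTS" > "$f"
    check_noexec "$f" /home /tmp || true
    rm -f "$f"
}
```

On a real system run `check_noexec /proc/mounts /home /tmp`. Two caveats: /proc/mounts escapes spaces in paths as `\040`, so mount points containing spaces need unescaping first, and, as later replies in this thread note, noexec only blocks direct execution of a file; a script can still be handed to an interpreter, so this is a hygiene check rather than an application allow-list.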

@neil And let's say a company did implement this perfectly. The effects would be a massive loss in productivity in engineering teams (waiting for whatever new dev tool they need to be approved) and plenty of other users pasting confidential data into web-based tools as they can't install a simple local app to do what they need.

@neil Same here, doesn't map nicely to either Linux or servers!

@neil how do you even do that on Mac? Or Windows?

@neil I don't know anything about CE, sorry, but when I was responsible for other certifications there was always a difference between users of the IT systems and the IT admins. Two roles even if the same person held both.

No sudo access would in those cases be the norm only for the user role.

Anything similar here perhaps?

@neil well those are words I've not seen before… (can you link?)

@neil I don't know about on Windows, but even on macOS that is utterly unworkable… you wouldn't be allowed to run ls for instance…!

@neil I don't get it but this sounds wrong on several levels.

@pbarker @neil
I wonder at what level it's expected to be "signed" ?

Surely having the package signed (rpm/dpkg etc) via a repository should be enough
It's verifiable with the package manager etc

The CE stuff needs an update for Linux machines for sure; it's a real blocker for things.

@neil @troed hmm. If you can't sudo doesn't that mean the root admin accounts have to have a shell configured? Seems less secure rather than more so.

@neil

I mean all of this is about following regulations, not actual security since the user is also the admin.

But yes, I would have a sudo-less neil account and a sudo-enabled admin-account.

@pre

@neil well, that was an awful read… assuming you and I are reading it correctly! I don't really have a useful answer but will be doing some checking myself (the section says it applies to Servers too)

@neil @pre @troed My impression, from having taken a brief look at Cyber Essentials several times in the past, is that it has an implicit assumption that you're using MS Windows or Apple, with one of the big cloud providers.

@neil What's "Application allow listing" ?

@neil I assume these rules also don't take into account the fact that in your case the "user" is also the "IT Systems Manager/Senior Techie" so also has complete access to the device in question...

@neil Not sure if this is helpful but two options are (a) take the definition of "Application" very narrowly as "A GUI-based package", in which case most of what you use would be outside the scope
(b) Answer with something like "This is a one-person company run by a risk-averse and tech-savvy person. This level of security is not necessary or appropriate" -- I've used language like this before for friends with a 2-person consultancy and that was accepted by the assessor.

@neil

Does the requirement specifically prohibit sudo, but possibly allow doas (which has a smaller attack-surface)?

Alternatively, sudo/doas can be configured to allow much more limited root-access, specifying which commands (and even which arguments) are permitted, so you don't have to open up *full* root access via sudo/doas. E.g. I give my local user rather limited rights, and my FreeBSD box is configured so dmesg output is limited to root, but I want to let my regular user run that without issue, so I have

gumnos ALL=(ALL) NOPASSWD: /sbin/dmesg

in my /etc/sudoers.d/01_local file, and then

$ alias dmesg='sudo /sbin/dmesg'

so it behaves like I want without exposing access to the other user-accounts on my system or providing full `sudo` access to everything.

@neil @troed Haven't tried this myself yet (it's on my list), but I have heard of people using ssh-as-root (restricted to require key-based login) instead of sudo.

One advantage of that approach I can see is that, if you're ssh'd into a remote machine and use sudo, you have to send your password to the remote machine. Where it could, in theory, be stolen if that machine is compromised. Whereas using an ssh key, your password is only ever handled on your local machine.

On the other hand you lose sudo's audit logging, and it seems like more of a faff overall. So, food for thought, more so than a strict recommendation.

@neil is FSFE already aware of this, or would they like to be? If it's impossible for FOSS to pass Cyber Essentials that's up so many people's alleys

@neil @fooflington

Sysadmin hat on (also doing NIS2 compliance)

If you’re using apt, then everything is signed, but also you could reasonably say that default repos are on the “allowed list”

@pbarker @neil I'm not sure how you'd implement that in any development environment.. by definition everything I compile and test is unsigned..

Also, do shell scripts need to be signed? Perl? Does it become illegal to use 'vi' to create a script? (Similar with batch or PowerShell scripts on Windows).

The people that wrote that have no clue.

@neil That should be possible with IMA; not that I've ever heard of anyone setting it up! I think SELinux or AppArmor should also be able to do what you need.

https://wiki.gentoo.org/wiki/Integrity_Measurement_Architecture

@revk @neil Only allowed to run applications that are on a pre-approved list?

@falken @neil it's been a while since I did this but we certainly passed cyber essentials with Linux boxes. IIRC the main issue was creating a separate account to run sudo with and installing a virus scanner.

@neil But even without IMA; if you make your home directory noexec, and /tmp, and then make sure that all your RPMs/debs are signed - and don't allow the user to install anything, isn't that the problem covered? Then you have something that keeps a dpkg -l list from your machine and detect any changes.
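As an added example of the "keep a dpkg -l list from your machine and detect any changes" idea in the post above (my own code, not from anyone in the thread): a POSIX shell drift detector that compares a stored baseline of "name version" lines against the current list using join(1). The package lists here are constructed samples; on Debian you would generate the real list with dpkg-query.

```shell
#!/bin/sh
# Added example (not from the thread): baseline the installed-package list and
# report drift. The package lists below are constructed, not from a real host.
set -eu
export LC_ALL=C   # byte-wise sort order so join(1) sees consistently sorted input

# Read "name version" lines from stdin and store them sorted by name in file $1.
# On a live Debian host feed it with:
#   dpkg-query -W -f='${Package} ${Version}\n' | snapshot_packages baseline.txt
snapshot_packages() {
    sort -k1,1 > "$1"
}

# Print drift between baseline file $1 and current file $2, one line each:
#   + name ver          newly installed
#   - name ver          removed
#   ~ name old -> new   version changed
package_drift() {
    join -v 2 "$1" "$2" | awk '{print "+ " $1 " " $2}'
    join -v 1 "$1" "$2" | awk '{print "- " $1 " " $2}'
    join "$1" "$2"      | awk '$2 != $3 {print "~ " $1 " " $2 " -> " $3}'
}

# Return 0 when current matches baseline, otherwise print the drift and return 1
# (suitable for a cron job or a CI step that fails on unexpected changes).
check_packages() {
    report=$(package_drift "$1" "$2")
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Demo on constructed data: curl upgraded, vim removed, nmap added.
demo_drift() {
    base=$(mktemp); cur=$(mktemp)
    printf 'bash 5.2-2\ncurl 8.5.0-2\nvim 9.1-1\n'  | snapshot_packages "$base"
    printf 'bash 5.2-2\ncurl 8.6.0-1\nnmap 7.94-1\n' | snapshot_packages "$cur"
    package_drift "$base" "$cur"
    rm -f "$base" "$cur"
}
```

Running `demo_drift` prints `+ nmap 7.94-1`, `- vim 9.1-1` and `~ curl 8.5.0-2 -> 8.6.0-1`. The baseline file should live somewhere the unprivileged user cannot write (or on a separate host), since the point is to catch changes the user did not go through the package manager to make; it does not, of course, see anything that never went through dpkg at all.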

@neil @penguin42 those can be worked around trivially (by users or exploits) so it’s not a safety feature just an inconvenience

@neil Yes probably; it's tricky what to do with that - certainly I'd say executable scripts in users home directory are indeed a security risk, so if you want to be careful you shouldn't have that in PATH, and I'd have sympathy with finding some way to stop bash reading from them (which hmm, is that doable with SELinux/AppArmor?)

@jmtd @neil @penguin42
Well this is fun 🤪
if it helps, I observe that on page 12, anything you develop in-house is out of scope. That may help reduce the scope of malware sources you need to be concerned about/mitigating.

@neil @fooflington
Most frustrating that M$/Apple get a free pass here when there are perfectly good anti-malware solutions for other OS.
e.g. I use clamav on my setup, it copes admirably with live file scanning.

Perhaps the incentive is that NCSC folks don't have backdoors into FOSS anti-malware? /s

@secretbatcave @neil I had pondered that train of thought but the wording is "allow to be executed" not "allow to be installed" – apt (or dnf etc) doesn't do runtime signature checking, it's not going to stop a user downloading a malicious binary and running it (because some shiny thing suggested doing curl thing | sudo bash)

@neil @fooflington @secretbatcave My stuff runs a *lot* of apps that we/I wrote...

With no code signing!

Also, "executes" is a hell of a grey area...

At machine code?
At meta / script code?
At locally compiled script level?
At interpreted code?
At a shell script level?
At config settings level?

What is "executed" in this context?

I mean, if I have Home assistant scripts for my lights coming on, is that non compliant if said script is not signed/checked? What if I wrote it?

@neil @fooflington @secretbatcave My Mac does not "execute" x86 Intel code, it translates it to ARM code. So is that OK?

@revk @neil @fooflington @secretbatcave to be fair, most modern Intel chipsets “interpret” x86 code these days, too. Microcode and all that introduced in Core.

@revk @neil @fooflington @secretbatcave Meh the mechanics of machine code/script/interpreted etc seem irrelevant - if someone put a piece of it on your machine is there any possibility that it could do something malicious?
As for home assistant config; in a corporate env I'd say it should be - you wouldn't want an ISP shutdown because no one could turn the lights on.

@neil @revk @fooflington @secretbatcave I suspect they treat the 3rd party thing as a black-box, get the 3rd party to give them a certificate to say they manage it and do updates, and make sure the thing they receive from the 3rd party is signed. Then they poke their head in the sand.

@neil @fooflington @secretbatcave indeed and also it's a point in time assessment...

@penguin42 @neil @fooflington @secretbatcave I am just saying "execute" is incredibly vague. If something simply was text instructions that a person would follow, is that "executing"?

@revk @neil @fooflington @secretbatcave I guess it's purposely vague because there's probably no good technical definition! The 'text instructions that a person would follow' - well this legislation is just covering devices, so the issue is just if your computer can follow them.....now, it's a good point when that's the prompt for an AI!

@penguin42 @neil @fooflington @secretbatcave I was thinking stickers next to a critical computer system power saying "Last person to leave office - turn this off".