1 Replies - 1390 Views - Last Post: 06 May 2016 - 07:14 PM

#1 andpou

  • New D.I.C Head

Reputation: 0
  • Posts: 1
  • Joined: 09-January 15

Python Security Hardening

Posted 09 January 2015 - 04:13 AM

I'm working for a large organization that is using some Windows products that require Python to work. Python is used to execute built-in utility scripts and the user never recognizes that Python is involved. Since the security requirements of the system are quite strict we are trying to lock down Python as much as possible. We normally don't allow normal users to use compilers or interpreters since it's not allowed to add applications or functionality to the system. So we are looking for tips about how to restrict Python so that only some scripts are allowed to run while the interactive prompt/interpreter is not available. Is that even possible?

Our first approach was looking into restricting Python with group policies, but that is not easily done since Python is not "GPO aware". Using software restriction policies is basically block Python for all or allow Python for all. Since Python scripts are run through the interpreter (python.exe), the GPO software restriction settings for executable locations only check the python.exe and not the script location itself (the GPO system only sees the Python script as a generic argument to the python.exe executable).
So my question is if anyone has any experience in tightening the security concerning Python? Once again, our goal is that only some scripts are allowed to run while the interactive prompt/interpreter is not available. Is that even possible?

Replies To: Python Security Hardening

#2 wir3d.gh0st

  • New D.I.C Head

Reputation: 0
  • Posts: 7
  • Joined: 10-December 15

Re: Python Security Hardening

Posted 06 May 2016 - 07:14 PM

Just a theory here...

Python CLI environment
Maybe you could move the link for the interpreter out of the users' $PATH and place it in a directory that only root can access? That way, if they find out where the directory is, they can't read/write/execute anything from it without root.

Python Interpreter
#!/usr/bin/env python
--> This is obviously your interpreter location. People are probably more accustomed to #!/usr/bin/python. The former searches the environment for the interpreter in the event that admins decided to move the default location. I can't think of anything off the top of my head for moving this, because anyone with access to the CLI can go ahead and write a script using vim, nano, etc. and direct it to that interpreter... You could change the location, but anyone who digs deep enough and finds a working script can cat it and see the shebang.

My personal suggestion could be to not allow the use of chmod without root so that they cannot change permissions, and also again move the link to python because you can run a script without execution rights if you just type python <script>.

I would like to apologize to other users, this was on the front page and I just noticed the date it was posted after I replied. I will leave my reply though in case someone has the same question...
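Both posts circle the same gap: an allow/deny decision made on python.exe cannot distinguish an approved utility script from an arbitrary one, and an interpreter that users can reach directly gives them an interactive prompt. One defensive pattern that addresses andpou's goal (only approved scripts run, no interactive prompt) is to point the product at a small gate instead of at the interpreter, and to combine that with wir3d.gh0st's point of taking direct access to the interpreter away (file ACLs or an application control policy). The script below is an added example written for this thread, not code from either poster or from any product; the launcher design, the SHA-256 allowlist, the exit code and the file names in the demo are all my own assumptions.

```python
"""Allowlist-gated Python launcher (added example, not from the thread).

Deployment idea (assumption): the Windows product is configured to invoke
this launcher with the script path instead of invoking python.exe directly.
The launcher refuses interactive use and interpreter options, and only
executes a script whose real path AND SHA-256 digest appear in an allowlist
that an administrator built at deployment time and that users cannot write.
"""
import hashlib
import hmac
import os
import sys
import tempfile
from typing import Dict, Iterable, Optional, Sequence, Tuple


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_allowlist(paths: Iterable[str]) -> Dict[str, str]:
    """Admin-time step: map each approved script's real path to its digest."""
    table: Dict[str, str] = {}
    for p in paths:
        with open(p, "rb") as f:
            table[os.path.realpath(p)] = sha256_bytes(f.read())
    return table


def verify_request(argv: Sequence[str],
                   allowlist: Dict[str, str]) -> Tuple[Optional[bytes], str]:
    """Decide whether an invocation may run.

    argv is the launcher's argument list without argv[0]; argv[0] must be the
    script path, anything after it is passed to the script untouched.
    Returns (script_bytes, reason); script_bytes is None when refused.
    """
    if not argv:
        return None, "refused: no script given (interactive prompt disabled)"
    first = argv[0]
    if first.startswith("-"):
        # -i, -c, -m and "-" (read program from stdin) would all bypass the
        # allowlist, so no interpreter option is accepted in this position.
        return None, f"refused: interpreter option {first!r} not permitted"
    script = os.path.realpath(first)          # defeat symlink / relative tricks
    expected = allowlist.get(script)
    if expected is None:
        return None, f"refused: {script} is not an approved script"
    try:
        with open(script, "rb") as f:
            data = f.read()   # read once: the bytes hashed are the bytes run
    except OSError as e:
        return None, f"refused: cannot read {script}: {e}"
    if not hmac.compare_digest(sha256_bytes(data), expected):
        return None, f"refused: {script} has been modified since approval"
    return data, "ok"


def launch(argv: Sequence[str], allowlist: Dict[str, str]) -> int:
    """Run the approved script in this process; 126 is the refusal code (assumed)."""
    data, reason = verify_request(argv, allowlist)
    if data is None:
        print(f"launcher: {reason}", file=sys.stderr)
        return 126
    script = os.path.realpath(argv[0])
    sys.argv = [script] + list(argv[1:])
    code = compile(data, script, "exec")      # execute the verified bytes, not a re-read
    exec(code, {"__name__": "__main__", "__file__": script})
    return 0


def demo() -> Tuple[str, str, str]:
    """Constructed demo: one approved script, one unapproved, then tampering."""
    d = tempfile.mkdtemp()
    approved = os.path.join(d, "maint.py")    # constructed file name
    rogue = os.path.join(d, "rogue.py")       # constructed file name
    with open(approved, "w") as f:
        f.write("print('maintenance task ran')\n")
    with open(rogue, "w") as f:
        f.write("print('not approved')\n")
    allow = build_allowlist([approved])
    r_ok = verify_request([approved], allow)[1]
    r_rogue = verify_request([rogue], allow)[1]
    with open(approved, "a") as f:            # simulate post-approval edit
        f.write("print('tampered')\n")
    r_tampered = verify_request([approved], allow)[1]
    return r_ok, r_rogue, r_tampered


if __name__ == "__main__":
    print(demo())
```

Two design points matter here. The script bytes are read a single time and the same bytes are hashed and compiled, so a user who can overwrite a script between the check and the run gains nothing (the classic time-of-check/time-of-use gap). And the launcher is only as strong as the access controls around it: if users can still start python.exe themselves, or can edit the allowlist file, they simply go around it, which is why the interpreter and the allowlist have to sit in an admin-only location, as the reply above suggests for the interpreter link.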