# TrueNAS Security Audit Report

**Server:** beelink-tns (192.168.16.254) | **Version:** TrueNAS Scale 25.10.2 | **Date:** 2026-06-02
**Auditor:** F.R.I.D.A.Y. | **Scope:** Read-only review — no changes made

---

## Executive Summary

| Area | Status | Notes |
|------|--------|-------|
| SMB Shares | ⚠️ Review Needed | 7 shares; guest access disabled (good), but six shares are mode 777, and on the three without ACLs (Archive, Backup, Repo) that mode is the effective permission |
| NFS Shares | ⚠️ Review Needed | 4 of 7 exports open to all networks; root squash reported off on every export (see section 3 for how to confirm) |
| User Access | ✅ Controlled | Only 3 custom users have SMB access |
| Services | ✅ Healthy | CIFS, NFS, SSH running; FTP/iSCSI/SNMP disabled |
| Pools | ✅ Healthy | Both pools online |

---

## 1. System Overview

| Property | Value |
|----------|-------|
| Hostname | beelink-tns |
| Version | TrueNAS Scale 25.10.2 |
| Hardware | Intel N95, 4 cores, 11.5 GB RAM |
| Uptime | 15 days |
| Pools | 2 (FastPool 0.91 TB, Ice 3.62 TB) |
| Datasets | 55 total |
| VMs | 0 configured |

**Running Services:**

- `cifs` — RUNNING
- `nfs` — RUNNING
- `ssh` — RUNNING

**Disabled Services:**

- `ftp` — STOPPED
- `iscsitarget` — STOPPED
- `snmp` — STOPPED
- `ups` — STOPPED
- `nvmet` — STOPPED

---

## 2. SMB Shares (7 Total)

All SMB shares have **Guest OK = False** ✅ — no anonymous access.

| # | Share Name | Path | POSIX Mode | Owner | Group | ACL | Security Notes |
|---|------------|------|------------|-------|-------|-----|----------------|
| 1 | **Archive** | /mnt/Ice/Archive | 777 | `src` | `src` | Disabled | Everyone has RWX ⚠️ |
| 2 | **Backup** | /mnt/Ice/Backup | 777 | `src` | `src` | Disabled | Everyone has RWX ⚠️ |
| 3 | **ISOs** | /mnt/Ice/ISOs | 777 | `src` | `src` | Enabled | Bobby + libvirt-qemu have explicit entries |
| 4 | **lab-dash** | /mnt/FastPool/dockge/configs/lab-dash | 777 | `src` | `src` | Enabled | builtin_users + builtin_administrators groups |
| 5 | **Repo** | /mnt/Ice/Repo | 777 | `src` | `src` | Disabled | Everyone has RWX ⚠️ |
| 6 | **arr-zimaos** | /mnt/Ice/Backup/Arr-ZimaOS | 777 | `src` | `src` | Enabled | Bobby has explicit entry |
| 7 | **hermes_agent** | /mnt/FastPool/dockge/configs/hermes_agent | 751 | `apps` | `apps` | Disabled | Owner RWX, Group RX, Other X |

### POSIX Mode Interpretation

- **777** = owner, group and other all have read, write and execute: the directory is world-writable
- **751** = owner has RWX, group has RX, other has execute only (other users can traverse the directory by name but cannot list or modify it)

### SMB-Authorized Users

Only 3 custom users have SMB enabled:

| Username | UID | Home | SMB | Groups |
|----------|-----|------|-----|--------|
| `jumpbox` | 3000 | /var/empty | ✅ | GID 3000 (jumpbox) |
| `bobby` | 3001 | /var/empty | ✅ | GID 3001 (bobby) |
| `jarvis` | 1000 | /mnt/FastPool/home/jarvis | ✅ | GID 40 (src), GID 3002 (jarvis) |

**Key Finding:** Only `jarvis` is a member of the `src` group (GID 40); `bobby` and `jumpbox` carry nothing but their own primary groups. Their access to the `src:src` shares therefore does not come from group membership but from the mode: with 777 the "other" bits grant read, write and execute to every user, so **all 3 SMB users have full read/write access to Archive, Backup and Repo**, where the ACL is disabled and the mode is what applies. On ISOs, lab-dash and arr-zimaos the ACL is enabled and effective access follows the ACL entries listed below. A consequence for remediation: tightening only the group bits (e.g. 770) changes nothing for `bobby` and `jumpbox`, and removing the "other" bits locks them out entirely unless they are added to `src` or given explicit ACL entries.
### SMB ACL Details

**Archive:**
- `owner@` — RWX
- `group@` — RWX
- `everyone@` — No access
- ACL disabled; the POSIX mode (777) is the effective permission and grants RWX to every user regardless of the entries above

**Backup:**
- `owner@` — RWX
- `group@` — RWX
- `everyone@` — RWX ⚠️
- ACL disabled; POSIX 777 grants world access

**ISOs:**
- `owner@` — No access
- `group@` — No access
- `everyone@` — No access
- `USER:3001 (bobby)` — explicit entry
- `USER:986 (libvirt-qemu)` — explicit entry
- ACL enabled; effective access is determined by ACL evaluation, so users without an entry (`jarvis`, `jumpbox`) get nothing from the 777 mode

**lab-dash:**
- `owner@` — No access
- `group@` — No access
- `GROUP:545 (builtin_users)` — explicit entry
- `GROUP:544 (builtin_administrators)` — explicit entry
- ACL enabled; effective access is determined by ACL evaluation

**Repo:**
- `owner@` — RWX
- `group@` — RWX
- `everyone@` — RWX ⚠️
- ACL disabled; POSIX 777 grants world access

**arr-zimaos:**
- `owner@` — No access
- `group@` — No access
- `everyone@` — No access
- `USER:3001 (bobby)` — explicit entry
- ACL enabled; effective access is determined by ACL evaluation

**hermes_agent:**
- `USER_OBJ` — X only
- `GROUP_OBJ` — X only
- `OTHER` — X only
- ACL disabled; the POSIX mode 751 is the effective permission (owner RWX, group RX, other X)

---

## 3. NFS Shares (7 Total)

| # | Path | Networks | Read-Only | Root Squash | Notes |
|---|------|----------|-----------|-------------|-------|
| 1 | /mnt/Ice/Archive | ALL | No | No ⚠️ | Open to all networks |
| 2 | /mnt/Ice/Backup | ALL | No | No ⚠️ | Open to all networks |
| 3 | /mnt/Ice/ISOs | ALL | No | No ⚠️ | Open to all networks |
| 4 | /mnt/Ice/Repo | ALL | No | No ⚠️ | Open to all networks |
| 5 | /mnt/Ice/Backup/proxmox-pool/ds-mp-share | 192.168.0.0/18 | No | No ⚠️ | Restricted to LAN |
| 6 | /mnt/Ice/Backup/proxmox-pool/pve-ct-stor | 192.168.0.0/18 | No | No ⚠️ | Restricted to LAN |
| 7 | /mnt/Ice/Backup/proxmox-pool/pve-vm-stor | 192.168.0.0/18 | No | No ⚠️ | Restricted to LAN |

### NFS Security Concerns

1. **4 exports open to all networks** (Archive, Backup, ISOs, Repo): any host that can reach the NFS port can mount them, read/write
2. **No root squash reported on any export**: a client's root maps to the server's root (uid 0), so root on any mounting client can read, overwrite or delete anything in the export, including the backups
3. **No read-only exports**: all seven allow writes
4. **No maproot/mapall user set**: clients access with their native UIDs under AUTH_SYS, which the server accepts as presented; nothing authenticates the client, so a UID is trivially chosen by whoever controls the client

Caveat on finding 2: Linux nfsd, which TrueNAS SCALE uses, squashes root by default unless `no_root_squash` appears in the export's options. Before acting on this finding, confirm it on the server with `exportfs -v` (or `cat /etc/exports`) and check whether each export actually carries `no_root_squash`; if it shows `root_squash`, the `Maproot User` field is merely unset and root is already being mapped.

### NFS Recommendations

- **Restrict networks:** set Networks to `192.168.0.0/18` (or narrower; the server sits in 192.168.16.0/24) on Archive, Backup, ISOs and Repo
- **Squash root:** set `Maproot User = nobody` and `Maproot Group = nogroup` on every export. Do not set `Maproot User = root`: that explicitly preserves root (`no_root_squash`), which is the opposite of the goal
- **Consider read-only** for Archive and ISOs if they don't need writes over NFS
- **Add host restrictions** (the Hosts field) for sensitive exports (Backup, Repo), listing only the clients that must mount them
- **Verify the result** with `exportfs -v`, which lists the options actually in effect for each export and client
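The checks above can be scripted. The following is an added example, not part of the original report and not a TrueNAS tool: it parses text in exports(5) syntax (what `cat /etc/exports` prints, and what `exportfs -v` prints, including its wrapped long paths) and flags each export/client pair that is world-mountable, writable, or has root squash disabled, applying the Linux default that root is squashed unless `no_root_squash` is present. The sample exports are constructed for the example and are not the audited server's file.

```python
"""Flag world-open, writable and no_root_squash NFS exports.

Added example; not from the original report. Parses exports(5)-style text
as produced by `cat /etc/exports` or `exportfs -v` on TrueNAS SCALE.
"""
import re
import shlex
import sys

# Constructed sample in exports(5) syntax; NOT the real /etc/exports of the server.
# The pve-ct-stor entry mimics how `exportfs -v` wraps a long path onto two lines.
SAMPLE_EXPORTS = """\
# /etc/exports (constructed sample)
"/mnt/Ice/Archive" *(sec=sys,rw,no_subtree_check,no_root_squash)
"/mnt/Ice/Backup"  *(sec=sys,rw,no_subtree_check,no_root_squash)
"/mnt/Ice/Backup/proxmox-pool/pve-vm-stor" 192.168.0.0/18(sec=sys,rw,no_subtree_check)
/mnt/Ice/Backup/proxmox-pool/pve-ct-stor
        192.168.0.0/18(sec=sys,rw,no_subtree_check)
"/mnt/Ice/ISOs" 192.168.16.0/24(sec=sys,ro,no_subtree_check,root_squash)
"""

# client(opt,opt,...)  -> client, "opt,opt,..."; a bare "(opts)" has an empty client
CLIENT_RE = re.compile(r"^([^(]*)(?:\((.*)\))?$")
WORLD = {"*", "<world>"}  # "<world>" is how exportfs -v prints an unrestricted export


def parse_exports(text):
    """Yield (path, client, options_set) for every client entry in the text."""
    last_path = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = shlex.split(line)  # handles the quoted paths TrueNAS writes
        if line[0] in '/"':
            last_path, clients = tokens[0], tokens[1:]
        else:
            clients = tokens  # continuation line: client list for the previous path
        if last_path is None or not clients:
            continue  # path only; its client list follows on the next line
        for token in clients:
            m = CLIENT_RE.match(token)
            client = m.group(1) or "*"  # "(opts)" with no client means all hosts
            opts = set(filter(None, (m.group(2) or "").split(",")))
            yield last_path, client, opts


def audit_export(path, client, opts):
    """Evaluate one export/client pair against the three concerns above."""
    world = client in WORLD
    rw = "rw" in opts                           # exports(5) default is ro
    root_squash = "no_root_squash" not in opts  # exports(5) default is root_squash
    risks = []
    if world:
        risks.append("open to all networks")
    if not root_squash:
        risks.append("client root = server root")
    if rw and (world or not root_squash):
        risks.append("writable")
    return {"path": path, "client": client, "rw": rw,
            "root_squash": root_squash, "world": world, "risks": risks}


def audit_exports(text):
    """Findings for every client entry, in file order."""
    return [audit_export(*entry) for entry in parse_exports(text)]


def report(text):
    """One line per export/client pair, flagged when any risk applies."""
    lines = []
    for f in audit_exports(text):
        flag = "WARN" if f["risks"] else "ok  "
        lines.append(f"{flag} {f['path']} [{f['client']}] rw={f['rw']} "
                     f"root_squash={f['root_squash']} {'; '.join(f['risks'])}")
    return "\n".join(lines)


if __name__ == "__main__":
    # On the server: python3 audit_exports.py < /etc/exports
    text = SAMPLE_EXPORTS if sys.stdin.isatty() else sys.stdin.read()
    print(report(text))
```

Run it against the real file over SSH with `python3 audit_exports.py < /etc/exports`; an export whose line carries `root_squash` or no squash option at all is reported as squashed, which is the point of the caveat on finding 2.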
---

## 4. User & Group Analysis

### Custom Users (4 total)

| User | UID | SMB | Sudo | Groups | Purpose |
|------|-----|-----|------|--------|---------|
| `truenas_admin` | 950 | No | No | src, truenas_admin | Local admin account |
| `jumpbox` | 3000 | ✅ | No | jumpbox | Jumpbox/automation user |
| `bobby` | 3001 | ✅ | No | bobby | Primary user |
| `jarvis` | 1000 | ✅ | No | src, jarvis | Primary automation user |

### Relevant Groups

| GID | Group | Members | Notes |
|-----|-------|---------|-------|
| 40 | `src` | jarvis, truenas_admin | Source/build group; owns most shares |
| 3000 | `jumpbox` | jumpbox | Jumpbox user's primary group |
| 3001 | `bobby` | bobby | Bobby's primary group |
| 3002 | `jarvis` | jarvis | Jarvis's primary group |
| 544 | `builtin_administrators` | N/A | Windows-style admin group (lab-dash ACL) |
| 545 | `builtin_users` | N/A | Windows-style users group (lab-dash ACL) |

---

## 5. Best Practices Assessment

### ✅ Positive Findings

1. **No guest SMB access** — all shares require authentication
2. **SSH enabled, password authentication believed disabled** — inferred from key-based fleet access, not verified in this review; confirm under Services → SSH
3. **FTP/iSCSI/SNMP disabled** — reduces attack surface
4. **Both pools healthy** — no degradation or errors
5. **Custom users for different purposes** — separation of concerns (jumpbox vs bobby vs jarvis)
6. **ACL enabled on some shares** — ISOs, lab-dash, arr-zimaos use explicit ACLs
7. **Proxmox NFS exports restricted to LAN** — good network segmentation for VM/CT storage

### ⚠️ Areas for Improvement

1. **POSIX 777 on 6 of 7 SMB shares** (all but hermes_agent); on Archive, Backup and Repo the ACL is disabled and the mode is the effective permission. Consider:
   - `chmod 770` for shares that only need access by `src` members; note that only `jarvis` and `truenas_admin` are in `src`, so `bobby` and `jumpbox` must be added to the group first or they lose access
   - `chmod 750` for shares that should be read-only for the group (Archive, ISOs)
   - on ISOs, lab-dash and arr-zimaos the ACL is enabled; change those through the ACL editor rather than `chmod`, since on an NFSv4-ACL dataset `chmod` is refused or discards the ACL depending on the ZFS `aclmode` property
   - `chmod` on the share root changes only that directory; existing files and subdirectories keep their own modes
2. **NFS exports 1-4 open to all networks** — high risk:
   - Add a `192.168.0.0/18` restriction to all exports
   - Consider even narrower subnets per export purpose
3. **No root squash on NFS** — root on a client is root on the server (confirm with `exportfs -v`, see section 3):
   - Set `Maproot User = nobody` and `Maproot Group = nogroup` on all NFS exports
   - This is standard practice for NFS
4. **hermes_agent share** — POSIX 751 but owner is `apps:apps`:
   - Verify `apps` user is expected to own this directory
   - Consider if `jarvis` or `bobby` should also have access
5. **Backup share has 777 + everyone RWX** — any authenticated SMB user, and through the unrestricted NFS export any host at all, can modify or delete backups:
   - Restrict to `src` group only (`chmod 770`)
   - Remove `other` write permissions
6. **Repo share has 777 + everyone RWX** — code repository is world-writable:
   - Restrict to `src` group or narrower
   - Consider read-only for most users

---

## 6. Recommendations (No Changes Made)

### Immediate Priority

| Priority | Action | Shares Affected |
|----------|--------|-----------------|
| 🔴 High | Restrict NFS networks to `192.168.0.0/18` | Archive, Backup, ISOs, Repo |
| 🔴 High | Enable root squash on all NFS exports | All 7 NFS exports |
| 🟡 Medium | Tighten POSIX permissions on SMB shares (add `bobby`/`jumpbox` to `src` first if they must keep access) | Backup, Repo (777 → 770) |
| 🟡 Medium | Verify ACL effectiveness on ISOs/lab-dash/arr-zimaos | ISOs, lab-dash, arr-zimaos |
| 🟢 Low | Document share ownership model | All shares |

### Suggested POSIX Changes (Review Before Applying)

```bash
# Only jarvis and truenas_admin are in src: add bobby and jumpbox to src
# before tightening, or they lose access. Each chmod affects the share root
# only; existing contents keep their modes.

# Backup — restrict to src group only
chmod 770 /mnt/Ice/Backup

# Repo — restrict to src group only
chmod 770 /mnt/Ice/Repo

# Archive — read-only for group
chmod 750 /mnt/Ice/Archive

# ISOs — read-only for group
# (ACL is enabled on this share; prefer the ACL editor over chmod)
chmod 750 /mnt/Ice/ISOs
```

### Suggested NFS Changes (Review Before Applying)

```bash
# Add network restrictions to open exports
# In TrueNAS UI: Sharing → NFS → Edit each share
# Set Networks = 192.168.0.0/18

# Enable root squash
# Set Maproot User = nobody, Maproot Group = nogroup
```
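To see what the suggested modes do to each user, the following added example (not from the original report, and not TrueNAS code) applies the POSIX permission rule to the users and groups listed in sections 2 and 4 and compares the current 777 with the 770 and 750 proposed above. It also demonstrates the point made under the key finding in section 2: `bobby` and `jumpbox` hold access only through the "other" bits. The report does not state the uid of the `src` owner account, so it is assumed here to be a uid that none of the four custom users has.

```python
"""Effective POSIX access of the report's users on the src:src shares.

Added example; not part of the original report. Rule: POSIX checks exactly
one class, owner if the uid matches, else group if the user is a member of
the file's group, else other. It never falls through to a later class.
"""

# Users from section 4: name -> (uid, set of gids). Data as reported.
USERS = {
    "truenas_admin": (950, {40}),
    "jumpbox": (3000, {3000}),
    "bobby": (3001, {3001}),
    "jarvis": (1000, {40, 3002}),
}
SRC_GID = 40
SRC_OWNER_UID = 60000  # assumption: uid of the `src` owner, not one of the users above


def bits(octal_digit):
    """Permissions granted by one octal digit, e.g. 5 -> {'r', 'x'}."""
    return {p for p, mask in (("r", 4), ("w", 2), ("x", 1)) if octal_digit & mask}


def posix_access(mode, owner_uid, group_gid, uid, gids):
    """Set of r/w/x that a user with (uid, gids) holds on a path with `mode`."""
    owner, group, other = (int(d) for d in f"{mode:03o}")
    if uid == owner_uid:
        return bits(owner)
    if group_gid in gids:
        return bits(group)
    return bits(other)


def share_access(mode, users=USERS, owner_uid=SRC_OWNER_UID, group_gid=SRC_GID):
    """Access of every user as an 'rwx'-ordered string ('' means no access)."""
    return {
        name: "".join(sorted(posix_access(mode, owner_uid, group_gid, uid, gids),
                             key="rwx".index))
        for name, (uid, gids) in users.items()
    }


def locked_out(mode, **kw):
    """Users with no access at all (not even traversal) under `mode`."""
    return sorted(user for user, acc in share_access(mode, **kw).items() if not acc)


def add_to_group(names, gid, users=USERS):
    """Copy of the user table with `names` added to group `gid` (the remediation)."""
    return {name: (uid, gids | ({gid} if name in names else set()))
            for name, (uid, gids) in users.items()}


if __name__ == "__main__":
    for mode in (0o777, 0o770, 0o750):
        print(f"mode {mode:o}: {share_access(mode)}  locked out: {locked_out(mode)}")
    fixed = add_to_group({"bobby", "jumpbox"}, SRC_GID)
    print(f"mode 770 after adding bobby/jumpbox to src: {share_access(0o770, users=fixed)}")
```

Under 777 everyone gets `rwx`; under 770 or 750 `bobby` and `jumpbox` drop to nothing while `jarvis` and `truenas_admin` keep group access, and only after adding the two to `src` does 770 give all four users what the recommendation intends. The owner-class check also shows why a restrictive owner triple is never rescued by permissive group or other bits.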
---

## 7. Access Matrix

### Who Can Access What

| User | SMB | NFS (LAN) | Primary Shares |
|------|-----|-----------|----------------|
| `bobby` | ✅ Yes | ✅ Yes (all LAN) | Archive, Backup, Repo through the mode 777 "other" bits (not in `src`); ISOs and arr-zimaos through explicit ACL entries |
| `jarvis` | ✅ Yes | ✅ Yes (all LAN) | Archive, Backup, Repo as a `src` group member; ACL-enabled shares per their ACLs (no explicit entry on ISOs or arr-zimaos) |
| `jumpbox` | ✅ Yes | ✅ Yes (all LAN) | Archive, Backup, Repo through the mode 777 "other" bits only (not in `src`); no explicit entry on any ACL-enabled share |
| `truenas_admin` | ❌ No | ✅ Yes (root) | Full server access (admin) |
| `root` (remote) | N/A | ✅ Root = Root ⚠️ | Full server access via NFS, if root squash is confirmed off |

---

*End of Report — No changes were made to the TrueNAS configuration.*