Iron-Legion/documentation
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
4d0e7d8ff195a67f032c5b5d619dc7486c418632
documentation/audits/2026-06-02-truenas-hardening-chart.md
F.R.I.D.A.Y. 9372e0fe69 Add TrueNAS hardening execution chart - 2026-06-02
2026-06-02 09:34:38 -04:00

4.0 KiB
Raw Blame History

TrueNAS Security Hardening Chart — 2026-06-02

Dataset: beelink-tns (192.168.16.254) | Hardened by: Hermes Agent (Iron Legion) | Total Changes: 16

Execution Summary (Low-to-High Risk Order)

Priority Dataset Risk Level NFS Restricted SMB Enum SMB Read-Only ACL Hardened Status
1 ISOs Very Low Complete
2 Archive Low Complete
3 lab-dash Low-Medium Complete
4 arr-zimaos Low-Medium Complete
5 hermes_agent Medium N/A (POSIX) Complete
6 Repo Medium-High Complete
7 Backup High ⚠️ Blocked (API limit) Partial

Changes Applied

Dataset Action Before After
ISOs NFS restrict Open to ALL networks 192.168.0.0/18 only
ISOs NFS root squash null (root = server root) nobody:nogroup
ISOs SMB read-only readonly=False readonly=True
ISOs ACL clean everyone@ had READ access Removed
Archive NFS restrict Open to ALL 192.168.0.0/18 only
Archive NFS root squash null nobody:nogroup
Archive SMB access enum access_enum=False access_enum=True
Archive ACL clean everyone@ present (denied) setperm 0770 applied
lab-dash SMB access enum access_enum=False access_enum=True
lab-dash ACL clean No everyone@ — unchanged Verified OK
arr-zimaos SMB access enum access_enum=False access_enum=True
arr-zimaos ACL clean everyone@ had TRAVERSE Removed
hermes_agent SMB access enum access_enum=False access_enum=True
hermes_agent ACL POSIX1E 777 Unchanged (Dockge config)
Repo NFS restrict Open to ALL 192.168.0.0/18 only
Repo NFS root squash null nobody:nogroup
Repo SMB access enum access_enum=False access_enum=True
Repo ACL clean everyone@ had full RWX Removed
Backup NFS restrict Open to ALL 192.168.0.0/18 only
Backup NFS root squash null nobody:nogroup
Backup SMB access enum access_enum=False HTTP 422 — blocked
Backup ACL clean everyone@ had full RWX setperm 0770 applied

Known Limitations

  1. Backup SMB Access Enumeration (HTTP 422): Blocked by TrueNAS API due to child dataset proxmox-pool at /mnt/Ice/Backup/proxmox-pool having a POSIX/NFSv4 ACL type mismatch. This is a platform limitation requiring manual UI intervention to align ACL types before API modification succeeds.

  2. hermes_agent ACL: Uses POSIX1E (traditional Unix) ACLs. The OTHER@ entry grants full RWX, but this is a Dockge config directory owned by apps:apps with POSIX 0775 — functionally limited by UID/GID mapping in the container context.

  3. Proxmox NFS shares (IDs 7-9): Already network-restricted to 192.168.0.0/18. Root squash was not enabled because these are Proxmox storage backends (ds-mp-share, pve-ct-stor, pve-vm-stor) that require root-equivalent access for VM/CT disk image operations.

Recommendations for Future Hardening

  1. Resolve Backup SMB ACL mismatch via TrueNAS UI: Check child dataset Ice/Backup/proxmox-pool ACL type. Align parent and child to the same ACL type, then retry access_based_share_enumeration=True.

  2. POSIX → NFSv4 migration on hermes_agent if tighter control is desired. Current POSIX 0775 is acceptable for a single-user apps directory.

  3. Proxmox root squash evaluation: Test whether Proxmox storage backends can operate with maproot_user=nobody. If not, document the permanent exception.

  4. Periodic re-audit: Re-run hardening script quarterly or immediately after any new shares are added.

Generated: 2026-06-02 | Changelog: /tmp/truenas_hardening_changelog.jsonl on Hermes portable host

Reference in New Issue View Git Blame Copy Permalink