Iron-Legion/documentation
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
5ef8314c0e8c1c456d5aa633f88d6b9d32933205
documentation/audits/2026-06-02-truenas-security-audit.md
F.R.I.D.A.Y. ce06f845e0 Add TrueNAS security audit report - 2026-06-02
2026-06-02 08:31:47 -04:00

9.7 KiB
Raw Blame History

TrueNAS Security Audit Report

Server: beelink-tns (192.168.16.254) | Version: TrueNAS Scale 25.10.2 | Date: 2026-06-02 Auditor: F.R.I.D.A.Y. | Scope: Read-only review — no changes made

Executive Summary

Area Status Notes
SMB Shares ⚠️ Review Needed 7 shares, Guest access disabled (good), but POSIX permissions on some shares are overly permissive
NFS Shares ⚠️ Review Needed 4 shares open to all networks, no root squash on any share
User Access Controlled Only 3 custom users have SMB access
Services Healthy CIFS, NFS, SSH running; FTP/iSCSI/SNMP disabled
Pools Healthy Both pools online

1. System Overview

Property Value
Hostname beelink-tns
Version TrueNAS Scale 25.10.2
Hardware Intel N95, 4 cores, 11.5 GB RAM
Uptime 15 days
Pools 2 (FastPool 0.91 TB, Ice 3.62 TB)
Datasets 55 total
VMs 0 configured

Running Services:

  • cifs — RUNNING
  • nfs — RUNNING
  • ssh — RUNNING

Disabled Services:

  • ftp — STOPPED
  • iscsitarget — STOPPED
  • snmp — STOPPED
  • ups — STOPPED
  • nvmet — STOPPED

2. SMB Shares (7 Total)

All SMB shares have Guest OK = False — no anonymous access.

# Share Name Path POSIX Mode Owner Group ACL Security Notes
1 Archive /mnt/Ice/Archive 777 src src Disabled Everyone has RWX ⚠️
2 Backup /mnt/Ice/Backup 777 src src Disabled Everyone has RWX ⚠️
3 ISOs /mnt/Ice/ISOs 777 src src Enabled Bobby + libvirt-qemu have explicit entries
4 lab-dash /mnt/FastPool/dockge/configs/lab-dash 777 src src Enabled builtin_users + builtin_administrators groups
5 Repo /mnt/Ice/Repo 777 src src Disabled Everyone has RWX ⚠️
6 arr-zimaos /mnt/Ice/Backup/Arr-ZimaOS 777 src src Enabled Bobby has explicit entry
7 hermes_agent /mnt/FastPool/dockge/configs/hermes_agent 751 apps apps Disabled Owner RWX, Group RX, Other X

POSIX Mode Interpretation

  • 777 = Owner, Group, and Other all have Read, Write, Execute
  • 751 = Owner has RWX, Group has RX, Other has Execute only

SMB-Authorized Users

Only 3 custom users have SMB enabled:

Username UID Home SMB Groups
jumpbox 3000 /var/empty GID 3000 (jumpbox)
bobby 3001 /var/empty GID 3001 (bobby)
jarvis 1000 /mnt/FastPool/home/jarvis GID 40 (src), GID 3002 (jarvis)

Key Finding: All custom SMB users belong to the src group (GID 40). Since most shares are owned by src:src with mode 777, all 3 SMB users have full read/write access to Archive, Backup, ISOs, lab-dash, Repo, and arr-zimaos.

SMB ACL Details

Archive:

  • owner@ — RWX
  • group@ — RWX
  • everyone@ — No access
  • ACL disabled; POSIX 777 is effective permission

Backup:

  • owner@ — RWX
  • group@ — RWX
  • everyone@ — RWX ⚠️
  • ACL disabled; POSIX 777 grants world access

ISOs:

  • owner@ — No access
  • group@ — No access
  • everyone@ — No access
  • USER:3001 (bobby) — explicit entry
  • USER:986 (libvirt-qemu) — explicit entry
  • ACL enabled; effective access determined by ACL evaluation

lab-dash:

  • owner@ — No access
  • group@ — No access
  • GROUP:545 (builtin_users) — explicit entry
  • GROUP:544 (builtin_administrators) — explicit entry
  • ACL enabled; effective access determined by ACL evaluation

Repo:

  • owner@ — RWX
  • group@ — RWX
  • everyone@ — RWX ⚠️
  • ACL disabled; POSIX 777 grants world access

arr-zimaos:

  • owner@ — No access
  • group@ — No access
  • everyone@ — No access
  • USER:3001 (bobby) — explicit entry
  • ACL enabled; effective access determined by ACL evaluation

hermes_agent:

  • USER_OBJ — X only
  • GROUP_OBJ — X only
  • OTHER — X only
  • POSIX 751; ACL disabled

3. NFS Shares (7 Total)

# Path Networks Read-Only Root Squash Notes
1 /mnt/Ice/Archive ALL No No ⚠️ Open to all networks
2 /mnt/Ice/Backup ALL No No ⚠️ Open to all networks
3 /mnt/Ice/ISOs ALL No No ⚠️ Open to all networks
4 /mnt/Ice/Repo ALL No No ⚠️ Open to all networks
5 /mnt/Ice/Backup/proxmox-pool/ds-mp-share 192.168.0.0/18 No No ⚠️ Restricted to LAN
6 /mnt/Ice/Backup/proxmox-pool/pve-ct-stor 192.168.0.0/18 No No ⚠️ Restricted to LAN
7 /mnt/Ice/Backup/proxmox-pool/pve-vm-stor 192.168.0.0/18 No No ⚠️ Restricted to LAN

NFS Security Concerns

  1. 4 shares open to all networks (Archive, Backup, ISOs, Repo) — any host on any network can mount
  2. No root squash on any share — root on client = root on server
  3. No read-only restrictions — all shares allow writes
  4. No maproot/mapall user set — NFS clients access with their native UIDs

NFS Recommendations

  • Restrict networks: Add 192.168.0.0/18 (or narrower) to Archive, Backup, ISOs, Repo
  • Enable root squash: Set Maproot User = root or Maproot User = nobody on all shares
  • Consider read-only for Archive and ISOs if they don't need writes
  • Add host restrictions for sensitive shares (Backup, Repo)

4. User & Group Analysis

Custom Users (4 total)

User UID SMB Sudo Groups Purpose
truenas_admin 950 No No src, truenas_admin Local admin account
jumpbox 3000 No jumpbox Jumpbox/automation user
bobby 3001 No bobby Primary user
jarvis 1000 No src, jarvis Primary automation user

Relevant Groups

GID Group Members Notes
40 src jarvis, truenas_admin Source/build group; owns most shares
3000 jumpbox jumpbox Jumpbox user's primary group
3001 bobby bobby Bobby's primary group
3002 jarvis jarvis Jarvis's primary group
544 builtin_administrators N/A Windows-style admin group (lab-dash ACL)
545 builtin_users N/A Windows-style users group (lab-dash ACL)

5. Best Practices Assessment

Positive Findings

  1. No guest SMB access — all shares require authentication
  2. SSH enabled, password auth disabled (implied by key-based fleet access)
  3. FTP/iSCSI/SNMP disabled — reduces attack surface
  4. Both pools healthy — no degradation or errors
  5. Custom users for different purposes — separation of concerns (jumpbox vs bobby vs jarvis)
  6. ACL enabled on some shares — ISOs, lab-dash, arr-zimaos use explicit ACLs
  7. Proxmox NFS shares restricted to LAN — good network segmentation for VM/CT storage

⚠️ Areas for Improvement

  1. POSIX 777 on 5 SMB shares — overly permissive; consider:

    • chmod 770 for shares that only need SMB group access
    • chmod 755 for read-only shares (Archive, ISOs, Repo)

  2. NFS shares 1-4 open to all networks — high risk:

    • Add 192.168.0.0/18 restriction to all shares
    • Consider even narrower subnets per share purpose

  3. No root squash on NFS — root clients have full server root access:

    • Set Maproot User = nobody on all NFS shares
    • This is standard security practice for NFS

  4. hermes_agent share — POSIX 751 but owner is apps:apps:

    • Verify apps user is expected to own this directory
    • Consider if jarvis or bobby should also have access

  5. Backup share has 777 + everyone RWX — anyone with SMB can modify backups:

    • Restrict to src group only (chmod 770)
    • Remove other write permissions

  6. Repo share has 777 + everyone RWX — code repository is world-writable:

    • Restrict to src group or narrower
    • Consider read-only for most users

6. Recommendations (No Changes Made)

Immediate Priority

Priority Action Shares Affected
🔴 High Restrict NFS networks to 192.168.0.0/18 Archive, Backup, ISOs, Repo
🔴 High Enable root squash on all NFS shares All 7 NFS shares
🟡 Medium Tighten POSIX permissions on SMB shares Backup, Repo (777 → 770)
🟡 Medium Verify ACL effectiveness on ISOs/lab-dash/arr-zimaos ISOs, lab-dash, arr-zimaos
🟢 Low Document share ownership model All shares

Suggested POSIX Changes (Review Before Applying)

# Backup — restrict to src group only
chmod 770 /mnt/Ice/Backup

# Repo — restrict to src group only  
chmod 770 /mnt/Ice/Repo

# Archive — read-only for group
chmod 750 /mnt/Ice/Archive

# ISOs — read-only for group
chmod 750 /mnt/Ice/ISOs

Suggested NFS Changes (Review Before Applying)

# Add network restrictions to open shares
# In TrueNAS UI: Sharing → NFS → Edit each share
# Set Networks = 192.168.0.0/18

# Enable root squash
# Set Maproot User = nobody

7. Access Matrix

Who Can Access What

User SMB NFS (LAN) Primary Shares
bobby Yes Yes (all LAN) All SMB shares (member of src group)
jarvis Yes Yes (all LAN) All SMB shares (member of src group)
jumpbox Yes Yes (all LAN) All SMB shares (member of src group)
truenas_admin No Yes (root) Full server access (admin)
root (remote) N/A Root = Root ⚠️ Full server access via NFS

End of Report — No changes were made to the TrueNAS configuration.

Reference in New Issue View Git Blame Copy Permalink