Develop to main

Cargo.toml

@@ -11,7 +11,7 @@ members = [
 ]
 
 exclude = [
-    "keysas-usbfilter"
+    "keysas-firewall"
 ]
 
 [patch.crates-io.loopdev]

README.md

@@ -5,21 +5,23 @@
 # USB virus cleaning station
 
 # Main features
+
 - Retrieve untrusted files from USB (via keysas-io) or over the network
 - Perform multiple checks
-    - Run anti-virus check (ClamAV)
-    - Run Yara parsing
-    - Run extensions and size checks
+  - Run anti-virus check (ClamAV)
+  - Run Yara parsing
+  - Run extensions and size checks
 - Signatures (Files and USB keys)
     - Trusted (Outgoing) USB device must be signed with Keysas-admin app
     - Each verified file signature is stored in the corresponding file report  
     - Signatures are post-quantum proof (hybrid Ed25519/Diltithium5 scheme)
     - Private keys are stored using PKCS#8 format
     - x509 certificates are signed by the internal PKI (using Keysas-admin)
 - Authentication
-    - Users can be authenticated using personal Yubikeys 5
+  - Users can be authenticated using personal Yubikeys 5
 
 # Keysas-core
+
 ## Architecture
 
 <div align="center">
@@ -34,6 +36,7 @@ Files are passed between daemons as raw file descriptors and using abstract sock
  - Daemons are sandboxed using Seccomp (x86_64 & aarch64)
 
 ## Other binaries or applications available
+
  - Keysas-io: Daemon watching udev events to verify the signature of any mass storage USB devices and mount it as a IN (no or invalid signature) or OUT device (valid signature).
  - Keysas-sign: Command line utility to import PEM certificate via Keysas-admin
  - Keysas-fido: Command line utility to manage Yubikeys 5 enrollment
@@ -43,8 +46,9 @@ Files are passed between daemons as raw file descriptors and using abstract sock
 
 ## Installation
 
-On Debian stable (Bookwoom):
-```
+On Debian stable (Bookwoom only):
+
+```bash
 apt -qy install -y libyara-dev libyara9 wget cmake make lsb-release software-properties-common libseccomp-dev clamav-daemon clamav-freshclam pkg-config git bash libudev-dev libwebkit2gtk-4.0-dev build-essential curl wget libssl-dev libgtk-3-dev libayatana-appindicator3-dev librsvg2-dev
 bash -c "$(wget -O - https://apt.llvm.org/llvm.sh)"
 curl https://sh.rustup.rs -sSf | sh -s -- --default-toolchain nightly -y
@@ -54,7 +58,7 @@ make help
 make build
 make install
 ```
+
 ## User documentation
 
 User documentation can be found here : [https://keysas.fr](https://keysas.fr)
-

documentation/user_documentation/conf.py

@@ -24,9 +24,10 @@
 author = 'Stephane N'
 
 # The short X.Y version
-version = '2.0'
+version = '2.1'
 # The full version, including alpha/beta/rc tags
-release = 'v2.0'
+release = 'v2.1'
+
 
 
 # -- General configuration ---------------------------------------------------

documentation/user_documentation/index.rst

@@ -35,5 +35,7 @@ User documentation
    networkgw
    raspberry
    keysas-admin
+   windows_firewall
+
 
 

documentation/user_documentation/installation.rst

@@ -38,8 +38,9 @@ Getting **Keysas**
 -------------------
 
 A pre-compiled **Keysas** binary is at your
-disposal, you can choose and download a specific version of **Keysas**
-using the :ref:`download section <download>`.
+disposal. We recommend using the latest version here:
+https://github.com/r3dlight/keysas/tags
+
 
 Download the following files of lastest stable version.
  * keysas-vx.y.z.zip

documentation/user_documentation/raspberry.rst

@@ -21,8 +21,9 @@ The code is entirely written in Rust, sandboxed, and follows the principle of le
 
 Download
 =========
-- `keysas-sd-v2.0 <https://keysas.fr/download/rasp/keysas-sd-v2.0.tar.gz>`_ (`sha256 <https://keysas.fr/download/rasp/keysas-sd-v2.0.tar.gz.sha256>`_)
-- `keysas-admin-v2.0 (GNU/Linux) <https://keysas.fr/download/keysas-admin/v0.2.0/keysas-admin_2.0_amd64.AppImage>`_ (`sha256 <https://keysas.fr/download/keysas-admin/v2.0/keysas-admin_2.0_amd64.AppImage.sha256>`_)
+- `keysas-sd-v2.1 <https://keysas.fr/download/rasp/keysas-sd-v2.1.tar.gz>`_ (`sha256 <https://keysas.fr/download/rasp/keysas-sd-v2.1.tar.gz.sha256>`_)
+- `keysas-admin-v2.1 (GNU/Linux) <https://keysas.fr/download/keysas-admin/v2.1/keysas-admin_2.1_amd64.AppImage>`_ (`sha256 <https://keysas.fr/download/keysas-admin/v2.1/keysas-admin_2.1_amd64.AppImage.sha256>`_)
+
 
 The downloaded image will automatically resize according to the size of your MicroSD card.
 To copy the **Keysas** station image to your SD card:

documentation/user_documentation/windows_firewall.rst

@@ -0,0 +1,63 @@
+********************
+Windows USB firewall
+********************
+
+**Keysas** system also includes a **USB firewall** for Windows in order to check that:
+- USB stick plugged on user laptop have been checked by a Keysas station;
+- Files on the USB stick have been validated by the station.
+
+.. warning::
+ **USB firewall** has only been tested on Windows 10 laptop in debug mode for now.
+
+Architecture
+============
+
+The firewall is composed of four elements:
+
+- In kernel space
+  - A USB bus filter driver
+  - A minifilter (driver to filter system calls towards the filesystem)
+- In userspace
+  - A daemon supervising the two drivers and checks files and reports based on the system security policy
+  - A tray application to allow the end user to control the security settings
+
+Security Policy configuration
+=============================
+
+System security policy is configured from a TOML file at the base of the Daemon directory.
+The policy is configured with:
+
+- 'disable_unsigned_usb': if set to 'true', unsigned usb devices are allowed. No checks are performed on files on these devices.
+- 'allow_user_usb_authorization': if set to 'true', grant the user the ability to manually allow unsigned USB devices. No checks are performed on files on these devices.
+- 'allow_user_file_read': if set to 'true', grant the user the ability to manually allow read access to an unsigned file.
+- 'allow_user_file_write': if set to 'true', grant the user the ability to manually allow write access to file on a USB device. 'allow_user_file_read' must also be set to true.
+
+If parameters are missing from the configuration file, they are considered to be set to 'false'.
+
+CA certificates must be provided to the daemon. The path to the pem files is given as arguments to the command line.
+
+The complete command line is
+
+```bash
+./keysas-usbfilter-daemon.exe -config <path to security policy file> -ca_cl <path to CA ED25519 certificate> -ca_pq <path to CA Dilithium5 certificate>
+```
+
+Installation
+============
+
+Driver compilation
+------------------
+
+The drivers have been tested on a Windows 10 laptop in debug mode (unsigned driver allowed).
+They have been compiled with Microsoft Visual Studio 2022 with SDK and WDK version 10.0.22621.0.
+
+Service and application compilation
+-----------------------------------
+
+The Keysas daemon and tray application have been compiled and tested on Windows 10 with the following dependencies:
+
+- Rust toolchain: for example <https://learn.microsoft.com/en-us/windows/dev-environment/rust/setup>
+- Clang toolchain: for example <https://rust-lang.github.io/rust-bindgen/requirements.html>
+- CMake: <https://cmake.org/>
+- Tauri: <https://tauri.app/>
+- Npm: for example <https://docs.npmjs.com/downloading-and-installing-node-js-and-npm>

keysas-admin/src-tauri/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "keysas-admin"
-version = "2.0.0"
+version = "2.1.0"
 description = "Keysas stations administration application"
 authors = ["Stephane N", "Luc Bonnafoux"]
 license = "GPL-3.0"

keysas-backend/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "keysas-backend"
-version = "2.0.0"
+version = "2.1.0"
 edition = "2021"
 
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html

keysas-core/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "keysas-core"
-version = "2.0.0"
+version = "2.1.0"
 edition = "2021"
 
 [dependencies]

keysas-core/debian/keysas-transit.security

@@ -28,7 +28,6 @@ MemoryDenyWriteExecute=yes
 TemporaryFileSystem=/etc
 BindReadOnlyPaths=/etc/keysas
 TemporaryFileSystem=/var
-BindPaths=/var/local/transit
 IPAddressDeny=any
 RestrictAddressFamilies=AF_INET AF_UNIX
 IPAddressAllow=127.0.0.1/8

keysas-firewall/README.md

@@ -0,0 +1,78 @@
+# Keysas USB firewall
+
+The keysas USB firewall is used on Windows client to control that:
+
+- USB devices connected have been enrolled in the system
+- Files on USB devices have been validated by a Keysas station
+
+## Architecture
+
+The firewall is composed of four elements:
+
+- In kernel space
+  - A USB bus filter driver
+  - A minifilter (driver to filter system calls towards the filesystem)
+- In userspace
+  - A daemon that supervises the two drivers and checks files and reports based on the system security policy
+  - A tray application to allow the end user to control the security settings
+
+## Security Policy configuration
+
+System security policy is configured from a TOML file at the base of the Daemon directory.
+The policy is configured with:
+
+- 'disable_unsigned_usb': if set to 'true' unsigned usb devices are allowed. No checks are performed on files on these devices.
+- 'allow_user_usb_authorization': if set to 'true' grant the user the ability to manually allow unsigned USB devices. No checks are performed on files on these devices.
+- 'allow_user_file_read': if set to 'true' grant the user the ability to manually allow read access to an unsigned file.
+- 'allow_user_file_write': if set to 'true' grant the user the ability to manually allow write access to file on a USB device. 'allow_user_file_read' must also be set to true.
+
+If parameters are missing from the configuration file they are considered to be set to 'false'.
+
+CA certificates must be provided to the daemon. The path to the pem files is given as arguments to the command line.
+
+The comple command line is
+
+```bash
+./keysas-usbfilter-daemon.exe -config <path to security policy file> -ca_cl <path to CA ED25519 certificate> -ca_pq <path to CA Dilithium5 certificate>
+```
+
+## TODO List
+
+ This firewall is still a work in progress.
+
+- USB bus filter driver
+  - [ ] Bus call interception
+- Minifilter
+  - [X] System call interception and filtering
+  - [X] Track per file context
+  - [X] Allow authorization changes
+  - [X] Filter file open and create operations
+  - [X] Filter write operation
+  - [ ] Clean code: check IRQL, check paging, check fastIO, check sparse file API, check all flags in the pre-op filters...
+- Daemon
+  - [X] Check report and files
+  - [X] Use CA certificate to check report certificate
+  - [X] Enforce system security policy
+  - [ ] Check USB devices
+- Tray app
+  - [X] Display files
+  - [~] Display USB devices
+  - [X] Allow authorization changes
+  - [X] Add drop down menu for authorization selection
+
+## Installation
+
+### Driver compilation
+
+The drivers have been tested on a Windows 10 laptop in debug mode (unsigned driver allowed).
+They have been compiled with Microsoft Visual Studio 2022 with SDK and WDK version 10.0.22621.0.
+
+### Service and application compilation
+
+The Keysas daemon and tray application have been compiled and tested on Windows 10 with the following dependencies:
+
+- Rust toolchain: for example <https://learn.microsoft.com/en-us/windows/dev-environment/rust/setup>
+- Clang toolchain: for example <https://rust-lang.github.io/rust-bindgen/requirements.html>
+- CMake: <https://cmake.org/>
+- Tauri: <https://tauri.app/>
+- Npm: for example <https://docs.npmjs.com/downloading-and-installing-node-js-and-npm>

keysas-firewall/daemon/Cargo.toml

@@ -19,6 +19,13 @@ wchar = "0.11"
 mbrman = "0.5"
 libc = "0.2"
 keysas_lib = { path = "../../keysas_lib" }
+serde = "1.0"
+serde_json = "1.0"
+serde_derive = "1.0"
+clap = { version = "4", default-features = false, features = ["std", "cargo"] }
+toml = "0.7"
+libmailslot = {path = "../libmailslot"}
+x509-cert = "0.2"
 
 [dependencies.windows]
 version = "0.48.0"