Best practices for hardening file permissions on BOSH job scripts and rendered templates
Article ID: 438209

calendar_today

Updated On:

Products

VMware Tanzu Platform - Cloud Foundry

Issue/Introduction

Security scanning tools (such as Mythos) may flag BOSH pre-start scripts or rendered templates because they contain sensitive secrets but possess standard file permissions (e.g., 0644). Customers often seek to tighten these permissions to 0700 and change ownership to root:root to mitigate unauthorized access.

Symptoms

  • Compliance reports identifying world-readable or group-readable files containing credentials in /var/vcap/jobs/.
  • Manual chmod or chown changes being overwritten after a BOSH deploy or recreate.

Cause

BOSH rendered templates are generated during the deployment lifecycle. By default, many files are readable by the vcap user to allow processes to start. Because anyone with bosh ssh access can typically escalate to root via sudo -i, simple filesystem permissions provide limited security depth.

Resolution

Broadcom recommends a two-tiered approach to securing job secrets.

1. Primary Defense: BOSH Process Manager (BPM)

The most effective way to secure job files is to run the job under BOSH Process Manager (BPM). BPM places a container wrapper around job processes, which:

  • Restricts the process's view of the filesystem.
  • Ensures the process can only access the specific files and directories explicitly defined in the BPM configuration.
  • Prevents path manipulation exploits from reaching sensitive rendered templates elsewhere on the VM.
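As an added illustration (not taken from the article or from any specific release), the following is the shape of a job's bpm.yml for a process that needs only its own job directory and one extra read-only data path. The job name, executable and volume path are constructed; the default mounts described in the comment are BPM's documented behaviour.

```yaml
# Added example, not from the article: /var/vcap/jobs/example-job/config/bpm.yml
# (job name, executable and volume paths are constructed for illustration).
processes:
- name: example-job
  executable: /var/vcap/packages/example-job/bin/example-job
  args:
  - --config
  - /var/vcap/jobs/example-job/config/app.yml
  # BPM mounts /var/vcap/jobs/example-job and /var/vcap/packages read-only and
  # exposes only this job's /var/vcap/data, /var/vcap/sys/log and /var/vcap/store
  # directories. Other jobs' rendered templates are not present in the mount
  # namespace at all, so a path-manipulation bug in this process cannot reach them.
  additional_volumes:
  - path: /var/vcap/data/shared-certs
    writable: false
```

The job's monit control file then starts the process with `/var/vcap/jobs/bpm/bin/bpm start example-job` instead of executing the binary directly; anything the process needs beyond the defaults must be listed explicitly under `additional_volumes`, which is what turns the filesystem restriction into an allow-list.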

2. Hardening via os-conf-release (Persistent Permission Changes)

If specific file permissions (e.g., 0700) are required for compliance, use os-conf-release so that the changes are reapplied on every deploy and persist across VM recreations.

  1. Upload the Release: Ensure the latest os-conf-release is uploaded to your BOSH Director.
  2. Define a Runtime Config: Create a runtime-config.yml using the pre-start-script job to apply the changes before the main job starts:
```yaml
releases:
- name: os-conf
  version: 23.0.0
addons:
- name: permission-hardening
  jobs:
  - name: pre-start-script
    release: os-conf
    properties:
      script: |-
        #!/bin/bash
        # Runs as root before the job's own pre-start. Only harden files that
        # are read by root-run hooks; templates the main process reads at
        # runtime must stay readable by the vcap user or the process will
        # fail to start.
        TARGET="/var/vcap/jobs/<JOB_NAME>/bin/pre-start"
        if [ -f "$TARGET" ]; then
          chown root:root "$TARGET"
          chmod 0700 "$TARGET"
        fi
  include:
    instance_groups: [master, worker] # Adjust to your target groups
```
  3. Update Runtime Config: bosh update-runtime-config --name=permission-hardening runtime-config.yml
  4. Deploy: Redeploy the affected instances to apply the hardening script.
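To confirm that the hardening took effect, and that it is still in place after a later deploy or `bosh recreate`, the following audit script is an added example (not part of the article or of os-conf-release). It lists every regular file under a jobs tree whose mode still grants read access to group or other, which is the condition the compliance scanners flag. It builds a constructed sample tree so it runs offline; on an instance, call `audit_perms /var/vcap/jobs` instead. It assumes GNU `find` and `stat` as shipped on BOSH stemcells.

```bash
#!/usr/bin/env bash
# Added example, not from the KB article or os-conf-release: audit a BOSH
# jobs tree for rendered files that are still group- or world-readable.
# The sample job name and file contents below are constructed for the demo.
set -e

# List every regular file under $1 whose mode grants read access to group
# or other. GNU find's "-perm /mode" matches when ANY of the listed bits is
# set. Output format: "<octal mode> <owner>:<group> <path>", one per line.
audit_perms() {
  find "$1" -type f -perm /g+r,o+r -exec stat -c '%a %U:%G %n' {} + | sort
}

# Number of exposed files under $1; 0 means the tree passes the check.
count_exposed() {
  audit_perms "$1" | wc -l | tr -d ' '
}

# Build a constructed job tree that reproduces the scanner finding: a
# pre-start script holding a secret with default 0644 permissions, next to
# a config file that has already been restricted to its owner.
build_sample_tree() {
  local root="$1"
  mkdir -p "$root/example-job/bin" "$root/example-job/config"
  printf '#!/bin/bash\nexport DB_PASSWORD=constructed-secret\n' \
    > "$root/example-job/bin/pre-start"
  printf 'password: constructed-secret\n' > "$root/example-job/config/app.yml"
  chmod 0644 "$root/example-job/bin/pre-start"   # the flagged state
  chmod 0600 "$root/example-job/config/app.yml"  # already hardened
}

# Demo against a throwaway directory: show the finding, apply the same
# change the os-conf script makes, and show that the finding clears.
demo() {
  local tmp
  tmp=$(mktemp -d)
  build_sample_tree "$tmp"
  echo "Before hardening ($(count_exposed "$tmp") exposed):"
  audit_perms "$tmp"
  chmod 0700 "$tmp/example-job/bin/pre-start"
  echo "After hardening ($(count_exposed "$tmp") exposed)."
  rm -rf "$tmp"
}

demo
```

Run it on the instance after the runtime config has been applied and again after a redeploy: a non-zero count from `count_exposed` on the second run means the permission change did not persist and the addon is not reaching that instance group.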
