Security hardening recommendations from auditors

[olljanat]

RancherOS Version: (ros os version)
1.5.1 + Ubuntu console

Security auditors did give us following recommendations about Rancher OS hardening.
Would it be possible to get at least some of these to official version?

Severity: Medium

PAM

/etc/pam.d/system-auth

# require at least one uppercase character, lowercase
# character, digit, and other (special) character
password required pam_cracklib.so try_first_pass retry=3 minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1

# use the SHA-512 algorithm, remembered 12 recent passwords
password required pam_unix.so sha512 remember=12

# set the number of attempts permitted before the account
# is locked to 6 and the time before the account is
# automatically unlocked to 900 s
auth required pam_tally2.so deny=6 onerr=fail unlock_time=900
account required pam_tally2.so

password requisite pam_pwquality.so try_first_pass retry=3
# use the SHA-512 algorithm, remembered 12 recent passwords
password required pam_unix.so sha512 remember=12

# attempts permitted before the account is locked to 6
# and the time before the account is automatically unlocked to 900 s
auth required pam_faillock.so preauth audit silent deny=6 unlock_time=900
auth [success=1 default=bad] pam_unix.so
auth [default=die] pam_faillock.so authfail audit deny=6 unlock_time=900
auth sufficient pam_faillock.so authsucc audit deny=6 unlock_time=900

/etc/pam.d/password-auth

password requisite pam_pwquality.so try_first_pass retry=3
# attempts permitted before the account is locked to 6
# and the time before the account is automatically unlocked to 900 s
auth required pam_faillock.so preauth audit silent deny=6 unlock_time=900
auth [success=1 default=bad] pam_unix.so
auth [default=die] pam_faillock.so authfail audit deny=6 unlock_time=900
auth sufficient pam_faillock.so authsucc audit deny=6 unlock_time=900

/etc/security/pwquality.conf

minlen=14
dcredit=-1
ucredit=-1
ocredit=-1
lcredit=-1

Password policy

/etc/login.defs

PASS_MAX_DAYS 90
PASS_MIN_DAYS 7
PASS_MIN_LEN 8
PASS_WARN_AGE 7

SSH

/etc/ssh/sshd_config

# Only SSH protocol version 2 connections allowed
Protocol 2

# Disable .rhosts files
IgnoreRhosts yes

# Disable host-based authentication
HostbasedAuthentication no

# Disable root login via SSH
PermitRootLogin no

# Disable empty passwords
PermitEmptyPasswords no

# Disable SSH X11 Forwarding
X11Forwarding no

# Maximum number of authentication attempts permitted per connection
MaxAuthTries 4

# Do Not Allow Users to Set Environment Options
PermitUserEnvironment no

# Set Idle Timeout Interval for User Login
ClientAliveInterval 300
ClientAliveCountMax 0

# Privilege separation.
UsePrivilegeSeparation sandbox
AllowTcpForwarding no

Severity: Low

Mount

add the text ',nodev' to the list of mount options in column 4.
Consider also applying the following mount options for data and log file systems: noexec, nosuid

Core dumps

/etc/security/limits.conf

* hard core 0

SELinux

/etc/sysconfig/selinux

SELINUX=enforcing
SELINUXTYPE=targeted

Log files

Access rights

Remove unnecessary access rights from log files. Allow access only to a specific user and group, not all users of the system.

Log rotate

To ensure that all important messages are captured consider to apply the configuration
suggested by "Guide to the Secure Configuration of Red Hat Enterprise Linux 5"

Verify that each log file referenced in /etc/rsyslog.conf is also rotated - listed in the
/etc/logrotate.d/syslog file. Make sure that there is reasonable history of log data
available - 2 months is recommended.

[nvx]

Half of that seems to be related to passwords. I don't know about you but I run my RancherOS hosts with no password auth permitted, ssh key only. This seems to be the recommended configuration.

As for the ssh configuration changes, I know personally I've made use of SSH port forwarding on Rancher before when debugging services, so it would be annoying having this change made as a default because someones audit tool made some general recommendations.

[olljanat]

@nvx good point but then probably PasswordAuthentication no should be included to sshd_config by default? Then setting password for user rancher (which is needed example for enabling console access) does not weaken security.

What is optimal level of hardening by default is of course good question but IMO nowadays best practice is enable security hardenings by default and create guidance how to disable those in-case it is needed. Especially on this kind of "one purpose" operating systems like Rancher OS is.

[Exadra37]

Since I started as a developer in 2010 and saw how insecure the software is by default that I advocate for this type of policy suggested by @olljanat to be the default in every product release of any software:

but IMO nowadays best practice is enable security hardenings by default and create guidance how to disable those in-case it is needed. Especially on this kind of "one purpose" operating systems like Rancher OS is.

Lot of the security issues the companies face nowadays in terms of security stem from security being opt-in, instead of opt-out.

So, secure defaults are not worthwhile to be considered?

It's preferred developer convenience over security?

[olljanat]

@Exadra37 problem here (and the reason why I closed this issue) is that Rancher OS is EOL #3000

On our fork BurmillaOS side I did enforce some of those settings already:

• https://github.com/burmilla/os/releases/tag/v1.9.0
• https://github.com/burmilla/os/blob/15639e103fe01e5ac35784793ad4731e5cd889b4/images/02-console/sshd_config.append.tpl#L16-L23
  but change on there is that there is no enough maintainers Wanted: Maintainers burmilla/os#2 so it is currently matter of my free time and interest about which improvements gets included to it.

[Exadra37]

Thanks for letting me know, and now I am really pissed of for having spent so much time fiddling with RancherOS to write a guide for it and to setup it to run my workloads on DigitalOcean.

I hope that BurnillaOS is adopted by DigitalOcean for the 1 click install.