Airship Ubuntu/MAAS security guide
Security item list for how Ubuntu is configured on Airship deployed nodes. Change-Id: I8a784f01d4487658f23d6901a8bb3f4702887e19
This commit is contained in:
parent
75ff600a20
commit
9e48ddfe0c
|
@ -35,6 +35,7 @@ be listed as well as the project scope.
|
||||||
* Solution: The solution is how this security concern is addressed in the platform
|
* Solution: The solution is how this security concern is addressed in the platform
|
||||||
* Remediated: The item is solved for automatically
|
* Remediated: The item is solved for automatically
|
||||||
* Configurable: The item is based on configuration. Guidance will be provided.
|
* Configurable: The item is based on configuration. Guidance will be provided.
|
||||||
|
* Mitigated: The item currently mitigated while a permanent remediation is in progress.
|
||||||
* Pending: Addressing the item is in-progress
|
* Pending: Addressing the item is in-progress
|
||||||
* Audit: Auditing the item provides for ongoing monitoring to ensure there is no regression
|
* Audit: Auditing the item provides for ongoing monitoring to ensure there is no regression
|
||||||
* Testing: The item is tested for in an automated test pipeline during development
|
* Testing: The item is tested for in an automated test pipeline during development
|
||||||
|
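Review bot: the new legend entry is missing its verb: "The item currently mitigated while a permanent remediation is in progress" should read "The item is currently mitigated while a permanent remediation is in progress." It would also help to say where the interim mitigation is documented, as the Configurable entry does with "Guidance will be provided", since a reader who sees a *Mitigated* status needs to know what is actually in place until the remediation lands.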
@ -49,3 +50,4 @@ Airship Security Topics
|
||||||
|
|
||||||
template
|
template
|
||||||
haproxy
|
haproxy
|
||||||
|
ubuntu
|
||||||
|
|
|
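Review bot: the toctree gains an "ubuntu" entry after "haproxy"; Sphinx resolves toctree entries by document file name, not by the ``.. _ubuntu_security_guide:`` label defined in the new file, so please confirm the new document is saved as ``ubuntu.rst`` in that directory, otherwise the build warns and the guide is not linked from the Airship Security Topics page.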
@ -0,0 +1,244 @@
|
||||||
|
..
|
||||||
|
Copyright 2018 AT&T Intellectual Property.
|
||||||
|
All Rights Reserved.
|
||||||
|
|
||||||
|
Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
|
not use this file except in compliance with the License. You may obtain
|
||||||
|
a copy of the License at
|
||||||
|
|
||||||
|
http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
|
||||||
|
Unless required by applicable law or agreed to in writing, software
|
||||||
|
distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||||
|
License for the specific language governing permissions and limitations
|
||||||
|
under the License.
|
||||||
|
|
||||||
|
.. _ubuntu_security_guide:
|
||||||
|
|
||||||
|
Canonical Ubuntu/MAAS Security Guide
|
||||||
|
====================================
|
||||||
|
|
||||||
|
Updated: 6-AUG-2018
|
||||||
|
|
||||||
|
This guide covers the configuration of MAAS to run securely and to deploy
|
||||||
|
secure installations of Ubuntu 16.04.x. Some items are above and beyond MAAS
|
||||||
|
when MAAS does not offer the functionality needed to fully secure a
|
||||||
|
newly provisioned server.
|
||||||
|
|
||||||
|
.. contents:: :depth: 2
|
||||||
|
|
||||||
|
Security Item List
|
||||||
|
------------------
|
||||||
|
|
||||||
|
Filesystem Permissions
|
||||||
|
^^^^^^^^^^^^^^^^^^^^^^
|
||||||
|
|
||||||
|
Many files on the filesystem can contain sensitive data that can hasten a malignant
|
||||||
|
attack on a host. Ensure the below files have appropriate ownership and permissions
|
||||||
|
|
||||||
|
================================== ========= ========= ===============
|
||||||
|
Filesystem Path Owner Group Permissions
|
||||||
|
================================== ========= ========= ===============
|
||||||
|
``/boot/System.map-*`` root root ``0600``
|
||||||
|
``/etc/shadow`` root shadow ``0640``
|
||||||
|
``/etc/gshadow`` root shadow ``0640``
|
||||||
|
``/etc/passwwd`` root root ``0644``
|
||||||
|
``/etc/group`` root root ``0644``
|
||||||
|
``/var/log/kern.log`` root root ``0640``
|
||||||
|
``/var/log/auth.log`` root root ``0640``
|
||||||
|
``/var/log/syslog`` root root ``0640``
|
||||||
|
================================== ========= ========= ===============
|
||||||
|
|
||||||
|
- Project Scope: Drydock
|
||||||
|
- Solution *Configurable*: A bootaction will be run to enforce this on first boot
|
||||||
|
- Audit: *Pending*: This will be verified on an ongoing basis via a Sonobuoy plugin
|
||||||
|
|
||||||
|
Filesystem Partitioning
|
||||||
|
^^^^^^^^^^^^^^^^^^^^^^^
|
||||||
|
|
||||||
|
The mounts ``/tmp``, ``/var``, ``/var/log``, ``/var/log/audit`` and ``/home`` should be
|
||||||
|
individual file systems.
|
||||||
|
|
||||||
|
- Project Scope: Drydock
|
||||||
|
- Solution *Configurable*: Drydock supports user designed partitioning, see `Filesystem Configuration`_.
|
||||||
|
- Audit: *Testing*: The Airship testing pipeline will validate that nodes are partitioned
|
||||||
|
as described in the site definition.
|
||||||
|
|
||||||
|
Filesystem Hardening
|
||||||
|
^^^^^^^^^^^^^^^^^^^^
|
||||||
|
|
||||||
|
Disallow symlinks and hardlinks to files not owned by the user. Set ``fs.protected_symlinks`` and
|
||||||
|
``fs.protected_hardlinks`` to ``1``.
|
||||||
|
|
||||||
|
- Project Scope: Diving Bell
|
||||||
|
- Solution *Configurable*: Diving Bell overrides will enforce this kernel tunable. By default
|
||||||
|
MAAS deploys nodes in compliance.
|
||||||
|
- Audit: *Pending*: This will be verified on an ongoing basis via a Sonobuoy plugin.
|
||||||
|
|
||||||
|
Execution Environment Hardening
|
||||||
|
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||||
|
|
||||||
|
The kernel tunable ``fs.suid_dumpable`` must be set to ``0`` and there must be a hard limit
|
||||||
|
disabling core dumps (``hard core 0``)
|
||||||
|
|
||||||
|
- Project Scope: DivingBell, Drydock
|
||||||
|
- Solution *Configurable*: Diving Bell overrides will enforce this kernel tunable, by default
|
||||||
|
MAAS deploys nodes with ``fs.suid_dumpable = 2``. A boot action will put in place
|
||||||
|
the hard limit.
|
||||||
|
- Audit: *Pending*: This will be verified on an ongoing basis via a Sonobuoy plugin
|
||||||
|
|
||||||
|
Randomizing stack space can make it harder to exploit buffer overflow vulnerabilities. Enable
|
||||||
|
the kernel tunable ``kernel.randomize_va_space = 2``.
|
||||||
|
|
||||||
|
- Project Scope: DivingBell
|
||||||
|
- Solution *Configurable*: Diving Bell overrides will enforce this kernel tunable, by default
|
||||||
|
MAAS deploys nodes in compliance.
|
||||||
|
- Audit: *Pending*: This will be verified on an ongoing basis via a Sonobuoy plugin
|
||||||
|
|
||||||
|
Mandatory Access Control
|
||||||
|
^^^^^^^^^^^^^^^^^^^^^^^^
|
||||||
|
|
||||||
|
Put in place the approved default AppArmor profile and ensure that Docker is configured
|
||||||
|
to use it.
|
||||||
|
|
||||||
|
- Project Scope: Drydock, Promenade
|
||||||
|
- Solution *Configurable*: A bootaction will put in place the default AppArmor profile. Promenade
|
||||||
|
will deploy a Docker configuration to enforce the default policy.
|
||||||
|
- Audit: *Pending*: This will be verified on an ongoing basis via a Sonobuoy plugin probing
|
||||||
|
``/proc/<pid>/attr/current``.
|
||||||
|
|
||||||
|
Put in place an approved AppArmor profile to be used by containers that will manipulate the
|
||||||
|
on-host AppArmor profiles. This allows an init container in Pods to put customized AppArmor
|
||||||
|
profile in place and load them.
|
||||||
|
|
||||||
|
- Project Scope: Drydock
|
||||||
|
- Solution *Configurable*: A bootaction will put in place the profile-manager AppArmor profile and
|
||||||
|
load it on each boot.
|
||||||
|
- Audit: *Pending*: The availability of this profile will be verified by a Sonobuoy plugin.
|
||||||
|
|
||||||
|
.. IMPORTANT::
|
||||||
|
|
||||||
|
All other AppArmor profiles must be delivered and loaded by an init container in the Pod
|
||||||
|
that requires them. The Pod must also be decorated with the appropriate annotation to specify
|
||||||
|
the custom profile.
|
||||||
|
|
||||||
|
System Monitoring
|
||||||
|
^^^^^^^^^^^^^^^^^
|
||||||
|
|
||||||
|
Run `rsyslogd` to log events.
|
||||||
|
|
||||||
|
- Project Scope: Drydock
|
||||||
|
- Solution *Remediated*: MAAS installs rsyslog by default.
|
||||||
|
- Audit: *Pending*: This will be verified on an ongoing basis via a Sonobuoy plugin.
|
||||||
|
|
||||||
|
Run a monitor for logging kernel audit events such as auditd.
|
||||||
|
|
||||||
|
- Project Scope: Non-Airship
|
||||||
|
- Solution *Remediated*: The Sysdig Falco <https://sysdig.com/opensource/falco/> will be used and
|
||||||
|
- Audit: *Pending*: This will be verified on an ongoing basis via a Sonobuoy plugin.
|
||||||
|
|
||||||
|
Watch the watchers. Ensure that monitoring services are up and responsive.
|
||||||
|
|
||||||
|
- Project Scope: Non-Airship
|
||||||
|
- Solution *Remediated*: Nagios will monitor host services and Kubernetes resources
|
||||||
|
- Audit: *Validation*: Internal corporate systems track Nagios heartbeats to ensure Nagios is responsive
|
||||||
|
|
||||||
|
Blacklisted Services
|
||||||
|
^^^^^^^^^^^^^^^^^^^^
|
||||||
|
|
||||||
|
The below services are deprecated and should not be enabled or installed on hosts.
|
||||||
|
|
||||||
|
================ ====================
|
||||||
|
Service Ubuntu Package
|
||||||
|
================ ====================
|
||||||
|
telnet telnetd
|
||||||
|
inet telnet inetutils-telnetd
|
||||||
|
SSL telnet telnetd-ssl
|
||||||
|
NIS nis
|
||||||
|
NTP date ntpdate
|
||||||
|
================ ====================
|
||||||
|
|
||||||
|
- Project Scope: Drydock
|
||||||
|
- Solution *Configurable*: A boot action will be used to enforce this on first boot.
|
||||||
|
- Audit: *Pending*: This will be verified on an ongoing basis via Sonobuoy plugin.
|
||||||
|
|
||||||
|
Required System Services
|
||||||
|
^^^^^^^^^^^^^^^^^^^^^^^^
|
||||||
|
|
||||||
|
``cron`` and ``ntpd`` **must** be installed and enabled on all hosts. Only administrative
|
||||||
|
accounts should have access to cron. ``ntpd -q`` should show time synchronization is active.
|
||||||
|
|
||||||
|
- Project Scope: Drydock
|
||||||
|
- Solution *Remediated*: A MAAS deployed node runs cron and configured ntpd by default.
|
||||||
|
- Audit: *Pending*: This will be verified on an ongoing basis via Sonobuoy plugin.
|
||||||
|
|
||||||
|
System Service Configuration
|
||||||
|
^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||||
|
|
||||||
|
If ``sshd`` is enabled, ensure it is securely configured:
|
||||||
|
|
||||||
|
- **Must** only support protocol verison 2 (``Protocol 2``)
|
||||||
|
- **Must** disallow root SSH logins (``PermitRootLogin no``)
|
||||||
|
- **Must** disallow empty passwords (``PermitEmptyPasswords no``)
|
||||||
|
- **Should** set a idle timeout interval (``ClientAliveInterval 600`` and ``ClientAliveCountMax 0``)
|
||||||
|
|
||||||
|
- Project Scope: Drydock
|
||||||
|
- Solution *Configurable*: A boot action will install an explicit configuration file
|
||||||
|
- Audit: *Pending*: This will be verified on an ongoing basis via Sonobuoy plugin.
|
||||||
|
|
||||||
|
Network Security
|
||||||
|
^^^^^^^^^^^^^^^^
|
||||||
|
|
||||||
|
.. IMPORTANT::
|
||||||
|
|
||||||
|
Calico network policies will be used to secure host-level network access. Nothing will
|
||||||
|
be orchestrated outside of Calico to enforce host-level network policy.
|
||||||
|
|
||||||
|
Secure the transport of traffic between nodes and MAAS/Drydock during node deployment.
|
||||||
|
|
||||||
|
- Project Scope: Drydock, MAAS
|
||||||
|
- Solution *Pending*: The Drydock and MAAS charts will be updated to include an Ingress
|
||||||
|
port utilizing TLS 1.2 and a publicly signed certificate. Also the service will enable
|
||||||
|
TLS on the pod IP.
|
||||||
|
- Audit: *Testing*: The testing pipeline will validate the deployment is using TLS to
|
||||||
|
access the Drydock and MAAS APIs.
|
||||||
|
|
||||||
|
.. DANGER::
|
||||||
|
|
||||||
|
Some traffic, such as iPXE, DHCP, TFTP, will utilize node ports and is not encrypted. This
|
||||||
|
is not configurable. However, this traffic traverses the private PXE network.
|
||||||
|
|
||||||
|
Secure Accounts
|
||||||
|
^^^^^^^^^^^^^^^
|
||||||
|
|
||||||
|
Enforce a minimum password length of 8 characters
|
||||||
|
|
||||||
|
- Project Scope: Drydock
|
||||||
|
- Solution *Configurable*: A boot action will update ``/etc/pam.d/common-password`` to specify ``minlen=8`` for ``pam_unix.so``.
|
||||||
|
- Audit: *Pending*: This will be verified on an ongoing basis via Sonobuoy plugin.
|
||||||
|
|
||||||
|
Configuration Guidance
|
||||||
|
----------------------
|
||||||
|
|
||||||
|
Filesystem Configuration
|
||||||
|
^^^^^^^^^^^^^^^^^^^^^^^^
|
||||||
|
|
||||||
|
The filesystem partitioning strategy should be sure to protect the ability for the host to
|
||||||
|
log critical information, both for security and reliability. The log data should not risk
|
||||||
|
filling up the root filesystem (``/``) and non-critical log data should not risk crowding out
|
||||||
|
critical log data. If you are shipping log data to a remote store, the latter concern is
|
||||||
|
less critical. Because Airship nodes are built to **ONLY** run Kubernetes, isolating filesystems
|
||||||
|
such as ``/home`` is not as critical since there is no direct user access and applications
|
||||||
|
are running in a containerized environment.
|
||||||
|
|
||||||
|
Temporary Mitigation Status
|
||||||
|
---------------------------
|
||||||
|
|
||||||
|
|
||||||
|
References
|
||||||
|
----------
|
||||||
|
|
||||||
|
OpenSCAP for Ubuntu 16.04 - https://static.open-scap.org/ssg-guides/ssg-ubuntu1604-guide-common.html
|
||||||
|
Ubuntu 16.04 Server Guide - https://help.ubuntu.com/16.04/serverguide/security.html
|
||||||
|
Canonical MAAS 2.x TLS - https://docs.maas.io/2.3/en/installconfig-network-ssl & https://docs.maas.io/2.4/en/installconfig-network-ssl
|
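Review bot: the Filesystem Permissions table lists ``/etc/passwwd``; that should be ``/etc/passwd``, otherwise a bootaction that enforces the table either fails or leaves the real file untouched, and a Sonobuoy check built from the same table would never flag it. Further points in this file: (1) under System Monitoring the Falco sentence is cut off ("The Sysdig Falco <https://sysdig.com/opensource/falco/> will be used and"), and the Nagios item uses an Audit status *Validation* that is not one of the statuses defined in the legend; (2) under Required System Services, ``ntpd -q`` sets the clock once and exits rather than reporting whether synchronization is active, so the suggested check should be something like ``ntpq -p`` (a peer marked with ``*``); (3) in the sshd list, "verison" should be "version" and "a idle timeout" should be "an idle timeout", and the meaning of ``ClientAliveCountMax 0`` changed in OpenSSH 8.2 (it now disables termination instead of dropping the session after the first missed probe), so the idle-timeout pair should be validated against the sshd version the deployed image actually ships; (4) the "Temporary Mitigation Status" section is empty even though the legend now defines a *Mitigated* status, so either populate it or state that nothing is currently mitigated. Minor: "Diving Bell" and "DivingBell" both appear for the same project, and ``rsyslogd`` uses single backticks where the rest of the file uses double.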