Linux host security
This section provides information about the security hardening and changes that
Mirantis applies to the Ubuntu 16.04 base image. MCP leverages the VCP (Virtual
Control Plane) concept. Depending on the node type, MCP installs the Ubuntu
machines as follows:
- Nodes on bare metal hardware, for example, the Nova compute nodes. Such
  nodes are provisioned using the MAAS provisioning software. MAAS uses a
  maas-ephemeral resource to install the bare metal nodes. Technically, it
  includes SquashFS and the Linux kernel, with an Ubuntu mirror pointed to the
  https://mirror.mirantis.com/ repositories. Mirantis does not introduce any
  changes to the maas-ephemeral resources. All MCP-specific configuration is
  applied after the initial installation using the SaltStack configuration
  management software. All the SaltStack formulas leveraged by MCP are
  available for review at Mirantis Gerrit.
- Nodes forming the MCP Virtual Control Plane, that is, KVM virtual machines.
  Such nodes are installed as VCP nodes and provisioned using the
  Mirantis-built KVM qcow2 images. Mirantis builds these images from the
  official Ubuntu cloud images and installs the SaltStack configuration
  management components.
The Salt Master node, called cfg01, includes the SaltStack components
preinstalled along with additional software utilities required to provision an
MCP cluster, for example, the Jenkins master.
MCP with SaltStack applies the following CIS hardening to the Ubuntu bare metal
and VCP nodes:
- CIS 1.1.1.1 - Ensure mounting of cramfs filesystems is disabled (scored).
- CIS 1.1.1.2 - Ensure mounting of freevxfs filesystems is disabled (scored).
- CIS 1.1.1.3 - Ensure mounting of jffs2 filesystems is disabled (scored).
- CIS 1.1.1.4 - Ensure mounting of hfs filesystems is disabled (scored).
- CIS 1.1.1.5 - Ensure mounting of hfsplus filesystems is disabled (scored).
- CIS 1.1.1.6 - Ensure mounting of squashfs filesystems is disabled (scored).
- CIS 1.1.1.7 - Ensure mounting of udf filesystems is disabled (scored).
- CIS 1.1.1.8 - Ensure mounting of FAT filesystems is disabled (scored).
- CIS 1.1.14 - Ensure nodev option set on /dev/shm partition (scored).
- CIS 1.1.15 - Ensure nosuid option set on /dev/shm partition (scored).
- CIS 1.1.16 - Ensure noexec option set on /dev/shm partition (scored).
- CIS 1.1.21 - Disable Automounting (scored).
- CIS 1.4.1 - Ensure permissions on bootloader config are configured (scored).
- CIS 1.5.1 - Ensure core dumps are restricted (scored).
- CIS 1.5.2 - Ensure XD/NX support is enabled (not scored).
- CIS 1.5.3 - Ensure address space layout randomization (ASLR) is enabled
(scored).
- CIS 1.5.4 - Ensure prelink is disabled (scored).
- CIS 1.6.2.2 - Ensure all AppArmor Profiles are enforcing (scored).
- CIS 1.7.1.2 - Ensure local login warning banner is configured properly (not
scored).
- CIS 1.7.1.3 - Ensure remote login warning banner is configured properly (not
scored).
- CIS 1.7.1.4 - Ensure permissions on /etc/motd are configured (not scored).
- CIS 1.7.1.6 - Ensure permissions on /etc/issue.net are configured (not
  scored).
- CIS 2.2.1.1 - Ensure time synchronization is in use (not scored).
- CIS 2.3.1 - Ensure NIS Client is not installed (scored).
- CIS 2.3.3 - Ensure talk client is not installed (scored).
- CIS 2.3.4 - Ensure telnet client is not installed (scored).
- CIS 3.3.3 - Ensure IPv6 is disabled (not scored).
- CIS 3.5.1 - Ensure DCCP is disabled (not scored).
- CIS 3.5.2 - Ensure SCTP is disabled (not scored).
- CIS 3.5.3 - Ensure RDS is disabled (not scored).
- CIS 3.5.4 - Ensure TIPC is disabled (not scored).
- CIS 3.6.1 - Ensure iptables is installed (scored).
- CIS 4.1.1.1 - Ensure audit log storage size is configured (not scored).
- CIS 4.2.2.2 - Ensure logging is configured (not scored).
- CIS 4.2.2.5 - Ensure remote syslog-ng messages are only accepted on
  designated log hosts (not scored).
- CIS 5.1.8 - Ensure at/cron is restricted to authorized users (scored).
- CIS 5.2.4 - Ensure SSH X11 forwarding is disabled (scored).
- CIS 5.2.12 - Ensure SSH Idle Timeout Interval is configured (scored).
- CIS 5.2.13 - Ensure SSH LoginGraceTime is set to one minute or less
  (scored).
- CIS 5.2.15 - Ensure SSH warning banner is configured (scored).
- CIS 5.3.2 - Ensure lockout for failed password attempts is configured (not
scored).
- CIS 5.4.1 - Set Shadow Password Suite Parameters:
- CIS 5.4.1.1 - Ensure password expiration is 90 days or less (scored).
- CIS 5.4.1.2 - Ensure minimum days between password changes is 7 or more
(scored).
- CIS 5.4.1.3 - Ensure password expiration warning days is 7 or more
(scored).
- CIS 5.4.1.4 - Ensure inactive password lock is 30 days or less (scored).
- CIS 5.4.2 - Ensure system accounts are non-login (scored).
- CIS 5.4.4 - Ensure the default user umask is 027 or more restrictive
  (scored).
- CIS 6.1.2 - Ensure permissions on /etc/passwd are configured (scored).
- CIS 6.1.3 - Ensure permissions on /etc/shadow are configured (scored).
- CIS 6.1.4 - Ensure permissions on /etc/group are configured (scored).
- CIS 6.1.5 - Ensure permissions on /etc/gshadow are configured (scored).
- CIS 6.1.6 - Ensure permissions on /etc/passwd- are configured (scored).
- CIS 6.1.7 - Ensure permissions on /etc/shadow- are configured (scored).
- CIS 6.1.8 - Ensure permissions on /etc/group- are configured (scored).
- CIS 6.1.9 - Ensure permissions on /etc/gshadow- are configured (scored).
- CIS 6.2.6 - Ensure root PATH Integrity (scored).
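The list above states which controls the Salt formulas apply, but it does not show how to confirm on a deployed node that they actually took effect. The following POSIX shell script is an added example written for this page; it is not MCP code and not one of the Mirantis Salt formulas. It audits a subset of the controls (CIS 1.1.1.x, 1.1.14-1.1.16, 1.5.1, 1.5.3 and the SSH settings 5.2.4, 5.2.12, 5.2.13, 5.2.15). Each check takes the file contents as an argument so that it can be exercised on the constructed sample inputs embedded below; `sh audit.sh --live` runs the same checks against the real files of the current host, assuming the default Ubuntu paths (/etc/modprobe.d, /proc/mounts, /etc/security/limits.conf, /etc/ssh/sshd_config). The sample inputs are constructed for the demonstration, not captured from an MCP node.

```shell
#!/bin/sh
# Added audit helper for a subset of the CIS controls listed above. Not MCP
# code and not a Mirantis Salt formula; file paths in audit_host are the
# assumed Ubuntu defaults.

# CIS 1.1.1.1-1.1.1.8: a filesystem module counts as disabled when a
# modprobe.d file maps its "install" action to /bin/true (or /bin/false).
# $1 = module name, $2 = concatenated contents of /etc/modprobe.d/*.conf
check_fs_module_disabled() {
  printf '%s\n' "$2" |
    grep -Eq "^[[:space:]]*install[[:space:]]+$1[[:space:]]+/bin/(true|false)([[:space:]]|$)"
}

# CIS 1.1.14-1.1.16: /dev/shm must carry nodev, nosuid and noexec.
# $1 = contents of /proc/mounts (fields: device mountpoint fstype options ...)
check_shm_options() {
  opts=$(printf '%s\n' "$1" | awk '$2 == "/dev/shm" { print $4; exit }')
  [ -n "$opts" ] || return 1
  for want in nodev nosuid noexec; do
    printf '%s\n' "$opts" | tr ',' '\n' | grep -qx "$want" || return 1
  done
}

# CIS 1.5.1: fs.suid_dumpable must be 0 and limits must carry "* hard core 0".
# $1 = value of fs.suid_dumpable, $2 = contents of limits.conf (+ limits.d)
check_core_dumps() {
  [ "$1" = "0" ] || return 1
  printf '%s\n' "$2" |
    grep -Eq '^[[:space:]]*\*[[:space:]]+hard[[:space:]]+core[[:space:]]+0([[:space:]]|$)'
}

# CIS 1.5.3: ASLR is fully enabled when kernel.randomize_va_space is 2.
check_aslr() { [ "$1" = "2" ]; }

# sshd honours the FIRST occurrence of a keyword, so return the first
# non-comment match: that is the value sshd will actually enforce.
# $1 = keyword, $2 = contents of /etc/ssh/sshd_config
sshd_value() {
  printf '%s\n' "$2" | grep -Ev '^[[:space:]]*#' |
    awk -v k="$1" 'tolower($1) == tolower(k) { print $2; exit }'
}

# CIS 5.2.4, 5.2.12, 5.2.13 and 5.2.15 in one pass over sshd_config. Only
# plain numeric values are accepted; suffixed forms such as "1m" are rejected.
check_sshd_config() {
  [ "$(sshd_value X11Forwarding "$1")" = "no" ] || return 1
  interval=$(sshd_value ClientAliveInterval "$1")
  countmax=$(sshd_value ClientAliveCountMax "$1")
  grace=$(sshd_value LoginGraceTime "$1")
  for n in "$interval" "$countmax" "$grace"; do
    case "$n" in ''|*[!0-9]*) return 1 ;; esac
  done
  [ "$interval" -ge 1 ] && [ "$interval" -le 300 ] || return 1
  [ "$countmax" -le 3 ] || return 1
  [ "$grace" -ge 1 ] && [ "$grace" -le 60 ] || return 1
  [ "$(sshd_value Banner "$1")" = "/etc/issue.net" ]
}

# Prints PASS/FAIL for a labelled check without aborting the run.
report() { label=$1; shift; if "$@"; then echo "PASS $label"; else echo "FAIL $label"; fi; }

# Live mode: same checks against the current host (assumed Ubuntu paths).
audit_host() {
  modprobe=$(cat /etc/modprobe.d/*.conf 2>/dev/null)
  for m in cramfs freevxfs jffs2 hfs hfsplus squashfs udf vfat; do
    report "CIS 1.1.1.x $m disabled" check_fs_module_disabled "$m" "$modprobe"
  done
  report "CIS 1.1.14-16 /dev/shm options" check_shm_options "$(cat /proc/mounts)"
  report "CIS 1.5.1 core dumps" check_core_dumps "$(sysctl -n fs.suid_dumpable)" \
    "$(cat /etc/security/limits.conf /etc/security/limits.d/*.conf 2>/dev/null)"
  report "CIS 1.5.3 ASLR" check_aslr "$(sysctl -n kernel.randomize_va_space)"
  report "CIS 5.2.x sshd_config" check_sshd_config "$(cat /etc/ssh/sshd_config)"
}

# Constructed sample inputs (not captured from a real node) for the demo run.
SAMPLE_MODPROBE='install cramfs /bin/true
install freevxfs /bin/true
install squashfs /bin/true'
SAMPLE_MOUNTS_OK='tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec,relatime 0 0'
SAMPLE_MOUNTS_BAD='tmpfs /dev/shm tmpfs rw,nosuid,nodev,relatime 0 0'
SAMPLE_SSHD_OK='# a later duplicate keyword is ignored by sshd
X11Forwarding no
ClientAliveInterval 300
ClientAliveCountMax 0
LoginGraceTime 60
Banner /etc/issue.net
X11Forwarding yes'
SAMPLE_SSHD_BAD='X11Forwarding yes
X11Forwarding no
ClientAliveInterval 300
ClientAliveCountMax 0
LoginGraceTime 60
Banner /etc/issue.net'

if [ "${1-}" = "--live" ]; then
  audit_host
else
  report "CIS 1.1.1.1 cramfs (sample)" check_fs_module_disabled cramfs "$SAMPLE_MODPROBE"
  report "CIS 1.1.14-16 /dev/shm (sample ok)" check_shm_options "$SAMPLE_MOUNTS_OK"
  report "CIS 1.1.14-16 /dev/shm (sample, noexec missing)" check_shm_options "$SAMPLE_MOUNTS_BAD"
  report "CIS 5.2.x sshd_config (sample ok)" check_sshd_config "$SAMPLE_SSHD_OK"
  report "CIS 5.2.x sshd_config (sample, X11Forwarding yes first)" check_sshd_config "$SAMPLE_SSHD_BAD"
fi
```

The sshd helper deliberately takes the first match rather than the last: an `X11Forwarding no` appended by a formula below an earlier `X11Forwarding yes` is silently ignored by sshd, so an audit that reads the last line would report a pass the daemon does not enforce. The same "what is actually in effect" principle applies to the mount checks, which read /proc/mounts rather than /etc/fstab.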