Linux host security

This section provides information about the security hardening and changes that Mirantis applies to the Ubuntu 16.04 base image. MCP leverages the VCP (Virtual Control Plane) concept. Depending on the node type, MCP installs the Ubuntu machines as follows:

  • Nodes on bare metal hardware, for example, the Nova compute nodes. Such nodes are provisioned using the MAAS provisioning software. MAAS uses the maas-ephemeral resource to install the bare metal nodes. Technically, it includes SquashFS and the Linux kernel, with an Ubuntu mirror pointed to the https://mirror.mirantis.com/ repositories. Mirantis does not introduce any changes to the maas-ephemeral resources. All MCP-specific configuration is applied after the initial installation using the SaltStack configuration management software. All the SaltStack formulas leveraged by MCP are available for review at Mirantis Gerrit.
  • Nodes forming the MCP Virtual Control Plane, essentially the KVM virtual machines. Such nodes are installed as VCP nodes and provisioned using the Mirantis-built KVM qcow2 images. Mirantis builds these images from the official Ubuntu cloud images and installs the SaltStack configuration management components.

The Salt Master node, called cfg01, includes the SaltStack components preinstalled along with additional software utilities required to provision an MCP cluster, for example, the Jenkins master.

MCP with SaltStack applies the following CIS hardening to the Ubuntu bare metal and VCP nodes:

  • CIS 1.1.1.1 - Ensure mounting of cramfs filesystems is disabled (scored).
  • CIS 1.1.1.2 - Ensure mounting of freevxfs filesystems is disabled (scored).
  • CIS 1.1.1.3 - Ensure mounting of jffs2 filesystems is disabled (scored).
  • CIS 1.1.1.4 - Ensure mounting of hfs filesystems is disabled (scored).
  • CIS 1.1.1.5 - Ensure mounting of hfsplus filesystems is disabled (scored).
  • CIS 1.1.1.6 - Ensure mounting of squashfs filesystems is disabled (scored).
  • CIS 1.1.1.7 - Ensure mounting of udf filesystems is disabled (scored).
  • CIS 1.1.1.8 - Ensure mounting of FAT filesystems is disabled (scored).
  • CIS 1.1.14 - Ensure nodev option set on /dev/shm partition (scored).
  • CIS 1.1.15 - Ensure nosuid option set on /dev/shm partition (scored).
  • CIS 1.1.16 - Ensure noexec option set on /dev/shm partition (scored).
  • CIS 1.1.21 - Disable Automounting (scored).
  • CIS 1.4.1 - Ensure permissions on bootloader config are configured (scored).
  • CIS 1.5.1 - Ensure core dumps are restricted (scored).
  • CIS 1.5.2 - Ensure XD/NX support is enabled (not scored).
  • CIS 1.5.3 - Ensure address space layout randomization (ASLR) is enabled (scored).
  • CIS 1.5.4 - Ensure prelink is disabled (scored).
  • CIS 1.6.2.2 - Ensure all AppArmor Profiles are enforcing (scored).
  • CIS 1.7.1.2 - Ensure local login warning banner is configured properly (not scored).
  • CIS 1.7.1.3 - Ensure remote login warning banner is configured properly (not scored).
  • CIS 1.7.1.4 - Ensure permissions on /etc/motd are configured (not scored).
  • CIS 1.7.1.6 - Ensure permissions on /etc/issue.net are configured (not scored).
  • CIS 2.2.1.1 - Ensure time synchronization is in use (not scored).
  • CIS 2.3.1 - Ensure NIS Client is not installed (scored).
  • CIS 2.3.3 - Ensure talk client is not installed (scored).
  • CIS 2.3.4 - Ensure telnet client is not installed (scored).
  • CIS 3.3.3 - Ensure IPv6 is disabled (not scored).
  • CIS 3.5.1 - Ensure DCCP is disabled (not scored).
  • CIS 3.5.2 - Ensure SCTP is disabled (not scored).
  • CIS 3.5.3 - Ensure RDS is disabled (not scored).
  • CIS 3.5.4 - Ensure TIPC is disabled (not scored).
  • CIS 3.6.1 - Ensure iptables is installed (scored).
  • CIS 4.1.1.1 - Ensure audit log storage size is configured (not scored).
  • CIS 4.2.2.2 - Ensure logging is configured (not scored).
  • CIS 4.2.2.5 - Ensure remote syslog-ng messages are only accepted on designated log hosts (not scored).
  • CIS 5.1.8 - Ensure at and cron is restricted to authorized users (scored).
  • CIS 5.2.4 - Ensure SSH X11 forwarding is disabled (scored).
  • CIS 5.2.12 - Ensure SSH Idle Timeout Interval is configured (scored).
  • CIS 5.2.13 - Ensure SSH LoginGraceTime is set to one minute or less (scored).
  • CIS 5.2.15 - Ensure SSH warning banner is configured (scored).
  • CIS 5.3.2 - Ensure lockout for failed password attempts is configured (not scored).
  • CIS 5.4.1 - Set Shadow Password Suite Parameters:
    • CIS 5.4.1.1 - Ensure password expiration is 90 days or less (scored).
    • CIS 5.4.1.2 - Ensure minimum days between password changes is 7 or more (scored).
    • CIS 5.4.1.3 - Ensure password expiration warning days is 7 or more (scored).
    • CIS 5.4.1.4 - Ensure inactive password lock is 30 days or less (scored).
  • CIS 5.4.2 - Ensure system accounts are non-login (scored).
  • CIS 5.4.4 - Ensure the default user umask is 027 or more restrictive (scored).
  • CIS 6.1.2 - Ensure permissions on /etc/passwd are configured (scored).
  • CIS 6.1.3 - Ensure permissions on /etc/shadow are configured (scored).
  • CIS 6.1.4 - Ensure permissions on /etc/group are configured (scored).
  • CIS 6.1.5 - Ensure permissions on /etc/gshadow are configured (scored).
  • CIS 6.1.6 - Ensure permissions on /etc/passwd- are configured (scored).
  • CIS 6.1.7 - Ensure permissions on /etc/shadow- are configured (scored).
  • CIS 6.1.8 - Ensure permissions on /etc/group- are configured (scored).
  • CIS 6.1.9 - Ensure permissions on /etc/gshadow- are configured (scored).
  • CIS 6.2.6 - Ensure root PATH Integrity (scored).
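As an added example that is not part of the Mirantis documentation or the MCP Salt formulas, the following POSIX shell script spot-checks a handful of the listed controls (1.1.14-1.1.16, 1.5.1, 5.2.4, 5.2.15, 6.1.2-6.1.9) by parsing the host files the benchmark refers to; the function names, the `--live` flag and the constructed inputs are this example's own choices, and the file paths are the Ubuntu defaults.

```shell
#!/bin/sh
# Added example, not Mirantis/MCP code: spot checks for a few of the CIS items
# listed above. Each check takes the relevant file content as an argument so it
# can run offline against a captured copy; audit_host feeds it live host data.

# CIS 1.1.14-1.1.16: /dev/shm mounted with nodev, nosuid and noexec.
# $1 = contents of /proc/mounts. Returns 0 only when all three options are set.
check_shm_opts() {
    opts=$(printf '%s\n' "$1" | awk '$2 == "/dev/shm" { print $4; exit }')
    [ -n "$opts" ] || return 1
    for o in nodev nosuid noexec; do
        case ",$opts," in *",$o,"*) ;; *) return 1 ;; esac
    done
}

# CIS 1.5.1: core dumps restricted. $1 = fs.suid_dumpable, $2 = limits.conf contents.
check_core_dumps() {
    [ "$1" = "0" ] || return 1
    printf '%s\n' "$2" | grep -Eq '^[[:space:]]*\*[[:space:]]+hard[[:space:]]+core[[:space:]]+0([[:space:]]|$)'
}

# CIS 5.2.4 / 5.2.15: sshd_config keyword check. sshd honours the FIRST occurrence
# of a keyword, so a hardened line further down does not override an earlier weak one.
# $1 = sshd_config contents, $2 = keyword, $3 = expected value (case-insensitive).
check_sshd_opt() {
    val=$(printf '%s\n' "$1" | grep -Ei "^[[:space:]]*$2[[:space:]]+" \
          | awk 'NR == 1 { print tolower($2) }')
    [ -n "$val" ] && [ "$val" = "$(printf '%s' "$3" | tr 'A-Z' 'a-z')" ]
}

# CIS 6.1.2-6.1.9: file mode no more permissive than a maximum.
# $1 = octal mode as printed by "stat -c %a", $2 = maximum allowed octal mode.
check_mode_max() {
    case "$1" in ""|*[!0-7]*) return 1 ;; esac
    [ $(( 0$1 & ~0$2 & 07777 )) -eq 0 ]
}

# Run the checks against the live host and print one line per control.
audit_host() {
    report() { if "$@"; then echo "PASS $1"; else echo "FAIL $1"; fi; }
    report check_shm_opts "$(cat /proc/mounts)"
    report check_core_dumps "$(cat /proc/sys/fs/suid_dumpable)" "$(cat /etc/security/limits.conf)"
    report check_sshd_opt "$(cat /etc/ssh/sshd_config)" X11Forwarding no
    report check_sshd_opt "$(cat /etc/ssh/sshd_config)" Banner /etc/issue.net
    report check_mode_max "$(stat -c %a /etc/passwd)" 644
    report check_mode_max "$(stat -c %a /etc/shadow)" 640
}

if [ "${1:-}" = "--live" ]; then audit_host; fi
```

Invoke it as `sh cis_spot_check.sh --live` on a node to print one PASS/FAIL line per control; without the flag it only defines the functions, so the checks can be sourced and run against captured files.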