Merge "Airship Ubuntu/MAAS security guide"

Zuul 6 months ago
parent
commit
cabbd0d129
2 changed files with 246 additions and 0 deletions
  1. 2
    0
      doc/source/security/guide.rst
  2. 244
    0
      doc/source/security/ubuntu.rst

+ 2
- 0
doc/source/security/guide.rst

@@ -35,6 +35,7 @@ be listed as well as the project scope.
35 35
   * Solution: The solution is how this security concern is addressed in the platform
36 36
     * Remediated: The item is solved for automatically
37 37
     * Configurable: The item is based on configuration. Guidance will be provided.
38
+    * Mitigated: The item currently mitigated while a permanent remediation is in progress.
38 39
     * Pending: Addressing the item is in-progress
39 40
   * Audit: Auditing the item provides for ongoing monitoring to ensure there is no regression
40 41
     * Testing: The item is tested for in an automated test pipeline during development
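Review bot: the added `Mitigated` bullet is missing its verb: "The item currently mitigated while a permanent remediation is in progress." should read "The item is currently mitigated while a permanent remediation is in progress." It would also help to say where the status of mitigated items is tracked, since the new ubuntu.rst page in this change adds a "Temporary Mitigation Status" section for that purpose but leaves it empty.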
@@ -49,3 +50,4 @@ Airship Security Topics
49 50
 
50 51
   template
51 52
   haproxy
53
+  ubuntu

+ 244
- 0
doc/source/security/ubuntu.rst

@@ -0,0 +1,244 @@
1
+..
2
+      Copyright 2018 AT&T Intellectual Property.
3
+      All Rights Reserved.
4
+
5
+      Licensed under the Apache License, Version 2.0 (the "License"); you may
6
+      not use this file except in compliance with the License. You may obtain
7
+      a copy of the License at
8
+
9
+          http://www.apache.org/licenses/LICENSE-2.0
10
+
11
+      Unless required by applicable law or agreed to in writing, software
12
+      distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
13
+      WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
14
+      License for the specific language governing permissions and limitations
15
+      under the License.
16
+
17
+.. _ubuntu_security_guide:
18
+
19
+Canonical Ubuntu/MAAS Security Guide
20
+====================================
21
+
22
+Updated: 6-AUG-2018
23
+
24
+This guide covers the configuration of MAAS to run securely and to deploy
25
+secure installations of Ubuntu 16.04.x. Some items are above and beyond MAAS
26
+when MAAS does not offer the functionality needed to fully secure a
27
+newly provisioned server.
28
+
29
+.. contents:: :depth: 2
30
+
31
+Security Item List
32
+------------------
33
+
34
+Filesystem Permissions
35
+^^^^^^^^^^^^^^^^^^^^^^
36
+
37
+Many files on the filesystem can contain sensitive data that can hasten a malignant
38
+attack on a host. Ensure the below files have appropriate ownership and permissions
39
+
40
+================================== ========= ========= ===============
41
+  Filesystem Path                    Owner     Group     Permissions
42
+================================== ========= ========= ===============
43
+``/boot/System.map-*``               root      root      ``0600``
44
+``/etc/shadow``                      root      shadow    ``0640``
45
+``/etc/gshadow``                     root      shadow    ``0640``
46
+``/etc/passwwd``                     root      root      ``0644``
47
+``/etc/group``                       root      root      ``0644``
48
+``/var/log/kern.log``                root      root      ``0640``
49
+``/var/log/auth.log``                root      root      ``0640``
50
+``/var/log/syslog``                  root      root      ``0640``
51
+================================== ========= ========= ===============
52
+
53
+  - Project Scope: Drydock
54
+  - Solution *Configurable*: A bootaction will be run to enforce this on first boot
55
+  - Audit: *Pending*: This will be verified on an ongoing basis via a Sonobuoy plugin
56
+
57
+Filesystem Partitioning
58
+^^^^^^^^^^^^^^^^^^^^^^^
59
+
60
+The mounts ``/tmp``, ``/var``, ``/var/log``, ``/var/log/audit`` and ``/home`` should be
61
+individual file systems.
62
+
63
+  - Project Scope: Drydock
64
+  - Solution *Configurable*: Drydock supports user designed partitioning, see `Filesystem Configuration`_.
65
+  - Audit: *Testing*: The Airship testing pipeline will validate that nodes are partitioned
66
+           as described in the site definition.
67
+
68
+Filesystem Hardening
69
+^^^^^^^^^^^^^^^^^^^^
70
+
71
+Disallow symlinks and hardlinks to files not owned by the user. Set ``fs.protected_symlinks`` and
72
+``fs.protected_hardlinks`` to ``1``.
73
+
74
+  - Project Scope: Diving Bell
75
+  - Solution *Configurable*: Diving Bell overrides will enforce this kernel tunable. By default
76
+             MAAS deploys nodes in compliance.
77
+  - Audit: *Pending*: This will be verified on an ongoing basis via a Sonobuoy plugin.
78
+
79
+Execution Environment Hardening
80
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
81
+
82
+The kernel tunable ``fs.suid_dumpable`` must be set to ``0`` and there must be a hard limit
83
+disabling core dumps (``hard core 0``)
84
+
85
+  - Project Scope: DivingBell, Drydock
86
+  - Solution *Configurable*: Diving Bell overrides will enforce this kernel tunable, by default
87
+             MAAS deploys nodes with ``fs.suid_dumpable = 2``. A boot action will put in place
88
+             the hard limit.
89
+  - Audit: *Pending*: This will be verified on an ongoing basis via a Sonobuoy plugin
90
+
91
+Randomizing stack space can make it harder to exploit buffer overflow vulnerabilities. Enable
92
+the kernel tunable ``kernel.randomize_va_space = 2``.
93
+
94
+  - Project Scope: DivingBell
95
+  - Solution *Configurable*: Diving Bell overrides will enforce this kernel tunable, by default
96
+             MAAS deploys nodes in compliance.
97
+  - Audit: *Pending*: This will be verified on an ongoing basis via a Sonobuoy plugin
98
+
99
+Mandatory Access Control
100
+^^^^^^^^^^^^^^^^^^^^^^^^
101
+
102
+Put in place the approved default AppArmor profile and ensure that Docker is configured
103
+to use it.
104
+
105
+  - Project Scope: Drydock, Promenade
106
+  - Solution *Configurable*: A bootaction will put in place the default AppArmor profile. Promenade
107
+             will deploy a Docker configuration to enforce the default policy.
108
+  - Audit: *Pending*: This will be verified on an ongoing basis via a Sonobuoy plugin probing
109
+           ``/proc/<pid>/attr/current``.
110
+
111
+Put in place an approved AppArmor profile to be used by containers that will manipulate the
112
+on-host AppArmor profiles. This allows an init container in Pods to put customized AppArmor
113
+profile in place and load them.
114
+
115
+  - Project Scope: Drydock
116
+  - Solution *Configurable*: A bootaction will put in place the profile-manager AppArmor profile and
117
+             load it on each boot.
118
+  - Audit: *Pending*: The availability of this profile will be verified by a Sonobuoy plugin.
119
+
120
+.. IMPORTANT::
121
+
122
+  All other AppArmor profiles must be delivered and loaded by an init container in the Pod
123
+  that requires them. The Pod must also be decorated with the appropriate annotation to specify
124
+  the custom profile.
125
+
126
+System Monitoring
127
+^^^^^^^^^^^^^^^^^
128
+
129
+Run `rsyslogd` to log events.
130
+
131
+  - Project Scope: Drydock
132
+  - Solution *Remediated*: MAAS installs rsyslog by default.
133
+  - Audit: *Pending*: This will be verified on an ongoing basis via a Sonobuoy plugin.
134
+
135
+Run a monitor for logging kernel audit events such as auditd.
136
+
137
+  - Project Scope: Non-Airship
138
+  - Solution *Remediated*: The Sysdig Falco <https://sysdig.com/opensource/falco/> will be used and
139
+  - Audit: *Pending*: This will be verified on an ongoing basis via a Sonobuoy plugin.
140
+
141
+Watch the watchers. Ensure that monitoring services are up and responsive.
142
+
143
+  - Project Scope: Non-Airship
144
+  - Solution *Remediated*: Nagios will monitor host services and Kubernetes resources
145
+  - Audit: *Validation*: Internal corporate systems track Nagios heartbeats to ensure Nagios is responsive
146
+
147
+Blacklisted Services
148
+^^^^^^^^^^^^^^^^^^^^
149
+
150
+The below services are deprecated and should not be enabled or installed on hosts.
151
+
152
+================ ====================
153
+  Service          Ubuntu Package
154
+================ ====================
155
+ telnet           telnetd
156
+ inet telnet      inetutils-telnetd
157
+ SSL telnet       telnetd-ssl
158
+ NIS              nis
159
+ NTP date         ntpdate
160
+================ ====================
161
+
162
+  - Project Scope: Drydock
163
+  - Solution *Configurable*: A boot action will be used to enforce this on first boot.
164
+  - Audit: *Pending*: This will be verified on an ongoing basis via Sonobuoy plugin.
165
+
166
+Required System Services
167
+^^^^^^^^^^^^^^^^^^^^^^^^
168
+
169
+``cron`` and ``ntpd`` **must** be installed and enabled on all hosts. Only administrative
170
+accounts should have access to cron. ``ntpd -q`` should show time synchronization is active.
171
+
172
+  - Project Scope: Drydock
173
+  - Solution *Remediated*: A MAAS deployed node runs cron and configured ntpd by default.
174
+  - Audit: *Pending*: This will be verified on an ongoing basis via Sonobuoy plugin.
175
+
176
+System Service Configuration
177
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^
178
+
179
+If ``sshd`` is enabled, ensure it is securely configured:
180
+
181
+  - **Must** only support protocol verison 2 (``Protocol 2``)
182
+  - **Must** disallow root SSH logins (``PermitRootLogin no``)
183
+  - **Must** disallow empty passwords (``PermitEmptyPasswords no``)
184
+  - **Should** set a idle timeout interval (``ClientAliveInterval 600`` and ``ClientAliveCountMax 0``)
185
+
186
+  - Project Scope: Drydock
187
+  - Solution *Configurable*: A boot action will install an explicit configuration file
188
+  - Audit: *Pending*: This will be verified on an ongoing basis via Sonobuoy plugin.
189
+
190
+Network Security
191
+^^^^^^^^^^^^^^^^
192
+
193
+.. IMPORTANT::
194
+
195
+  Calico network policies will be used to secure host-level network access. Nothing will
196
+  be orchestrated outside of Calico to enforce host-level network policy.
197
+
198
+Secure the transport of traffic between nodes and MAAS/Drydock during node deployment.
199
+
200
+  - Project Scope: Drydock, MAAS
201
+  - Solution *Pending*: The Drydock and MAAS charts will be updated to include an Ingress
202
+    port utilizing TLS 1.2 and a publicly signed certificate. Also the service will enable
203
+    TLS on the pod IP.
204
+  - Audit: *Testing*: The testing pipeline will validate the deployment is using TLS to
205
+    access the Drydock and MAAS APIs.
206
+
207
+.. DANGER::
208
+
209
+  Some traffic, such as iPXE, DHCP, TFTP, will utilize node ports and is not encrypted. This
210
+  is not configurable. However, this traffic traverses the private PXE network.
211
+
212
+Secure Accounts
213
+^^^^^^^^^^^^^^^
214
+
215
+Enforce a minimum password length of 8 characters
216
+
217
+  - Project Scope: Drydock
218
+  - Solution *Configurable*: A boot action will update ``/etc/pam.d/common-password`` to specify ``minlen=8`` for ``pam_unix.so``.
219
+  - Audit: *Pending*: This will be verified on an ongoing basis via Sonobuoy plugin.
220
+
221
+Configuration Guidance
222
+----------------------
223
+
224
+Filesystem Configuration
225
+^^^^^^^^^^^^^^^^^^^^^^^^
226
+
227
+The filesystem partitioning strategy should be sure to protect the ability for the host to
228
+log critical information, both for security and reliability. The log data should not risk
229
+filling up the root filesystem (``/``) and non-critical log data should not risk crowding out
230
+critical log data. If you are shipping log data to a remote store, the latter concern is
231
+less critical. Because Airship nodes are built to **ONLY** run Kubernetes, isolating filesystems
232
+such as ``/home`` is not as critical since there is no direct user access and applications
233
+are running in a containerized environment.
234
+
235
+Temporary Mitigation Status
236
+---------------------------
237
+
238
+
239
+References
240
+----------
241
+
242
+OpenSCAP for Ubuntu 16.04 - https://static.open-scap.org/ssg-guides/ssg-ubuntu1604-guide-common.html
243
+Ubuntu 16.04 Server Guide - https://help.ubuntu.com/16.04/serverguide/security.html
244
+Canonical MAAS 2.x TLS - https://docs.maas.io/2.3/en/installconfig-network-ssl & https://docs.maas.io/2.4/en/installconfig-network-ssl
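Review bot: `/etc/passwwd` in the Filesystem Permissions table should be `/etc/passwd`; a boot action or Sonobuoy check built from this table would otherwise target a path that does not exist and leave the real file unchecked. Several other points in this file: the `.. contents:: :depth: 2` line puts the option on the directive line, where reStructuredText treats `:depth: 2` as the table-of-contents title rather than an option, so it should be `.. contents::` followed by an indented `   :depth: 2` on the next line; the Solution line for the kernel audit item ends mid-sentence ("The Sysdig Falco <https://sysdig.com/opensource/falco/> will be used and") and should be completed or truncated at "will be used"; `ntpd -q` does not report synchronization status, it performs a one-shot clock set and exits, so the Required System Services check should use `ntpq -p` (or an equivalent status query) instead; "verison" and "a idle timeout" in the sshd list should be "version" and "an idle timeout"; the three entries under References have no blank lines between them and will render as a single run-on paragraph, so separate them or make them a bullet list; and the "Temporary Mitigation Status" section is empty, which reads as an unfinished page when the new `Mitigated` status in guide.rst points readers here.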