TeamDrive Server Hardening

The server hardening is based on the SCAP Security Guide / ComplianceAsCode version 0.1.7.3

https://github.com/ComplianceAsCode/content/blob/master/README.md

CentOS 9 Partition Layout

Partition Layout:

- root            56.0 GB
  |               11.0 GB
  |- dev           4.0 MB (tmpfs,noexec,nosuid,nodev)
  |  |- shm        1.8 GB (tmpfs,noexec,nosuid,nodev)
  |- run           732 MB (noexec,nosuid,nodev)
  |- usr           9.3 GB (nodev)
  |- boot          888 MB (noexec,nosuid,nodev)
  |- opt           892 MB (nosuid,nodev)
  |- home          412 MB (noexec,nosuid,nodev)
  |- tmp           892 MB (tmpfs,noexec,nosuid,nodev)
  |- var           4.6 GB (noexec,nosuid,nodev)
  |  |- www        412 MB (noexec,nosuid,nodev)
  |  |- ossec      892 MB (nosuid,nodev)
  |  |- spool      1.8 GB (noexec,nosuid,nodev)
  |  |- tmp        892 MB (noexec,nosuid,nodev)
  |  |- log        9.3 GB (noexec,nosuid,nodev)
  |     |- audit   9.3 GB (noexec,nosuid,nodev)
  |- run
  |  |- user
  |     |- 0       366 MB (tmpfs)

GRUB bootloader password

To prevent anyone from booting into single-user mode and changing system settings, a bootloader password is set. For security reasons the password is not given in this documentation; the default bootloader password can be requested from TeamDrive. How to change or disable the bootloader password is described here:

https://www.tecmint.com/password-protect-grub-in-linux/

Service Isolation and Sandboxing

The following services are sandboxed using a 01-sandboxing.conf systemd drop-in that restricts their access to file systems, networks, devices, kernel capabilities and system calls:

  • aide: Advanced Intrusion Detection Environment
  • auditd: Linux Auditing System (see /etc/audit/rules.d/ for audit rules)
  • chkrootkit: Chkrootkit Security Scanner
  • chronyd: Network Time Protocol (see /etc/chrony.conf for list of time servers)
  • crond: Cronjob
  • dbus: inter-process communication
  • dnf-automatic-install: synchronizes package metadata
  • dnscrypt-proxy: DNS proxy using encrypted DNS
  • dnsmasq: DNS-Server
  • fail2ban: scans log files and bans IPs that show malicious signs, such as too many password failures or probing for exploits
  • firewalld: Firewall
  • haveged: random number generator
  • httpd: Apache webserver
  • irqbalance: Linux daemon that distributes hardware interrupts among the processors and cores of the system
  • mysqld: MySQL database server
  • NetworkManager: detects available networks and configures the system to connect to them automatically
  • php-fpm: Execution of PHP scripts (only used on the registration server)
  • polkit: application-level toolkit for defining and handling the policy that allows unprivileged processes to speak to privileged processes
  • postfix: mail transport agent
  • rkhunter: rootkit scanner
  • s3d: TeamDrive S3-Daemon (only used on the hosting server)
  • sshd: SSH daemon
  • systemd-logind: System service that manages user logins
  • systemd-udevd: kernel events processing
  • td-hostserver: TeamDrive Hosting Server background task (only used on the hosting server)
  • td-regserver: TeamDrive Registration Server background task (only used on the registration server)
  • td-webportal: TeamDrive Webportal Server background task (only used on the webportal server)
  • tmp.mount: mounts the temporary filesystem (/tmp)
  • usbguard: USB device watcher
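
As an added example (this is not TeamDrive's 01-sandboxing.conf), the script below renders a systemd drop-in of the kind described above and checks that a given drop-in still carries a baseline set of directives. The directive set, the unit path and the capability kept for httpd are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not TeamDrive's own 01-sandboxing.conf: render a systemd
# sandboxing drop-in for a service and check a drop-in for baseline
# directives. Directive set and paths are assumptions for illustration.

# Print a hardening drop-in for the service unit named in $1. Real units
# need tuning: httpd, for example, must keep CAP_NET_BIND_SERVICE for port 80.
render_sandbox_dropin() {
    cat <<EOF
# /etc/systemd/system/$1.service.d/01-sandboxing.conf (hypothetical path)
[Service]
NoNewPrivileges=yes
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
RestrictAddressFamilies=AF_UNIX AF_INET
RestrictNamespaces=yes
LockPersonality=yes
MemoryDenyWriteExecute=yes
SystemCallArchitectures=native
SystemCallFilter=@system-service
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
EOF
}

# Directives every sandboxed unit is expected to set (assumed baseline).
REQUIRED_DIRECTIVES="NoNewPrivileges ProtectSystem ProtectHome PrivateTmp \
PrivateDevices ProtectKernelTunables ProtectKernelModules RestrictNamespaces \
SystemCallFilter"

# Print, one per line, each required directive that file $1 does not set.
missing_directives() {
    for d in $REQUIRED_DIRECTIVES; do
        grep -q "^$d=" "$1" || echo "$d"
    done
}

# Stand-alone run: write the drop-in for httpd to a temp file and audit it.
if [ "${1:-}" = "--demo" ]; then
    f=$(mktemp)
    render_sandbox_dropin httpd > "$f"
    missing_directives "$f"
    rm -f "$f"
fi
```

On the host itself, `systemd-analyze security httpd.service` scores the unit's exposure and lists every directive still unset, which is the quickest way to confirm a drop-in was picked up after `systemctl daemon-reload`.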

SSH Authentication, Login and Passwords

  • Parallel SSH-Sessions limited to 3 (see MaxSessions in /etc/ssh/sshd_config, /etc/ssh/sshd_config.d/hardening.conf and maxlogins in /etc/security/limits.d/maxlogins.conf)

  • SSL: Disabled TLS 0.9, SSL 3.0, TLS 1.0, TLS 1.1 (see /etc/crypto-policies/back-ends/gnutls.config)

  • Bootloader: see /etc/default/grub

  • SSH Banner: see /etc/issue

  • SSH login on port 2021 instead of 22: several adjustments in /etc/ssh/sshd_config

  • Login parameters in /etc/login.defs: password expiry after 60 days (PASS_MAX_DAYS), login retries set to 5 (LOGIN_RETRIES) with lockouts for failed password attempts, default UMASK set to 022 (/etc/profile, /etc/init.d/functions, /etc/bashrc, /etc/csh.cshrc)

  • Password quality, length (min 18 characters, set in /etc/security/pwquality.conf), hashing algorithm, reuse prevention

  • OpenSSH client and server configured to comply with:

    - DISA STIG for Red Hat Enterprise Linux 8 V1R7
    - CIS Red Hat Enterprise Linux 8 Benchmark for Level 1 - Server
    - CIS Red Hat Enterprise Linux 8 Benchmark for Level 2 - Server
    - PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 8
    - Protection Profile for General Purpose Operating Systems (Red Hat Enterprise Linux 8)
    - Australian Cyber Security Centre (ACSC) ISM Official (Red Hat Enterprise Linux 8)
    - Health Insurance Portability and Accountability Act (HIPAA) for Red Hat Enterprise Linux 8
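
The SSH settings above are split between /etc/ssh/sshd_config and the hardening.conf drop-in, and OpenSSH keeps the first value it reads for a keyword. The following is an added example, not part of the TeamDrive documentation, that resolves which value wins for an option; the sample file contents are constructed and the assumption is that sshd_config includes /etc/ssh/sshd_config.d/*.conf at its top, as the stock CentOS 9 file does.

```shell
#!/bin/sh
# Added example, not part of the TeamDrive documentation: work out which
# value sshd will actually apply for an option. OpenSSH keeps the FIRST
# value it reads for a keyword, and the stock CentOS 9 sshd_config includes
# /etc/ssh/sshd_config.d/*.conf before its own settings, so a drop-in such
# as hardening.conf wins over a later line in sshd_config.

# Write constructed sample files below directory $1 (contents are
# illustrative, not TeamDrive's real configuration).
mk_sample_sshd_config() {
    mkdir -p "$1/sshd_config.d"
    cat > "$1/sshd_config.d/hardening.conf" <<'EOF'
Port 2021
MaxSessions 3
PermitRootLogin no
EOF
    cat > "$1/sshd_config" <<'EOF'
# Include comes first, so the drop-ins take precedence over the lines below.
Include /etc/ssh/sshd_config.d/*.conf
#Port 22
MaxSessions 10
PasswordAuthentication yes
EOF
}

# Print the effective value of keyword $2 for the config tree rooted at $1.
# Drop-ins are concatenated in glob (sorted) order ahead of sshd_config, the
# order the Include directive at the top of sshd_config produces; the first
# non-comment match wins. Keywords are case-insensitive, as in sshd.
sshd_effective() {
    cat "$1"/sshd_config.d/*.conf "$1/sshd_config" 2>/dev/null |
        awk -v k="$2" '
            $1 ~ /^#/ || NF < 2 { next }
            tolower($1) == tolower(k) { print $2; exit }
        '
}
```

On the real host, `sshd -T` (run as root) prints the merged effective configuration, so `sshd -T | grep -i maxsessions` is the authoritative check; the function above is only for reasoning about the files offline.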

Kernel adjustments

  • Kernel self-protection and exploit mitigation (settings l1tf="full,force", mds="full,nosmt", nosmt="force", spectre_v2="on", spectre_v2_user="on", spec_store_bypass_disable="on", kvm.nx_huge_pages="force", tsx="off", tsx_async_abort="full,nosmt")
  • Restricting access to kernel pointers in the proc filesystem by hiding kernel symbol addresses regardless of privileges
  • Disabled ptrace entirely, disabled core dumps (see /etc/sysctl.d/50-coredump.conf, /etc/systemd/coredump.conf) and disabled debugging functionality including debugfs (setting slub_debug=FZ)
  • Disabled kexec and kernel module loading
  • ASLR with high entropy
  • Protected symlinks, hardlinks, fifos and regular files to mitigate TOCTOU (Time-of-check to time-of-use) race conditions and data spoofing attacks
  • Prevent use-after-free attacks through poisoning, sanity checks and red zoning of SLUB/SLAB objects
  • Randomize kernel stack offset on syscall entry (setting randomize_kstack_offset=on)
  • Disabled slab merging, which significantly increases the difficulty of heap exploitation by preventing overwriting objects from merged caches and by making it harder to influence slab cache layout (settings slab_nomerge="", pti="on", vsyscall="none", debugfs="off", oops="panic")
  • Mitigate use-after-free vulnerabilities and erase sensitive information in memory by zeroing of memory during allocation and free time (setting init_on_alloc=1, init_on_free=1)
  • Randomization of page allocator freelists and of the kernel stack offset on each syscall (setting page_alloc.shuffle=1)
  • Kernel Page Table Isolation to mitigate Meltdown and prevention of KASLR bypasses
  • Disabled vsyscalls to protect against ROP attacks
  • Enabling kernel panic mode upon oops to prevent continued operation with compromised reliability
  • CPU vulnerability mitigations
  • Fully enabled hardening of JIT-compiled BPF to mitigate some types of JIT spraying attacks
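
Because most of the settings above are kernel command-line parameters, the practical check is whether the running kernel was actually booted with them. The script below is an added example, not TeamDrive tooling: the parameter set is copied from the bullets above (slab_nomerge is written bare, as the kernel accepts it), the sample command line is constructed, and the kernel version in it is the one named in the LKRG section.

```shell
#!/bin/sh
# Added example, not from the TeamDrive documentation: confirm that a boot
# command line carries the kernel parameters listed above. The parameter
# set below is copied from that list; the sample command line is constructed.

# Expected parameters. slab_nomerge takes no value on the kernel command line.
EXPECTED_PARAMS="l1tf=full,force mds=full,nosmt nosmt=force spectre_v2=on \
spectre_v2_user=on spec_store_bypass_disable=on kvm.nx_huge_pages=force \
tsx=off tsx_async_abort=full,nosmt slub_debug=FZ randomize_kstack_offset=on \
slab_nomerge pti=on vsyscall=none debugfs=off oops=panic \
init_on_alloc=1 init_on_free=1 page_alloc.shuffle=1"

# Constructed /proc/cmdline: everything is present except oops=panic.
SAMPLE_CMDLINE="BOOT_IMAGE=(hd0,gpt2)/vmlinuz-5.14.0-447.el9.x86_64 \
root=/dev/mapper/cs-root ro l1tf=full,force mds=full,nosmt nosmt=force \
spectre_v2=on spectre_v2_user=on spec_store_bypass_disable=on \
kvm.nx_huge_pages=force tsx=off tsx_async_abort=full,nosmt slub_debug=FZ \
randomize_kstack_offset=on slab_nomerge pti=on vsyscall=none debugfs=off \
init_on_alloc=1 init_on_free=1 page_alloc.shuffle=1"

# Print each expected parameter missing from command line $1. Matching is on
# whole space-separated tokens, so a value is not matched inside a longer
# token (pti=on does not satisfy the check when only pti=on,foo is present).
missing_kernel_params() {
    for p in $EXPECTED_PARAMS; do
        case " $1 " in
            *" $p "*) ;;
            *) echo "$p" ;;
        esac
    done
}

# Live-host wrapper: compare the running kernel's command line.
check_live_cmdline() {
    missing_kernel_params "$(cat /proc/cmdline)"
}
```

Checking /proc/cmdline rather than GRUB_CMDLINE_LINUX in /etc/default/grub catches a host that is still running a kernel booted from an older grub.cfg. A missing token is a finding to investigate rather than automatically a gap: oops=panic, for instance, may also be in force through the kernel.panic_on_oops sysctl.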

Linux Kernel Runtime Guard

LKRG performs runtime integrity checking of the Linux kernel and detects exploitation of security vulnerabilities against the kernel (https://lkrg.org/). It is built and kept current through Dynamic Kernel Module Support (DKMS): "An essential feature of DKMS is that it automatically recompiles all DKMS modules if a new kernel version is installed. This allows drivers and devices outside of the mainline kernel to continue working after a Linux kernel upgrade".

A kernel upgrade might need an update of the LKRG package. The current LKRG version is 0.9.8 and supports CentOS 9 kernel versions up to 5.14.0-447. If future kernel releases run into errors, the LKRG package would need to be updated.

Filesystem

  • Adjusted mount options in /etc/fstab
  • Disabled uncommon filesystems
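
The mount options in /etc/fstab are what give the Partition Layout at the top of this document its noexec/nosuid/nodev columns, so a check that compares the two is the natural companion to this section. The script below is an added example, not TeamDrive's own check: the required options are read off the layout above, and the fstab it runs against is constructed with two deliberate gaps.

```shell
#!/bin/sh
# Added example, not TeamDrive's own check: verify that the mount points
# from the "Partition Layout" at the top of this document carry the mount
# options shown there. Runs against a constructed fstab; on a live host pass
# the contents of /etc/fstab, or "findmnt -rn -o SOURCE,TARGET,FSTYPE,OPTIONS"
# output for what is actually mounted.

# Required options per mount point, taken from the layout above.
REQUIRED_OPTS="/tmp noexec,nosuid,nodev
/dev/shm noexec,nosuid,nodev
/boot noexec,nosuid,nodev
/opt nosuid,nodev
/home noexec,nosuid,nodev
/var noexec,nosuid,nodev
/var/tmp noexec,nosuid,nodev
/var/log noexec,nosuid,nodev
/var/log/audit noexec,nosuid,nodev"

# Constructed fstab with two deliberate gaps: /var/log lacks noexec and
# /home has no entry at all.
SAMPLE_FSTAB='UUID=0000-root /              xfs   defaults                     0 0
UUID=0000-boot /boot          xfs   defaults,noexec,nosuid,nodev 0 0
UUID=0000-opt  /opt           xfs   defaults,nosuid,nodev        0 0
UUID=0000-var  /var           xfs   defaults,noexec,nosuid,nodev 0 0
UUID=0000-vtmp /var/tmp       xfs   defaults,noexec,nosuid,nodev 0 0
UUID=0000-log  /var/log       xfs   defaults,nosuid,nodev        0 0
UUID=0000-aud  /var/log/audit xfs   defaults,noexec,nosuid,nodev 0 0
tmpfs          /tmp           tmpfs noexec,nosuid,nodev,size=892M 0 0
tmpfs          /dev/shm       tmpfs noexec,nosuid,nodev          0 0'

# Print "<mountpoint> <missing option>" for each gap in fstab text $1, or
# "<mountpoint> no-entry" when a required mount point has no line at all.
fstab_gaps() {
    printf '%s\n' "$REQUIRED_OPTS" | while read -r mp want; do
        have=$(printf '%s\n' "$1" | awk -v mp="$mp" '$1 !~ /^#/ && $2 == mp { print $4; exit }')
        if [ -z "$have" ]; then
            echo "$mp no-entry"
            continue
        fi
        for o in $(printf '%s' "$want" | tr ',' ' '); do
            case ",$have," in
                *",$o,"*) ;;
                *) echo "$mp $o" ;;
            esac
        done
    done
}
```

fstab only says what should be mounted at boot; findmnt shows what is. Feeding the same function `findmnt -rn -o SOURCE,TARGET,FSTYPE,OPTIONS` output (target in the second column, options in the fourth, as with fstab) catches a remount or bind mount that silently dropped an option.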

Network

  • Entire IPv6 stack disabled
  • IPv4 stack hardening:
    - Protection against SYN flood attacks
    - Protection against time-wait assassination by dropping RST packets for sockets in the time-wait state
    - Protection against IP spoofing through strict-mode reverse path filtering
    - Protection against Smurf attacks
    - Prevention of clock fingerprinting through ICMP timestamps
    - Prevention of man-in-the-middle attacks and reduced information disclosure by disabling acceptance and sending of ICMP redirects, ICMP echo, and source routing
    - Prevention of exploits by disabling TCP SACK
    - Logging of martian packets
    - TCP ISN CPU information leak protection using the tirdad kernel module
  • Disabled uncommon network protocols and (obsolete) services and wireless networking
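
Most of the IPv4 items above map to kernel sysctls, and the fastest way to verify them is to diff the running values against the intended ones. This is an added example, not from the TeamDrive documentation: the expected values are my reading of the bullets (ICMP timestamp handling is a firewall matter and is left out), and the `sysctl -a` style dump it runs against is constructed.

```shell
#!/bin/sh
# Added example, not from the TeamDrive documentation: compare the kernel
# network tunables behind the Network section against a "sysctl -a" style
# dump. Expected values are my reading of the bullets above; the dump is
# constructed. On a live host: sysctl_deviations "$(sysctl -a 2>/dev/null)"

EXPECTED_SYSCTL="net.ipv4.tcp_syncookies=1
net.ipv4.tcp_rfc1337=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.default.accept_source_route=0
net.ipv4.conf.all.log_martians=1
net.ipv4.tcp_sack=0
net.ipv6.conf.all.disable_ipv6=1"

# Constructed dump: martian logging is off, SACK is still on, and the
# default.accept_source_route key is absent entirely.
SAMPLE_DUMP="net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_rfc1337 = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.log_martians = 0
net.ipv4.tcp_sack = 1
net.ipv6.conf.all.disable_ipv6 = 1"

# Print "<key> expected=<v> actual=<v|unset>" for each deviation in dump $1.
sysctl_deviations() {
    printf '%s\n' "$EXPECTED_SYSCTL" | while IFS='=' read -r key want; do
        have=$(printf '%s\n' "$1" | awk -F' = ' -v k="$key" '$1 == k { print $2; exit }')
        [ "$have" = "$want" ] || echo "$key expected=$want actual=${have:-unset}"
    done
}
```

One caveat for the IPv6 line: when the whole stack is disabled with ipv6.disable=1 on the kernel command line, the net.ipv6 keys do not exist at all, so "unset" there is the expected (and stronger) result rather than a deviation.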

Firewall

  • Using systemd sandboxed firewalld with the nftables backend and "drop" as the default zone
  • Incoming traffic allowed for: 2021 (SSH), 80 (HTTP), 443 (HTTPS)

Shell

  • Uninstalled unused shells: tcsh, csh, ash, ksh, zsh, es, rc, esh, dash, screen
  • Default shell: tmux with auto-logoff (see /etc/tmux.conf, /etc/profile.d/timeout.sh) (tmux hint: Copy & Paste using mouse by pressing shift-key)

Disabled services

Ensured that unused services are disabled:

  • autofs
  • avahi-daemon
  • bind9
  • bluetooth
  • chargen-dgram
  • chargen-stream
  • chrony-wait
  • cups
  • cups-browsed
  • daytime-dgram
  • daytime-stream
  • dhcpd
  • discard-dgram
  • discard-stream
  • dovecot
  • echo-dgram
  • echo-stream
  • hidd
  • irqbalance
  • isc-dhcp-server
  • isc-dhcp-server6
  • kdump
  • lpd.service
  • named
  • nfs
  • nfs-server
  • nfslock
  • nginx
  • nis
  • nmb
  • ntalk
  • ntpd
  • ntpdate
  • portmap
  • proftp
  • pure-ftpd
  • rexec.socket.service
  • rhnsd
  • rlogin.socket.service
  • rngd
  • rpcbind.service
  • rpcbind.socket
  • rpcgssd
  • rpcidmapd
  • rpcsvcgssd
  • rsh.socket.service
  • rsyncd
  • samba-ad-dc
  • sendmail
  • slapd
  • smb
  • snmpd
  • sntp
  • squid
  • systemd-timesyncd
  • tcpmux-server
  • telnet.socket.service
  • tftp.socket
  • time-dgram
  • time-stream
  • vsftpd
  • xinetd
  • ypserv
  • systemd-coredump.service
  • plymouth-halt.service
  • plymouth-poweroff.service
  • plymouth-quit-wait.service
  • plymouth-reboot.service
  • plymouth-switch-root.service
  • plymouth-kexec.service
  • plymouth-quit.service
  • plymouth-read-write.service
  • plymouth-start.service
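
"Disabled" is only one of several unit states, and a unit that is static or socket-activated can come back without ever being enabled. The script below is an added example, not TeamDrive's own check, that reports any unit from the list above whose state is neither disabled nor masked; it uses a constructed `systemctl list-unit-files` listing covering a subset of the units.

```shell
#!/bin/sh
# Added example, not TeamDrive's own check: given "systemctl list-unit-files"
# output, report any unit from the list above that is neither disabled nor
# masked. The listing below is constructed; on a live host use
#   active_unwanted "$(systemctl list-unit-files --no-legend)"

# A subset of the units listed above (bare names are .service units).
UNWANTED_UNITS="autofs avahi-daemon cups dhcpd dovecot kdump nfs-server \
rpcbind.service rpcbind.socket rsyncd smb snmpd squid telnet.socket \
tftp.socket vsftpd xinetd"

# Constructed listing. dovecot is enabled; rpcbind.service is "static",
# which means it has no [Install] section but can still be started by
# rpcbind.socket or another unit, so it counts as a finding.
SAMPLE_UNITS="autofs.service        disabled disabled
avahi-daemon.service  masked   disabled
cups.service          masked   disabled
dovecot.service       enabled  disabled
kdump.service         disabled disabled
rpcbind.service       static   -
rpcbind.socket        disabled disabled
smb.service           disabled disabled
telnet.socket         masked   disabled
tftp.socket           disabled disabled
vsftpd.service        disabled disabled"

# Print "<unit> <state>" for each listed unit whose state is not disabled or
# masked. Units absent from the listing are not installed and are skipped.
active_unwanted() {
    for u in $UNWANTED_UNITS; do
        case $u in *.*) name=$u ;; *) name=$u.service ;; esac
        state=$(printf '%s\n' "$1" | awk -v n="$name" '$1 == n { print $2; exit }')
        case $state in
            ""|disabled|masked) ;;
            *) echo "$name $state" ;;
        esac
    done
}
```

Masking (`systemctl mask`) rather than merely disabling is what keeps a static or socket-activated unit from being pulled in again; `systemctl list-units --type=socket --state=active` shows the listeners that could do so.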

Package Management and Automatic (Security) Updates

  • Enabled gpg check for all repositories and for local packages
  • Using dnf-automatic and needrestart for update notification/installation and restart of services, see /etc/dnf/automatic.conf

Virus check

ClamAV for Linux (see https://www.clamav.net) is installed on the server. The ClamAV service needs 1 GB RAM and will use 1 full CPU core during the scan process. See /etc/clamd.d/scan.conf for scan configuration and parameters.

Signature databases come from ClamAV, supplemented by third-party signature databases via clamav-unofficial-sigs: https://github.com/extremeshok/clamav-unofficial-sigs

Rootkit Scanner

Two rootkit scanners are installed: chkrootkit, with a daily scan interval:

http://www.chkrootkit.org

and rkhunter, also with a daily scan interval and including the forensic unhide module to detect hidden processes and TCP/UDP ports:

https://rkhunter.sourceforge.net

RNG and Entropy

  • RDRAND distrusted by the kernel as an entropy source
  • Using systemd sandboxed haveged (HAVEGE algorithm) as random number generator daemon for high entropy https://github.com/jirka-h/haveged

Fail2Ban

Fail2ban (see https://www.fail2ban.org) scans log files (e.g. /var/log/apache/error_log) and bans IPs that show malicious signs, such as too many password failures or probing for exploits. Fail2ban is generally used to update firewall rules to reject the IP addresses for a specified amount of time, although any other action (e.g. sending an email) can also be configured. Out of the box, Fail2ban comes with filters for various services (apache, courier, ssh, etc.).

Whitelist your own IPs in: /etc/fail2ban/jail.local

Fail2ban is activated for Apache, PHP, postfix and SSH with these jails: apache-auth, apache-badbots, apache-noscript, apache-overflows, apache-shellshock, php-url-fopen

To check currently banned IPs:

fail2ban-client banned
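
To make the apache-auth jail concrete, the following added example (not fail2ban's own code and not part of the TeamDrive documentation) reproduces the counting logic a jail applies: a failregex matches authentication failures in the Apache error log, and a client reaching maxretry is what gets handed to the firewall action. The log lines are constructed and use TEST-NET addresses.

```shell
#!/bin/sh
# Added example, not fail2ban's own code: the counting logic behind a jail
# like apache-auth, run over constructed Apache error_log lines. fail2ban
# pairs a failregex (here: AH01617 password mismatch / AH01618 unknown user)
# with maxretry; clients reaching the threshold are what it hands to the
# firewall action. Addresses are TEST-NET, not real clients.

SAMPLE_LOG='[Sat Jan 13 10:00:01.000000 2024] [auth_basic:error] [pid 1201] [client 203.0.113.5:51234] AH01617: user admin: authentication failure for "/admin": Password Mismatch
[Sat Jan 13 10:00:03.000000 2024] [auth_basic:error] [pid 1201] [client 203.0.113.5:51236] AH01617: user admin: authentication failure for "/admin": Password Mismatch
[Sat Jan 13 10:00:05.000000 2024] [auth_basic:error] [pid 1202] [client 203.0.113.5:51240] AH01618: user root not found: /admin
[Sat Jan 13 10:00:09.000000 2024] [auth_basic:error] [pid 1203] [client 198.51.100.7:40000] AH01617: user bob: authentication failure for "/admin": Password Mismatch
[Sat Jan 13 10:00:11.000000 2024] [core:notice] [pid 1200] AH00094: Command line: /usr/sbin/httpd -DFOREGROUND'

# Print "<ip> <failures>" for every client in log text $1 with at least $2
# authentication failures (fail2ban's maxretry). IPv4 only, which matches
# a host with the IPv6 stack disabled.
offending_ips() {
    printf '%s\n' "$1" | awk -v max="$2" '
        /AH0161[78]/ && match($0, /\[client [^]:]+/) {
            ip = substr($0, RSTART + 8, RLENGTH - 8)
            n[ip]++
        }
        END { for (ip in n) if (n[ip] >= max) print ip, n[ip] }
    '
}
```

A real jail additionally applies findtime (the window the failures must fall into) and bantime. To test the shipped regex against your actual log before relying on it, run `fail2ban-regex <your Apache error log> /etc/fail2ban/filter.d/apache-auth.conf` and confirm it reports the expected number of matches.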

fapolicyd

Setting and enforcing a policy that either allows or denies application execution based on a rule set efficiently prevents the execution of unknown and potentially malicious software.

Software installed using dnf will be automatically whitelisted.

If you install your own scripts, you have to whitelist them; see:

https://access.redhat.com/documentation/de-de/red_hat_enterprise_linux/8/html/security_hardening/assembly_blocking-and-allowing-applications-using-fapolicyd_security-hardening#marking-files-as-trusted-using-an-additional-source-of-trust_assembly_blocking-and-allowing-applications-using-fapolicyd
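
What the whitelisting step records is a trust entry of the form path, size in bytes, SHA-256, which is what `fapolicyd-cli --file add <path> --trust-file <name>` writes under /etc/fapolicyd/trust.d/ before `fapolicyd-cli --update` reloads the database. The script below is an added example, not from the TeamDrive documentation: it computes that entry for a script and checks whether an existing entry still matches the file, which is exactly the condition under which fapolicyd stops executing a script that was edited after being trusted. The demo file is a constructed temporary file.

```shell
#!/bin/sh
# Added example, not from the TeamDrive documentation: the trust entry that
# "fapolicyd-cli --file add <path> --trust-file <name>" records for a script
# of your own (path, size in bytes, SHA-256), and a check that an existing
# entry still matches the file. The demo file is temporary and constructed;
# the real trust files live under /etc/fapolicyd/trust.d/.

# Print the trust-file entry for the file at $1.
trust_entry() {
    size=$(wc -c < "$1" | tr -d ' ')
    sum=$(sha256sum "$1" | cut -d' ' -f1)
    printf '%s %s %s\n' "$1" "$size" "$sum"
}

# Return 0 if trust entry $1 (one line: path size sha256) still matches the
# file on disk, 1 if size or hash differs, 2 if the file is gone. Paths
# containing spaces are not supported by this simple splitter.
verify_trust_entry() {
    set -- $1
    [ -f "$1" ] || return 2
    [ "$(trust_entry "$1")" = "$1 $2 $3" ]
}

# Stand-alone demo on a constructed file.
if [ "${1:-}" = "--demo" ]; then
    f=$(mktemp)
    printf 'echo hi\n' > "$f"
    e=$(trust_entry "$f")
    echo "$e"
    verify_trust_entry "$e" && echo "entry matches"
    printf 'echo changed\n' >> "$f"
    verify_trust_entry "$e" || echo "entry stale: re-add the file and run fapolicyd-cli --update"
    rm -f "$f"
fi
```

The practical consequence is that every deliberate edit to a trusted script needs its entry refreshed, otherwise the next run is denied; keeping your own scripts in one trust file named after the application makes that refresh a single `fapolicyd-cli --file add` plus `fapolicyd-cli --update`.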

Intrusion Detection (IDS/File Integrity)

Daily AIDE scan and check https://aide.github.io/

The fapolicyd software framework controls the execution of applications based on a user-defined policy. This is one of the most efficient ways to prevent running untrusted and possibly malicious applications on the system (“restrictive” policy rule set defined in /etc/fapolicyd/rules.d/*).

More information:

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/assembly_blocking-and-allowing-applications-using-fapolicyd_security-hardening

DNSCrypt

DNSCrypt with DNSSEC using systemd sandboxed dnscrypt-proxy and dnsmasq as local DNS caching server.

DNSCrypt is a protocol that authenticates communications between a DNS client and a DNS resolver. It prevents DNS spoofing. It uses cryptographic signatures to verify that responses originate from the chosen DNS resolver and haven’t been tampered with.

Related conf-Files:

- /etc/NetworkManager/NetworkManager.conf --> dns=none
- /etc/resolv.conf --> nameserver 127.0.0.1
- /etc/systemd/resolved.conf --> DNSStubListener=no
- /etc/dnscrypt-proxy/dnscrypt-proxy.toml

dnscrypt-proxy will load and use a DNS server from this list:

https://dnscrypt.info/public-servers

In case you have to use your own DNS server, remove the immutable flag from:

chattr -i /etc/resolv.conf

and change the nameserver in /etc/resolv.conf to your own value.

NTP

Secure NTP with NTS (Network Time Security, RFC 8915) via systemd sandboxed chronyd

Accounting and Auditing

Using comprehensive auditing rules that comply with:

  • DISA STIG for Red Hat Enterprise Linux 8 V1R7
  • CIS Red Hat Enterprise Linux 8 Benchmark for Level 2 - Server
  • PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 8
  • Protection Profile for General Purpose Operating Systems (Red Hat Enterprise Linux 8)
  • Australian Cyber Security Centre (ACSC) ISM Official (Red Hat Enterprise Linux 8)
  • Health Insurance Portability and Accountability Act (HIPAA) for Red Hat Enterprise Linux 8

PHP (only Registration Server)

  • Using OWASP recommended security configuration
  • Using systemd sandboxed FastCGI Process Manager (FPM)

CentOS Hardening Check

To check the hardening score, use the Lynis security auditing tool and the OSSEC benchmark. Start both checks with:

/root/hardening/benchmark.sh

Lynis analyzes the system for about 5 minutes, reports each test with a green, yellow or red status and calculates a hardening index, which should be 97 of 100.

After the Lynis check, the OpenSCAP scanner is started directly:

https://www.open-scap.org

The OpenSCAP scanner executes the following 6 CIS checks, which take about 25 minutes in total:

- CIS Red Hat Enterprise Linux 9 Benchmark for Level 1 - Server
- CIS Red Hat Enterprise Linux 9 Benchmark for Level 2 - Server
- ANSSI-BP-028 (enhanced)
- Health Insurance Portability and Accountability Act (HIPAA)
- Protection Profile for General Purpose Operating Systems
- DISA STIG for Red Hat Enterprise Linux 9

Each check generates an HTML result file located in:

/root/hardening/
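
For readers who want to see what a run like the one described above consists of, here is an added example; it is not the /root/hardening/benchmark.sh that TeamDrive ships. It runs Lynis and then the six OpenSCAP profiles listed above, writing one HTML report per profile into the report directory. The datastream path (ssg-cs9-ds.xml from the scap-security-guide package) and the profile ids are assumptions based on the ComplianceAsCode packaging for CentOS Stream 9; adjust them to your installation.

```shell
#!/bin/sh
# Added example, not the /root/hardening/benchmark.sh that TeamDrive ships:
# run Lynis and then the six OpenSCAP profiles listed above, writing one
# HTML report per profile. The datastream path, the report directory and
# the profile ids are assumptions based on the ComplianceAsCode packaging
# for CentOS Stream 9 (scap-security-guide); adjust them to your system.

DATASTREAM=${DATASTREAM:-/usr/share/xml/scap/ssg/content/ssg-cs9-ds.xml}
REPORT_DIR=${REPORT_DIR:-/root/hardening}

# Map a short name to the profile id inside the datastream; fail on unknown.
oscap_profile_id() {
    case $1 in
        cis_l1) echo xccdf_org.ssgproject.content_profile_cis_server_l1 ;;
        cis_l2) echo xccdf_org.ssgproject.content_profile_cis ;;
        anssi)  echo xccdf_org.ssgproject.content_profile_anssi_bp28_enhanced ;;
        hipaa)  echo xccdf_org.ssgproject.content_profile_hipaa ;;
        ospp)   echo xccdf_org.ssgproject.content_profile_ospp ;;
        stig)   echo xccdf_org.ssgproject.content_profile_stig ;;
        *) return 1 ;;
    esac
}

# Print the oscap command for profile $1 (one line, nothing executed).
oscap_cmd() {
    id=$(oscap_profile_id "$1") || return 1
    printf 'oscap xccdf eval --profile %s --report %s/%s.html %s\n' \
        "$id" "$REPORT_DIR" "$1" "$DATASTREAM"
}

# Run everything; returns 1 early if oscap is not installed.
run_benchmarks() {
    command -v oscap >/dev/null 2>&1 || { echo "oscap not installed" >&2; return 1; }
    command -v lynis >/dev/null 2>&1 && lynis audit system --quick
    for p in cis_l1 cis_l2 anssi hipaa ospp stig; do
        # oscap exits 2 when at least one rule fails, which is normal for a
        # benchmark; keep going so every report is written, but flag exit 1
        # (a scanner error) so a missing report is noticed.
        rc=0; sh -c "$(oscap_cmd "$p")" || rc=$?
        [ "$rc" -ne 1 ] || echo "scan error for $p" >&2
    done
}
```

Exit status 2 from oscap means the scan completed with failed rules and is expected on any real host; only exit status 1 indicates the scanner itself did not run the profile. Open the HTML report for the rule-by-rule result rather than relying on the exit code.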

Known problems caused by the hardening

A dnf update might fail when the "setup" package is updated. To fix the problem:

chattr -i /etc/shells
dnf update
chattr +i /etc/shells

If dnf update fails with “glibc-devel-2.28-225.el8.i686 has inferior architecture” use:

dnf update --allowerasing