Operating System Configuration¶
Installing a base operating system¶
Start by performing a minimal OS installation of a recent 64-bit Red Hat Enterprise Linux 8 (RHEL 8) or derivative Linux distribution (e.g. CentOS 8, Oracle Linux 8), using your preferred installation method (manual install, Kickstart, etc.). The details of how to perform this task are out of the scope of this document.
During the installation and the steps that follow, the system needs to be able to establish outgoing TCP connections (mainly to download additional components).
Boot up the system and log in as the root user, either via the console or via an SSH connection.
Note
On CentOS 8 the default package manager is DNF, the next-generation version of YUM and its intended replacement on RPM-based systems. YUM is still available on CentOS 8; for compatibility with CentOS 7, all subsequent package installations in this document use YUM. On CentOS 8 systems you can replace these calls with DNF.
Time Synchronization with Chrony NTP Server¶
We strongly advise that the clocks of all servers in a TeamDrive installation are synchronized using the Network Time Protocol (NTP). On CentOS 8 the classic NTP daemon has been replaced by Chrony, which is normally part of a minimal installation already. Make sure the chronyd service is enabled and that the system actually synchronizes against a reachable time source; an unsynchronized clock breaks log correlation and can invalidate TLS certificates and time-based tokens.
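Added example, not part of the TeamDrive documentation: a small shell script that enables chronyd and checks, from the output of chronyc tracking, that the clock is really synchronized before you continue. The offset threshold MAX_OFFSET and the chronyc waitsync parameters are our own choices, not TeamDrive settings; the constructed chronyc output used to try the check is not captured from a real system.

```sh
#!/bin/sh
# Added example (not from the TeamDrive documentation): enable chronyd and verify
# that the clock is synchronised before continuing with the installation.
# Assumption: MAX_OFFSET (seconds) is our own threshold, not a TeamDrive setting.
MAX_OFFSET="${MAX_OFFSET:-1.0}"

# chrony_synced reads the output of `chronyc tracking` on stdin and returns 0
# only when the leap status is Normal, the stratum is non-zero (a real reference
# clock is in use) and the system time offset is within MAX_OFFSET seconds.
chrony_synced() {
  awk -v max="$MAX_OFFSET" '
    /^Leap status/ { leap = $NF }
    /^Stratum/     { stratum = $NF + 0 }
    # "System time : 0.000123 seconds fast of NTP time" -> field 4 is the offset
    /^System time/ { offset = $4 + 0 }
    END {
      if (leap == "Normal" && stratum > 0 && offset <= max) exit 0
      exit 1
    }'
}

# Only touch the running system when invoked as "chrony-check.sh apply".
if [ "${1:-}" = "apply" ]; then
  systemctl enable --now chronyd
  # Wait for the first synchronisation: up to 30 tries, remaining correction <= 0.5 s.
  chronyc waitsync 30 0.5 || echo "warning: chronyd has not synchronised yet" >&2
  if chronyc tracking | chrony_synced; then
    echo "clock is synchronised"
  else
    echo "clock is NOT synchronised; check 'chronyc sources -v' and outbound UDP 123" >&2
    exit 1
  fi
fi
```

Run it as sh chrony-check.sh apply on the server; without the argument it only defines the check function. An unsynchronized system shows Stratum : 0 and Leap status : Not synchronised in chronyc tracking, which the check treats as a failure; chronyc sources -v then shows whether the configured time servers are reachable at all.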
Disable SELinux¶
The TeamDrive Web Portal currently can not be run when SELinux is enabled.
Edit the file /etc/selinux/config and set SELINUX=disabled. The setting in this file takes effect on the next reboot. To stop SELinux enforcing on the running system immediately, switch it to permissive mode with the following command; this runtime change does not survive a reboot, so the edit to /etc/selinux/config is still required. Afterwards, getenforce reports Permissive, and Disabled once the system has been rebooted:
[root@webportal install]# setenforce 0
Firewall configuration¶
You should configure a local firewall so the server is protected against remote attacks. The only TCP ports that should be reachable from outside are 22 (SSH, optional for remote administration), 80 (http) and 443 (https).
On a minimal installation please enable access to the following services:
- SSH
- Secure WWW (HTTPS)
- WWW (HTTP)
To configure the firewall, first remove the two services that a minimal installation exposes by default but the Web Portal does not need:
firewall-cmd --remove-service=cockpit --permanent
firewall-cmd --remove-service=dhcpv6-client --permanent
and enable HTTP (80) and HTTPS (443):
firewall-cmd --zone=public --add-service=http --permanent
firewall-cmd --zone=public --add-service=https --permanent
firewall-cmd --reload
Enable additional protections based on your local requirements or security policies.
You can check the result with firewall-cmd --list-all --zone=public:
[root@webportal ~]# firewall-cmd --list-all --zone=public
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: http https ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
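Added example, not from the TeamDrive documentation: a shell script that applies the rules above and then compares the list of exposed services with the intended set (ssh, http, https), so that drift such as cockpit being re-enabled is caught instead of silently staying open. The zone name public, the script name and the check function are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the TeamDrive documentation): apply the firewalld
# rules from this section and verify that only the intended services are exposed.
set -u

ZONE="public"
# Services that may be reachable from outside (SSH, HTTP, HTTPS), per this page.
EXPECTED="http https ssh"

# apply_firewall makes the permanent changes and reloads the runtime configuration.
apply_firewall() {
  firewall-cmd --zone="$ZONE" --remove-service=cockpit --permanent
  firewall-cmd --zone="$ZONE" --remove-service=dhcpv6-client --permanent
  firewall-cmd --zone="$ZONE" --add-service=http --permanent
  firewall-cmd --zone="$ZONE" --add-service=https --permanent
  firewall-cmd --reload
}

# check_services takes the space-separated service list printed by
# `firewall-cmd --zone=public --list-services` and compares it with EXPECTED.
# Returns 0 when the two sets match exactly; otherwise it reports every
# unexpected or missing service on stderr and returns 1.
check_services() {
  actual="$1"
  rc=0
  for s in $actual; do
    case " $EXPECTED " in
      *" $s "*) ;;
      *) echo "unexpected service exposed: $s" >&2; rc=1 ;;
    esac
  done
  for s in $EXPECTED; do
    case " $actual " in
      *" $s "*) ;;
      *) echo "required service missing: $s" >&2; rc=1 ;;
    esac
  done
  return $rc
}

# Only change the running system when invoked as "firewall.sh apply".
if [ "${1:-}" = "apply" ]; then
  apply_firewall
  if check_services "$(firewall-cmd --zone="$ZONE" --list-services)"; then
    echo "firewall OK: only $EXPECTED exposed in zone $ZONE"
  else
    exit 1
  fi
fi
```

Run it as sh firewall.sh apply. The check only covers services; also confirm that firewall-cmd --zone=public --list-ports prints nothing, because a port opened directly with --add-port would not show up in the service list.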
If the server sits behind an external company firewall, open the ports listed above for incoming traffic. For outgoing communication please enable:
- Secure WWW (Port 443 for HTTPS)
- WWW (Port 80 for HTTP)
- DNS Lookup (Port 53 for DNS communication with a public DNS server)
- NTP (UDP port 123), if chronyd synchronizes against external time servers
- SMTP (port 25, or port 587 for authenticated submission), if the local Postfix instance described below relays to an external mail server
Installing the Postfix MTA (optional)¶
If you intend to use the email-based two-factor authentication for accessing the Web Portal Administration Console, or if you want to be notified about Space Volumes running out of disk space via email, the TeamDrive Web Portal needs to be configured to send out these notifications via SMTP.
The Yvva Runtime Environment that provides the foundation for the Web Portal is only capable of sending out email using plain SMTP via TCP port 25 to a local or remote MTA.
If your mail server requires some form of authentication or transport layer encryption like SSL/TLS, you need to set up a local MTA that relays all outgoing email from the TeamDrive Web Portal to your mail server using the appropriate protocol and credentials.
We recommend configuring a local Postfix instance to perform this duty. The following packages need to be installed:
[root@webportal ~]# yum install postfix mailx cyrus-sasl-plain
The detailed configuration of the local Postfix instance depends heavily on your local environment and how the remote MTA accepts remote submissions and is out of the scope of this document.
See the Postfix SMTP client documentation at http://www.postfix.org/smtp.8.html for details on how to configure Postfix to use a relay server, and make sure to test the correct operation by sending local emails using the mail command line utility and watching the Postfix log file /var/log/maillog for errors.
Once the Postfix service has been configured correctly, ensure that it is started automatically upon system boot. On CentOS 8, chkconfig is a compatibility wrapper that forwards to systemctl, so systemctl enable postfix is the native equivalent:
[root@webportal ~]# chkconfig postfix on
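Added example, not part of the TeamDrive documentation (which leaves the relay configuration out of scope): a shell script that configures the local Postfix instance as a loopback-only relay that hands all outgoing mail to an authenticated, TLS-protected submission server, and then sends a test message. The relay host smtp.example.com:587, the user name, the password and the test recipient are placeholders; replace them with the values for your mail server.

```sh
#!/bin/sh
# Added example, not part of the TeamDrive documentation: set up the local
# Postfix instance as a loopback-only relay that hands all outgoing mail to an
# authenticated, TLS-protected submission server.
# Placeholders (replace with your mail server's values):
RELAY_HOST="smtp.example.com"
RELAY_PORT="587"
RELAY_USER="webportal@example.com"
RELAY_PASS="change-me"
TEST_RECIPIENT="admin@example.com"

# relay_settings prints the main.cf parameters for the given relay host and
# port, one "name = value" per line, so they can be reviewed before being applied.
relay_settings() {
  cat <<EOF
relayhost = [$1]:$2
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_security_level = encrypt
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
inet_interfaces = loopback-only
mynetworks = 127.0.0.0/8 [::1]/128
EOF
}

# apply_relay writes the settings and the credentials, (re)starts Postfix and
# sends a test message; the last /var/log/maillog lines show the relay's verdict.
apply_relay() {
  relay_settings "$RELAY_HOST" "$RELAY_PORT" | while IFS= read -r line; do
    postconf -e "$line"
  done
  # Credentials go into a root-only lookup table, never into main.cf itself.
  umask 077
  printf '[%s]:%s %s:%s\n' "$RELAY_HOST" "$RELAY_PORT" "$RELAY_USER" "$RELAY_PASS" \
    > /etc/postfix/sasl_passwd
  postmap hash:/etc/postfix/sasl_passwd
  systemctl enable --now postfix
  systemctl reload postfix
  echo "relay test from $(hostname)" | mail -s "TeamDrive Web Portal relay test" "$TEST_RECIPIENT"
  sleep 5
  grep -E 'status=(sent|bounced|deferred)' /var/log/maillog | tail -n 3
}

# Only change the running system when invoked as "postfix-relay.sh apply".
if [ "${1:-}" = "apply" ]; then
  apply_relay
fi
```

inet_interfaces = loopback-only keeps port 25 reachable only from the Web Portal on the same host, which is all the Yvva runtime needs, and smtp_tls_security_level = encrypt refuses to hand mail to the relay over a plaintext connection. If the relay presents a certificate that matches its host name, raise the level to secure so the certificate is also verified against the CA bundle.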
CentOS Hardening¶
Install a rootkit scanner:
yum install epel-release
yum --enablerepo=epel -y install rkhunter
and set MAILTO in the rkhunter configuration file /etc/sysconfig/rkhunter to the address that should receive the reports.
The rootkit scanner is started automatically once a day by a cron job and sends a status email to that address.
Update the rkhunter data files, record the current file properties as the known-good baseline and run the first check. Run rkhunter --propupd again after every legitimate package update; otherwise the daily scan reports the changed binaries as warnings:
rkhunter --update
rkhunter --propupd
rkhunter --check --sk
Install USBGuard to protect your systems against intrusive USB devices:
yum install usbguard
Change PresentControllerPolicy in /etc/usbguard/usbguard-daemon.conf and set it to:
PresentControllerPolicy=block
This setting governs USB controllers that are already attached when the daemon starts, so test it on a system that you can still administer over SSH before rolling it out. Enable usbguard:
systemctl enable --now usbguard
We recommend hardening the CentOS system based on the DevSec Hardening Framework (https://github.com/dev-sec/linux-baseline) and auditing it with Lynis, a security auditing tool for Linux (https://cisofy.com/lynis/).
Install both tools. The InSpec installer is fetched from Chef's omnitruck service; if your security policy does not allow piping a downloaded script straight into a root shell, save it first with curl -o install.sh https://omnitruck.chef.io/install.sh, review it, and then run sudo bash install.sh -P inspec instead:
curl https://omnitruck.chef.io/install.sh | sudo bash -s -- -P inspec
yum install epel-release
yum install lynis
To analyze the system using DevSec execute:
inspec exec https://github.com/dev-sec/linux-baseline
and for Lynis execute:
lynis audit system
The DevSec report shows each test with a green (passed) or red (failed) status. Lynis generates a similar result with green, yellow and red statuses and calculates a hardening index; it also writes a machine-readable report to /var/log/lynis-report.dat.
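Added example, not part of the TeamDrive documentation: a shell script that runs the Lynis audit and turns its report file into a pass/fail gate, so that the hardening index and the warnings can be checked automatically instead of being read off the coloured console output. The threshold MIN_INDEX is our own choice, and the report lines used to try the parser are constructed samples, not output captured from a real audit.

```sh
#!/bin/sh
# Added example (not from the TeamDrive documentation): run the Lynis audit and
# gate on the hardening index and the reported warnings.
# Assumption: MIN_INDEX is our own threshold. /var/log/lynis-report.dat is the
# report file Lynis writes by default.
REPORT="${REPORT:-/var/log/lynis-report.dat}"
MIN_INDEX="${MIN_INDEX:-70}"

# lynis_summary reads a lynis-report.dat on stdin and prints one line:
#   index=<hardening index> warnings=<count> suggestions=<count>
lynis_summary() {
  awk -F= '
    $1 == "hardening_index" { idx = $2 }
    $1 == "warning[]"       { w++ }
    $1 == "suggestion[]"    { s++ }
    END { printf "index=%d warnings=%d suggestions=%d\n", idx, w, s }'
}

# lynis_gate returns 0 when the hardening index reaches MIN_INDEX and no
# warnings were reported; otherwise it lists the warnings (test id and text).
lynis_gate() {
  report="$1"
  summary=$(lynis_summary < "$report")
  idx=${summary#index=};       idx=${idx%% *}
  warns=${summary#*warnings=}; warns=${warns%% *}
  echo "$summary"
  if [ "$warns" -gt 0 ]; then
    # Report lines look like: warning[]=TEST-ID|description|details|solution|
    awk -F= '$1 == "warning[]" {
      split(substr($0, index($0, "=") + 1), f, "|")
      printf "  %s: %s\n", f[1], f[2]
    }' "$report" >&2
  fi
  [ "$idx" -ge "$MIN_INDEX" ] && [ "$warns" -eq 0 ]
}

# Only run the audit when invoked as "lynis-gate.sh audit" (needs root).
if [ "${1:-}" = "audit" ]; then
  lynis audit system --quick
  lynis_gate "$REPORT"
fi
```

Run it as root with sh lynis-gate.sh audit; the non-zero exit status makes it usable as a step in a build or configuration pipeline. Treat the threshold as a floor that you raise after each hardening round, and review the listed warnings individually, since a warning such as a disabled mandatory access control is not something the index alone conveys.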
For hardening the system we provide a script that is installed together with the TeamDrive Web Portal software. The script is run in a later step of this documentation.