author: Zuul <zuul@review.openstack.org> 2018-10-03 01:36:27 +0000
committer: Gerrit Code Review <review@openstack.org> 2018-10-03 01:36:27 +0000
commit: cabbd0d12964fa84f89afb441213323e20d244cf
tree: 07f4d74fa4435033efceabb70cd2d6ef221d8568
parent: 7a0717adc68261c7adb3a3db74a9326d6103519f
parent: 9e48ddfe0c71fc7d98fb67bd3d0ba77c7c13c425
Merge "Airship Ubuntu/MAAS security guide"
-rw-r--r-- doc/source/security/guide.rst (2 lines)
-rw-r--r-- doc/source/security/ubuntu.rst (244 lines)
2 files changed, 246 insertions, 0 deletions
diff --git a/doc/source/security/guide.rst b/doc/source/security/guide.rst
index 5d1fc3d..61db00f 100644
--- a/doc/source/security/guide.rst
+++ b/doc/source/security/guide.rst
@@ -35,6 +35,7 @@ be listed as well as the project scope.
35 * Solution: The solution is how this security concern is addressed in the platform 35 * Solution: The solution is how this security concern is addressed in the platform
36 * Remediated: The item is solved for automatically 36 * Remediated: The item is solved for automatically
37 * Configurable: The item is based on configuration. Guidance will be provided. 37 * Configurable: The item is based on configuration. Guidance will be provided.
38 * Mitigated: The item currently mitigated while a permanent remediation is in progress.
38 * Pending: Addressing the item is in-progress 39 * Pending: Addressing the item is in-progress
39 * Audit: Auditing the item provides for ongoing monitoring to ensure there is no regression 40 * Audit: Auditing the item provides for ongoing monitoring to ensure there is no regression
40 * Testing: The item is tested for in an automated test pipeline during development 41 * Testing: The item is tested for in an automated test pipeline during development
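Review bot: the new status definition on line 38 is missing its verb; it should read "The item is currently mitigated while a permanent remediation is in progress." Also note that nothing in the ubuntu.rst added by this same change actually uses *Mitigated*, and that file's "Temporary Mitigation Status" section is left empty, so either exercise the new status there (the auditd/Falco and Nagios items are the obvious candidates, since they are marked *Remediated* by non-Airship tooling) or defer this definition to the change that first needs it.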
@@ -49,3 +50,4 @@ Airship Security Topics
49 50
50 template 51 template
51 haproxy 52 haproxy
53 ubuntu
diff --git a/doc/source/security/ubuntu.rst b/doc/source/security/ubuntu.rst
new file mode 100644
index 0000000..2e92d27
--- /dev/null
+++ b/doc/source/security/ubuntu.rst
@@ -0,0 +1,244 @@
1..
2 Copyright 2018 AT&T Intellectual Property.
3 All Rights Reserved.
4
5 Licensed under the Apache License, Version 2.0 (the "License"); you may
6 not use this file except in compliance with the License. You may obtain
7 a copy of the License at
8
9 http://www.apache.org/licenses/LICENSE-2.0
10
11 Unless required by applicable law or agreed to in writing, software
12 distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
13 WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
14 License for the specific language governing permissions and limitations
15 under the License.
16
17.. _ubuntu_security_guide:
18
19Canonical Ubuntu/MAAS Security Guide
20====================================
21
22Updated: 6-AUG-2018
23
24This guide covers the configuration of MAAS to run securely and to deploy
25secure installations of Ubuntu 16.04.x. Some items are above and beyond MAAS
26when MAAS does not offer the functionality needed to fully secure a
27newly provisioned server.
28
29.. contents:: :depth: 2
30
31Security Item List
32------------------
33
34Filesystem Permissions
35^^^^^^^^^^^^^^^^^^^^^^
36
37Many files on the filesystem can contain sensitive data that can hasten a malignant
38attack on a host. Ensure the below files have appropriate ownership and permissions
39
40================================== ========= ========= ===============
41 Filesystem Path Owner Group Permissions
42================================== ========= ========= ===============
43``/boot/System.map-*`` root root ``0600``
44``/etc/shadow`` root shadow ``0640``
45``/etc/gshadow`` root shadow ``0640``
46``/etc/passwwd`` root root ``0644``
47``/etc/group`` root root ``0644``
48``/var/log/kern.log`` root root ``0640``
49``/var/log/auth.log`` root root ``0640``
50``/var/log/syslog`` root root ``0640``
51================================== ========= ========= ===============
52
53 - Project Scope: Drydock
54 - Solution *Configurable*: A bootaction will be run to enforce this on first boot
55 - Audit: *Pending*: This will be verified on an ongoing basis via a Sonobuoy plugin
56
57Filesystem Partitioning
58^^^^^^^^^^^^^^^^^^^^^^^
59
60The mounts ``/tmp``, ``/var``, ``/var/log``, ``/var/log/audit`` and ``/home`` should be
61individual file systems.
62
63 - Project Scope: Drydock
64 - Solution *Configurable*: Drydock supports user designed partitioning, see `Filesystem Configuration`_.
65 - Audit: *Testing*: The Airship testing pipeline will validate that nodes are partitioned
66 as described in the site definition.
67
68Filesystem Hardening
69^^^^^^^^^^^^^^^^^^^^
70
71Disallow symlinks and hardlinks to files not owned by the user. Set ``fs.protected_symlinks`` and
72``fs.protected_hardlinks`` to ``1``.
73
74 - Project Scope: Diving Bell
75 - Solution *Configurable*: Diving Bell overrides will enforce this kernel tunable. By default
76 MAAS deploys nodes in compliance.
77 - Audit: *Pending*: This will be verified on an ongoing basis via a Sonobuoy plugin.
78
79Execution Environment Hardening
80^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
81
82The kernel tunable ``fs.suid_dumpable`` must be set to ``0`` and there must be a hard limit
83disabling core dumps (``hard core 0``)
84
85 - Project Scope: DivingBell, Drydock
86 - Solution *Configurable*: Diving Bell overrides will enforce this kernel tunable, by default
87 MAAS deploys nodes with ``fs.suid_dumpable = 2``. A boot action will put in place
88 the hard limit.
89 - Audit: *Pending*: This will be verified on an ongoing basis via a Sonobuoy plugin
90
91Randomizing stack space can make it harder to exploit buffer overflow vulnerabilities. Enable
92the kernel tunable ``kernel.randomize_va_space = 2``.
93
94 - Project Scope: DivingBell
95 - Solution *Configurable*: Diving Bell overrides will enforce this kernel tunable, by default
96 MAAS deploys nodes in compliance.
97 - Audit: *Pending*: This will be verified on an ongoing basis via a Sonobuoy plugin
98
99Mandatory Access Control
100^^^^^^^^^^^^^^^^^^^^^^^^
101
102Put in place the approved default AppArmor profile and ensure that Docker is configured
103to use it.
104
105 - Project Scope: Drydock, Promenade
106 - Solution *Configurable*: A bootaction will put in place the default AppArmor profile. Promenade
107 will deploy a Docker configuration to enforce the default policy.
108 - Audit: *Pending*: This will be verified on an ongoing basis via a Sonobuoy plugin probing
109 ``/proc/<pid>/attr/current``.
110
111Put in place an approved AppArmor profile to be used by containers that will manipulate the
112on-host AppArmor profiles. This allows an init container in Pods to put customized AppArmor
113profile in place and load them.
114
115 - Project Scope: Drydock
116 - Solution *Configurable*: A bootaction will put in place the profile-manager AppArmor profile and
117 load it on each boot.
118 - Audit: *Pending*: The availability of this profile will be verified by a Sonobuoy plugin.
119
120.. IMPORTANT::
121
122 All other AppArmor profiles must be delivered and loaded by an init container in the Pod
123 that requires them. The Pod must also be decorated with the appropriate annotation to specify
124 the custom profile.
125
126System Monitoring
127^^^^^^^^^^^^^^^^^
128
129Run `rsyslogd` to log events.
130
131 - Project Scope: Drydock
132 - Solution *Remediated*: MAAS installs rsyslog by default.
133 - Audit: *Pending*: This will be verified on an ongoing basis via a Sonobuoy plugin.
134
135Run a monitor for logging kernel audit events such as auditd.
136
137 - Project Scope: Non-Airship
138 - Solution *Remediated*: The Sysdig Falco <https://sysdig.com/opensource/falco/> will be used and
139 - Audit: *Pending*: This will be verified on an ongoing basis via a Sonobuoy plugin.
140
141Watch the watchers. Ensure that monitoring services are up and responsive.
142
143 - Project Scope: Non-Airship
144 - Solution *Remediated*: Nagios will monitor host services and Kubernetes resources
145 - Audit: *Validation*: Internal corporate systems track Nagios heartbeats to ensure Nagios is responsive
146
147Blacklisted Services
148^^^^^^^^^^^^^^^^^^^^
149
150The below services are deprecated and should not be enabled or installed on hosts.
151
152================ ====================
153 Service Ubuntu Package
154================ ====================
155 telnet telnetd
156 inet telnet inetutils-telnetd
157 SSL telnet telnetd-ssl
158 NIS nis
159 NTP date ntpdate
160================ ====================
161
162 - Project Scope: Drydock
163 - Solution *Configurable*: A boot action will be used to enforce this on first boot.
164 - Audit: *Pending*: This will be verified on an ongoing basis via Sonobuoy plugin.
165
166Required System Services
167^^^^^^^^^^^^^^^^^^^^^^^^
168
169``cron`` and ``ntpd`` **must** be installed and enabled on all hosts. Only administrative
170accounts should have access to cron. ``ntpd -q`` should show time synchronization is active.
171
172 - Project Scope: Drydock
173 - Solution *Remediated*: A MAAS deployed node runs cron and configured ntpd by default.
174 - Audit: *Pending*: This will be verified on an ongoing basis via Sonobuoy plugin.
175
176System Service Configuration
177^^^^^^^^^^^^^^^^^^^^^^^^^^^^
178
179If ``sshd`` is enabled, ensure it is securely configured:
180
181 - **Must** only support protocol verison 2 (``Protocol 2``)
182 - **Must** disallow root SSH logins (``PermitRootLogin no``)
183 - **Must** disallow empty passwords (``PermitEmptyPasswords no``)
184 - **Should** set a idle timeout interval (``ClientAliveInterval 600`` and ``ClientAliveCountMax 0``)
185
186 - Project Scope: Drydock
187 - Solution *Configurable*: A boot action will install an explicit configuration file
188 - Audit: *Pending*: This will be verified on an ongoing basis via Sonobuoy plugin.
189
190Network Security
191^^^^^^^^^^^^^^^^
192
193.. IMPORTANT::
194
195 Calico network policies will be used to secure host-level network access. Nothing will
196 be orchestrated outside of Calico to enforce host-level network policy.
197
198Secure the transport of traffic between nodes and MAAS/Drydock during node deployment.
199
200 - Project Scope: Drydock, MAAS
201 - Solution *Pending*: The Drydock and MAAS charts will be updated to include an Ingress
202 port utilizing TLS 1.2 and a publicly signed certificate. Also the service will enable
203 TLS on the pod IP.
204 - Audit: *Testing*: The testing pipeline will validate the deployment is using TLS to
205 access the Drydock and MAAS APIs.
206
207.. DANGER::
208
209 Some traffic, such as iPXE, DHCP, TFTP, will utilize node ports and is not encrypted. This
210 is not configurable. However, this traffic traverses the private PXE network.
211
212Secure Accounts
213^^^^^^^^^^^^^^^
214
215Enforce a minimum password length of 8 characters
216
217 - Project Scope: Drydock
218 - Solution *Configurable*: A boot action will update ``/etc/pam.d/common-password`` to specify ``minlen=8`` for ``pam_unix.so``.
219 - Audit: *Pending*: This will be verified on an ongoing basis via Sonobuoy plugin.
220
221Configuration Guidance
222----------------------
223
224Filesystem Configuration
225^^^^^^^^^^^^^^^^^^^^^^^^
226
227The filesystem partitioning strategy should be sure to protect the ability for the host to
228log critical information, both for security and reliability. The log data should not risk
229filling up the root filesystem (``/``) and non-critical log data should not risk crowding out
230critical log data. If you are shipping log data to a remote store, the latter concern is
231less critical. Because Airship nodes are built to **ONLY** run Kubernetes, isolating filesystems
232such as ``/home`` is not as critical since there is no direct user access and applications
233are running in a containerized environment.
234
235Temporary Mitigation Status
236---------------------------
237
238
239References
240----------
241
242OpenSCAP for Ubuntu 16.04 - https://static.open-scap.org/ssg-guides/ssg-ubuntu1604-guide-common.html
243Ubuntu 16.04 Server Guide - https://help.ubuntu.com/16.04/serverguide/security.html
244Canonical MAAS 2.x TLS - https://docs.maas.io/2.3/en/installconfig-network-ssl & https://docs.maas.io/2.4/en/installconfig-network-ssl
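Review bot: line 138 ends mid-sentence ("The Sysdig Falco <https://sysdig.com/opensource/falco/> will be used and"), so the kernel audit requirement has no complete solution statement; finish the sentence with what Falco is expected to do (capture and alert on syscall/audit events) or drop the trailing "and". Two further corrections are needed before this is safe to build a bootaction from: line 46 reads ``/etc/passwwd`` and must be ``/etc/passwd``, otherwise an enforcement script generated from this table silently skips the real file; and line 170's ``ntpd -q`` is not a status check (``-q`` runs ntpd in set-the-clock-once-and-exit mode and reports nothing about ongoing synchronization), so the audit should use ``ntpq -p`` and look for a selected peer. Smaller points: line 181 "verison" should be "version", and on the OpenSSH 7.2 shipped with Ubuntu 16.04 ``Protocol 2`` is a no-op because SSH1 is compiled out, so state that it is kept for defence in depth; line 184's ``ClientAliveCountMax 0`` gives the intended idle disconnect on this OpenSSH version but disables connection termination entirely on OpenSSH 8.2 and later, so flag it as version-specific; line 145 uses an ``Audit: *Validation*`` status that the status list in guide.rst does not define (use *Testing* or *Audit*); line 91 says randomizing "stack space" but ``kernel.randomize_va_space = 2`` also randomizes mmap and brk, which is the point of preferring 2 over 1; the "Temporary Mitigation Status" section at lines 235-238 is an empty heading and should either list the mitigated items or be removed until one exists; and line 129 uses single backticks for `rsyslogd` where the rest of the file uses the double-backtick literal role.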