Securing Ignition on Linux

Or just securing Linux. How do you do it? What are the pitfalls and gotchas?

I’m starting this thread as a place to share best practices to secure your installation. Linux is a growing platform with an enviable security record, but it still makes the news every so often for the wrong reasons.

The foundation of any security system has to be a really good threat assessment.

  1. what is the threat?
  2. what is the worst that can happen?
  3. what are the mitigation strategies if the worst does happen?

After that you can ask ‘What can I afford to allow to happen?’ and ‘What can not be allowed to happen?’ Usually ‘How much will it cost if it does happen?’

If the answer to the last one is less than buying new hardware and reinstalling and the downtime costs, you’re done. (not likely eh)

Now that you have a list of threats, and a cost associated with each, you should sort them from $$$$ to $ and address each in turn until your solution costs more than the threat you’re trying to stop.

There is a lot you can do to really lock down a Linux system for only a little effort. I really like Ubuntu for this because they install the root user without a password and then require a password to log in. This means that it’s impossible to log in as root.

So that’s a starting point. What do you do?

We went with RHEL(or CentOS), and I generally follow the NSA guide to it for that OS.
(We do this for all our Linux machines, not just the one that runs Ignition)

Logins are handled from our AD to avoid having to manage local accounts.
Root is disabled from everything but the ‘physical’ console (ours are VMs, so we use the VMware security to restrict who can get to them that way).
Auditd runs to record all change events to config files and syslog outputs all logon events.
Firewall starts with the default DENY ALL and we add only what’s necessary.
We use a local stratum 1 time server appliance to maintain sync w/ the domain.
SELinux is installed and enforced as well. I built a custom policy for Ignition for it.

Other stuff too, but I’m not near my notes at the moment.
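The checklist in the post above (root kept off remote logins, auditd watching config files, a default-deny firewall, SELinux enforcing) turned into small verification functions. This is an added example, not the poster's or Inductive Automation's own scripts; each function takes the file to inspect as an argument so it can run against copies of a host's files, and the watched directories are assumptions.

```shell
#!/bin/sh
# Verification helpers for the hardening checklist from the thread.
# Each function exits 0 when the setting matches the checklist and
# non-zero otherwise, so they can be chained or run from cron.

# Root only on the console: sshd must not permit root login.
# $1 = path to an sshd_config copy. sshd keywords are case-insensitive
# and the last occurrence wins, so we take the final non-comment value.
check_sshd_root_login() {
    val=$(grep -Ei '^[[:space:]]*PermitRootLogin[[:space:]]' "$1" \
          | tail -n 1 | awk '{print tolower($2)}')
    [ "$val" = "no" ]
}

# auditd: emit watch rules recording writes and attribute changes to
# configuration directories. $@ = directories to watch (assumed paths
# in the test; pick the ones that hold your Ignition and OS config).
# Output is in audit.rules syntax: -w <path> -p wa -k <key>.
gen_audit_rules() {
    for d in "$@"; do
        printf '%s\n' "-w $d -p wa -k config_change"
    done
}

# Firewall: default INPUT policy must be DROP ("deny all, then allow").
# $1 = file holding `iptables-save` output; the policy line looks like
# ":INPUT DROP [0:0]".
check_input_policy_drop() {
    grep -Eq '^:INPUT DROP' "$1"
}

# SELinux must be in enforcing mode. $1 = path to /etc/selinux/config.
check_selinux_enforcing() {
    grep -Eq '^SELINUX=enforcing' "$1"
}

# Run all checks against real paths; prints one line per failure and
# returns the number of failed checks.
check_host() {
    fails=0
    check_sshd_root_login /etc/ssh/sshd_config || { echo "sshd allows root login"; fails=$((fails+1)); }
    iptables-save 2>/dev/null > /tmp/fw.$$ && check_input_policy_drop /tmp/fw.$$ \
        || { echo "INPUT policy is not DROP"; fails=$((fails+1)); }
    rm -f /tmp/fw.$$
    check_selinux_enforcing /etc/selinux/config || { echo "SELinux not enforcing"; fails=$((fails+1)); }
    return "$fails"
}
```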

I concur on the NSA guides, but there are a whole slew of different hardening standards. Check out the responses here: security.stackexchange.com/q/993/878 for a comprehensive list of lists and things to check in addition to the generic NSA/DOD suggestions.

You can make everyone happy though if you generate some standard reports like a FISMA report. Metasploit can scan, analyze and generate the reports for you and possibly give you an idea of what you still might need to harden.

FISMA Reports with Metasploit: community.rapid7.com/videos/1286

Yeah, we import some of the profiles into Nessus and scan ’em.