Following are the areas of hardening / security that need to be addressed on a Linux VM, along with the procedure for each.
- No internet access on the server
This can be taken care of through the Mirantis dashboard for the VMs.
Locate Access & Security >> Egress rule for IPv4 & IPv6, which is enabled by default.
Verify that the same Access & Security rule template is not being used by any other VM; if it is, you will have to create a new custom template for your VM.
Disable the default Egress rule for IPv4 & IPv6, which allows any and all traffic out of the VM. This blocks any HTTP, HTTPS or FTP request going out of the system.
Please note: as this approach affects all outgoing traffic from the VM, you may have to enable specific outgoing ports on request, only where needed.
- No direct root login, only sudo enabled
Rather than disabling the root account, you can lock the root account password. This prevents the root user from logging in with their credentials.
Before locking the root user, create a new user using useradd.
Locate the group that has sudo access in the /etc/sudoers file, and add the new user to this group.
Test the sudo access for the new user.
Now lock the root user account: sudo passwd -l root
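The steps above can be verified afterwards with the shell helpers below. This is an added example, not part of the original checklist: the user name "admin", the group name "wheel" and the file contents used in the comments are assumptions, and the functions take the shadow/group/sudoers files as arguments so they can be run against copies as well as the live files (reading /etc/shadow and /etc/sudoers needs root).

```shell
#!/bin/sh
# Added example: audit helpers for the "no direct root login, only sudo" step.
# Drop-in files under /etc/sudoers.d and primary-group membership are not checked.

# Is the named account's password locked? 'passwd -l' prefixes the hash with '!'.
account_locked() {   # $1=user  $2=shadow file
    hash=$(grep "^$1:" "$2" | cut -d: -f2)
    case "$hash" in
        '!'*|'*'*) return 0 ;;   # '!' = locked by passwd -l; '*' = no usable password
        *)         return 1 ;;
    esac
}

# Does the named group get sudo access in the sudoers file (e.g. "%wheel ALL=(ALL) ALL")?
group_has_sudo() {   # $1=group  $2=sudoers file
    grep -Eq "^%$1[[:space:]]+ALL=" "$2"
}

# Is the user listed as a supplementary member of the group in the group file?
user_in_group() {    # $1=user  $2=group  $3=group file
    members=$(grep "^$2:" "$3" | cut -d: -f4)
    case ",$members," in
        *",$1,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Full check: root is locked and the admin user is in a group that sudoers grants access to.
# Returns 0 only when all three conditions hold, so a reboot-time audit can key off the status.
check_sudo_only_access() {   # $1=admin user  $2=sudo group  $3=shadow  $4=group file  $5=sudoers
    account_locked root "$3"        || { echo "FAIL: root password is not locked"; return 1; }
    group_has_sudo "$2" "$5"        || { echo "FAIL: group $2 has no sudo entry";  return 1; }
    user_in_group "$1" "$2" "$4"    || { echo "FAIL: $1 is not in group $2";      return 1; }
    echo "OK: root locked, $1 has sudo via %$2"
}

# Against the live system (assumed names; run as root):
#   check_sudo_only_access admin wheel /etc/shadow /etc/group /etc/sudoers
```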
- Only key based login, no X
Go to /etc/inittab and check for the line reading id:5:initdefault:
Replace it with id:3:initdefault: & save the file.
On the next boot / reboot the system should boot into a text-mode shell rather than X.
- Enable SE Linux
Verify the current SELinux status using the command: sestatus
It should be in one of these states:
# enforcing – SELinux security policy is enforced.
# permissive – SELinux prints warnings instead of enforcing.
# disabled – No SELinux policy is loaded.
Set the appropriate value in the file /etc/selinux/config.
To fully enable SELinux, set it to enforcing.
- Enable logrotate for system logs under /var/log
Most of the logs under /var/log/ are already set up for automatic backup & rotation.
In case any help is needed with writing new logrotate scripts, refer to http://www.thegeekstuff.com/2010/07/logrotate-examples/
- Disable rlogin & rsh services
Neither of these services is enabled; their binaries were not even present on the host.