Release security options

This post documents the security options incompatible with the debug mode:

  1. Add password for the root user
  2. Secure passwords (add a password testing module, set min and max password age)
  3. Remove debug-tweaks
  4. Run a security scanner like lynis
  5. Scan your sources for pending CVEs

Running a security scanner

We recommend running a security scanner like Lynis, which we include in the distribution packages (meta-security layer). You can enable the scanner in your conf/local.conf the following way:

IMAGE_INSTALL_append = " lynis"

Then build your image as usual. Start it, log in to the system, and run:

root@qemux86-64:~# lynis audit system

You will get the output with the hardening index and suggestions for improvements.

An example, from allscenarios-image-base with a development build (results are very similar between development images):

  -[ Lynis 2.7.5 Results ]-

  Great, no warnings

  Suggestions (24):
  ----------------------------
  * This release is more than 4 months old. Consider upgrading [LYNIS] 
      https://cisofy.com/lynis/controls/LYNIS/

  * Install a PAM module for password strength testing like pam_cracklib or pam_passwdqc [AUTH-9262] 
      https://cisofy.com/lynis/controls/AUTH-9262/

  * Configure minimum password age in /etc/login.defs [AUTH-9286] 
      https://cisofy.com/lynis/controls/AUTH-9286/

  * Configure maximum password age in /etc/login.defs [AUTH-9286] 
      https://cisofy.com/lynis/controls/AUTH-9286/

  * To decrease the impact of a full /home file system, place /home on a separate partition [FILE-6310] 
      https://cisofy.com/lynis/controls/FILE-6310/

  * To decrease the impact of a full /var file system, place /var on a separate partition [FILE-6310] 
      https://cisofy.com/lynis/controls/FILE-6310/

  * The database required for 'locate' could not be found. Run 'updatedb' or 'locate.updatedb' to create this file. [FILE-6410] 
      https://cisofy.com/lynis/controls/FILE-6410/

  * Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft [STRG-1840] 
      https://cisofy.com/lynis/controls/STRG-1840/

  * Disable drivers like firewire storage when not used, to prevent unauthorized storage or data theft [STRG-1846] 
      https://cisofy.com/lynis/controls/STRG-1846/

  * Check DNS configuration for the dns domain name [NAME-4028] 
      https://cisofy.com/lynis/controls/NAME-4028/

  * Install a package audit tool to determine vulnerable packages [PKGS-7398] 
      https://cisofy.com/lynis/controls/PKGS-7398/

  * Consider running ARP monitoring software (arpwatch,arpon) [NETW-3032] 
      https://cisofy.com/lynis/controls/NETW-3032/

  * Configure a firewall/packet filter to filter incoming and outgoing traffic [FIRE-4590] 
      https://cisofy.com/lynis/controls/FIRE-4590/

  * Check if log files are properly rotated [LOGG-2146] 
      https://cisofy.com/lynis/controls/LOGG-2146/

  * Enable logging to an external logging host for archiving purposes and additional protection [LOGG-2154] 
      https://cisofy.com/lynis/controls/LOGG-2154/

  * Add a legal banner to /etc/issue, to warn unauthorized users [BANN-7126] 
      https://cisofy.com/lynis/controls/BANN-7126/

  * Add legal banner to /etc/issue.net, to warn unauthorized users [BANN-7130] 
      https://cisofy.com/lynis/controls/BANN-7130/

  * Enable process accounting [ACCT-9622] 
      https://cisofy.com/lynis/controls/ACCT-9622/

  * Enable sysstat to collect accounting (no results) [ACCT-9626] 
      https://cisofy.com/lynis/controls/ACCT-9626/

  * Enable auditd to collect audit information [ACCT-9628] 
      https://cisofy.com/lynis/controls/ACCT-9628/

  * Install a file integrity tool to monitor changes to critical and sensitive files [FINT-4350] 
      https://cisofy.com/lynis/controls/FINT-4350/

  * Determine if automation tools are present for system management [TOOL-5002] 
      https://cisofy.com/lynis/controls/TOOL-5002/

  * One or more sysctl values differ from the scan profile and could be tweaked [KRNL-6000] 
    - Solution : Change sysctl value or disable test (skip-test=KRNL-6000:<sysctl-key>)
      https://cisofy.com/lynis/controls/KRNL-6000/

  * Harden the system by installing at least one malware scanner, to perform periodic file system scans [HRDN-7230] 
    - Solution : Install a tool like rkhunter, chkrootkit, OSSEC
      https://cisofy.com/lynis/controls/HRDN-7230/

  Follow-up:
  ----------------------------
  - Show details of a test (lynis show details TEST-ID)
  - Check the logfile for all details (less /var/log/lynis.log)
  - Read security controls texts (https://cisofy.com)
  - Use --upload to upload data to central system (Lynis Enterprise users)

================================================================================

  Lynis security scan details:

  Hardening index : 69 [#############       ]
  Tests performed : 188
  Plugins enabled : 0

  Components:
  - Firewall               [X]
  - Malware scanner        [X]

  Lynis modules:
  - Compliance status      [?]
  - Security audit         [V]
  - Vulnerability scan     [V]

  Files:
  - Test and debug information      : /var/log/lynis.log
  - Report data                     : /var/log/lynis-report.dat

================================================================================
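To turn a report like the one above into something a release job can check, the following added shell example (not code from this page or from the distribution) summarises the report data file that Lynis writes to /var/log/lynis-report.dat. It assumes the key=value layout of that file (hardening_index=, suggestion[]=ID|text|...) and uses a constructed sample report in place of the real file.

```sh
#!/bin/sh
# Added example: summarise a Lynis report data file so a release job can gate on
# it. The key=value layout (hardening_index=, suggestion[]=ID|text|...) is
# assumed from Lynis' own report format; the sample content is constructed.
SAMPLE_REPORT=$(cat <<'EOF'
lynis_version=2.7.5
hardening_index=69
tests_executed=188
suggestion[]=AUTH-9262|Install a PAM module for password strength testing like pam_cracklib or pam_passwdqc|-|-|
suggestion[]=AUTH-9286|Configure minimum password age in /etc/login.defs|-|-|
suggestion[]=AUTH-9286|Configure maximum password age in /etc/login.defs|-|-|
suggestion[]=FIRE-4590|Configure a firewall/packet filter to filter incoming and outgoing traffic|-|-|
EOF
)

# Hardening index (0-100) recorded in the report.
hardening_index() {
    printf '%s\n' "$1" | sed -n 's/^hardening_index=//p'
}

# Number of suggestions, optionally restricted to a test-ID prefix such as AUTH.
# grep -c prints 0 but exits 1 on no match, hence the || true.
count_suggestions() {
    printf '%s\n' "$1" | grep -c "^suggestion\[\]=${2:-}" || true
}

# Succeeds only when the hardening index reaches the given minimum.
check_threshold() {
    idx=$(hardening_index "$1")
    [ "$idx" -ge "$2" ]
}

# On a real system: REPORT=$(cat /var/log/lynis-report.dat)
printf 'Hardening index: %s, suggestions: %s (AUTH: %s)\n' \
    "$(hardening_index "$SAMPLE_REPORT")" \
    "$(count_suggestions "$SAMPLE_REPORT")" \
    "$(count_suggestions "$SAMPLE_REPORT" AUTH)"
check_threshold "$SAMPLE_REPORT" 70 || echo "Below the release threshold of 70"
```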

Scan your sources for pending CVEs

A CVE scan checks whether there are pending, unresolved vulnerabilities in the sources.

To enable it, add the following to your conf/local.conf:

INHERIT += "cve-check"

Then run your build normally. Critical CVEs are shown in red, non-critical ones in yellow. At the end, the build prints the paths to the complete report files in lines such as:

Image CVE report stored in: <path>
Image CVE status stored in: <path>

Note: please be aware that results may be incomplete. If you have added any packages to the distribution, pay special attention to checking their updates manually.
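As an added example (not code from this page or from cve-check itself), the script below triages the text report written to the "Image CVE report" path, listing unpatched CVEs at or above a CVSS v3 threshold and failing a release gate when any remain. The record layout (PACKAGE NAME:, CVE:, CVE STATUS:, CVSS v3 BASE SCORE:) is assumed from cve-check's text output, and the records and CVE numbers are constructed placeholders.

```sh
# Added example: triage a cve-check text report. Record layout assumed from
# cve-check's text output; all records and CVE numbers below are constructed.
SAMPLE_CVE_REPORT=$(cat <<'EOF'
PACKAGE NAME: examplelib
PACKAGE VERSION: 1.0
CVE: CVE-0000-0001
CVE STATUS: Unpatched
CVSS v3 BASE SCORE: 9.8

PACKAGE NAME: examplelib
PACKAGE VERSION: 1.0
CVE: CVE-0000-0002
CVE STATUS: Patched
CVSS v3 BASE SCORE: 7.5

PACKAGE NAME: exampletool
PACKAGE VERSION: 2.3
CVE: CVE-0000-0003
CVE STATUS: Unpatched
CVSS v3 BASE SCORE: 3.3
EOF
)
# Print "package cve score" for every unpatched CVE with CVSS v3 >= $2.
# Records are blank-line separated, so awk's paragraph mode (RS="") reads one
# CVE entry per record and FS="\n" makes each "KEY: value" line a field.
unpatched_above() {
    printf '%s\n' "$1" | awk -v min="$2" 'BEGIN { RS = ""; FS = "\n" }
    {
        pkg = cve = status = ""; score = 0
        for (i = 1; i <= NF; i++) {
            split($i, kv, ": ")
            if (kv[1] == "PACKAGE NAME") pkg = kv[2]
            else if (kv[1] == "CVE") cve = kv[2]
            else if (kv[1] == "CVE STATUS") status = kv[2]
            else if (kv[1] == "CVSS v3 BASE SCORE") score = kv[2] + 0
        }
        if (status == "Unpatched" && score >= min) print pkg, cve, score
    }'
}

# Release gate: succeeds only when no unpatched CVE reaches the threshold.
cve_gate() {
    [ -z "$(unpatched_above "$1" "$2")" ]
}

# On a real build: REPORT=$(cat "<Image CVE report path printed by bitbake>")
unpatched_above "$SAMPLE_CVE_REPORT" 7
cve_gate "$SAMPLE_CVE_REPORT" 7 || echo "Unpatched CVEs with CVSS v3 >= 7 remain"
```

Patched and Ignored entries are skipped on purpose, so the gate reflects only what still needs action after the manual review the note above asks for.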