Release security options

This post documents the security options that are incompatible with debug mode:

  1. Add password for the root user
  2. Secure passwords (add a password testing module, set min and max password age)
  3. Remove debug-tweaks
  4. Run a security scanner like lynis
  5. Scan your sources for pending CVEs

Running a security scanner

We recommend running a security scanner such as Lynis, which we include in the distribution packages (meta-security layer). Enable it in your conf/local.conf as follows:

IMAGE_INSTALL_append = " lynis"

Then build your image as usual. Boot it, log in to the system, and run:

root@qemux86-64:~# lynis audit system

The output ends with a hardening index and a list of suggestions for improvement.

An example from allscenarios-image-base with a development build (results are very similar across development images):

  -[ Lynis 2.7.5 Results ]-

  Great, no warnings

  Suggestions (24):
  ----------------------------
  * This release is more than 4 months old. Consider upgrading [LYNIS] 
      https://cisofy.com/lynis/controls/LYNIS/

  * Install a PAM module for password strength testing like pam_cracklib or pam_passwdqc [AUTH-9262] 
      https://cisofy.com/lynis/controls/AUTH-9262/

  * Configure minimum password age in /etc/login.defs [AUTH-9286] 
      https://cisofy.com/lynis/controls/AUTH-9286/

  * Configure maximum password age in /etc/login.defs [AUTH-9286] 
      https://cisofy.com/lynis/controls/AUTH-9286/

  * To decrease the impact of a full /home file system, place /home on a separate partition [FILE-6310] 
      https://cisofy.com/lynis/controls/FILE-6310/

  * To decrease the impact of a full /var file system, place /var on a separate partition [FILE-6310] 
      https://cisofy.com/lynis/controls/FILE-6310/

  * The database required for 'locate' could not be found. Run 'updatedb' or 'locate.updatedb' to create this file. [FILE-6410] 
      https://cisofy.com/lynis/controls/FILE-6410/

  * Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft [STRG-1840] 
      https://cisofy.com/lynis/controls/STRG-1840/

  * Disable drivers like firewire storage when not used, to prevent unauthorized storage or data theft [STRG-1846] 
      https://cisofy.com/lynis/controls/STRG-1846/

  * Check DNS configuration for the dns domain name [NAME-4028] 
      https://cisofy.com/lynis/controls/NAME-4028/

  * Install a package audit tool to determine vulnerable packages [PKGS-7398] 
      https://cisofy.com/lynis/controls/PKGS-7398/

  * Consider running ARP monitoring software (arpwatch,arpon) [NETW-3032] 
      https://cisofy.com/lynis/controls/NETW-3032/

  * Configure a firewall/packet filter to filter incoming and outgoing traffic [FIRE-4590] 
      https://cisofy.com/lynis/controls/FIRE-4590/

  * Check if log files are properly rotated [LOGG-2146] 
      https://cisofy.com/lynis/controls/LOGG-2146/

  * Enable logging to an external logging host for archiving purposes and additional protection [LOGG-2154] 
      https://cisofy.com/lynis/controls/LOGG-2154/

  * Add a legal banner to /etc/issue, to warn unauthorized users [BANN-7126] 
      https://cisofy.com/lynis/controls/BANN-7126/

  * Add legal banner to /etc/issue.net, to warn unauthorized users [BANN-7130] 
      https://cisofy.com/lynis/controls/BANN-7130/

  * Enable process accounting [ACCT-9622] 
      https://cisofy.com/lynis/controls/ACCT-9622/

  * Enable sysstat to collect accounting (no results) [ACCT-9626] 
      https://cisofy.com/lynis/controls/ACCT-9626/

  * Enable auditd to collect audit information [ACCT-9628] 
      https://cisofy.com/lynis/controls/ACCT-9628/

  * Install a file integrity tool to monitor changes to critical and sensitive files [FINT-4350] 
      https://cisofy.com/lynis/controls/FINT-4350/

  * Determine if automation tools are present for system management [TOOL-5002] 
      https://cisofy.com/lynis/controls/TOOL-5002/

  * One or more sysctl values differ from the scan profile and could be tweaked [KRNL-6000] 
    - Solution : Change sysctl value or disable test (skip-test=KRNL-6000:<sysctl-key>)
      https://cisofy.com/lynis/controls/KRNL-6000/

  * Harden the system by installing at least one malware scanner, to perform periodic file system scans [HRDN-7230] 
    - Solution : Install a tool like rkhunter, chkrootkit, OSSEC
      https://cisofy.com/lynis/controls/HRDN-7230/

  Follow-up:
  ----------------------------
  - Show details of a test (lynis show details TEST-ID)
  - Check the logfile for all details (less /var/log/lynis.log)
  - Read security controls texts (https://cisofy.com)
  - Use --upload to upload data to central system (Lynis Enterprise users)

================================================================================

  Lynis security scan details:

  Hardening index : 69 [#############       ]
  Tests performed : 188
  Plugins enabled : 0

  Components:
  - Firewall               [X]
  - Malware scanner        [X]

  Lynis modules:
  - Compliance status      [?]
  - Security audit         [V]
  - Vulnerability scan     [V]

  Files:
  - Test and debug information      : /var/log/lynis.log
  - Report data                     : /var/log/lynis-report.dat

================================================================================

Scan your sources for pending CVEs
A CVE scan checks whether the sources contain known vulnerabilities that are still unresolved.

To enable it, add the following to your conf/local.conf:

INHERIT += "cve-check"

Then run your build as usual. Critical CVEs are shown in red and non-critical ones in yellow. At the end of the build, the paths to the complete report files are printed in lines of the form:

Image CVE report stored in: <path>
Image CVE status stored in: <path>

Note: be aware that the results may be incomplete. If you have added any packages to the distribution, pay special attention to checking their updates manually.
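The report files named above can be post-processed to fail a build on unpatched findings. The following shell script is an added example, not part of this page or of the cve-check class; it assumes the text report layout (PACKAGE NAME, CVE, CVE STATUS and CVSS v3 BASE SCORE fields, one blank-line-separated record per CVE) and constructs its own placeholder sample inline.

```shell
# Constructed sample in the layout of the text report written by cve-check
# (the path is printed as "Image CVE report stored in: <path>"). Only the
# fields this parser reads are kept; package names and CVE IDs are placeholders.
CVE_REPORT=$(mktemp)
cat >"$CVE_REPORT" <<'EOF'
PACKAGE NAME: examplepkg
CVE: CVE-0000-00001
CVE STATUS: Unpatched
CVSS v3 BASE SCORE: 9.8

PACKAGE NAME: examplepkg
CVE: CVE-0000-00002
CVE STATUS: Patched
CVSS v3 BASE SCORE: 7.5

PACKAGE NAME: otherpkg
CVE: CVE-0000-00003
CVE STATUS: Unpatched
CVSS v3 BASE SCORE: 4.3
EOF

# Count records per CVE STATUS value, printed as "STATUS COUNT" lines.
status_counts() {
    sed -n 's/^CVE STATUS: //p' "$1" | sort | uniq -c | awk '{ print $2, $1 }'
}

# Print "PACKAGE CVE SCORE" for every Unpatched record whose CVSS v3 base score
# is at least MIN; records are blank-line separated, so awk paragraph mode is used.
unpatched_at_or_above() {  # usage: unpatched_at_or_above REPORT MIN
    awk -v min="$2" 'BEGIN { RS = ""; FS = "\n" }
    {
        pkg = cve = status = ""; score = 0
        for (i = 1; i <= NF; i++) {
            split($i, kv, ": ")
            if (kv[1] == "PACKAGE NAME") pkg = kv[2]
            else if (kv[1] == "CVE") cve = kv[2]
            else if (kv[1] == "CVE STATUS") status = kv[2]
            else if (kv[1] == "CVSS v3 BASE SCORE") score = kv[2] + 0
        }
        if (status == "Unpatched" && score >= min) print pkg, cve, score
    }' "$1"
}

# Build gate: return 1 and list the offenders when any Unpatched CVE scores
# at or above MIN, otherwise return 0 silently.
cve_gate() {  # usage: cve_gate REPORT MIN
    hits=$(unpatched_at_or_above "$1" "$2")
    [ -z "$hits" ] || { printf 'Unpatched CVEs at or above %s:\n%s\n' "$2" "$hits"; return 1; }
}
```

Run `cve_gate "$CVE_REPORT" 7.0` after the bitbake run to make CI fail on the sample's 9.8-scored unpatched record; raise or lower the threshold to match your release policy.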

Lynis 3.0.0 Kirkstone security report

This report analyzes the suggestions made by Lynis in order to improve security.
Suggestions that have been introduced with Kirkstone are marked in bold.
Kirkstone has been built using the default config (except for the Lynis installation).

To be changed or looked at

These suggestions could be implemented or are worth investigating:

  • Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft [USB-1000]

  • Disable drivers like firewire storage when not used, to prevent unauthorized storage or data theft [STRG-1846]

  • Install a package audit tool to determine vulnerable packages [PKGS-7398]

  • Determine if protocol ‘dccp’ is really needed on this system [NETW-3200]

  • Determine if protocol ‘sctp’ is really needed on this system [NETW-3200]

  • Determine if protocol ‘rds’ is really needed on this system [NETW-3200]

  • Determine if protocol ‘tipc’ is really needed on this system [NETW-3200]

  • Utilize software pseudo random number generators [CRYP-8005]

  • Install a file integrity tool to monitor changes to critical and sensitive files [FINT-4350]

To leave as they are

These suggestions are not applicable to our use case, as they would interfere with development or are too minor:

  • If not required, consider explicit disabling of core dump in /etc/security/limits.conf file [KRNL-5820]

  • Configure minimum encryption algorithm rounds in /etc/login.defs [AUTH-9230]

  • Configure maximum encryption algorithm rounds in /etc/login.defs [AUTH-9230]

  • Install a PAM module for password strength testing like pam_cracklib or pam_passwdqc [AUTH-9262]

  • Configure minimum password age in /etc/login.defs [AUTH-9286]

  • Configure maximum password age in /etc/login.defs [AUTH-9286]

  • The database required for ‘locate’ could not be found. Run ‘updatedb’ or ‘locate.updatedb’ to create this file. [FILE-6410]

  • Check DNS configuration for the dns domain name [NAME-4028]

  • Configure a firewall/packet filter to filter incoming and outgoing traffic [FIRE-4590]

  • Enable logging to an external logging host for archiving purposes and additional protection [LOGG-2154]

  • Add a legal banner to /etc/issue, to warn unauthorized users [BANN-7126]

  • Add legal banner to /etc/issue.net, to warn unauthorized users [BANN-7130]

  • Enable process accounting [ACCT-9622]

  • Enable sysstat to collect accounting (no results) [ACCT-9626]

  • Enable auditd to collect audit information [ACCT-9628]

  • Check available certificates for expiration [CRYP-7902]

  • Double check the permissions of home directories as some might be not strict enough. [HOME-9304]

  • Double check the ownership of home directories as some might be incorrect. [HOME-9306]

  • Harden the system by installing at least one malware scanner, to perform periodic file system scans [HRDN-7230]

Not sure

For the following suggestions, it is not clear whether they are applicable or worth implementing:

  • This release is more than 4 months old. Consider upgrading [LYNIS]

  • To decrease the impact of a full /home file system, place /home on a separate partition [FILE-6310]

  • To decrease the impact of a full /var file system, place /var on a separate partition [FILE-6310]

  • Check if log files are properly rotated [LOGG-2146]

  • Determine if automation tools are present for system management [TOOL-5002]

  • One or more sysctl values differ from the scan profile and could be tweaked [KRNL-6000]

List of the suggestions solved

This is the list of suggestions that were present in dunfell but are now solved:

  • Consider running ARP monitoring software (arpwatch,arpon) [NETW-3032]
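To gate a release on the Lynis result from the audit procedure described earlier and to reproduce the dunfell-versus-Kirkstone comparison above, the following shell script is an added example (not part of this page or of Lynis); it assumes the key=value layout of /var/log/lynis-report.dat, with one suggestion[]=ID|text|... line per finding, and constructs two sample reports inline.

```shell
# Constructed samples of two /var/log/lynis-report.dat files (the "Report data"
# file listed by Lynis). The key=value layout with suggestion[]=ID|text|... lines
# is assumed; the IDs and hardening indexes mirror the dunfell and Kirkstone runs.
DUNFELL_DAT=$(mktemp); KIRKSTONE_DAT=$(mktemp)
cat >"$DUNFELL_DAT" <<'EOF'
lynis_version=2.7.5
hardening_index=69
suggestion[]=LYNIS|This release is more than 4 months old. Consider upgrading|-|-|
suggestion[]=AUTH-9262|Install a PAM module for password strength testing|-|-|
suggestion[]=STRG-1840|Disable drivers like USB storage when not used|-|-|
suggestion[]=NETW-3032|Consider running ARP monitoring software (arpwatch,arpon)|-|-|
EOF
cat >"$KIRKSTONE_DAT" <<'EOF'
lynis_version=3.0.0
hardening_index=70
warning[]=NETW-2400|Hostname contains invalid characters|hostname|-|
suggestion[]=LYNIS|This release is more than 4 months old. Consider upgrading|-|-|
suggestion[]=AUTH-9262|Install a PAM module for password strength testing|-|-|
suggestion[]=USB-1000|Disable drivers like USB storage when not used|-|-|
suggestion[]=NETW-3200|Determine if protocol 'dccp' is really needed on this system|-|-|
EOF

# Print the hardening index recorded in a report file.
hardening_index() { sed -n 's/^hardening_index=//p' "$1"; }

# Print the sorted, de-duplicated test IDs of all suggestions in a report file
# (Lynis repeats an ID such as NETW-3200 once per finding).
suggestion_ids() { sed -n 's/^suggestion\[\]=\([^|]*\)|.*/\1/p' "$1" | sort -u; }

# Release gate: succeed only if the index reaches MIN and the run raised no warning.
gate_report() {  # usage: gate_report REPORT MIN
    idx=$(hardening_index "$1")
    [ "${idx:-0}" -ge "$2" ] || { echo "hardening index ${idx:-?} is below $2"; return 1; }
    ! grep -q '^warning\[\]=' "$1" || { echo "report contains warnings"; return 1; }
}

# Compare two runs: "new ID" for suggestions only in NEW (the ones to mark in
# the report), "solved ID" for those only in OLD (the ones to list as solved).
diff_suggestions() {  # usage: diff_suggestions OLD NEW
    old=$(mktemp); new=$(mktemp)
    suggestion_ids "$1" >"$old"; suggestion_ids "$2" >"$new"
    comm -13 "$old" "$new" | sed 's/^/new /'
    comm -23 "$old" "$new" | sed 's/^/solved /'
    rm -f "$old" "$new"
}

diff_suggestions "$DUNFELL_DAT" "$KIRKSTONE_DAT"
```

On a real device, point the functions at /var/log/lynis-report.dat from each build instead of the constructed samples; note that the Kirkstone sample fails the gate on its NETW-2400 warning regardless of its index.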

Full Lynis suggestions output

  -[ Lynis 3.0.0 Results ]-

  Warnings (1):
  ----------------------------
  ! Hostname contains invalid characters [NETW-2400]
    - Details  : hostname
    - Solution : See log file for invalid characters
      https://cisofy.com/lynis/controls/NETW-2400/

  Suggestions (34):
  ----------------------------
  * This release is more than 4 months old. Consider upgrading [LYNIS]
      https://cisofy.com/lynis/controls/LYNIS/

  * If not required, consider explicit disabling of core dump in /etc/security/limits.conf file [KRNL-5820]
      https://cisofy.com/lynis/controls/KRNL-5820/

  * Configure minimum encryption algorithm rounds in /etc/login.defs [AUTH-9230]
      https://cisofy.com/lynis/controls/AUTH-9230/

  * Configure maximum encryption algorithm rounds in /etc/login.defs [AUTH-9230]
      https://cisofy.com/lynis/controls/AUTH-9230/

  * Install a PAM module for password strength testing like pam_cracklib or pam_passwdqc [AUTH-9262]
      https://cisofy.com/lynis/controls/AUTH-9262/

  * Configure minimum password age in /etc/login.defs [AUTH-9286]
      https://cisofy.com/lynis/controls/AUTH-9286/

  * Configure maximum password age in /etc/login.defs [AUTH-9286]
      https://cisofy.com/lynis/controls/AUTH-9286/

  * To decrease the impact of a full /home file system, place /home on a separate partition [FILE-6310]
      https://cisofy.com/lynis/controls/FILE-6310/

  * To decrease the impact of a full /var file system, place /var on a separate partition [FILE-6310]
      https://cisofy.com/lynis/controls/FILE-6310/

  * The database required for 'locate' could not be found. Run 'updatedb' or 'locate.updatedb' to create this file. [FILE-6410]
      https://cisofy.com/lynis/controls/FILE-6410/

  * Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft [USB-1000]
      https://cisofy.com/lynis/controls/USB-1000/

  * Disable drivers like firewire storage when not used, to prevent unauthorized storage or data theft [STRG-1846]
      https://cisofy.com/lynis/controls/STRG-1846/

  * Check DNS configuration for the dns domain name [NAME-4028]
      https://cisofy.com/lynis/controls/NAME-4028/

  * Install a package audit tool to determine vulnerable packages [PKGS-7398]
      https://cisofy.com/lynis/controls/PKGS-7398/

  * Determine if protocol 'dccp' is really needed on this system [NETW-3200]
      https://cisofy.com/lynis/controls/NETW-3200/

  * Determine if protocol 'sctp' is really needed on this system [NETW-3200]
      https://cisofy.com/lynis/controls/NETW-3200/

  * Determine if protocol 'rds' is really needed on this system [NETW-3200]
      https://cisofy.com/lynis/controls/NETW-3200/

  * Determine if protocol 'tipc' is really needed on this system [NETW-3200]
      https://cisofy.com/lynis/controls/NETW-3200/

  * Configure a firewall/packet filter to filter incoming and outgoing traffic [FIRE-4590]
      https://cisofy.com/lynis/controls/FIRE-4590/

  * Check if log files are properly rotated [LOGG-2146]
      https://cisofy.com/lynis/controls/LOGG-2146/

  * Enable logging to an external logging host for archiving purposes and additional protection [LOGG-2154]
      https://cisofy.com/lynis/controls/LOGG-2154/

  * Add a legal banner to /etc/issue, to warn unauthorized users [BANN-7126]
      https://cisofy.com/lynis/controls/BANN-7126/

  * Add legal banner to /etc/issue.net, to warn unauthorized users [BANN-7130]
      https://cisofy.com/lynis/controls/BANN-7130/

  * Enable process accounting [ACCT-9622]
      https://cisofy.com/lynis/controls/ACCT-9622/

  * Enable sysstat to collect accounting (no results) [ACCT-9626]
      https://cisofy.com/lynis/controls/ACCT-9626/

  * Enable auditd to collect audit information [ACCT-9628]
      https://cisofy.com/lynis/controls/ACCT-9628/

  * Check available certificates for expiration [CRYP-7902]
      https://cisofy.com/lynis/controls/CRYP-7902/

  * Utilize software pseudo random number generators [CRYP-8005]
      https://cisofy.com/lynis/controls/CRYP-8005/

  * Install a file integrity tool to monitor changes to critical and sensitive files [FINT-4350]
      https://cisofy.com/lynis/controls/FINT-4350/

  * Determine if automation tools are present for system management [TOOL-5002]
      https://cisofy.com/lynis/controls/TOOL-5002/

  * Double check the permissions of home directories as some might be not strict enough. [HOME-9304]
      https://cisofy.com/lynis/controls/HOME-9304/

  * Double check the ownership of home directories as some might be incorrect. [HOME-9306]
      https://cisofy.com/lynis/controls/HOME-9306/

  * One or more sysctl values differ from the scan profile and could be tweaked [KRNL-6000]
    - Solution : Change sysctl value or disable test (skip-test=KRNL-6000:<sysctl-key>)
      https://cisofy.com/lynis/controls/KRNL-6000/

  * Harden the system by installing at least one malware scanner, to perform periodic file system scans [HRDN-7230]
    - Solution : Install a tool like rkhunter, chkrootkit, OSSEC
      https://cisofy.com/lynis/controls/HRDN-7230/

  Follow-up:
  ----------------------------
  - Show details of a test (lynis show details TEST-ID)
  - Check the logfile for all details (less /var/log/lynis.log)
  - Read security controls texts (https://cisofy.com)
  - Use --upload to upload data to central system (Lynis Enterprise users)

================================================================================

  Lynis security scan details:

  Hardening index : 70 [##############      ]
  Tests performed : 196
  Plugins enabled : 0

  Components:
  - Firewall               [X]
  - Malware scanner        [X]

  Scan mode:
  Normal [V]  Forensics [ ]  Integration [ ]  Pentest [ ]

  Lynis modules:
  - Compliance status      [?]
  - Security audit         [V]
  - Vulnerability scan     [V]

  Files:
  - Test and debug information      : /var/log/lynis.log
  - Report data                     : /var/log/lynis-report.dat

================================================================================