TL;DR: Some security improvements that were necessary to run Debian nodes inside a Kubernetes cluster under stricter security rules.
The image used follows what is stated in the kops documentation, which in this case is:
kope.io/k8s-1.14-debian-stretch-amd64-hvm-ebs-2019-08-16
- Update Docker to be protected against CVE-2019-5736 (the runc container-breakout bug):
- Bring the package index up to date:
sudo apt update
- Install the prerequisite packages that let apt fetch packages over HTTPS:
sudo apt install apt-transport-https ca-certificates curl gnupg2 software-properties-common
- Add the GPG key of the official Docker repository to the Debian keyring (apt-key works on stretch; on Debian 11 and later it is deprecated in favour of a keyring file referenced with signed-by in the source entry):
curl -fsSL https://download.docker.com/linux/debian/gpg | sudo apt-key add -
- Add the Docker repository to the APT sources (lsb_release -cs prints the codename, stretch for this image):
sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/debian $(lsb_release -cs) stable"
- Update the package database with the Docker packages from the newly added repo:
sudo apt update
- Install the updated versions (apt upgrade upgrades every package that has a newer candidate, Docker included):
sudo apt upgrade
- Verify that the installed Docker version is at least 18.06.3:
docker version
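As an added example (not code from the original page), a shell gate for the version check above: it takes the version the daemon reports and refuses anything below the first release of its series that shipped the patched runc. The 18.06.3 floor is the one this page states; the 18.09.2 floor for the 18.09 series comes from Docker's own release notes for CVE-2019-5736, not from this page. The function names are assumptions, and the wrapper that talks to the daemon is not exercised by the self-test.

```bash
#!/usr/bin/env bash
# Added example, not part of the original page: gate on the Docker version
# before treating a node as patched for CVE-2019-5736. Assumes bash and GNU
# coreutils (sort -V).
set -eu

# Exit 0 if VERSION (e.g. "18.06.3-ce", "18.09.7", "19.03.1") carries the
# runc fix, 1 otherwise. Series floors: 18.06.3 for 18.06.x (as stated on
# this page), 18.09.2 for 18.09.x (Docker release notes). Later series pass;
# anything older than 18.06 is treated as unpatched.
docker_patched_for_cve_2019_5736() {  # version
    local v=${1%%-*} floor        # drop the "-ce" suffix older builds carry
    case $v in
        18.06.*) floor=18.06.3 ;;
        18.09.*) floor=18.09.2 ;;
        *)       floor=18.09.2 ;;  # 19.x and newer pass, 17.x and older fail
    esac
    # Version-sort the pair; if the floor sorts first (or equal), v >= floor.
    [ "$(printf '%s\n%s\n' "$floor" "$v" | sort -V | awk 'NR == 1')" = "$floor" ]
}

# Ask the running daemon for its version and apply the gate. Needs a Docker
# daemon, so the self-test does not call it. --format is a real flag of
# `docker version`.
check_installed_docker() {
    local v
    v=$(docker version --format '{{.Server.Version}}')
    if docker_patched_for_cve_2019_5736 "$v"; then
        echo "docker $v: patched for CVE-2019-5736"
    else
        echo "docker $v: still vulnerable to CVE-2019-5736, upgrade first" >&2
        return 1
    fi
}
```

Run check_installed_docker on the node after the upgrade; a non-zero exit means the runc that ships with Docker is still the vulnerable one and the node should not join the cluster.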
- Edit the kernel network configuration:
- Open the file /etc/sysctl.conf and add the following keys (these are the ones Lynis reports in its kernel and network hardening checks):
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
net.ipv4.tcp_timestamps = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
kernel.kptr_restrict = 2
kernel.core_uses_pid = 1
net.ipv4.conf.all.rp_filter = 1
or simply append them in one go:
echo -e "##### HARDENING #####\nnet.ipv4.conf.all.accept_redirects = 0\nnet.ipv4.conf.all.send_redirects = 0\nnet.ipv4.conf.default.accept_redirects = 0\nnet.ipv6.conf.all.accept_redirects = 0\nnet.ipv6.conf.default.accept_redirects = 0\nnet.ipv4.conf.default.accept_source_route = 0\nkernel.sysrq = 0\nnet.ipv4.tcp_timestamps = 0\nnet.ipv4.conf.all.log_martians = 1\nnet.ipv4.conf.default.log_martians = 1\nkernel.kptr_restrict = 2\nkernel.core_uses_pid = 1\nnet.ipv4.conf.all.rp_filter = 1\n" | sudo tee -a /etc/sysctl.conf
Note that rp_filter = 1 is strict reverse-path filtering, which drops packets whose reply would leave through a different interface; some CNI plugins expect the loose setting (2), so test pod-to-pod and Service traffic after applying it. Nothing in this list touches net.ipv4.ip_forward, which kubelet needs left at 1.
- Reload the kernel parameters (this re-reads /etc/sysctl.conf and /etc/sysctl.d/*.conf):
sudo sysctl --system
- Change the permissions of home directories and of newly created files:
- Restrict the permissions of every directory under /home to owner and group:
sudo chmod 750 -R /home/*
(-R also applies 750 to the files inside, which sets the owner's execute bit on them; if that matters, apply 750 to the directories only.)
- Change the default UMASK:
- Enable pam_umask (the redirection has to run as root, which "sudo echo ... >> file" does not do, so pipe through tee):
echo "session optional pam_umask.so" | sudo tee -a /etc/pam.d/common-session
- Set the UMASK value in /etc/login.defs (pam_umask reads it from there) to:
UMASK 077
- Then log out, log in again and run
umask
and check that the output is 0077.
- Disable root login over SSH:
- Insert at the end of the file
/etc/ssh/sshd_config
the line
PermitRootLogin no
sshd honours the first value it reads for each keyword, so make sure no earlier line (or an included file) already sets PermitRootLogin, and note that a line placed after a Match block belongs to that block. Check the effective value with sshd -T and reload the service afterwards.
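The sysctl, umask/PAM and SSH steps above all append to system files with tee -a, which duplicates lines on a second run and, for sshd_config, can silently do nothing. As an added example (not code from the original page), the helpers below make those three edits idempotent; each takes the target file as its first argument so the result can be rehearsed on scratch copies before being pointed at /etc. The sshd helper prepends the directive instead of appending it, because sshd keeps the first value it sees for a keyword and anything after a Match block belongs to that block. Function names and the sample files in demo are constructed for this example; it assumes bash with GNU sed, grep and awk.

```bash
#!/usr/bin/env bash
# Added example, not part of the original page: idempotent helpers for the
# sysctl, umask/PAM and sshd steps. Every helper takes the target file as its
# first argument so it can be rehearsed on scratch copies (see demo) before
# being pointed at /etc. Assumes bash with GNU sed, grep and awk.
set -eu

# Set "KEY = VALUE" in a sysctl-style file. An existing line for KEY, active
# or commented out, is rewritten in place; otherwise the line is appended.
# Re-running never accumulates duplicates, unlike `tee -a`.
set_sysctl_key() {  # file key value
    local file=$1 key=$2 value=$3 key_re
    key_re=$(printf '%s' "$key" | sed 's/\./\\./g')   # escape dots for the regex
    if grep -Eq "^[#[:space:]]*${key_re}[[:space:]]*=" "$file"; then
        sed -i -E "s|^[#[:space:]]*${key_re}[[:space:]]*=.*|${key} = ${value}|" "$file"
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# Print the value KEY ends up with from FILE alone. sysctl applies lines in
# order, so the last active line wins; commented lines are skipped.
get_sysctl_key() {  # file key
    awk -F= -v k="$2" '
        { key = $1; gsub(/[ \t]/, "", key)
          if (key == k) { v = $2; gsub(/[ \t]/, "", v); val = v } }
        END { print val }' "$1"
}

# The hardening set from the page, applied through set_sysctl_key.
apply_sysctl_hardening() {  # file
    local kv
    for kv in \
        net.ipv4.conf.all.accept_redirects=0 net.ipv4.conf.all.send_redirects=0 \
        net.ipv4.conf.default.accept_redirects=0 net.ipv6.conf.all.accept_redirects=0 \
        net.ipv6.conf.default.accept_redirects=0 net.ipv4.conf.default.accept_source_route=0 \
        kernel.sysrq=0 net.ipv4.tcp_timestamps=0 net.ipv4.conf.all.log_martians=1 \
        net.ipv4.conf.default.log_martians=1 kernel.kptr_restrict=2 kernel.core_uses_pid=1 \
        net.ipv4.conf.all.rp_filter=1
    do set_sysctl_key "$1" "${kv%%=*}" "${kv#*=}"; done
}

# UMASK in a login.defs-style file: rewrite the existing entry or append one.
set_login_defs_umask() {  # file value
    if grep -Eq '^[[:space:]]*UMASK[[:space:]]' "$1"; then
        sed -i -E "s/^[[:space:]]*UMASK[[:space:]].*/UMASK\t\t$2/" "$1"
    else
        printf 'UMASK\t\t%s\n' "$2" >> "$1"
    fi
}

# Enable pam_umask in a PAM common-session file exactly once.
ensure_pam_umask() {  # file
    grep -Eq '^[[:space:]]*session[[:space:]]+optional[[:space:]]+pam_umask\.so' "$1" ||
        printf 'session optional pam_umask.so\n' >> "$1"
}

# Resolve KEYWORD the way sshd does from FILE alone: the FIRST active line
# wins (Include and Match scoping are not modelled here).
sshd_effective_option() {  # file keyword
    awk -v kw="$2" 'tolower($1) == tolower(kw) { print $2; exit }' "$1"
}

# Make "KEYWORD VALUE" the first line of FILE and drop every other line for it,
# active or commented. Prepending guarantees it is the first occurrence and
# keeps it outside any Match block at the end of the file.
set_sshd_option() {  # file keyword value
    local tmp; tmp=$(mktemp)
    { printf '%s %s\n' "$2" "$3"
      grep -ivE "^[#[:space:]]*$2([[:space:]]|$)" "$1" || true; } > "$tmp"
    cat "$tmp" > "$1"   # overwrite in place so ownership and mode survive
    rm -f "$tmp"
}

# Rehearsal on constructed scratch files, never the real ones under /etc.
demo() {
    local d; d=$(mktemp -d)
    printf 'net.ipv4.ip_forward = 1\n#net.ipv4.conf.all.rp_filter = 0\n' > "$d/sysctl.conf"
    apply_sysctl_hardening "$d/sysctl.conf"
    apply_sysctl_hardening "$d/sysctl.conf"          # second run: no duplicates
    printf 'UMASK\t\t022\n' > "$d/login.defs"
    set_login_defs_umask "$d/login.defs" 077
    : > "$d/common-session"
    ensure_pam_umask "$d/common-session"; ensure_pam_umask "$d/common-session"
    # An sshd_config that already allows root and ends in a Match block:
    printf 'PermitRootLogin yes\nMatch User deploy\n    PasswordAuthentication no\n' > "$d/sshd_config"
    printf 'PermitRootLogin no\n' >> "$d/sshd_config"  # what appending, as on the page, does
    echo "after appending:  $(sshd_effective_option "$d/sshd_config" PermitRootLogin)"
    set_sshd_option "$d/sshd_config" PermitRootLogin no
    echo "after prepending: $(sshd_effective_option "$d/sshd_config" PermitRootLogin)"
    cat "$d/sysctl.conf" "$d/login.defs" "$d/common-session" "$d/sshd_config"
    rm -rf "$d"
}
demo
```

Once the helpers are pointed at the real files (as root), apply and verify the result the way the daemons see it: sudo sysctl --system for the kernel keys, sudo sshd -t followed by sudo sshd -T | grep -i permitrootlogin and sudo systemctl reload ssh for the SSH change, and a fresh login followed by umask for the PAM change.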
- Protect GRUB with a password:
- Generate a password hash using:
grub-mkpasswd-pbkdf2
- Append it to the end of /etc/grub.d/00_header, following this model (the user and hash below were chosen at random; the real user and password must be stored in a password vault):
cat << EOF
set superusers="<user>"
password_pbkdf2 <user> grub.pbkdf2.sha512.10000.5BE0AF1AD2A6161F82B70289DF63C552435FECA61F2CACCBF828593033F12D07ECB86EE5265076D8B078471595040FBCEAFA7983F4F30A0C0EA9AEC28986098C.0407A80055F6AFFC373B5F9E2D1789F63EBA318BC5C8AAAC426F688EC1B44D4677E2EB9775F29A6FC260B7E329843EFF57381491E3E3B3474892E624267E5EE7
EOF
- Regenerate grub.cfg with either:
update-grub
or
grub-mkconfig -o /boot/grub/grub.cfg
Once superusers is set, GRUB requires that password to edit entries, to use its command line, and to boot any menu entry that is not marked --unrestricted. A cluster node must still reboot unattended, so after regenerating check the menu entries in /boot/grub/grub.cfg for --unrestricted and test a reboot before baking this into the image.
Depending on the scanning tools or policy you use, other security measures will be needed. So if you have anything else that could be done or changed, just say it!