@igorGevaerd
Last active January 7, 2020 14:30
Process used to keep Debian 9 more secure

Debian 9 Hardening

TL;DR: Some security improvements that were necessary to run Debian inside a Kubernetes cluster under stricter security rules.

The image used follows what is stated in the kops documentation, which in this case is:

kope.io/k8s-1.14-debian-stretch-amd64-hvm-ebs-2019-08-16

Hardening phases:

  1. Update Docker so that it is protected against CVE-2019-5736:
  • Bring the package index up to date:
    sudo apt update
    
  • Install the prerequisite packages that let apt fetch packages over HTTPS:
    sudo apt install apt-transport-https ca-certificates curl gnupg2 software-properties-common
    
  • Add the GPG key of the official Docker repository to the system:
    curl -fsSL https://download.docker.com/linux/debian/gpg | sudo apt-key add -
    
  • Add the Docker repository to APT sources:
    sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/debian $(lsb_release -cs) stable"
    
  • Update the package database with the Docker packages from the newly added repo:
    sudo apt update
    
  • Install the updated versions:
    sudo apt upgrade
    
  • Verify that the Docker version installed is greater than 18.06.3:
    docker version
    
  2. Edit the network configuration:
  • Open the file /etc/sysctl.conf and add the following settings (the ones reported by Lynis):
    net.ipv4.conf.all.accept_redirects = 0
    net.ipv4.conf.all.send_redirects = 0
    net.ipv4.conf.default.accept_redirects = 0
    net.ipv6.conf.all.accept_redirects = 0
    net.ipv6.conf.default.accept_redirects = 0
    net.ipv4.conf.default.accept_source_route = 0
    kernel.sysrq = 0
    net.ipv4.tcp_timestamps = 0
    net.ipv4.conf.all.log_martians = 1
    net.ipv4.conf.default.log_martians = 1
    kernel.kptr_restrict = 2
    kernel.core_uses_pid = 1
    net.ipv4.conf.all.rp_filter = 1
    
    or simply:
    echo -e "##### HARDENING #####\nnet.ipv4.conf.all.accept_redirects = 0\nnet.ipv4.conf.all.send_redirects = 0\nnet.ipv4.conf.default.accept_redirects = 0\nnet.ipv6.conf.all.accept_redirects = 0\nnet.ipv6.conf.default.accept_redirects = 0\nnet.ipv4.conf.default.accept_source_route = 0\nkernel.sysrq = 0\nnet.ipv4.tcp_timestamps = 0\nnet.ipv4.conf.all.log_martians = 1\nnet.ipv4.conf.default.log_martians = 1\nkernel.kptr_restrict = 2\nkernel.core_uses_pid = 1\nnet.ipv4.conf.all.rp_filter = 1\n" | sudo tee -a /etc/sysctl.conf
    
  • Apply the new kernel parameters:
    sudo sysctl --system
    
  3. Change the permissions of home directories and newly created files:
  • Change the permissions of everything under /home/*:
    sudo chmod 750 -R /home/*
    
  4. Change the default UMASK:
  • Enable pam_umask (the redirection has to run as root, so write the line through tee rather than a plain `>>`, which would run as the unprivileged user and fail):
    echo "session optional pam_umask.so" | sudo tee -a /etc/pam.d/common-session
    
  • Set the value of UMASK in /etc/login.defs to:
    UMASK 077
    
  • Then log out of the current session, log in again and run umask to check that the output is:
    0077
    
  5. Disable root login over SSH:
  • Append to the end of the file /etc/ssh/sshd_config:
    PermitRootLogin no
    
**If the boot screen is accessible, continue with the next step; otherwise skip phase 6.**
  6. Protect GRUB with a password:
  • Generate a password hash with:
    grub-mkpasswd-pbkdf2
    
  • Append it to the end of the file /etc/grub.d/00_header, following this model:
    cat << EOF | sudo tee -a /etc/grub.d/00_header
    set superusers="<user>"
    password_pbkdf2 <user> grub.pbkdf2.sha512.10000.5BE0AF1AD2A6161F82B70289DF63C552435FECA61F2CACCBF828593033F12D07ECB86EE5265076D8B078471595040FBCEAFA7983F4F30A0C0EA9AEC28986098C.0407A80055F6AFFC373B5F9E2D1789F63EBA318BC5C8AAAC426F688EC1B44D4677E2EB9775F29A6FC260B7E329843EFF57381491E3E3B3474892E624267E5EE7
    EOF
    
    *(the user and password were chosen randomly and must be added to a password vault)
  • Save the changes:
    sudo update-grub
    
    or
    sudo grub-mkconfig -o /boot/grub/grub.cfg
    
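As an added example (not part of the original gist), a POSIX shell audit script that checks whether the Docker version, the sysctl settings and the sshd `PermitRootLogin` directive from the steps above are actually in effect; the config paths and the `docker version --format` call are assumptions, and the checks take file paths as arguments so they can also be run against copies of the configs. It goes one step beyond the procedure by checking the first `PermitRootLogin` line rather than the last, because that is the one sshd honours.

```shell
#!/bin/sh
# Added example, not from the gist: audit helpers for the settings applied above.
# Each check returns 0 on pass and 1 on fail, so it can be used in `if` or with `&&`.

# version_ge A B: 0 if dotted version A >= B ("18.06.3-ce" compares as 18.06.3).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN { n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 > y[i] + 0) exit 0; if (x[i] + 0 < y[i] + 0) exit 1 }
        exit 0 }'
}

# The key=value pairs the procedure appends to /etc/sysctl.conf.
REQUIRED_SYSCTL="net.ipv4.conf.all.accept_redirects=0 net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.accept_redirects=0 net.ipv6.conf.all.accept_redirects=0
net.ipv6.conf.default.accept_redirects=0 net.ipv4.conf.default.accept_source_route=0
kernel.sysrq=0 net.ipv4.tcp_timestamps=0 net.ipv4.conf.all.log_martians=1
net.ipv4.conf.default.log_martians=1 kernel.kptr_restrict=2 kernel.core_uses_pid=1
net.ipv4.conf.all.rp_filter=1"

# sysctl_file_ok FILE: every required key is set to the required value in FILE.
# The last assignment of a key wins, because sysctl applies the file top to bottom.
sysctl_file_ok() {
    rc=0
    for pair in $REQUIRED_SYSCTL; do
        key=${pair%%=*}; want=${pair#*=}; re=$(printf '%s' "$key" | sed 's/\./\\./g')
        got=$(sed -n "s/^[[:space:]]*$re[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$1" | tail -n1)
        [ "$got" = "$want" ] || { echo "FAIL $key=${got:-unset} (want $want)"; rc=1; }
    done
    return $rc
}

# sshd_root_login_disabled FILE: sshd uses the FIRST uncommented PermitRootLogin it
# reads, so a "no" appended at the end is ineffective if an earlier line says "yes".
sshd_root_login_disabled() {
    [ "$(awk 'tolower($1) == "permitrootlogin" { print tolower($2); exit }' "$1")" = "no" ]
}

# audit_host: run the checks against the live system (assumed paths; needs Docker socket access).
audit_host() {
    ver=$(docker version --format '{{.Server.Version}}' 2>/dev/null) || ver=0
    version_ge "$ver" 18.06.3 && echo "ok docker $ver" || echo "FAIL docker $ver"
    sysctl_file_ok /etc/sysctl.conf && echo "ok sysctl"
    sshd_root_login_disabled /etc/ssh/sshd_config && echo "ok sshd" || echo "FAIL sshd"
}
if [ "${1:-}" = "--audit" ]; then audit_host; fi
```

Run it as `sh audit.sh --audit` on the hardened host; any line starting with FAIL names the setting that did not take effect.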

What else can be hardened?

Based on the scanning tools or policy you use, other security measures must be taken. So if you have anything else that could be done and/or changed, just say so!
