Security hardening holiday calendar - Week 3

December 21, 2021

This december, we are posting security advice and modules, every day until December 25th. Now, it’s December 21st, and we’ve gotten through most of the security hardening holiday calendar:

CFEngine themed advent calendar design with 25 boxes, 21 of them are revealed with the same titles as the following sections

Week 1 & 2 summary (1-14/25)

We posted summaries for the 2 first weeks of the calendar:

Disable prelinking (15/25)

A technique called prelinking can be used to optimize programs, making them start up faster. As this feature will change the binary file, it interferes with security functionality such as checksumming and signatures. For these reasons it is generally a good idea to disable prelinking, unless you really need it.

build.cfengine.com/modules/prelinking-disabled

Running CFEngine with this module in your policy set on a system which has prelinking enabled should produce similar output as below:

# cf-agent -KI
    info: Replaced pattern '^\s*(PRELINKING\s*=\s*(?!no$).*|PRELINKING)$' in '/etc/default/prelink'
    info: replace_patterns promise '^\s*(PRELINKING\s*=\s*(?!no$).*|PRELINKING)$' repaired
    info: Edited file '/etc/default/prelink'
    info: Executing 'no timeout' ... '/usr/sbin/prelink -ua'
    info: Completed execution of '/usr/sbin/prelink -ua'

Recommendation: If you don’t need it, disable prelinking by editing /etc/default/prelink, either manually, or using our module.

Disable Empty Passwords in SSH (16/25)

Some systems create users with empty passwords. These users should not be allowed to log in remotely, as it is an extremely easy “password” for attackers to guess. You should configure SSH to not allow logging in with an empty password:

build.cfengine.com/modules/ssh-permit-empty-passwords-no

Recommendation: Ensure logging in with an empty password is not possible, by changing sshd configuration.

Permissions for directories in root PATH (17/25)

On day 11, we showed reports of writable directories in root’s PATH variable. These represent a security risk, as other users can modify the programs ran by the root user. To fix this, you should enforce the permissions of all directories in root’s PATH variable:

build.cfengine.com/modules/root-path-enforce-permissions

Recommendation: Control the permissions of all directories in root’s PATH. Use automation to enforce this everywhere, continuously.

Add nosuid option to /tmp (18/25)

The SUID and SGID flags enable specific executables, such as sudo, to be run with additional access (setting the UID or GID). This should be tightly controlled. Users should not be able to execute SUID or SGID binaries from temporary storage partitions. You should make /tmp a separate mount point with a nosuid mount option to prevent execution of SUID programs there:

build.cfengine.com/modules/tmp-nosuid

Recommendation: Ensure the /tmp directory is mounted with the nosuid option.

Remove old files in /tmp (19/25)

The /tmp directory holds temporary files used by various programs. This can be logs, cache files, partial downloads, etc. Since many programs use the /tmp folder, an attacker could get some software to write there, or look for valuable data to exfiltrate. It is a good idea to clean up regularly:

build.cfengine.com/modules/tmp-file-age

Recommendation: Clean up the /tmp directory regularly to free up disk space and remove unwanted old files.

Use only strong ciphers (20/25)

SSH has been around for a long time and supports many different cryptographic algorithms. Older ciphers are generally less secure than the newer additions. You should ensure it’s configured to only use modern, strong cryptographic ciphers:

build.cfengine.com/modules/ssh-ciphers-strong

Recommendation: Use our module to ensure only strong ciphers are allowed in SSH. Deploy it as part of your policy set so it’s enforced everywhere in your infrastructure.

Reports of the results of yum’s update info (21/25)

Not all updates are the same. Most systems have some pending updates all the time. But security updates should be treated more carefully, especially the important or even critical ones. First step is to know that there are such updates available. On Red Hat Enterprise Linux, the yum updateinfo sumary command gives you information about security updates. Our module on CFEngine Build uses this functionality in yum:

build.cfengine.com/modules/inventory-yum-update-info

This gives you the desired information as part of the CFEngine Enterprise reporting data:

(To see this, go to Reports -> Inventory -> Click the 3 dots at the top of a column -> Insert Column -> Security updates and similar for the other attributes.)

Recommendation: Pay attention to security upgrades and perform them as quickly as possible. Run yum updateinfo summary from the command line or use this module to get the information from all of your RHEL servers. Look for similar solutions if you are using other platforms.

Subscribe to the calendar

To sign up for the remaining days of the calendar use this link.

Get in touch with us
to discuss how we can help!
Contact us
Sign up for
our newsletter
By signing up, you agree to your e-mail address being stored and used to receive newsletters about CFEngine