This is the final summary of our 2021 security hardening holiday calendar. We wanted to provide educational, useful, and actionable security advice, and we’re really pleased with the reception! Thank you for reading and following along.
Week 1-3 summary (1-21/25)
We posted summaries for the 3 first weeks of the calendar:
Enforce specific list of allowed sudoers (22/25)
As discussed previously, the root user and sudo tool provide a lot of access to the system, both in terms of making changes, and reading sensitive data. You should tightly control who can use sudo (the sudoers). This module allows you to specify a list of suoders, and have it enforced; no other users will be allowed to use sudo:
build.cfengine.com/modules/sudo-enforce-allowed-users
Recommendation: Specify the list of users allowed to use sudo, and limit it as much as possible. Ensure it is enforced everywhere with CFEngine and this module.
Who’s logging into your hosts? (23/25)
Reports of who logged on to hosts are important for security monitoring and audits / compliance. After some change or unexpected event, it is especially valuable to see which users have logged in to the relevant systems. You should set up all your hosts to automatically report this information, continuously:
build.cfengine.com/modules/inventory-lastlog
Recommendation: Use this module to get a complete overview of who is logging into your hosts in the CFEngine Enterprise Web UI (Mission Portal). Look for unexpected user logins.
Uninstall ftp package (24/25)
Using FTP servers is an easy way to share files over the network. FTP clients can connect and download the files they want. If you use FTP, it’s probably on a few specific / dedicated machines. We provide a module for uninstalling ftp everywhere you don’t need it:
build.cfengine.com/modules/ftp-server-not-installed
As a test, you can install vsftpd
and then run CFEngine with this module, to see that it’s uninstalled:
$ sudo apt install vsftpd
$ cf-agent -KI
info: Successfully removed package 'vsftpd'
Recommendation: Disable and uninstall FTP everywhere it’s not needed, to avoid unintended data exposure and reduce attack surface.
Supported version of CFEngine (25/25)
We are constantly improving CFEngine and fixing issues. The 3.15 and 3.18 LTS series are currently supported. To get the latest bug fixes and security updates, you should upgrade to the latest release for your LTS series (3.15.5 and 3.18.1). This module adds reporting information around whether your hosts are running supported versions or not:
build.cfengine.com/modules/cfengine-supported
Recommendation: Always use a supported version of CFEngine and try to upgrade to new releases as quickly as possible. Use the reporting system in CFEngine Enterprise to stay on top of which versions you are using and what hosts need to be upgraded.
Thank you
Thank you for following our holiday themed security hardening calendar. We look forward to sharing more useful content, security advice, and modules with you in 2022. Stay up to date by following us on LinkedIn and Twitter. Happy holidays!