From 0d32f41f440debecce2bcd899e81aec3c878174e Mon Sep 17 00:00:00 2001 From: Fabian Arrotin Date: Jul 05 2021 07:43:34 +0000 Subject: Added some security guidelines for infra (wip) Signed-off-by: Fabian Arrotin --- diff --git a/docs/security/index.md b/docs/security/index.md index e69de29..f7366dc 100644 --- a/docs/security/index.md +++ b/docs/security/index.md @@ -0,0 +1,13 @@ +# CentOS infra security guidelines + +We want to enforce the following security points on *Every* deployed node: + + * iptables rules (*even* if hosted in a DC behind a hardware firewall and so not using public IP) + * selinux turned on (`enforcing` and *not* `permissive` or even worse : `disabled`) + * TLS communication between infra components (if possible, or through similar method) + * consuming only GPG signed RPM pkgs from our own `infra` cbs/koji tags (so signed with our key) + +Optional (depending on the criticality level, if storing sensitive information on disk): + + * `luks` to encrypt the filesystem on disk (with luks passphrase itself crypted in git repo for inventory) + diff --git a/docs/security/iptables.md b/docs/security/iptables.md index e69de29..ead6282 100644 --- a/docs/security/iptables.md +++ b/docs/security/iptables.md @@ -0,0 +1,2 @@ +# Host Firewall rules + diff --git a/docs/security/selinux.md b/docs/security/selinux.md new file mode 100644 index 0000000..ff7f113 --- /dev/null +++ b/docs/security/selinux.md @@ -0,0 +1 @@ +# Security Enhanced Linux (selinux) diff --git a/docs/security/ssh.md b/docs/security/ssh.md index e69de29..3497f1d 100644 --- a/docs/security/ssh.md +++ b/docs/security/ssh.md 
@@ -0,0 +1,20 @@ +# CentOS ssh/sshd settings + +Except for some identified ssh Jump Hosts, or for public services over ssh (like pushing to git.centos.org), the tcp/22 port used by sshd is [firewalled](https://github.com/CentOS/ansible-role-iptables/blob/master/defaults/main.yml#L11) on almost all the fleet. + +As part of the `init` [process](/operations/deploy/common/) we sign the sshd host key, meaning that once it's signed by central key, you just have to trust that cert-authority and so not have to confirm each host key/fingerprint when connecting to a server over ssh. + +The Ansible [sshd](https://github.com/CentOS/ansible-role-sshd) is also distributing a ssh_known_hosts system file, so that each node (if needed) can also ssh into other centos nodes (like for backup purposes), as long as of course : + + * a valid user pub key is injected + * tcp/22 isn't blocked through iptables from ansible + +The central [known_hosts_entries](https://github.com/CentOS/ansible-role-sshd/blob/master/defaults/main.yml#L23) ansible variable at least has one default entry for the `main` CentOS ENV. + +Apart from that, our default sshd_config : + + * Doesn't permit root login + * Doesn't permit password authentication + * specify the `HostCertificate` (see the node about CA sshd host above) + +From a client perspective, all users ssh public keys are distributed by ansible (for sysadmin) or coming from [IPA](/infra/authentication/) through ipsilon for some services able to query/import ssh public keys through openid/openidc (like for example pagure/git.centos.org) diff --git a/mkdocs.yml b/mkdocs.yml index 78d5dce..5899d29 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -92,6 +92,7 @@ nav: - security/tls.md - security/gpg.md - security/iptables.md + - security/selinux.md - security/ssh.md - Ansible: - ansible/index.md
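Review bot: in the docs/security/index.md hunk, the `luks` bullet says the passphrase is "crypted in git repo for inventory" without naming the mechanism that protects it; state which tool encrypts it (and that it must never land in the repository in clear text), and fix "crypted" to "encrypted". The first bullet, `iptables rules (*even* if hosted in a DC ...)`, would also benefit from stating the expected default policy (inbound denied unless allowed) so that "iptables rules" is a checkable requirement rather than just the presence of a ruleset.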
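Review bot: the docs/security/iptables.md hunk adds only the heading `# Host Firewall rules`, but docs/security/ssh.md in the same patch already links the role defaults at https://github.com/CentOS/ansible-role-iptables/blob/master/defaults/main.yml#L11 for the tcp/22 rule; carry that link and the default inbound policy into this page, or mark it WIP as the commit subject does, so readers reaching it from the nav do not hit an empty page.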
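Review bot: docs/security/selinux.md is a heading-only page, yet the mkdocs.yml hunk adds `- security/selinux.md` to the nav; add at least the requirement already stated in index.md (`enforcing`, never `permissive` or `disabled`) and how a node is checked against it, or hold the nav entry until the page has content.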
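Review bot: in the docs/security/ssh.md hunk, the bullet `specify the \`HostCertificate\` (see the node about CA sshd host above)` has "node" for "note", and the two bullets before it would be clearer as the actual directives, `PermitRootLogin no` and `PasswordAuthentication no`, so the policy can be checked directly against sshd_config. The paragraph stating that users "just have to trust that cert-authority" should also say what that means on the client side: a `@cert-authority` entry carrying the CA public key in the user's known_hosts, without which every host still prompts for fingerprint confirmation. Minor: `as long as of course :` has a stray space before the colon.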