The Hardening of Ubuntu.
Today I am writing about the hardening of Ubuntu 18.04, that is, raising its level of security. The template for this is the “CIS Ubuntu Linux 18.04 LTS Benchmark” from the “Center for Internet Security”, a collection of instructions for hardening Ubuntu. It contains just over 200 instructions, which, unless the operating system already fulfils them, I first condense into Bash scripts. The instructions include deactivating services and changing configuration files, as well as firewall rules and the granting of file permissions. The objective is to prevent potential attackers from getting into the Ubuntu operating system and performing actions that endanger the operation of the product or even the entire infrastructure.
Splitting the hard disk into several partitions, including a separate partition for log files, is designed to prevent the hard disk from filling up, whether through attackers or faulty log entries, and causing services or the entire operating system to crash. Strict firewall rules define fixed communication paths between the individual systems, thereby preventing unknown services from communicating inadvertently.
Problem and solution for the provision time.
It is interesting here to work with the Linux tool ‘sed’, with which you can change the contents of individual configuration files in place. One problem that occurs: once most of the scripts have been written, running them all sequentially can take far too long to provision a single virtual machine. My solution: I check the order in which the scripts are executed. This could cut the time in half. Also, by additionally installing a DNS cache, the provisioning time can be reduced by several more minutes. The reason for the slow provisioning may be, for example, a DNS entry in the file hosts.allow, which is entered very early in the provisioning phase of the system. This may cause the system to check on each connection whether the IP address belongs to the specified DNS name. The provisioning consists of several hundred individual shell commands that are sent across the network to the virtual machine, executed there, and whose results are sent back to the provisioning service over the network. Each of these commands, sending the instruction to the virtual machine and receiving its result, then takes several seconds instead of just a few milliseconds. My solution: I move the script that enters the DNS entry in the hosts.allow file to the end of the virtual machine provisioning process.
The subsequent launch of the applications, which the provisioning service also triggers with individual commands over the network, is likewise accelerated by the DNS cache.
One last important point.
Finally, test scripts must be created. They help you verify that the system continues to meet the hardening requirements. These scripts check the settings that the hardening changed or added, and notify you if any of the set values change.
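As an added example, not one of the INNO team's own scripts, here is how a single hardening step made with sed in place and its matching test check could look in Bash. The sample file standing in for sshd_config and the directives set in it (PermitRootLogin, X11Forwarding, MaxAuthTries) are assumptions chosen for illustration, not values taken from the post.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): one hardening step plus the
# test that later verifies it. File content and directives are constructed.
set -euo pipefail

# Set KEY to VALUE in FILE using sed in place. An existing active or
# commented-out line for KEY is rewritten; if none exists, the line is
# appended. Running it twice leaves the file unchanged, which matters when
# a provisioning run is repeated.
set_option() {
  local file="$1" key="$2" value="$3"
  if grep -Eq "^[#[:space:]]*${key}([[:space:]]|$)" "$file"; then
    sed -E -i "s|^[#[:space:]]*${key}([[:space:]].*)?$|${key} ${value}|" "$file"
  else
    printf '%s %s\n' "$key" "$value" >> "$file"
  fi
}

# Test counterpart: succeed only if exactly one active line sets KEY to
# VALUE. A missing, commented-out or duplicated directive fails the check.
check_option() {
  local file="$1" key="$2" value="$3"
  [ "$(grep -Ec "^${key}[[:space:]]+${value}[[:space:]]*$" "$file")" -eq 1 ]
}

# Constructed sample standing in for /etc/ssh/sshd_config (assumption).
demo_file="$(mktemp)"
trap 'rm -f "$demo_file"' EXIT
cat > "$demo_file" <<'EOF'
# constructed sample config
#PermitRootLogin yes
X11Forwarding yes
EOF

set_option "$demo_file" PermitRootLogin no   # rewrite commented-out line
set_option "$demo_file" X11Forwarding no     # rewrite active line
set_option "$demo_file" MaxAuthTries 4       # append missing line

for opt in "PermitRootLogin no" "X11Forwarding no" "MaxAuthTries 4"; do
  # shellcheck disable=SC2086
  check_option "$demo_file" $opt && echo "OK: $opt" || echo "DRIFT: $opt"
done
```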
Now you know.
Have fun. Enjoy coding.
Your INNO coding team.