GKE on-prem node images come preconfigured with PCI DSS, NIST Baseline High, and DoD Cloud Computing SRG Impact Level 2 settings.
The following sections describe the compliance configurations that have changed.
Packages installed
The following packages are included in the node OS images:
Audit
The audit rules added to the operating system meet requirements for logging changes in file ownership and permissions, file deletion, kernel module loading or deletion, use of privileged commands, and system administration commands.
The following events are logged by auditd on the node OS:
Discretionary access control (DAC) modifications:
chmod
: change file modes or access control listschown
: change file owner and groupfchmod
: change mode of filefchmodat
: change mode of filefchown
: change owner and group of a filefchownat
: change owner and group of a filefremovexattr
: remove an extended attribute valuefsetxattr
: set an extended attribute valuelchown
: change owner and group of a filelremovexattr
: remove an extended attribute valuelsetxattr
: set an extended attribute valueremovexattr
: remove an extended attribute valuesetxattr
: set an extended attribute value
File deletion
ename
: change the name of a filerenameat
: change the name of a filermdir
: remove directoriesunlink
: remove directory entriesunlinkat
: remove directory entry
Kernel module loading
deleted
: remove an unused loadable kernel modulefinit
: load kernel module from file descriptorinit
: load an ELF image into kernel space
Login events
faillock
: lock user account after repeated failed login attemptslastlog
: login recordstallylog
: record successful and unsuccessful login attempts
Media export:
mount -F
commands to mount remote filesystemsPrivileged commands
chage
: add or change user database informationchsh
: add or change user database informationcrontab
: maintain crontab files for individual usersgpasswd
: set or change password for group membershipnewgrp
: change to a new grouppasswd
: modify a user's passwordpostdrop
: Postfix mail posting utilitypostqueue
: Postfix queue controlssh_keysign
: manage host keys for SSH Daemonsu
: substitute user identitysudo
: execute a command as another userunix_chkpwd
: verify the password of the current user
Sysadmin actions: modifications of sudoers
System shutdown: shutdown and reboot of the OS
Unsuccessful file modification
creat
: create a new fileftruncate
: truncate or extend a file to a specified lengthopen
: open files and directoriesopen_by_handle_at
: open or create a file for reading or writingopenat
: open or create a file for reading or writingtruncate
: truncate or extend a file to a specified length
User / group modification
group
: local group membershipgshadow
: group password databaseopasswd
: password reuse databasepasswd
: local user login informationshadow
: Hashed local user password database
User Profile password requirements
User password complexity requirements are necessary for compliance. These
complexity requirements are implemented in /etc/security/pwquality.conf
as
follows:
minlen = 15 lcredit = -1 maxrepeat = 3 difok = 8 maxclassrepeat = 4 ocredit = -1 dcredit = -1 ucredit = -1 minclass = 4
SSH Server
The following settings have been implemented in the sshd
server config.
System banner
The warning message reinforces policy awareness during the login process and facilitates possible legal action against attackers. Alternatively, systems whose ownership should not be obvious should ensure usage of a banner that does not provide easy attribution.
SSH Protocol 2
SSH Protocol 1 is less secure, and should be deactivated to prevent clients from accidentally negotiating a vulnerable connection parameter.
SSH disable root login
SSH should not allow direct login as the root user, as this obscures traceability of administrative actions.
SSH disallow PermitUserEnvironment
PermitUserEnvironment can circumvent configuration on the server. This setting ensures that insecure settings are not imported during session establishment.
SSH warning banner
The warning message reinforces policy awareness during the login process and facilitates possible legal action against attackers. This setting ensures the SSH daemon presents the system's configured banner content.
SSH idle timeout
SSH allows administrators to set an idle timeout interval. After this interval has passed with no activity, the user is automatically logged out.
SSH keepalive
This ensures that a user login is terminated as soon as the SSH idle timeout is reached.
SSH approved ciphers
Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and system data may be compromised. Operating systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules.FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets industry and government requirements.
SSH approved MACS
Limit the MACs to those hash algorithms that are FIPS-approved.
SSH UsePrivilegeSeparation
SSH daemon privilege separation causes the SSH process to drop root privileges when not needed, decreasing the impact of software vulnerabilities in the unprivileged section.
Display SSH login attempts
On successful authentication, display previous login attempts. This is to inform the user of unexpected logins.
File integrity scanning
The following AIDE integrity checks are configured:
AIDE periodic scan
At a minimum, AIDE should be configured to run a weekly scan. At most, AIDE should be run daily. By default, Ubuntu configures AIDE to run daily.
AIDE notification
AIDE should notify appropriate personnel of the details of a scan after the scan
has been run. The default configuration of AIDE on Ubuntu automatically sends
email reports in /etc/cron.daily/aide
.
AIDE: Use FIPS approved cryptographic hashes
File integrity tools use cryptographic hashes for verifying that file contents and directories have not been altered. These hashes must be FIPS 140-2 approved cryptographic hashes.
AIDE: Verify ACLs
ACLs can provide permissions beyond those permitted through the file mode and must be verified by the file integrity tools.
AIDE: Verify EXT attributes
Extended attributes in file systems are used to contain arbitrary data and file metadata with security implications.
Kernel settings
The following modifications have been made to the kernel settings in
/etc/sysctl
.
Disable Ctrl-Alt-Del reboot
A locally logged-in user who presses Ctrl-Alt-Del, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot.
DCCP kernel module disabled
The Datagram Congestion Control Protocol (DCCP) is a relatively new transport layer protocol, designed to support streaming media and telephony. Disabling DCCP protects the system against exploitation of any flaws in its implementation.
USB storage kernel module disabled
USB storage devices such as thumb drives can be used to introduce malicious software. To prevent USB storage devices from being used, configure the kernel module loading system to prevent automatic loading of the USB storage driver.
Randomize virtual address space
Address space layout randomization (ASLR) makes it more difficult for an attacker to predict the location of attack code they have introduced into a process's address space during an attempt at exploitation. Additionally, ASLR makes it more difficult for an attacker to know the location of existing code in order to repurpose it using return oriented programming (ROP) techniques.
Disable IPv4 redirects
ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack. This feature of the IPv4 protocol has few legitimate uses. It should be disabled unless absolutely required.
Disable source routed IPv4 packets
Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv4 forwarding is enabled and the system is functioning as a router. Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required.
Disable sending IPv4 redirects
ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table possibly revealing portions of the network topology. The ability to send ICMP redirects is only appropriate for systems acting as routers.
Disable accepting IPv4 redirects
ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack. This feature of the IPv4 protocol has few legitimate uses. It should be disabled unless absolutely required.
Disable accepting IPv4 source routed packets
Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required, such as when IPv4 forwarding is enabled and the system is legitimately functioning as a router.
Disable sending IPv4 redirect packets
ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table possibly revealing portions of the network topology. The ability to send ICMP redirects is only appropriate for systems acting as routers.
Disable responding to IPv4 broadcast packets
Responding to broadcast (ICMP) echoes facilitates network mapping and provides a vector for amplification attacks. Ignoring ICMP echo requests (pings) sent to broadcast or multicast addresses makes the system slightly more difficult to enumerate on the network.
Disable accepting IPv6 source routed packets
Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv6 forwarding is enabled and the system is functioning as a router. Accepting source-routed packets in the IPv6 protocol has few legitimate uses. It should be disabled unless it is absolutely required.
Services
The following changes to service configurations have been implemented.
Remote logging of scheduled jobs
Cron logging can be used to trace the successful or unsuccessful execution of cron jobs. It can also be used to spot intrusions into the use of the cron facility by unauthorized and malicious users.
Disable AutoFS
The autofs
daemon mounts and unmounts filesystems, such as user home
directories shared via NFS, on demand. In addition, autofs
can be used to
handle removable media, and the default configuration provides the cdrom device
as /misc/cd
. Automatically mounting filesystems permits easy introduction of
unknown devices, thereby facilitating malicious activity.