Version 1.9. This version is supported as outlined in the Anthos version support policy, offering the latest patches and updates for security vulnerabilities, exposures, and issues impacting Anthos clusters on VMware (GKE on-prem). Refer to the release notes for more details. This is the most recent version.

Node compliance

Anthos clusters on VMware (GKE on-prem) node images come preconfigured with PCI DSS, NIST Baseline High, and DoD Cloud Computing SRG Impact Level 2 settings.

The following sections describe the compliance configurations that have changed.

Packages installed

The following packages are included in the node OS images:

Audit

The audit rules added to the operating system meet requirements for logging changes in file ownership and permissions, file deletion, kernel module loading or deletion, use of privileged commands, and system administration commands.

The following events are logged by auditd on the node OS:

  • Discretionary access control (DAC) modifications:

    • chmod: change file modes or access control lists
    • chown: change file owner and group
    • fchmod: change mode of file
    • fchmodat: change mode of file
    • fchown: change owner and group of a file
    • fchownat: change owner and group of a file
    • fremovexattr: remove an extended attribute value
    • fsetxattr: set an extended attribute value
    • lchown: change owner and group of a file
    • lremovexattr: remove an extended attribute value
    • lsetxattr: set an extended attribute value
    • removexattr: remove an extended attribute value
    • setxattr: set an extended attribute value
  • File deletion

    • ename: change the name of a file
    • renameat: change the name of a file
    • rmdir: remove directories
    • unlink: remove directory entries
    • unlinkat: remove directory entry
  • Kernel module loading

    • deleted: remove an unused loadable kernel module
    • finit: load kernel module from file descriptor
    • init: load an ELF image into kernel space
  • Login events

    • faillock: lock user account after repeated failed login attempts
    • lastlog: login records
    • tallylog: record successful and unsuccessful login attempts
  • Media export: mount -F commands to mount remote filesystems

  • Privileged commands

    • chage: add or change user database information
    • chsh: add or change user database information
    • crontab: maintain crontab files for individual users
    • gpasswd: set or change password for group membership
    • newgrp: change to a new group
    • passwd: modify a user's password
    • postdrop: Postfix mail posting utility
    • postqueue: Postfix queue control
    • ssh_keysign: manage host keys for SSH Daemon
    • su: substitute user identity
    • sudo: execute a command as another user
    • unix_chkpwd: verify the password of the current user
  • Sysadmin actions: modifications of sudoers

  • System shutdown: shutdown and reboot of the OS

  • Unsuccessful file modification

    • creat: create a new file
    • ftruncate: truncate or extend a file to a specified length
    • open: open files and directories
    • open_by_handle_at: open or create a file for reading or writing
    • openat: open or create a file for reading or writing
    • truncate: truncate or extend a file to a specified length
  • User / group modification

    • group: local group membership
    • gshadow: group password database
    • opasswd: password reuse database
    • passwd: local user login information
    • shadow: Hashed local user password database

User Profile password requirements

User password complexity requirements are necessary for compliance. These complexity requirements are implemented in /etc/security/pwquality.conf as follows:

minlen = 15
lcredit = -1
maxrepeat = 3
difok = 8
maxclassrepeat = 4
ocredit = -1
dcredit = -1
ucredit = -1
minclass = 4

SSH Server

The following settings have been implemented in the sshd server config.

System banner

The warning message reinforces policy awareness during the login process and facilitates possible legal action against attackers. Alternatively, systems whose ownership should not be obvious should ensure usage of a banner that does not provide easy attribution.

SSH Protocol 2

SSH Protocol 1 is less secure, and should be deactivated to prevent clients from accidentally negotiating a vulnerable connection parameter.

SSH disable root login

SSH should not allow direct login as the root user, as this obscures traceability of administrative actions.

SSH disallow PermitUserEnvironment

PermitUserEnvironment can circumvent configuration on the server. This setting ensures that insecure settings are not imported during session establishment.

SSH warning banner

The warning message reinforces policy awareness during the login process and facilitates possible legal action against attackers. This setting ensures the SSH daemon presents the system's configured banner content.

SSH idle timeout

SSH allows administrators to set an idle timeout interval. After this interval has passed with no activity, the user is automatically logged out.

SSH keepalive

This ensures that a user login is terminated as soon as the SSH idle timeout is reached.

SSH approved ciphers

Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and system data may be compromised. Operating systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules.FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets industry and government requirements.

SSH approved MACS

Limit the MACs to those hash algorithms that are FIPS-approved.

SSH UsePrivilegeSeparation

SSH daemon privilege separation causes the SSH process to drop root privileges when not needed, decreasing the impact of software vulnerabilities in the unprivileged section.

Display SSH login attempts

On successful authentication, display previous login attempts. This is to inform the user of unexpected logins.

File integrity scanning

The following AIDE integrity checks are configured:

AIDE periodic scan

At a minimum, AIDE should be configured to run a weekly scan. At most, AIDE should be run daily. By default, Ubuntu configures AIDE to run daily.

AIDE notification

AIDE should notify appropriate personnel of the details of a scan after the scan has been run. The default configuration of AIDE on Ubuntu automatically sends email reports in /etc/cron.daily/aide.

AIDE: Use FIPS approved cryptographic hashes

File integrity tools use cryptographic hashes for verifying that file contents and directories have not been altered. These hashes must be FIPS 140-2 approved cryptographic hashes.

AIDE: Verify ACLs

ACLs can provide permissions beyond those permitted through the file mode and must be verified by the file integrity tools.

AIDE: Verify EXT attributes

Extended attributes in file systems are used to contain arbitrary data and file metadata with security implications.

Kernel settings

The following modifications have been made to the kernel settings in /etc/sysctl.

Disable Ctrl-Alt-Del reboot

A locally logged-in user who presses Ctrl-Alt-Del, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot.

DCCP kernel module disabled

The Datagram Congestion Control Protocol (DCCP) is a relatively new transport layer protocol, designed to support streaming media and telephony. Disabling DCCP protects the system against exploitation of any flaws in its implementation.

USB storage kernel module disabled

USB storage devices such as thumb drives can be used to introduce malicious software. To prevent USB storage devices from being used, configure the kernel module loading system to prevent automatic loading of the USB storage driver.

Randomize virtual address space

Address space layout randomization (ASLR) makes it more difficult for an attacker to predict the location of attack code they have introduced into a process's address space during an attempt at exploitation. Additionally, ASLR makes it more difficult for an attacker to know the location of existing code in order to repurpose it using return oriented programming (ROP) techniques.

Disable IPv4 redirects

ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack. This feature of the IPv4 protocol has few legitimate uses. It should be disabled unless absolutely required.

Disable source routed IPv4 packets

Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv4 forwarding is enabled and the system is functioning as a router. Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required.

Disable sending IPv4 redirects

ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table possibly revealing portions of the network topology. The ability to send ICMP redirects is only appropriate for systems acting as routers.

Disable accepting IPv4 redirects

ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack. This feature of the IPv4 protocol has few legitimate uses. It should be disabled unless absolutely required.

Disable accepting IPv4 source routed packets

Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required, such as when IPv4 forwarding is enabled and the system is legitimately functioning as a router.

Disable sending IPv4 redirect packets

ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table possibly revealing portions of the network topology. The ability to send ICMP redirects is only appropriate for systems acting as routers.

Disable responding to IPv4 broadcast packets

Responding to broadcast (ICMP) echoes facilitates network mapping and provides a vector for amplification attacks. Ignoring ICMP echo requests (pings) sent to broadcast or multicast addresses makes the system slightly more difficult to enumerate on the network.

Disable accepting IPv6 source routed packets

Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv6 forwarding is enabled and the system is functioning as a router. Accepting source-routed packets in the IPv6 protocol has few legitimate uses. It should be disabled unless it is absolutely required.

Services

The following changes to service configurations have been implemented.

Remote logging of scheduled jobs

Cron logging can be used to trace the successful or unsuccessful execution of cron jobs. It can also be used to spot intrusions into the use of the cron facility by unauthorized and malicious users.

Disable AutoFS

The autofs daemon mounts and unmounts filesystems, such as user home directories shared via NFS, on demand. In addition, autofs can be used to handle removable media, and the default configuration provides the cdrom device as /misc/cd. Automatically mounting filesystems permits easy introduction of unknown devices, thereby facilitating malicious activity.