System hardening

Disable USB storage

Restrict USB access on the system to reduce the physical attack surface and prevent unauthorized device connections.

  1. Edit or create a configuration file in the /etc/modprobe.d/ directory. For example:

    # vim /etc/modprobe.d/usb-storage.conf
  2. Add the following line:

    install usb-storage /bin/true
  3. Unload the usb-storage module by running:

    # rmmod usb-storage

    rmmod fails if a USB storage device is currently attached and mounted; unmount and remove the device first. Verify that the module is gone with lsmod | grep usb_storage (no output means it is unloaded), and note that the install directive only takes effect for future load attempts, including after reboot.

Ensure idle shell timeout is 900 seconds or less

Configure idle shell timeouts, such as the TMOUT environment variable in shell profiles, to ensure unattended sessions are terminated automatically. This reduces the risk of unauthorized access.

  1. Open the /etc/bashrc, /etc/profile, and /etc/profile.d/*.sh files (and the appropriate files for any other shell supported on your system) for editing.
  2. Add or edit the TMOUT parameters as follows:

    readonly TMOUT=900
    export TMOUT

    Declaring the variable read-only prevents users from unsetting or raising TMOUT in their own sessions; without it the setting is advisory only.

Ensure /tmp is configured

Create a separate file system for /tmp and mount it with the restrictive options nosuid, nodev, and noexec. A dedicated tmpfs or partition keeps /tmp isolated from the root file system (hard links cannot cross file systems, which blunts hardlink-based attacks on system files), and noexec blocks direct execution of binaries and scripts dropped there. Note that noexec stops the kernel from executing files on the mount, not an interpreter from reading them, so sh /tmp/x.sh still runs; treat the option as one layer among several rather than a complete control.

Configure /etc/fstab appropriately. For example:

tmpfs  /tmp  tmpfs defaults,rw,nosuid,nodev,noexec,relatime  0 0

Alternatively, you can do the following:

  1. Enable systemd /tmp mounting by running:

    # systemctl unmask tmp.mount
    # systemctl enable tmp.mount
  2. Edit /etc/systemd/system/local-fs.target.wants/tmp.mount to configure the /tmp mount:

    [Mount]
    What=tmpfs
    Where=/tmp
    Type=tmpfs
    Options=mode=1777,strictatime,noexec,nodev,nosuid
  3. Reload systemd and apply the new options, then confirm they are active:

    # systemctl daemon-reload
    # systemctl restart tmp.mount
    # findmnt -no OPTIONS /tmp

    The findmnt output must list nosuid, nodev, and noexec. Restarting tmp.mount remounts /tmp and discards its contents, so do this during a maintenance window rather than on a node with active workloads.

Ensure NTP is configured and in use

Accurate, consistent time across cluster nodes, servers, and network devices matters for log correlation and for certificate and ticket lifetimes. Point every node at the same set of at least two NTP sources so that a single unreachable or misbehaving server does not leave nodes drifting apart.

Configure at least two NTP servers in your network and point chronyd on each cluster node to them:

  1. In /etc/chrony.conf, remove or comment out the default pool option and add a server option for each local NTP server (keep iburst so chronyd takes its first measurements quickly after startup):

    #pool pool.ntp.org iburst
    server ntp1.local.example.com iburst
    server ntp2.local.example.com iburst
  2. Restart chronyd:

    # systemctl restart chronyd.service
  3. Confirm that both sources are reachable and that one has been selected (marked ^* in the output):

    # chronyc sources -v
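To verify that the controls in this section were actually applied (usb-storage disabled via modprobe, TMOUT set to 900 or less and read-only, /tmp mounted nosuid,nodev,noexec, chronyd pointed at two or more explicit servers), the following audit script is an added example; it is not part of this guide or the product's own tooling. The paths it reads (/etc/modprobe.d, the shell profile files, /etc/fstab, the tmp.mount unit, /etc/chrony.conf) are those used in the steps above; the file name hardening-audit.sh and the two sample trees it builds are assumptions made for the demonstration, and the sample files are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not part of this guide or the product it documents: audits the
# four controls above (usb-storage disabled, TMOUT, /tmp mount options, chrony
# sources). Each check takes explicit paths or strings so it can run against a
# staged directory tree as well as the live host; each prints one verdict line
# and returns 0 (pass) or 1 (fail).

# usb-storage: a modprobe.d file must carry "install usb-storage /bin/true"
# (CIS benchmarks accept /bin/false equivalently).
check_usb_storage() {
    dir=$1
    if grep -Eqs '^[[:space:]]*install[[:space:]]+usb-storage[[:space:]]+/bin/(true|false)' "$dir"/*.conf; then
        echo "PASS usb-storage install directive present in $dir"; return 0
    fi
    echo "FAIL usb-storage not disabled in $dir"; return 1
}

# TMOUT: the last TMOUT=N assignment across the given profile files must be
# <= 900, and TMOUT must be declared readonly somewhere, else a user can unset it.
check_tmout() {
    val=$(grep -hEo 'TMOUT=[0-9]+' "$@" 2>/dev/null | tail -n1 | cut -d= -f2)
    if [ -z "$val" ]; then echo "FAIL TMOUT not set"; return 1; fi
    if [ "$val" -gt 900 ]; then echo "FAIL TMOUT=$val exceeds 900"; return 1; fi
    if ! grep -hEqs 'readonly[[:space:]]+TMOUT' "$@"; then
        echo "FAIL TMOUT=$val is not read-only"; return 1
    fi
    echo "PASS TMOUT=$val and read-only"; return 0
}

# /tmp: an option list (e.g. from "findmnt -no OPTIONS /tmp") must contain all
# three hardening flags; "defaults" alone implies none of them.
check_tmp_opts() {
    opts=",$1,"; missing=""
    for o in nosuid nodev noexec; do
        case $opts in *",$o,"*) ;; *) missing="$missing $o" ;; esac
    done
    if [ -n "$missing" ]; then echo "FAIL /tmp missing:$missing"; return 1; fi
    echo "PASS /tmp has nosuid,nodev,noexec"; return 0
}

# Intended /tmp options from a tree: the fstab entry wins, else the systemd unit.
tmp_opts_from_tree() {
    o=$(awk '$1 !~ /^#/ && $2 == "/tmp" {print $4}' "$1/etc/fstab" 2>/dev/null | tail -n1)
    if [ -n "$o" ]; then echo "$o"; return 0; fi
    sed -n 's/^Options=//p' "$1/etc/systemd/system/local-fs.target.wants/tmp.mount" 2>/dev/null | tail -n1
}

# chrony: no active pool directive, and at least two explicit server lines.
check_chrony() {
    conf=$1
    if grep -Eqs '^[[:space:]]*pool[[:space:]]' "$conf"; then
        echo "FAIL $conf still uses a pool directive"; return 1
    fi
    n=$(grep -Ecs '^[[:space:]]*server[[:space:]]+[^[:space:]]' "$conf"); n=${n:-0}
    if [ "$n" -lt 2 ]; then echo "FAIL $n server line(s) in $conf, need at least 2"; return 1; fi
    echo "PASS $n NTP servers configured in $conf"; return 0
}

# Run every check against a tree rooted at $1 ("/" for the live host).
audit_tree() {
    root=${1%/}; rc=0
    check_usb_storage "$root/etc/modprobe.d" || rc=1
    check_tmout "$root/etc/bashrc" "$root/etc/profile" "$root"/etc/profile.d/*.sh || rc=1
    check_tmp_opts "$(tmp_opts_from_tree "$root")" || rc=1
    check_chrony "$root/etc/chrony.conf" || rc=1
    return $rc
}

# Constructed sample trees (not captured from any real host) so the audit can be
# exercised offline: "hardened" follows the steps above, "weak" leaves defaults.
build_sample_tree() {
    r=$1; mkdir -p "$r/etc/modprobe.d" "$r/etc/profile.d"
    if [ "$2" = hardened ]; then
        echo 'install usb-storage /bin/true' > "$r/etc/modprobe.d/usb-storage.conf"
        printf 'readonly TMOUT=900\nexport TMOUT\n' > "$r/etc/profile.d/tmout.sh"
        echo 'tmpfs /tmp tmpfs defaults,rw,nosuid,nodev,noexec,relatime 0 0' > "$r/etc/fstab"
        printf '#pool pool.ntp.org iburst\nserver ntp1.local.example.com iburst\nserver ntp2.local.example.com iburst\n' > "$r/etc/chrony.conf"
    else
        : > "$r/etc/modprobe.d/placeholder.conf"
        printf 'TMOUT=1800\nexport TMOUT\n' > "$r/etc/profile.d/tmout.sh"
        echo 'tmpfs /tmp tmpfs defaults 0 0' > "$r/etc/fstab"
        echo 'pool pool.ntp.org iburst' > "$r/etc/chrony.conf"
    fi
}

# With no argument, demonstrate on the two sample trees; with a path, audit that tree.
case ${1:-demo} in
demo)
    work=$(mktemp -d)
    build_sample_tree "$work/hardened" hardened; build_sample_tree "$work/weak" weak
    echo "== hardened sample"; audit_tree "$work/hardened" || echo "   (unexpected failure)"
    echo "== weak sample";     audit_tree "$work/weak"     || echo "   (expected: weak sample fails)"
    rm -rf "$work" ;;
*)  audit_tree "$1" ;;
esac
```

Run sh hardening-audit.sh with no arguments for the demonstration, or sh hardening-audit.sh / to audit the live host. On a live host prefer check_tmp_opts "$(findmnt -no OPTIONS /tmp)" over the fstab and unit-file reading, since only the kernel's mount table shows what is actually in force. The script inspects configuration files only; it does not confirm that the profile is sourced for every login shell or that chronyd has actually synchronised, so pair it with chronyc sources -v and lsmod | grep usb_storage.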

Install updates regularly

Apply system updates and security patches regularly so that servers run stable, current, and supported software. This protects against known exploits and exploitation techniques that target outdated or vulnerable software. Patching cannot protect against a vulnerability for which no fix has been published yet, so it complements the other hardening measures in this section rather than replacing them; the faster a published fix is applied, the shorter the window in which a known exploit works against your nodes.

To perform a cluster update, refer to Installing updates in the Administrator Guide.