-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
The default CentOS security has progressed since CentOS 6, but in my opinion there are still some things that need to be tightened a bit more.
That being said, in order to start using the puppet module you need puppet and git installed on your server (which should obviously be running CentOS 7):
yum localinstall http://yum.puppetlabs.com/puppetlabs-release-el-7.noarch.rpm
yum install -y puppet git
Now, clone my module:
git clone https://firstname.lastname@example.org/legeek/bkraft-securingc7.git
Obviously, if you are running a puppet master, use the classes as you like.
Rather than stopping, disabling and deleting packages as I suggested in Securing CentOS 6 installation, here I skip the uninstall phase because of dependencies between some packages that I use later on (NetworkManager/firewalld and fail2ban). I just disable and stop them. Here is the list of the services that will be disabled and stopped:
This is done in bkraft-securingcentos7/manifests/services.pp. If you want to apply only this part, run the following:
puppet apply --modulepath /path/to/modulesdir -e 'include bkraft-securingc7::services'
Installing fail2ban is straightforward, but as I chose to disable firewalld (I don't want either NetworkManager or firewalld on production servers, but that discussion is out of the scope of this documentation), the legacy iptables init scripts have to be brought back. This is achieved by installing the iptables-services package, which provides the iptables service unit and /etc/sysconfig/iptables. One check worth doing afterwards: the EPEL fail2ban package pulls in a firewalld subpackage whose drop-in under /etc/fail2ban/jail.d/ sets banaction to a firewallcmd action; with firewalld stopped, bans would then silently do nothing, so make sure banaction ends up pointing at an iptables action.
This part is done in bkraft-securingcentos7/manifests/fail2ban.pp. If you want to apply only this part, run the following:
puppet apply --modulepath /path/to/modulesdir -e 'include bkraft-securingc7::fail2ban'
On top of installing this wonderful daemon that fail2ban is, we still need to modify the OpenSSH server configuration file (sshd_config) to apply the following changes:
Note on the method used for this modification in the puppet module. I was pretty disappointed with the usage of augeas, because I found it very complex to uncomment and also match key:values, so I just went for an ugly in-place update. Yep, I could have used sed.
This part is done in bkraft-securingcentos7/manifests/openssh.pp. If you want to apply only this part, run the following:
puppet apply --modulepath /path/to/modulesdir -e 'include bkraft-securingc7::openssh'
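The in-place update problem above (uncomment a directive if it is commented out, replace it if it is active, otherwise add it) can be solved without augeas. The following is an added example in POSIX sh/awk, not code from the bkraft-securingc7 module; the directive names it edits are placeholders chosen for illustration and are not the post's own list. It also handles two things an ad-hoc sed tends to get wrong: sshd honours the first active occurrence of a directive, so a duplicate appended at the end of the file changes nothing, and anything appended after a Match line becomes conditional instead of global.

```shell
#!/bin/sh
# Added example, not code from the bkraft-securingc7 module: an idempotent
# sshd_config editor in POSIX sh/awk (the "sed" alternative the post mentions)
# and a reader that reports the value sshd will actually use.
# The directives used in the demo below are placeholders, not the post's list.

# Lower-case helper: sshd matches keywords case-insensitively.
lc() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# Print the effective value of a directive. sshd uses the FIRST active
# occurrence in the global section; anything after the first "Match" line
# is conditional, so stop there. (The "Keyword=value" spelling that sshd
# also accepts is not handled here.)
get_sshd_option() {
    awk -v key="$(lc "$2")" '
        tolower($1) == "match"        { exit }            # global section ends
        /^[[:space:]]*#/ || NF == 0   { next }            # comment or blank
        tolower($1) == key            { print $2; exit }  # first wins, like sshd
    ' "$1"
}

# Set a directive to exactly one active global value:
#  - rewrite the first active global line and drop later duplicates,
#  - otherwise uncomment the first "#Keyword ..." line in place,
#  - otherwise insert before the first "Match" block (never after it, or
#    the directive would silently become conditional), else append.
# The result is written with "cat >" so the mode and ownership of the
# original file (normally 0600 root:root) are preserved.
set_sshd_option() {
    file=$1; key=$2; value=$3
    tmp=$(mktemp) || return 1
    awk -v key="$(lc "$key")" -v orig="$key" -v value="$value" '
        BEGIN { done = 0; inmatch = 0 }
        tolower($1) == "match" {
            if (!done) { print orig " " value; done = 1 }
            inmatch = 1
        }
        !inmatch && tolower($1) == key {
            if (!done) { print orig " " value; done = 1 }
            next
        }
        !inmatch && !done && /^[[:space:]]*#/ {
            line = tolower($0)
            sub(/^[[:space:]]*#[[:space:]]*/, "", line)
            if (line ~ ("^" key "([[:space:]=]|$)")) {
                print orig " " value; done = 1; next
            }
        }
        { print }
        END { if (!done) print orig " " value }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Demo on a constructed config (not a real server's file).
demo_sshd_edit() {
    cfg=$(mktemp) || return 1
    cat > "$cfg" <<'EOF'
# constructed sample sshd_config
#PermitRootLogin yes
PasswordAuthentication yes
PasswordAuthentication no
Match User backup
    PasswordAuthentication yes
EOF
    set_sshd_option "$cfg" PermitRootLogin no
    set_sshd_option "$cfg" PasswordAuthentication no
    set_sshd_option "$cfg" X11Forwarding no
    printf 'PermitRootLogin=%s PasswordAuthentication=%s X11Forwarding=%s\n' \
        "$(get_sshd_option "$cfg" PermitRootLogin)" \
        "$(get_sshd_option "$cfg" PasswordAuthentication)" \
        "$(get_sshd_option "$cfg" X11Forwarding)"
    rm -f "$cfg"
}
demo_sshd_edit
```

On a real host, run `sshd -t` after editing and before reloading the service; a syntax error in sshd_config otherwise takes down the listener on the next restart, which is exactly the kind of lock-out the warning at the top of this page is about.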
This part will:
Also, we’re going to customize sysctl with the following:
Finally, let's blacklist some kernel modules that are, in my opinion, useless on a production server:
This part is done in bkraft-securingcentos7/manifests/general.pp. If you want to apply only this part, run the following:
puppet apply --modulepath /path/to/modulesdir -e 'include bkraft-securingc7::general'
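Two things are worth checking after general.pp has run. First, a plain `blacklist foo` line in /etc/modprobe.d only stops the module from being auto-loaded by alias; `modprobe foo` and loading as a dependency still work, whereas `install foo /bin/true` turns every load attempt into a no-op. Second, a value written to a sysctl file is not the same as a value the running kernel holds. The audit below is an added example, not code from the bkraft-securingc7 module; the module names and sysctl keys it uses are placeholders, since the post's own lists are not reproduced here, and the paths are parameters so it can run against a constructed tree (on a real host pass /etc/modprobe.d and /proc/sys).

```shell
#!/bin/sh
# Added example, not code from the bkraft-securingc7 module: post-apply checks
# for the two things general.pp manages, sysctl settings and kernel-module
# blacklisting. Keys and module names are placeholders for illustration.

# Print each module that is NOT hard-disabled in the given modprobe.d
# directory. Hard-disabled means an "install <mod> /bin/true" (or
# /bin/false) line; a bare "blacklist <mod>" is not enough. modprobe treats
# '-' and '_' in module names as equivalent, so the check does too.
weak_modules() {
    dir=$1; shift
    for m in "$@"; do
        pat=$(printf '%s' "$m" | sed 's/[-_]/[-_]/g')
        if ! grep -Eqs "^[[:space:]]*install[[:space:]]+$pat[[:space:]]+/bin/(true|false)([[:space:]]|$)" \
                "$dir"/*.conf; then
            echo "$m"
        fi
    done
    return 0
}

# Compare a sysctl.d-style file ("key = value" lines) with the running
# kernel, read from <root>/<key with dots turned into slashes>. Prints
# "key running->wanted" for each difference. Keys that themselves contain
# a '/' (some per-interface keys) are not handled.
sysctl_drift() {
    want=$1; root=${2:-/proc/sys}
    grep -Ev '^[[:space:]]*(#|;|$)' "$want" | while IFS='=' read -r key val; do
        key=$(printf '%s' "$key" | tr -d '[:space:]')
        val=$(printf '%s' "$val" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        path="$root/$(printf '%s' "$key" | tr . /)"
        if [ -r "$path" ]; then
            # multi-value keys print several fields; normalise whitespace
            cur=$(tr -s '[:space:]' ' ' < "$path" | sed 's/ $//')
        else
            cur='(missing)'
        fi
        [ "$cur" = "$val" ] || echo "$key $cur->$val"
    done
}

# Demo on a constructed tree (not a real host).
demo_general_audit() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/modprobe.d" "$d/sys/net/ipv4" "$d/sys/kernel"
    # constructed modprobe.d: dccp hard-disabled, sctp only blacklisted,
    # usb-storage hard-disabled under its hyphenated spelling
    cat > "$d/modprobe.d/hardening.conf" <<'EOF'
install dccp /bin/true
blacklist sctp
install usb-storage /bin/true
EOF
    # constructed "running" values and a wanted sysctl file (placeholders)
    echo 0 > "$d/sys/net/ipv4/ip_forward"
    echo 1 > "$d/sys/kernel/kptr_restrict"
    cat > "$d/wanted.conf" <<'EOF'
# wanted settings (placeholders)
net.ipv4.ip_forward = 0
kernel.kptr_restrict = 2
EOF
    echo "modules not hard-disabled:"
    weak_modules "$d/modprobe.d" dccp sctp usb_storage
    echo "sysctl drift:"
    sysctl_drift "$d/wanted.conf" "$d/sys"
    rm -rf "$d"
}
demo_general_audit
```

The demo reports sctp as only blacklisted and kernel.kptr_restrict as 1 where 2 was wanted. Note that a module which is already loaded when the modprobe.d file is written stays loaded until it is removed with rmmod or the host reboots, so the audit is only meaningful together with `lsmod`.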
Last part: let's delete unnecessary users. These are the removed ones:
This part is done in bkraft-securingcentos7/manifests/users.pp. If you want to apply only this part, run the following:
puppet apply --modulepath /path/to/modulesdir -e 'include bkraft-securingc7::users'
Should you want to apply all of this, it is possible in one shot, but remember (or reread) the first warning written on this page. The configuration applied here might break parts of your running environment, and I really invite you to read the source of this puppet module first. If you agree with everything that is done, you can apply the complete module this way:
puppet apply --modulepath /path/to/modulesdir -e 'include bkraft-securingc7'
Why use puppet and not the classical scripts like I provided in the Securing CentOS 6 installation? Simply because this module can be re-applied at will and checks the actual state of the system against what is specified, rather than blindly redoing every step. Also, I sometimes noticed that copying/pasting things like cat > file <<EOF just don't work. Why not chef? Bah, sorry, this module is easy (and poorly written), so you can port it -if you want- to a Chef recipe.
-----BEGIN PGP SIGNATURE----- Comment: GPGTools - http://gpgtools.org iQIcBAEBCAAGBQJW5eRKAAoJEBeKS2x6xuR7XdsP/1yy5oL1jW6oMQLHVbzs82nv Dsmxk+iP2r2y9kj1G/AAGFspBYUApgRCy8NnI9sqMzABfh9v2dFYxKf6ceXoDEWv NvrrvUZKuLq1I5gwb/uhkkanp2uNm5/qq1t9NNdVWGqR+rwhH1gaBm6SNn+8xEoq qwx0uY2mqR9gDet6DgCZfF/iViZhWkCfxzP2N2o2oQTxYnIpJYR7mfdOb2ly4INk 6Qgp/BBFn9MkU5YlTV8EPtFZanq/J2dUKZRM0F7BkfGo37ufrqZxOHMOBSLGiymb KOan5lqiX1/QS+mlE4mEfLlq1Mb7eenAOyazoDyxT8nUHN+0Zzd9Uw7XrQFljqB8 m3wt0Xbtl8OgnNAzJ1cMuygVlnyzi8DhmKELzo4n+kmBRxyq8LeRStlYnKVceYwj Xu/ZmBksuxMTaCzlj98EmXZgRkottGwSZXMlRSINwzhg2lG9v5oOgnW+BtS1PUD4 CsgWbD8X6mwrVQSaMGVglb52bSqKOSKWl4xHZWvmai7H36177qKqSUlZu6zNydVe OsBwOiRVYvRuxyYHwiVR+/bFm9MsPuxMe5XFYaeWtR7Z5D81rcIZdGJNwNN3uZZP TJ2Yg8YF1tmUPgaQs/7e2B13DLQf54z99aXFYEHL593cGqpY6WpkQ2ZpaR3oVJ7j fQaTXlsH7ZZCVGN3TRCF =XXVN -----END PGP SIGNATURE-----
Created on 2015-02-23