search

2. System Hardening

hashtag
Limit Node Access

  • Limit users that can connect to the nodes

hashtag
SSH Hardening

  • use private/public key

  • disable ssh root login - PermintRootLogin no

  • disable password authentication - PasswordAuthentication no

hashtag
Privilege Escalation in Linux

  • use sudo

  • set nologin shell for root

hashtag
Remove Obsolete Packages and Services

  • Install only required packages - kubelet, kubeadm, containerd.io, kubectl

  • Remove Unwanted Services - systemctl list-units --type service

hashtag
Restrict Kernel Modules

  • Blacklist modules - cat /etc/modprobe.d/blacklist.conf blacklist sctp

hashtag
Identify and Disable Open ports

  • netstat, ss, lsof

hashtag
Minimize IAM roles

hashtag
Minimize external access to the network

hashtag
UFW

  • ufw allow proto udp from 1.2.3.5 port 5469 to 1.2.3.4 port 5469

  • ufw deny in on eth0 to 224.0.0.1 proto igmp

  • ufw allow in on eth0 to any port 80 proto tcp

hashtag
Linux Syscalls

  • strace -c touch /tmp/error.txt

  • strace -p 3596 (strace of a running process)

hashtag
Seccomp

  • /var/lib/kubelet/seccomp/profiles/

hashtag
AppArmor

  • aa-status ( modes - enforce, complain, unconfined)

  • apt install apparmor-utils

  • aa-genprof /root/add_data.sh

  • aa-logprof - update profiles

  • profiles - /etc/apparmor.d/

  • load profile - apparmor_parser /etc/apparmor.d/root.add_data.sh

  • reload profile - apparmor_parser -r /etc/apparmor.d/root.add_data.sh

  • remove profile - apparmor_parser -R /etc/apparmor.d/root.add_data.sh

hashtag
Linux Capabilities

  • getcap /usr/bin/ping

  • getpcaps 779

Previous1. Cluster Setup and HardeningNext3. Minimize Microservice Vulnerabilities

Last updated