Operating system hardening

An optional package that increases the security of the platform’s operating system by changing some of its policies can be installed on the IAM appliance.

  • It prohibits root user access via SSH.

  • It creates a special user iamadmin for access via SSH. The administrator can then, if they choose, create additional user accounts for remote access.

  • It turns off the SFTP subsystem of the SSH daemon.

  • It defines policies for user lockout and user password requirements. A policy can be partially adapted to the particular environment using optional features.

Steps to set up hardening

  1. Installing the package.

  2. Setting the password for the iamadmin user.

  3. Applying the new SSHd configuration.

  4. Applying the default password and login policies.

  5. Finalizing the policy setup for a particular environment.

Package installation

Install the package as usual. During installation, you will be informed about further actions you will need to take.

[root@localhost ~]# dnf install iam-security-settings
... abbreviated ...
NOTICE: SSHd configuration updated. Please verify configuration with 'sshd -t' and restart sshd daemon.
NOTICE: New user 'iamadmin' created. Please set its password.
NOTICE: No authselect profile in use, set it by calling 'authselect select iamappliance -f'.
... abbreviated ...

Setting the password for user iamadmin

If there is no user called iamadmin, it is created during package installation. This user cannot log in yet because it does not have a password set. Set the password for the user iamadmin.

[root@localhost ~]# passwd iamadmin
Changing password for user iamadmin.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.

Test SSH access as the iamadmin user and switch to the root user. When switching, enter the password of the user iamadmin.

[root@localhost ~]# ssh iamadmin@appliance.bcv
iamadmin@appliance.bcv's password:
Last login: Wed Aug 18 11:08:43 2021 from 172.31.255.70

[iamadmin@localhost ~]$ sudo su
[sudo] password for iamadmin:

[root@localhost iamadmin]# id
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

The user iamadmin does not have to be the only user used for remote access. Additional user accounts can be created by the administrator with the useradd command, for example:

# "login" is the login name of the new user
# -G wheel adds the user to the group "wheel", which allows the user to use the command "sudo"
# other parameters of the useradd command can be specified as desired
[root@localhost ~]# useradd -m -s /bin/bash -G wheel login

# after creating the user, set its password
# the password can be generated, for example, with the `pwgen` command
# `login` is the login name of the newly created user
[root@localhost ~]# passwd login
Changing password for user login.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.

Applying SSHd configuration

If access as the user iamadmin works, you can restart the SSHd daemon. The changes made to the SSH server configuration prohibit direct login as root. After restarting the daemon, you will need to log in as the user iamadmin and then use sudo su to switch to root.

# test that the SSHd configuration is valid
# if the test fails, you must fix the configuration by hand
# the package installation created a backup of the original configuration in /etc/ssh/sshd_config.YYYYmmdd_HHMM
[root@localhost ~]# sshd -t

# if the new configuration passes the test, we can restart SSHd
[root@localhost ~]# systemctl restart sshd

Applying password and login policies

In the IAM appliance, policies are implemented using an authselect profile and can be partially customized. Some files in /etc/pam.d/ will be rewritten.

Custom changes made to the PAM configuration will be overwritten.

Apply the basic profile iamappliance.

[root@localhost ~]# authselect select iamappliance -f
Backup stored at /var/lib/authselect/backups/2021-08-18-11-31-23.AucMps
Profile "iamappliance" was selected.
... abbreviated ...

The iamappliance profile features

Using authselect enable-feature … and authselect disable-feature …, finish the profile setup according to your needs. The full readme can be displayed directly on the system by running authselect show iamappliance. Information about the current settings can be displayed by running authselect current.

Variants of the same feature whose names end in …-lax and …-strict are mutually exclusive. To switch from one policy to the other, you have to manually turn off the first one and turn on the other.

The …-lax and …-strict variants of different features can be combined.

Example of a valid policy

iamappliance
- with-faillock-lax
- with-pwquality-strict

Example of an invalid policy

iamappliance
- with-faillock-lax
- with-faillock-strict

Supported features

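The mutual-exclusion rule above can be checked before any authselect command is run. The following POSIX shell script is an added example, not code from the iam-security-settings package or its documentation: it rejects a feature list that names both the -lax and the -strict variant of the same feature family (faildelay, faillock, pwquality, pwhistory, as listed under "Supported features") and otherwise prints one authselect enable-feature command per feature. The function names are my own.

```shell
#!/bin/sh
# Added example (not part of the iam-security-settings package): a pre-flight
# check for a list of iamappliance feature names.

# family_of FEATURE -> prints the feature family, e.g. with-faillock-lax -> faillock
family_of() {
    f=${1#with-}          # strip the leading "with-"
    f=${f%-lax}           # strip a trailing "-lax" ...
    f=${f%-strict}        # ... or "-strict"
    f=${f%-also-for-root} # ... or "-also-for-root"
    printf '%s\n' "$f"
}

# check_feature_set FEATURE... -> returns 0 when no family has both its -lax
# and its -strict variant in the list, 1 otherwise (with a message on stderr)
check_feature_set() {
    lax_families=""
    strict_families=""
    for feature in "$@"; do
        case "$feature" in
            *-lax)    lax_families="$lax_families $(family_of "$feature") " ;;
            *-strict) strict_families="$strict_families $(family_of "$feature") " ;;
        esac
    done
    for fam in $lax_families; do
        case "$strict_families" in
            *" $fam "*)
                printf 'invalid: with-%s-lax and with-%s-strict cannot be combined\n' \
                    "$fam" "$fam" >&2
                return 1 ;;
        esac
    done
    return 0
}

# print_enable_commands FEATURE... -> prints the authselect commands for a
# valid list; prints nothing and returns 1 for an invalid one
print_enable_commands() {
    check_feature_set "$@" || return 1
    for feature in "$@"; do
        printf 'authselect enable-feature %s\n' "$feature"
    done
}

# Demonstration on the two policies from the page (constructed input):
print_enable_commands with-faillock-lax with-pwquality-strict
print_enable_commands with-faillock-lax with-faillock-strict || echo "second list rejected" >&2
```

Run it on the appliance as an ordinary user; it only prints the commands, so nothing is changed until the printed authselect enable-feature lines are executed as root.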
  • Fail delay - The enforced delay between login attempts.

    • with-faildelay-lax - wait 2 seconds.

    • with-faildelay-strict - wait 10 seconds.

  • Fail lock - Temporary account lockout after several unsuccessful login attempts.

    • with-faillock-lax - 5 failed attempts within 1 minute lock the account for 2 minutes.

    • with-faillock-strict - 5 failed attempts within 5 minutes lock the account for 10 minutes.

    • with-faillock-also-for-root - The faillock setting is enforced for the root account as well. This option can be combined with either the "lax" or the "strict" option.

  • Password quality - Defines password complexity requirements.

    • with-pwquality-lax

      • Minimal length 12 characters.

      • At least 2 character classes (out of: lower case letters, upper case letters, numbers, special characters).

    • with-pwquality-strict

      • Minimal length 12 characters.

      • At least 3 character classes (out of: lower case letters, upper case letters, numbers, special characters).

      • The password cannot contain GECOS fields (first name, last name, login, address, etc.). The information is compared against the user record in the OS.

      • At most two consecutive characters can be identical. For example, the password "aabccaad" meets this requirement. The password "aaabccaad" fails it because it contains 3 consecutive instances of the character "a".

  • Password history - Defines requirements for password history checks.

    • with-pwhistory-lax - The password cannot be the same as or similar to any of the 6 previous passwords.

    • with-pwhistory-strict - The password cannot be the same as or similar to any of the 12 previous passwords.

    • with-pwhistory-also-for-root - The pwhistory setting is enforced for the root account as well. This option can be combined with either the "lax" or the "strict" option.
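The with-pwquality-strict rules listed above can be checked offline, for example in a helpdesk script that explains a rejection before passwd is called. The following POSIX shell script is an added example, not code from the package, and does not call libpwquality; the function names are my own, and the GECOS comparison is an assumption about the check's behaviour: the login and every comma- or space-separated GECOS word of at least 4 characters are compared case-insensitively against the password. The user data in the demonstration is constructed.

```shell
#!/bin/sh
# Added example (not part of the iam-security-settings package): an offline
# check of a candidate password against the with-pwquality-strict rules.

# count_classes PASSWORD -> prints how many of the four character classes
# (lower case, upper case, digits, special characters) occur in the password
count_classes() {
    n=0
    printf '%s' "$1" | grep -q '[[:lower:]]'  && n=$((n + 1))
    printf '%s' "$1" | grep -q '[[:upper:]]'  && n=$((n + 1))
    printf '%s' "$1" | grep -q '[[:digit:]]'  && n=$((n + 1))
    printf '%s' "$1" | grep -q '[^[:alnum:]]' && n=$((n + 1))
    printf '%s\n' "$n"
}

# has_excess_repeat PASSWORD -> returns 0 when some character occurs three or
# more times in a row (the "aaabccaad" case), 1 otherwise ("aabccaad").
# A POSIX BRE backreference finds the triple.
has_excess_repeat() {
    printf '%s' "$1" | grep -q '\(.\)\1\1'
}

# check_password PASSWORD LOGIN GECOS -> returns 0 when the password satisfies
# the strict policy, otherwise prints the first violated rule and returns 1
check_password() {
    pw=$1; login=$2; gecos=$3

    # Rule 1: minimal length 12 characters
    if [ "${#pw}" -lt 12 ]; then
        echo "too short: ${#pw} < 12 characters" >&2; return 1
    fi

    # Rule 2: at least 3 of the 4 character classes
    if [ "$(count_classes "$pw")" -lt 3 ]; then
        echo "fewer than 3 character classes" >&2; return 1
    fi

    # Rule 3 (assumption about the exact matching): neither the login nor any
    # GECOS word of at least 4 characters may appear in the password,
    # compared case-insensitively
    lower_pw=$(printf '%s' "$pw" | tr '[:upper:]' '[:lower:]')
    for word in $login $(printf '%s' "$gecos" | tr ',' ' '); do
        [ "${#word}" -ge 4 ] || continue
        word=$(printf '%s' "$word" | tr '[:upper:]' '[:lower:]')
        case "$lower_pw" in
            *"$word"*) echo "contains the GECOS/login word '$word'" >&2; return 1 ;;
        esac
    done

    # Rule 4: at most two identical characters in a row
    if has_excess_repeat "$pw"; then
        echo "a character is repeated more than twice in a row" >&2; return 1
    fi
    return 0
}

# Demonstration on constructed data (not a real account):
for candidate in 'Correct-Horse42' 'JohnDoe-2024-xyz' 'Vaaalid-pass-wd1' 'lowercase12345'; do
    if check_password "$candidate" jdoe 'John Doe,Room 12'; then
        echo "$candidate: accepted"
    else
        echo "$candidate: rejected"
    fi
done
```

The script is a pre-check only: the authoritative decision is still made by the PAM stack when passwd runs, so a password it accepts can still be refused (for example by a dictionary check the profile may apply).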