
Container Service for Kubernetes:ACK security hardening based on MLPS

Last Updated:Apr 16, 2024

This topic describes the level-3 requirements of Multi-Level Protection Scheme (MLPS) 2.0 that are used to harden Alibaba Cloud Linux in Container Service for Kubernetes (ACK), and how to configure a baseline check policy in Security Center to verify that your nodes meet those requirements.

MLPS compliance requirements

Alibaba Cloud publishes baselines that check whether an operating system complies with the level-3 requirements of MLPS 2.0, as defined in Information security technology - Baseline for classified protection of cybersecurity (GB/T 22239-2019), which was issued by the State Administration for Market Regulation and the Standardization Administration of the PRC. These baselines help ensure the security of Alibaba Cloud Linux used in ACK clusters. The following security hardening categories are used to bring your ACK clusters into compliance with the required baselines:

  • Identity verification

  • Access control

  • Security auditing

  • Intrusion prevention

  • Malicious code protection

Baselines for checking whether Alibaba Cloud Linux images comply with the level-3 standards of MLPS 2.0

The security of Alibaba Cloud Linux images must be hardened based on the level-3 standards of MLPS 2.0 in Information security technology - Baseline for classified protection of cybersecurity (GB/T 22239-2019). The following table describes the baselines for checking whether Alibaba Cloud Linux images comply with the level-3 standards of MLPS 2.0.

The table has three columns: Category, Baseline (the MLPS 2.0 requirement), and Description (the checks performed for that baseline).

Identity verification

Assign a unique identity to each user that logs on to the system and authenticate that user. Make sure that all UIDs are unique and that the authentication information (passwords) is complex and changed periodically.

  • Check whether all user accounts have passwords.

  • Check whether all UIDs are unique.

  • Check whether the complexity of passwords meets the requirements.

  • Check whether passwords are periodically changed.

  • Check whether the minimum password age is set. The minimum password age specifies the period of time that a password must be used before the password can be changed.

  • Limit password reuse.

  • Make sure that root is the only account whose UID is 0.

Prevent breach of authentication information transmitted over networks during remote server management.

  • Check whether sshd is forced to use protocol version 2 (Protocol 2). OpenSSH 7.4 and later implement only protocol 2 and ignore the Protocol directive, so on current releases this check passes unless an old sshd is installed.

  • Check whether insecure remote logon services, such as Telnet, are used. These transmit credentials in cleartext and must be replaced by SSH.

Handle logon failures: lock accounts after repeated failures, limit logon abuse, and end sessions that are idle or have timed out.

Check whether an account lockout policy is configured, whether idle sessions are closed automatically, and whether the client connection is closed automatically when a logon attempt times out.

Access control

Allocate accounts and grant permissions to the users that are logged on to the system.

  • Check whether accounts with the regular user, auditor, and security inspector roles are created besides administrators.

  • Check whether the umask parameter is set to 027 or a more restrictive value.

  • Check whether the permissions on each user's home directory are 750 or more restrictive.

Rename or delete the default accounts, and modify the default passwords of the default accounts.

  • Do not delete the root account on Linux. Instead, check that root cannot log on through SSH (PermitRootLogin no in /etc/ssh/sshd_config).

  • Forbid default accounts and database accounts, other than root, from logging on to the system.

  • Check for weak passwords based on the weak password baseline.

Enforce access control on individual users or processes to limit their access to files and tables in databases.

Check whether access control is enforced on individual users to limit access to important files such as access control configuration files and user permission configuration files.

Delete or disable expired accounts and accounts that are no longer in use at the earliest opportunity to avoid account sharing.

  • Forbid default accounts and database accounts to log on to the system, except for the root account.

  • Lock or delete accounts that have been deactivated or are no longer in use.

Follow the least privilege principle and isolate user permissions.

  • Limit the use of the su command.

  • Check the users (other than root) that are granted sudo privileges in the /etc/sudoers file and in /etc/sudoers.d/. Do not grant unrestricted sudo privileges (ALL=(ALL) ALL) to these users unless they are administrators.

Access control policies must be configured by an authorized administrator, who grants subjects (users and processes) permissions on objects (files and directories).

  • Check whether the permissions on each user's home directory are 750 or more restrictive.

  • Assign the ownership of unowned files or directories to an active user.

  • Configure the ownership of and permissions on the files that store the SSH host public keys.

  • Configure the ownership of and permissions on the files that store the SSH host private keys. These must be owned by root and must not be readable by other users.
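The following script is an added example and is not Alibaba Cloud's baseline checker or any code from this page. It implements several of the identity verification and access control checks above as shell functions that take the file to inspect as an argument, so they run against the constructed sample files embedded below and, unchanged, against /etc/passwd, /etc/shadow, and /etc/login.defs on a real host (run as root to read /etc/shadow). The aging limits (maximum 90 days, minimum 7 days) are assumptions; the baseline only requires that both be set.

```shell
#!/bin/bash
# Added example, not Alibaba Cloud's checker. Each function inspects the file
# passed as $1 and prints findings or returns 0/1 for pass/fail.

# Identity verification: root must be the only UID-0 account.
extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Identity verification: every UID must be unique. Prints shared UIDs.
duplicate_uids() {
    awk -F: '{ print $3 }' "$1" | sort -n | uniq -d
}

# Identity verification: every account must have a password. An empty second
# field in shadow means logon without a password; "!" or "*" is locked, fine.
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Identity verification: password aging is configured in login.defs.
# Assumed limits: PASS_MAX_DAYS <= 90, PASS_MIN_DAYS >= 7.
aging_ok() {
    max=$(awk '$1 == "PASS_MAX_DAYS" { v = $2 } END { print v + 0 }' "$1")
    min=$(awk '$1 == "PASS_MIN_DAYS" { v = $2 } END { print v + 0 }' "$1")
    [ "$max" -gt 0 ] && [ "$max" -le 90 ] && [ "$min" -ge 7 ]
}

# Access control: UMASK is 027 or more restrictive, i.e. every bit of 027 is
# also cleared by the configured (numeric) mask: 077 passes, 022 fails.
umask_ok() {
    u=$(awk 'toupper($1) == "UMASK" { v = $2 } END { print v }' "$1")
    [ -n "$u" ] && [ $(( 0$u & 0027 )) -eq $(( 0027 )) ]
}

# Access control: home directories are 750 or more restrictive. $2 is a root
# prefix so the sample tree below can stand in for /. Uses GNU stat.
home_perm_violations() {
    awk -F: '$3 >= 1000 && $7 !~ /nologin|false/ { print $6 }' "$1" |
    while read -r h; do
        d="$2$h"
        [ -d "$d" ] || continue
        mode=$(stat -c %a "$d")
        [ $(( 0$mode & 0027 )) -eq 0 ] || echo "$h $mode"
    done
}

# ---- constructed sample data (deliberately non-compliant) ----
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:second uid 0:/root:/bin/bash
ack_admin:x:1000:1000::/home/ack_admin:/bin/bash
ack_audit:x:1001:1001::/home/ack_audit:/bin/bash
svc:x:1001:1001::/home/svc:/sbin/nologin
EOF
cat > "$WORK/shadow" <<'EOF'
root:$6$salt$hash:19800:7:90:7:::
toor::19800:0:99999:7:::
ack_admin:$6$salt$hash:19800:7:90:7:::
ack_audit:!:19800:0:99999:7:::
svc:*:19800:0:99999:7:::
EOF
printf 'PASS_MAX_DAYS 99999\nPASS_MIN_DAYS 7\nUMASK 022\n' > "$WORK/login.defs"
printf 'PASS_MAX_DAYS 90\nPASS_MIN_DAYS 7\nUMASK 027\n' > "$WORK/login.defs.hardened"
mkdir -p "$WORK/home/ack_admin" "$WORK/home/ack_audit"
chmod 700 "$WORK/home/ack_admin"
chmod 755 "$WORK/home/ack_audit"

report() {   # $1 = directory holding passwd, shadow and login.defs
    echo "extra UID-0 accounts: $(extra_uid0 "$1/passwd" | tr '\n' ' ')"
    echo "duplicate UIDs      : $(duplicate_uids "$1/passwd" | tr '\n' ' ')"
    echo "empty passwords     : $(empty_password_accounts "$1/shadow" | tr '\n' ' ')"
    aging_ok "$1/login.defs" && echo "password aging      : ok" || echo "password aging      : FAIL"
    umask_ok "$1/login.defs" && echo "umask               : ok" || echo "umask               : FAIL"
    echo "home dir violations : $(home_perm_violations "$1/passwd" "$1" | tr '\n' ' ')"
}
report "$WORK"
```

On a real node, call the functions with the system files (for example `home_perm_violations /etc/passwd ""`) rather than the sample directory; the findings are the same items Security Center reports under the identity verification and access control baselines, which makes the script useful for checking a node before a policy is applied.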

Security auditing

Periodically back up audit logs to protect them from being accidentally deleted, modified, or overwritten.

Check the settings in the auditd.conf file that control how audit logs are stored and rotated: the maximum size of a log file (max_log_file), the number of rotated log files (num_logs), and the action taken when the limit is reached (max_log_file_action). Alternatively, back up the audit logs to a log server. If this item cannot be fixed automatically, check whether the security audit feature is enabled.

Audit records must include the date and time of each event, involved users, event type, whether the event is successful, and other audit-relevant information.

Check whether the requirements for enabling security audit are met.

Enable security audit for all users and audit critical events and user behavior.

  • Enable the auditd service.

  • Enable the rsyslog or syslog-ng service.

  • Record file deletion events.

  • Record changes to sudoers, which determines the sudo privileges of users.

  • Record events of user or user group changes. If a third-party log collection service is used, check the relevant settings accordingly.

Protect the audit daemon from unexpected interruptions.

The audit daemon is auditd and the log daemon is rsyslogd (or syslog-ng, if that is used instead). Check whether both daemons are running, for example by running systemctl is-active auditd rsyslog.
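As an added example (not rules shipped with ACK or Alibaba Cloud Linux), the script below generates an auditd rule set that covers the three critical-event rows above (file deletion, sudoers changes, and user or group changes) and includes a checker that reports which of those requirements an existing rules file lacks, so it can be pointed at /etc/audit/rules.d/*.rules on a node. The rule-file name 50-mlps.rules and the audit keys are assumptions chosen for this example.

```shell
#!/bin/bash
# Added example. emit_mlps_rules prints an auditd rule set; audit_rules_missing
# checks any rules file for the same coverage.

emit_mlps_rules() {
    cat <<'EOF'
## MLPS level-3 critical-event rules (added example). Install as
## /etc/audit/rules.d/50-mlps.rules, then run: augenrules --load
-D
-b 8192
## File deletion and renaming by logon users (auid >= 1000);
## auid!=unset excludes daemons that never had a logon session.
-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=unset -k delete
-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=unset -k delete
## Changes to the sudo policy
-w /etc/sudoers -p wa -k sudoers_change
-w /etc/sudoers.d/ -p wa -k sudoers_change
## User and group changes
-w /etc/passwd -p wa -k identity
-w /etc/group -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/gshadow -p wa -k identity
## Lock the configuration (must be the last rule loaded): further
## auditctl changes are refused until reboot, which protects the daemon.
-e 2
EOF
}

# Prints one line per missing requirement; returns 1 if anything is missing.
audit_rules_missing() {
    rc=0
    for w in /etc/sudoers /etc/passwd /etc/group /etc/shadow /etc/gshadow; do
        grep -Eq "^-w[[:space:]]+$w[[:space:]]+-p[[:space:]]+wa" "$1" \
            || { echo "no write/attribute watch on $w"; rc=1; }
    done
    for arch in b64 b32; do
        grep -Eq "^-a always,exit -F arch=$arch -S [^ ]*unlinkat" "$1" \
            || { echo "no $arch file deletion rule"; rc=1; }
    done
    return $rc
}

# Baseline: the audit and log daemons must be running (systemd hosts only).
daemons_active() {
    systemctl is-active --quiet auditd && systemctl is-active --quiet rsyslog
}

# Demonstration against a temporary file rather than /etc/audit
RULES=$(mktemp)
trap 'rm -f "$RULES"' EXIT
emit_mlps_rules > "$RULES"
audit_rules_missing "$RULES" && echo "generated rule set covers the baseline"
printf -- '-w /etc/sudoers -p wa -k sudoers_change\n' > "$RULES"
echo "a rules file with only the sudoers watch is missing:"
audit_rules_missing "$RULES" || true
```

After loading the rules, confirm them with `auditctl -l` and test them by searching for a key, for example `ausearch -k sudoers_change` after editing /etc/sudoers with visudo; run `daemons_active` on the node itself to cover the "daemons are launched" check.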

Intrusion prevention

Identify vulnerabilities and patch them after tests and assessment.

Use the vulnerability detection and patching feature provided by Security Center. If you detect and patch vulnerabilities by other means, ignore this baseline.

Install only the components and applications that you need.

  • Uninstall the following applications if Alibaba Cloud Linux 3 is used: avahi-daemon, Bluetooth, firstboot, Kdump, wdaemon, wpa_supplicant, and ypbind.

  • Uninstall the following applications if Alibaba Cloud Linux 2 is used: NetworkManager, avahi-daemon, Bluetooth, firstboot, Kdump, wdaemon, wpa_supplicant, and ypbind.

Disable the system services that you do not need, and close the default shared ports and high-risk ports.

  • Disable the system services and file sharing services that you do not need.

  • Close the following high-risk ports: 21 (FTP), 23 (Telnet), 25 (SMTP), 111 (rpcbind/portmapper), 427 (SLP), and 631 (CUPS/IPP).

  • If you cannot modify the access control policy due to business requirements, ignore this baseline.

Detect intrusion to key nodes and generate alerts.

Use the intrusion detection and alerting feature provided by Security Center. If you use other methods to detect intrusion and generate alerts, ignore this baseline.

Limit client access by connection method or by source IP address or CIDR block.

  • Alibaba Cloud Linux 3:

    1. Modify the /etc/ssh/sshd_config file based on the clients that need to connect to the server.

    2. Add an AllowUsers <user>@<host> entry for each user and source that is allowed to connect.

      Note

      <user> is the username of the account that needs to log on to the server, and <host> is the address of the client from which that user is allowed to connect (an IP address, a hostname pattern, or a CIDR block such as 10.0.1.0/24), not the address of the server. Replace them with the actual values. Once an AllowUsers directive is present, every user that is not listed is rejected, so include an administrative account before you restart sshd.

    3. Save the file and exit the editor. In vi, press the Esc key, enter :wq, and press the Enter key.

    4. Run sudo sshd -t to check the configuration for syntax errors, and then run the sudo systemctl restart sshd command to restart the sshd service.

  • Alibaba Cloud Linux 2:

    • The /etc/hosts.allow file specifies the clients that are allowed to connect to the host, for example sshd: 10.0.1.0/255.255.255.0 for one subnet. Do not specify ALL:ALL.

    • The /etc/hosts.deny file specifies the clients that are forbidden to connect to the host. Specify ALL:ALL to forbid all other connections.

    TCP wrappers consult /etc/hosts.allow first: a client that matches it is accepted, a client that then matches /etc/hosts.deny is rejected, and a client that matches neither file is accepted. Use both files together, and write /etc/hosts.allow before /etc/hosts.deny so that the ALL:ALL deny rule does not lock you out of the host. If you use other methods, such as security groups or firewalls, to limit the access of clients, ignore this baseline.
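The following script is an added example, not code from ACK or from OpenSSH or TCP wrappers; it models the two client-restriction mechanisms above so that a proposed configuration can be evaluated before it is applied. ssh_user_allowed evaluates sshd's AllowUsers (user, user@host, user@addr/len, with * and ? patterns), root_ssh_forbidden checks PermitRootLogin, and tcp_wrappers_allowed applies hosts.allow and hosts.deny in the order the library uses. The sample sshd_config and hosts files are constructed for the example; IPv4 only, and the EXCEPT operator and other hosts_access extensions are not modelled.

```shell
#!/bin/bash
# Added example: evaluate AllowUsers and hosts.allow/hosts.deny offline.

ip2int() {   # dotted quad -> 32-bit integer
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# $1 = client IP, $2 = network/mask; mask is a prefix length or dotted quad
net_match() {
    net=${2%/*}; m=${2#*/}
    case "$m" in
        *.*) mask=$(ip2int "$m") ;;
        *)   mask=$(( m == 0 ? 0 : (0xFFFFFFFF << (32 - m)) & 0xFFFFFFFF )) ;;
    esac
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# $1 = sshd_config, $2 = user, $3 = client IP. 0 if the AllowUsers gate admits
# the pair; other sshd checks such as PermitRootLogin still apply afterwards.
ssh_user_allowed() {
    list=$(awk 'tolower($1) == "allowusers" { for (i = 2; i <= NF; i++) printf "%s ", $i }' "$1")
    [ -n "$list" ] || return 0        # no AllowUsers directive: not restricted
    for tok in $list; do
        case "$tok" in
            *@*) u=${tok%%@*}; h=${tok#*@} ;;
            *)   u=$tok; h='*' ;;
        esac
        case "$2" in $u) ;; *) continue ;; esac
        case "$h" in
            */*) net_match "$3" "$h" && return 0 ;;
            *)   case "$3" in $h) return 0 ;; esac ;;
        esac
    done
    return 1
}

# 0 only if PermitRootLogin is explicitly "no" (the default is not "no").
root_ssh_forbidden() {
    awk 'tolower($1) == "permitrootlogin" { v = tolower($2) } END { exit ((v == "no") ? 0 : 1) }' "$1"
}

# hosts_access client pattern: ALL, net/mask, trailing-dot prefix, exact IP
client_match() {
    case "$1" in
        ALL) return 0 ;;
        */*) net_match "$2" "$1" ;;
        *.)  case "$2" in "$1"*) return 0 ;; esac; return 1 ;;
        *)   [ "$1" = "$2" ] ;;
    esac
}

# $1 = hosts.allow or hosts.deny, $2 = daemon, $3 = client IP
wrappers_file_match() {
    [ -f "$1" ] || return 1           # a missing file matches nothing
    grep -v '^[[:space:]]*#' "$1" | grep ':' | (
        while IFS=: read -r dlist clist _; do
            dmatch=1
            for d in $(printf '%s' "$dlist" | tr ',' ' '); do
                { [ "$d" = ALL ] || [ "$d" = "$2" ]; } && dmatch=0
            done
            [ $dmatch -eq 0 ] || continue
            for c in $(printf '%s' "$clist" | tr ',' ' '); do
                client_match "$c" "$3" && exit 0
            done
        done
        exit 1
    )
}

# libwrap decision order: hosts.allow first, then hosts.deny, else allow.
tcp_wrappers_allowed() {   # $1 allow file, $2 deny file, $3 daemon, $4 client IP
    if wrappers_file_match "$1" "$3" "$4"; then echo "allow (hosts.allow)"; return 0; fi
    if wrappers_file_match "$2" "$3" "$4"; then echo "deny (hosts.deny)"; return 1; fi
    echo "allow (no match)"; return 0
}

# ---- constructed sample configuration ----
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
printf 'PermitRootLogin no\nAllowUsers ack_admin@10.0.1.0/24 ack_audit@10.0.1.5\n' > "$WORK/sshd_config"
printf 'sshd: 10.0.1.0/255.255.255.0, 10.0.2.\n' > "$WORK/hosts.allow"
printf 'ALL: ALL\n' > "$WORK/hosts.deny"

ssh_user_allowed "$WORK/sshd_config" ack_admin 10.0.1.77 && echo "ack_admin from 10.0.1.77: allowed"
ssh_user_allowed "$WORK/sshd_config" ack_admin 10.0.9.1  || echo "ack_admin from 10.0.9.1: rejected"
tcp_wrappers_allowed "$WORK/hosts.allow" "$WORK/hosts.deny" sshd 192.0.2.10 || true
# Lockout scenario: hosts.deny written while hosts.allow does not exist yet
tcp_wrappers_allowed "$WORK/missing" "$WORK/hosts.deny" sshd 10.0.1.77 || true
```

The last call shows why the order of the two files matters: with ALL:ALL in /etc/hosts.deny and no /etc/hosts.allow, even the bastion subnet is rejected, which is exactly the lockout the baseline warns about.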

Malicious code protection

  • Alibaba Cloud Linux 3: Use malicious code protection technologies or a trusted verification mechanism that provides proactive immunity to identify and block intrusions, viruses, and malicious activities.

  • Alibaba Cloud Linux 2: Install malicious code protection software and keep the software version and libraries up-to-date.

Check whether Security Center is installed and used. If other security software is used, ignore this baseline.

Level-3 standards of MLPS 2.0 for Alibaba Cloud Linux

You can select Reinforcement based on classified protection to enable security hardening when you create an ACK cluster. ACK automatically enhances the security of the operating system to meet the compliance requirements in the level-3 standards of MLPS 2.0 based on Information security technology - Baseline for classified protection of cybersecurity (GB/T 22239-2019). For more information, see Create a cluster.

Figure 1. Reinforcement based on classified protection

Important
  • By default, ACK creates the regular users ack_admin, ack_audit, and ack_security in Alibaba Cloud Linux that has security hardening enabled, so that the separate administrator, auditor, and security inspector accounts called for by the access control baseline exist and the operating system complies with the level-3 requirements of MLPS 2.0.

  • To comply with the level-3 requirements of MLPS 2.0, Alibaba Cloud Linux with security hardening enabled also forbids the root user from logging on through SSH. To obtain a shell, use Virtual Network Computing (VNC) to log on to the operating system from the Elastic Compute Service (ECS) console, and then create regular users that are allowed to log on through SSH. For more information, see Connect to an instance by using VNC.

Configure a baseline check policy

Alibaba Cloud provides baselines and the baseline check feature to help you check the compliance of Alibaba Cloud Linux 2 and Alibaba Cloud Linux 3 with the level-3 standards of MLPS 2.0. This section uses Alibaba Cloud Linux 3 as an example to describe how to configure a baseline check policy to check the security compliance of ECS instances.

Prerequisites

A Security Center edition that supports the baseline check feature is purchased.

Procedure

  1. Log on to the Security Center console. In the top navigation bar, select the region in which your asset resides. You can select China or Outside China.

  2. In the left-side navigation pane, choose Risk Governance > Baseline Check. In the upper-right corner of the Baseline Check page, click Policy Management.

  3. Configure and apply a baseline check policy.

    1. In the Policy Management panel, click Create Standard Policy. In the Baseline Check Policy panel, configure the parameters and click OK.

      The following list describes the key parameters. For more information, see Step 1: (Optional) Create a baseline check policy.

      • Policy Name: Enter a name for the policy, such as Alibaba Cloud Linux 3 MLPS compliance check.

      • Baseline Name: Choose MLPS Compliance > MLPS Level 3 Compliance Baseline for Alibaba Cloud Linux 3.

      • Effective Server: Select the asset groups to which the baseline check policy is applied. By default, newly purchased servers belong to the Default asset group. To apply this policy to new servers, select Default.

    2. Return to the Policy Management panel. In the lower part of the panel, select High and Medium in the Baseline Check Item Level section and close the Policy Management panel.

    3. Select the baseline check policy from the drop-down list below Baseline Check Policy. In this example, select the policy named Alibaba Cloud Linux 3 MLPS compliance check and click Check Now.

  4. After the baseline check is complete, click the name of a baseline on the Baseline Check page to view the baseline check result.

    You can view and verify the baseline check result. For more information, see Step 3: View baseline check results and handle baseline risks.