How to implement security profiles during installation of CentOS 8?
Mastering CentOS 8 Security: Implementing Robust Profiles for Enhanced System Protection
Welcome to revWhiteShadow, your dedicated resource for navigating the complexities of the Linux environment. As you embark on your journey with CentOS, a distribution renowned for its stability and security, we understand your desire to fortify your system from the outset. Many newcomers to Linux find themselves at a crossroads when it comes to initial system hardening, and the absence of explicit security profile selections during CentOS 8 installation, unlike its predecessor, CentOS 7, can be a point of confusion. This comprehensive guide aims to demystify the process, providing actionable steps and insightful strategies to implement robust security profiles and ensure the maximum protection of your CentOS 8 environment. We will delve into the “how-to” of security profile implementation and explore the alternative, powerful solutions available to you.
Understanding the Shift in CentOS 8 Security Profile Implementation
CentOS 7 offered a straightforward approach to security profile selection during its installation process. This allowed users, even those with limited Linux expertise, to choose pre-defined security configurations that adhered to various compliance standards or security best practices. These profiles typically dictated which services were enabled, which ports were open, and the overall security posture of the operating system. However, with the evolution of the operating system and the underlying technologies, CentOS 8 has transitioned to a more modular and flexible security management paradigm.
The absence of direct security profile selection during the CentOS 8 graphical installation does not signify a reduction in security capabilities. Instead, it reflects a more granular and automated approach to security configuration, leveraging powerful tools that can be applied post-installation or integrated into automated deployment workflows. This shift empowers administrators with greater control and customization, allowing for the tailoring of security measures to specific operational needs and threat landscapes. For users new to this methodology, it can initially seem less intuitive, but by understanding the available tools and techniques, you can achieve a security posture that is not only comparable but often superior to the static profiles of previous versions.
Q1: How Do We Implement Security Profiles in CentOS 8?
The implementation of security profiles in CentOS 8 is not a single-click operation during installation, but rather a systematic process that involves configuring various security-enhancing components and applying best practices. We approach this by focusing on key areas that contribute to a secure system: system services, network access, user and group management, and auditing.
Leveraging firewalld for Network Security
One of the cornerstones of CentOS 8 security is its dynamic firewall, `firewalld`. Unlike static firewall configurations, `firewalld` allows for zone-based management of network traffic, enabling different security levels for different network interfaces or sources.
- Understanding Zones: `firewalld` operates with zones, such as `public`, `home`, `trusted`, `drop`, and `block`. Each zone has a set of predefined rules that determine the level of trust and access granted to traffic within that zone.
- Default Zone Configuration: Upon installation, CentOS 8 typically defaults to the `public` zone for most network interfaces. We need to examine and adjust the services allowed within this zone.
- Listing Active Zones and Services: To see which zones are active and what services are permitted, we can use the following commands:

```sh
sudo firewall-cmd --get-active-zones
sudo firewall-cmd --zone=public --list-services
```
- Adding and Removing Services: Based on your system’s intended function, you will need to selectively allow or deny services. For example, to allow SSH access (port 22), you would use:

```sh
sudo firewall-cmd --zone=public --add-service=ssh --permanent
sudo firewall-cmd --reload
```

To remove an unnecessary service, such as the web server if it’s not in use:

```sh
sudo firewall-cmd --zone=public --remove-service=http --permanent
sudo firewall-cmd --reload
```
- Port Forwarding and Rich Rules: For more advanced configurations, `firewalld` supports port forwarding and rich rules, allowing for precise control over incoming and outgoing traffic.
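Adding and removing services one command at a time works, but it is easy to leave a stray service behind. The following shell function is an added example, not code from the original article: it takes an explicit allowlist for a zone and the current output of `firewall-cmd --zone=ZONE --list-services`, and prints the `firewall-cmd` calls needed to reach the allowlist, so the change can be reviewed before it is applied. The function name `firewall_plan` and its argument layout are my own assumptions; the `firewall-cmd` options it emits are the ones used above.

```sh
#!/bin/sh
# Added example (not from the original article): reconcile the services allowed
# in a firewalld zone against an explicit allowlist and print the firewall-cmd
# invocations that get there. It never calls firewall-cmd itself, so the plan
# can be reviewed first; pipe its output to sh to apply it.
#
# firewall_plan ZONE "WANTED_SERVICES" "CURRENT_SERVICES"
#   WANTED_SERVICES  - space-separated allowlist for the zone
#   CURRENT_SERVICES - output of: firewall-cmd --zone=ZONE --list-services
firewall_plan() {
    zone=$1
    wanted=$2
    current=$3
    changed=0
    # Services present now but not on the allowlist: remove them.
    for svc in $current; do
        case " $wanted " in
            *" $svc "*) ;;
            *) echo "firewall-cmd --zone=$zone --remove-service=$svc --permanent"; changed=1 ;;
        esac
    done
    # Services on the allowlist but not present: add them.
    for svc in $wanted; do
        case " $current " in
            *" $svc "*) ;;
            *) echo "firewall-cmd --zone=$zone --add-service=$svc --permanent"; changed=1 ;;
        esac
    done
    # Permanent changes only take effect after a reload; skip it when nothing changed.
    [ "$changed" -eq 1 ] && echo "firewall-cmd --reload"
    return 0
}

# Live usage (needs root and a running firewalld; commented out so the file is
# safe to source):
#   current=$(firewall-cmd --zone=public --list-services)
#   firewall_plan public "ssh" "$current"             # review the plan
#   firewall_plan public "ssh" "$current" | sudo sh   # apply it
```

Because the function only prints commands, the same plan can be diffed against a previous run or committed alongside the host's configuration, which is closer to the "desired state" way of thinking that OpenSCAP profiles later in this guide use.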
Hardening System Services with systemctl
The `systemctl` command is your primary tool for managing system services. A secure system minimizes the attack surface by disabling unnecessary services.
- Listing All Running Services: To get a comprehensive overview of currently running services:

```sh
sudo systemctl list-units --type=service --state=running
```

- Disabling Unnecessary Services: For any service that is not critical to your system’s operation (e.g., `postfix` if you are not running a mail server, `avahi-daemon` for network service discovery if not needed), we can disable them to prevent them from starting at boot and to reduce potential vulnerabilities:

```sh
sudo systemctl disable postfix
sudo systemctl stop postfix
```

Repeat this process for all non-essential services.
- Masking Services: For services you absolutely do not want to run under any circumstances, masking is a stronger approach than disabling, as it prevents them from being started manually or by dependencies.

```sh
sudo systemctl mask some-unwanted-service
```
User and Group Management Best Practices
Robust user and group management is fundamental to system security.
- Principle of Least Privilege: Ensure that users and processes only have the permissions necessary to perform their intended functions.
- Strong Passwords and Authentication: Enforce strong password policies and consider implementing multi-factor authentication where appropriate.
- Regular Auditing of User Accounts: Periodically review user accounts and their associated privileges. Remove any inactive or unnecessary accounts.
- `sudo` Configuration: Carefully configure the `/etc/sudoers` file to grant specific administrative privileges to trusted users, rather than giving them full root access. Use `visudo` for safe editing of this file:

```sh
sudo visudo
```

Within `visudo`, you can define rules like:

```
username ALL=(ALL) /usr/bin/systemctl restart httpd
```

This allows `username` to restart the `httpd` service without needing the root password.
File Permissions and Ownership
Incorrect file permissions are a common security vulnerability.
- Default Permissions: Understand the default permissions for newly created files and directories.
- `chmod` and `chown`: Use `chmod` to change file permissions and `chown` to change ownership. For sensitive system files, ensure they are only readable by root and not writable by others.
- `umask`: Configure the `umask` setting for users to control the default permissions of files and directories they create. A common secure `umask` is `027` or `077`. This can be set in `/etc/profile` or user-specific files like `~/.bashrc`.
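The difference between `027` and `077` is easiest to see on real files. This shell function is an added example, not part of the original article: it creates a file and a directory under a given `umask` in a scratch directory and reports the resulting modes. The helper name `perms_under_umask` is my own; it assumes GNU `stat` (present on CentOS 8).

```sh
#!/bin/sh
# Added example (not from the original article): show what a given umask does to
# newly created files and directories. Runs in a scratch directory that is
# removed afterwards; the caller's own umask is left untouched because the
# umask is changed inside a subshell.
#
# perms_under_umask UMASK  -> prints "FILEMODE DIRMODE", e.g. "640 750"
perms_under_umask() {
    scratch=$(mktemp -d) || return 1
    (
        umask "$1"
        : > "$scratch/f"          # new file: 666 with the umask bits cleared
        mkdir "$scratch/d"        # new directory: 777 with the umask bits cleared
        printf '%s %s\n' "$(stat -c %a "$scratch/f")" "$(stat -c %a "$scratch/d")"
    )
    rm -rf "$scratch"
}

# Results for the two values recommended above (and the permissive 022 default
# for comparison):
#   perms_under_umask 027   -> 640 750   (group may read, others get nothing)
#   perms_under_umask 077   -> 600 700   (owner only)
#   perms_under_umask 022   -> 644 755   (world-readable)

# To make 027 the system-wide default for login shells on CentOS 8, as root:
#   printf 'umask 027\n' > /etc/profile.d/umask.sh
```

The `027` value is usually the pragmatic choice on shared servers, since group-based collaboration still works, while `077` fits single-purpose accounts such as service users whose files nobody else should read.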
Security Enhanced Linux (SELinux)
SELinux is a powerful mandatory access control (MAC) system that provides an additional layer of security by defining policies for what processes can do.
- Checking SELinux Status:

```sh
sestatus
```

SELinux can be in three modes: `Enforcing`, `Permissive`, or `Disabled`.
  - `Enforcing` Mode: In this mode, SELinux policies are actively enforced, and any actions that violate the policy are denied. This is the most secure mode.
  - `Permissive` Mode: In this mode, SELinux policies are not enforced, but any violations are logged. This is useful for troubleshooting and developing new policies.
  - `Disabled` Mode: SELinux is completely turned off. This is generally not recommended for production systems.
- Managing SELinux Contexts: The `chcon`, `restorecon`, and `semanage` commands are used to manage SELinux contexts, which are labels applied to files, directories, and processes that define their security attributes.
- Troubleshooting SELinux Denials: When SELinux denies an action, it’s logged. The `audit.log` file (`/var/log/audit/audit.log`) and tools like `audit2why` and `audit2allow` are invaluable for understanding and resolving these denials.

```sh
sudo ausearch -m avc -ts today | audit2allow -M mypolicy
```

This command searches for Access Vector Cache (AVC) denials in the audit log from today, interprets them, and generates a SELinux policy module. Review the generated `mypolicy.te` before loading the module with `semodule -i mypolicy.pp`: `audit2allow` writes an allow rule for every denial it was given, so a denial that reflects a real policy violation (or mislabeled files that `restorecon` would fix) should not end up as a permanent exception.
Q2: If We Can’t Use the Security Profiles of CentOS 7 Then What Options Do We Have for CentOS 8?
As we’ve established, the direct selection of security profiles during CentOS 8 installation is not present. However, this absence is compensated by more advanced and flexible tools that allow for the implementation of comprehensive security postures. The primary and most highly recommended option for achieving robust security compliance in CentOS 8 is OpenSCAP.
Introducing OpenSCAP: Your Next-Generation Security Solution
OpenSCAP is an open-source project that provides tools and libraries to manage and enforce security policies based on the Security Content Automation Protocol (SCAP). SCAP is a suite of standards that allow for the automation of enterprise security and compliance.
What is SCAP? SCAP is a set of standards developed by the National Institute of Standards and Technology (NIST) and the Department of Defense (DoD). It aims to standardize the way security information is communicated and automated. Key components of SCAP include:
- CVE (Common Vulnerabilities and Exposures): A dictionary of publicly known information security vulnerabilities.
- CPE (Common Platform Enumeration): A naming standard for identifying products and classes of products.
- CWE (Common Weakness Enumeration): A list of software security weaknesses.
- CVSS (Common Vulnerability Scoring System): A framework for conveying the business impact of vulnerabilities.
- XCCDF (Extensible Configuration Checklist Description Format): A benchmark for describing security checklists and compliance policies.
- OVAL (Open Vulnerability and Assessment Language): A language for describing security-related information about computer systems.
How OpenSCAP Works: OpenSCAP utilizes SCAP-compliant data to scan systems, assess their configuration against defined security policies, and remediate any identified vulnerabilities. This allows for the automation of tasks that were previously manual and prone to error.
Implementing Security with OpenSCAP
The OpenSCAP ecosystem on CentOS 8 includes several key components:
- `scap-security-guide`: This package provides a collection of SCAP-compliant security policies, including profiles for various standards like DISA STIGs (Defense Information Systems Agency Security Technical Implementation Guides), CIS Benchmarks (Center for Internet Security), and PCI DSS (Payment Card Industry Data Security Standard).
- `openscap-scanner`: This is the command-line tool used to perform scans and apply remediation actions.
Steps to Implement Security Profiles using OpenSCAP:
- Installation: First, we need to install the necessary OpenSCAP components.

```sh
sudo dnf install openscap-scanner scap-security-guide
```

- Exploring Available Security Guides: The `scap-security-guide` package installs a wealth of pre-defined security policies. You can list these available guides and their profiles to understand your options; the `oscap info` subcommand prints the profiles contained in an XCCDF file or data stream:

```sh
oscap info /usr/share/xml/scap/ssg/content/ssg-centos8-xccdf.xml
```

This command will list the available profiles within the default CentOS 8 SCAP Security Guide. You’ll see profiles like `xccdf_org.ssgproject.content_profile_ospp` (OpenSCAP Package Policy), `xccdf_org.ssgproject.content_profile_cis` (CIS Benchmark), and others.
- Performing a Security Scan: To assess your system’s compliance against a specific profile, you can perform a scan. Let’s use the CIS (Center for Internet Security) benchmark as an example.

```sh
sudo oscap xccdf eval --profile cis --results results.xml --report report.html /usr/share/xml/scap/ssg/content/ssg-centos8-xccdf.xml
```

  - `--profile cis`: Specifies the CIS benchmark profile to evaluate.
  - `--results results.xml`: Outputs the scan results in an XML format.
  - `--report report.html`: Generates a human-readable HTML report of the scan.
  - `/usr/share/xml/scap/ssg/content/ssg-centos8-xccdf.xml`: The path to the SCAP Security Guide content for CentOS 8.
- Analyzing the Report: Open the `report.html` file in your web browser. This report will detail which security controls passed, failed, or were not applicable to your system. It provides a clear overview of your system’s current security posture relative to the chosen profile.
- Remediation: The most crucial step is to remediate the identified vulnerabilities. OpenSCAP can automate this process as well. For example, to apply the remediation for the CIS benchmark:

```sh
sudo oscap xccdf eval --profile cis --remediate --results results.xml --report report.html /usr/share/xml/scap/ssg/content/ssg-centos8-xccdf.xml
```

The `--remediate` flag instructs OpenSCAP to attempt to fix the issues that were identified during the scan according to the policy’s remediation rules.
- Customizing Profiles: For more tailored security, you can create custom XCCDF files or modify existing ones to suit your specific requirements. This allows for fine-grained control over which security checks are applied and how they are remediated.
Q3: Will OpenSCAP Keep the CentOS 8 Secure?
OpenSCAP is not a magical shield that guarantees absolute security on its own, but it is an exceptionally powerful and indispensable tool for maintaining a highly secure CentOS 8 environment. Its effectiveness is directly tied to how it is implemented, the specific security policies chosen, and the ongoing maintenance of the system.
Here’s a breakdown of why OpenSCAP is so vital and its limitations:
Strengths of OpenSCAP for CentOS 8 Security:
- Automation of Compliance: OpenSCAP automates the process of assessing system configurations against established security benchmarks. This significantly reduces the risk of human error and ensures consistent application of security policies.
- Adherence to Standards: It enables your CentOS 8 system to comply with industry-specific regulations and security best practices, such as PCI DSS, HIPAA, and NIST guidelines. This is crucial for organizations operating in regulated sectors.
- Proactive Vulnerability Management: By regularly scanning and remediating identified misconfigurations, OpenSCAP helps prevent known vulnerabilities from being exploited.
- Reduced Attack Surface: The ability to identify and disable unnecessary services and features through defined policies directly contributes to minimizing the system’s attack surface.
- Auditability and Reporting: The detailed reports generated by OpenSCAP provide clear evidence of your system’s security posture and compliance status, which is essential for audits.
- Customization: The flexibility to tailor security profiles allows you to implement a security strategy that aligns precisely with your organization’s unique needs and risk tolerance.
Limitations and Considerations:
- Not a Replacement for Core Security Practices: OpenSCAP focuses on configuration hardening and compliance. It does not replace fundamental security practices such as:
- Regular Software Updates: Keeping your system and all installed packages patched and up-to-date is paramount.
- Intrusion Detection/Prevention Systems (IDS/IPS): Tools like `fail2ban` or dedicated IDS solutions are needed to monitor for and react to malicious activity in real-time.
- Secure Application Development: If you are running custom applications, ensuring their code is secure is critical.
- Physical Security: Protecting the physical access to your servers remains a fundamental security layer.
- User Awareness and Training: Educating users about security threats like phishing is vital.
- Policy Interpretation and Remediation: While OpenSCAP can automate remediation, understanding the implications of certain policy changes is important. Some automated remediations might impact system functionality if not carefully considered. Always review reports and test remediations in a non-production environment first.
- Evolving Threat Landscape: Security is an ongoing process. New vulnerabilities and threats emerge constantly. Regular updates to SCAP data and re-evaluation of your security posture are necessary.
- Complex Environments: In very large and complex environments, managing and customizing OpenSCAP policies might require specialized expertise.
Key Steps for Effective OpenSCAP Implementation:
- Select Appropriate Profiles: Choose profiles that align with your compliance requirements and security objectives. For general hardening, the CIS benchmark is an excellent starting point. For specific government or industry compliance, identify the relevant DISA STIGs or other standards.
- Regular Scanning: Schedule regular scans (daily, weekly, or monthly, depending on your risk tolerance and change management processes) to continuously monitor your system’s security posture.
- Automated Remediation (with caution): Implement automated remediation where feasible, but always review the remediation actions and their potential impact. Consider manual remediation for critical systems or for changes that have significant operational implications.
- Integrate with Other Security Tools: Combine OpenSCAP with other security tools like `auditd` for enhanced logging, intrusion detection systems, and vulnerability scanners for a layered security approach.
- Stay Updated: Ensure that your `scap-security-guide` package and the `openscap-scanner` are kept up-to-date to benefit from the latest security checks and policy refinements.
In conclusion, while CentOS 8 has shifted its approach to security profile implementation away from a simple selection during installation, it offers far more powerful and flexible mechanisms. By embracing tools like `firewalld`, `systemctl`, and, most importantly, OpenSCAP, you can implement robust security profiles that not only match but exceed the security levels achievable with older methods. Your commitment to understanding and actively managing these tools will be the key to maintaining a highly secure and stable CentOS 8 environment. At revWhiteShadow, we are here to guide you on this important journey of securing your digital infrastructure.