
LCFG Project


Recent Activity for the LCFG project

Weekly Changes – 08/11/2021

A fairly quiet week with most changes only affecting optional components. Users of Let’s Encrypt via the x509 component should familiarise themselves with the changes. Here are the full details…

lightdm login improvements

This week the pam_trimspaces package will be installed on all DICE Ubuntu machines which have a graphical login. The changes to the PAM configuration for lightdm on DICE are still being tested; we expect to deploy the change fairly soon. Note that the config change can only be deployed once the package is installed on every machine, otherwise PAM would reference a module that does not exist and users would be locked out by the faulty PAM config.

systemd presets

We have recently noticed that when installing a package for a service (e.g. the Apache web server) it is automatically enabled and started. From a security point of view this is less than ideal and sometimes we only install such packages to satisfy dependencies not because we actually require a web server to be running (e.g. on a compute server).

Systemd provides support for specifying presets for services, see systemd.preset(5) for full details. These allow an administrator to control whether a service should be automatically enabled (or disabled) when it is first installed.

The LCFG systemd component on Ubuntu has now gained support for configuring presets. This week sees the introduction of a new (version 5) schema that has a new preset tag list resource and two associated sub-resources: preset_unit_$ and preset_state_$. The unit may be either the name of a specific unit or a wildcard (glob) pattern. The state is one of enable or disable. Preset rules are evaluated in order and the first matching line wins, so specific enable rules must come before a catch-all disable. For example, to disable all new services by default, the resources would be:

!systemd.preset mADD(default)
!systemd.preset_unit_default   mSET(*)
!systemd.preset_state_default  mSET(disable)

Support for this new feature will be completed next week when the new component package is added.
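The rules in systemd.preset(5) are short but easy to misapply, so here is an added example (not code from the LCFG project or this post) that models how systemd resolves a unit's preset state: files are processed in lexical order, the first enable/disable line whose glob matches the unit wins, and a unit that no line matches defaults to enable. The preset file names, their contents and the unit names are constructed for the example; the real name of the file the LCFG component generates is not stated here.

```shell
#!/bin/sh
# Added example, not LCFG code: emulate systemd's preset lookup so the effect of
# "disable *" can be checked before it is rolled out to real machines.
# PRESET_DIR is a constructed stand-in for /etc/systemd/system-preset.

PRESET_DIR=$(mktemp -d)
trap 'rm -rf "$PRESET_DIR"' EXIT

# 10-site.preset (assumed name): what the LCFG resources in the post would
# plausibly produce, with one explicit exception placed before the catch-all.
cat > "$PRESET_DIR/10-site.preset" <<'EOF'
# constructed sample of a site-wide preset file
enable ssh.service
disable *
EOF

# 90-vendor.preset (assumed name): a later-sorting file that wants apache2
# enabled. It loses, because "disable *" in 10-site.preset matches first.
cat > "$PRESET_DIR/90-vendor.preset" <<'EOF'
enable apache2.service
EOF

# preset_state DIR UNIT -> prints "enable" or "disable" for UNIT, following
# systemd.preset(5): lexical file order, first matching line wins, default enable.
preset_state() {
    dir=$1
    unit=$2
    for f in "$dir"/*.preset; do
        [ -f "$f" ] || continue
        while IFS= read -r line || [ -n "$line" ]; do
            # comments and blank lines are ignored
            case "$line" in ''|'#'*) continue ;; esac
            set -f              # patterns are unit globs, never filename globs
            set -- $line        # split on whitespace: directive, then patterns
            directive=$1
            shift
            case "$directive" in
                enable|disable)
                    for pat in "$@"; do
                        # unquoted $pat is used as a shell glob, as systemd does
                        case "$unit" in
                            $pat) set +f; echo "$directive"; return 0 ;;
                        esac
                    done ;;
            esac
            set +f
        done < "$f"
    done
    echo enable                 # no rule matched: systemd enables by default
}

# Walk-through for the reader (nothing below is needed by the functions).
for u in ssh.service apache2.service cron.service; do
    printf '%-16s -> %s\n' "$u" "$(preset_state "$PRESET_DIR" "$u")"
done
```

Two things the model makes visible: with `disable *` in place, every unit the machine actually needs must be named in an earlier `enable` line, and a vendor file that sorts later cannot override the site rule. Presets are consulted when `systemctl preset` runs, which is what the package maintainer scripts do at install time, so adding the rule later does not change units that are already enabled; use `systemctl is-enabled apache2.service` after an install to confirm the result.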

Let’s Encrypt Support

As noted last week, the LCFG x509 component has a new schema (version 10) that adds support for specifying additional environment variables which will be added to the Let’s Encrypt dehydrated configuration file. This week the new schema is enabled and the component has been updated to support the new features. At the same time the version of the dehydrated package has been updated to 0.7.0 on both SL7 and Ubuntu Focal, see the release notes for full details of the changes.

SSH server configuration

A new LCFG header – ed/options/ssh-server.h – has been created as the basis for a standard configuration for an SSH server in the College of Science. This takes inspiration from the configuration used by Informatics. Currently it has support for:

  • Disabling Linux kernel module loading
  • Denying access to dmesg
  • Disabling cron-access for normal users
  • Enabling extra process accounting
  • Running fail2ban to handle authentication failures
  • Running rkhunter on a daily basis

More features will be added, including optional ones which can be enabled as required by defining a macro. Anyone interested in using this configuration should give it a try and send us any comments or suggestions for improvements.

rkhunter

The LCFG header for the rkhunter component has gained support for specifying an external configuration file via the LCFG_OPTIONS_RKHUNTER_CONFIGFILE macro; this is used instead of any file generated by the component. This allows an immutable file to be provided which is shared between multiple machines via a network filesystem (e.g. AFS or NFS). Support has also been added for running a daily scan via cron by defining the LCFG_OPTIONS_RKHUNTER_DAILYREPORT macro.
