Weekly Changes – 08/11/2021
A fairly quiet week with most changes only affecting optional components. Users of Let’s Encrypt via the x509 component should familiarise themselves with the changes. Here are the full details…
lightdm login improvements
This week the pam_trimspaces package will be installed on all DICE Ubuntu machines which have a graphical login. The changes to the PAM configuration for lightdm on DICE are still being tested; we expect to deploy them fairly soon. Note that the config change can only be deployed once the package is installed: a PAM stack that references a module which is not yet present fails, and users would be locked out.
systemd presets
We have recently noticed that when a package for a service (e.g. the Apache web server) is installed, the service is automatically enabled and started. From a security point of view this is undesirable: it leaves a listening service running that nobody asked for, and sometimes we only install such packages to satisfy dependencies, not because we actually require a web server to be running (e.g. on a compute server).
Systemd provides support for specifying presets for services, see systemd.preset(5) for full details. These allow an administrator to control whether a service should be automatically enabled (or disabled) when it is first installed.
The LCFG systemd component on Ubuntu has now gained support for configuring presets. This week sees the introduction of a new (version 5) schema that has a new preset tag list resource and 2 associated sub-resources: preset_unit_$ and preset_state_$. The unit may be either the name of a specific unit or a wildcard. The state is one of enable or disable. For example, to disable all new services by default, the resources would be:

!systemd.preset mADD(default)
!systemd.preset_unit_default mSET(*)
!systemd.preset_state_default mSET(disable)
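The point that catches people out with a catch-all "disable *" is that systemd evaluates a preset file top to bottom and the first matching line wins, so any unit you still want enabled must appear above the catch-all (for the LCFG resources this means the explicit preset tags would have to be listed before the default one, assuming the component writes the tags in list order). The following shell script is an added example, not code from the LCFG systemd component; it emulates that evaluation over two constructed preset files whose names and contents are assumptions:

```shell
#!/bin/sh
# Added example (not the LCFG systemd component's code): emulate how systemd
# evaluates a preset file, see systemd.preset(5). The rule that matters for a
# catch-all "disable *" is that the FIRST matching line wins, so the order of
# the lines decides the outcome.
set -f   # a bare '*' on a preset line is a unit pattern, never a filename glob

# Two constructed preset files (names are assumptions; systemd reads
# /etc/systemd/system-preset/*.preset in lexical order, /etc overriding /lib).
WORK=$(mktemp -d) || exit 1
trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/10-lcfg-good.preset" <<'EOF'
# allow-list first, catch-all last
enable ssh.service
enable fail2ban.service
disable *
EOF
cat > "$WORK/10-lcfg-bad.preset" <<'EOF'
# catch-all first: the enable lines below it are never reached
disable *
enable ssh.service
enable fail2ban.service
EOF

# preset_state UNIT FILE -> prints "enable" or "disable"
preset_state() {
  unit=$1
  file=$2
  while IFS= read -r line || [ -n "$line" ]; do
    case $line in ''|'#'*) continue ;; esac
    set -- $line          # word-split into ACTION PATTERN...
    action=$1
    shift
    for pat in "$@"; do
      # an unquoted variable in a case pattern is matched as a shell pattern,
      # the same glob-style matching systemd applies to preset lines
      case $unit in
        $pat) printf '%s\n' "$action"; return 0 ;;
      esac
    done
  done < "$file"
  printf 'enable\n'       # no line matched: systemd's default is enable
}

for f in "$WORK"/10-lcfg-good.preset "$WORK"/10-lcfg-bad.preset; do
  echo "== $(basename "$f")"
  for u in ssh.service fail2ban.service apache2.service; do
    printf '  %-18s %s\n' "$u" "$(preset_state "$u" "$f")"
  done
done
```

Running it shows ssh.service and fail2ban.service enabled and apache2.service disabled under the first file, but everything disabled under the second. Two further caveats: presets are only consulted when a unit is first installed (Debian's deb-systemd-helper runs systemctl preset from the package postinst, and deb-systemd-invoke then declines to start a unit that is not enabled), so they do not change units that are already enabled on an existing machine; systemctl preset-all applies them retrospectively, and anything explicitly enabled afterwards with systemctl enable still wins.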
Support for this new feature will be completed next week when the new component package is added.
Let’s Encrypt Support
As noted last week, the LCFG x509 component has a new schema (version 10) that adds support for specifying additional environment variables which will be added to the Let’s Encrypt dehydrated configuration file. This week the new schema is enabled and the component has been updated to support the new features. At the same time the version of the dehydrated package has been updated to 0.7.0 on both SL7 and Ubuntu Focal, see the release notes for full details of the changes.
SSH server configuration
A new LCFG header – ed/options/ssh-server.h – has been created as the basis for a standard configuration for an SSH server in the College of Science. This takes inspiration from the configuration used by Informatics. Currently it has support for:
- Disabling Linux kernel module loading
- Denying access to dmesg
- Disabling cron access for normal users
- Enabling extra process accounting
- Running fail2ban to handle authentication failures
- Running rkhunter on a daily basis
More features will be added, including optional ones which can be enabled as required by defining a macro. Anyone interested in using this configuration should give it a try and send us any comments or suggestions for improvements.
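For anyone trying the header, a quick way to confirm the first three items actually took effect on a host is to read the relevant kernel and cron settings back. The script below is an added example, not code from ed/options/ssh-server.h; it assumes the header uses the usual mechanisms (kernel.modules_disabled=1, kernel.dmesg_restrict=1, and an /etc/cron.allow listing only root) and takes a root directory as its argument so the same checks run against constructed fixtures here and against / on a real machine:

```shell
#!/bin/sh
# Added example, not code from the ed/options/ssh-server.h header: audit the
# kernel-hardening and cron items from the list above. Assumption: the header
# implements them as kernel.modules_disabled=1, kernel.dmesg_restrict=1 and an
# /etc/cron.allow containing only root. All paths are taken relative to $ROOT.

check_sysctl() {  # check_sysctl ROOT KEY EXPECTED -> 0 if the value matches
  f="$1/proc/sys/kernel/$2"
  if [ ! -r "$f" ]; then
    echo "FAIL kernel.$2 not present"
    return 1
  fi
  v=$(cat "$f")
  if [ "$v" = "$3" ]; then
    echo "OK   kernel.$2=$v"
    return 0
  fi
  echo "FAIL kernel.$2=$v (want $3)"
  return 1
}

check_cron_allow() {  # check_cron_allow ROOT: cron.allow must exist and list only root
  f="$1/etc/cron.allow"
  if [ ! -r "$f" ]; then
    echo "FAIL $f absent: any user may install a crontab"
    return 1
  fi
  # cron.allow is a plain list of user names; ignore blank and comment lines
  extra=$(grep -v -e '^root$' -e '^#' -e '^[[:space:]]*$' "$f" || true)
  if [ -z "$extra" ]; then
    echo "OK   crontab restricted to root"
    return 0
  fi
  echo "FAIL crontab also allowed for: $(printf '%s' "$extra" | tr '\n' ' ')"
  return 1
}

audit_host() {  # audit_host ROOT -> exit status is the number of failed checks
  fails=0
  check_sysctl "$1" modules_disabled 1 || fails=$((fails + 1))
  check_sysctl "$1" dmesg_restrict 1 || fails=$((fails + 1))
  check_cron_allow "$1" || fails=$((fails + 1))
  return "$fails"
}

# Constructed fixtures standing in for two hosts (not real machines)
make_root() {  # make_root DIR MODULES_DISABLED DMESG_RESTRICT CRON_ALLOW_CONTENT
  mkdir -p "$1/proc/sys/kernel" "$1/etc"
  echo "$2" > "$1/proc/sys/kernel/modules_disabled"
  echo "$3" > "$1/proc/sys/kernel/dmesg_restrict"
  if [ -n "$4" ]; then printf '%s\n' "$4" > "$1/etc/cron.allow"; fi
}
WORK=$(mktemp -d) || exit 1
trap 'rm -rf "$WORK"' EXIT
HARDENED="$WORK/hardened"; make_root "$HARDENED" 1 1 root
STOCK="$WORK/stock";       make_root "$STOCK" 0 0 ""

echo "== hardened host"; audit_host "$HARDENED"
echo "== unhardened host"; audit_host "$STOCK"
echo "To audit this machine run: audit_host /"
```

One caveat worth knowing before enabling the module-loading item: kernel.modules_disabled is one-way, it can only be set to 1 and only a reboot clears it, so it has to be applied late in boot after every module the host needs (storage, network, AFS client) has been loaded; applied too early, the machine may not come up cleanly.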
rkhunter
The LCFG header for the rkhunter component has gained support for specifying an external configuration file via the LCFG_OPTIONS_RKHUNTER_CONFIGFILE macro; this is used instead of any file generated by the component. This allows an immutable file to be provided which is shared between multiple machines via a network filesystem (e.g. AFS or NFS). Support has also been added for running a daily scan via cron by defining the LCFG_OPTIONS_RKHUNTER_DAILYREPORT macro.