Security Guidelines

The following guidelines describe how to obtain a secure Stream installation.

Stream should run on a dedicated machine. Consequently, all unused packages should be removed from the machine. The system should have been installed following the security guidelines recommended by the operating system vendor.

The following requirements should be met:

  • SELinux should be enabled

  • The stream-hardening rpm should be installed

  • Privileged Access Management or SSH/Sudoers should be set up

  • The disk space should be monitored, and when the disk is filled to a critical level, the database logs should be backed up on an external storage following the Administration Guide section: Managing Security > Events > Purging/Backup event database

  • The firewall should be enabled and ports 80 and 443 allowed

  • Only certificate authentication should be enabled once the product has been initialized and the initial Key Ceremony phase performed

  • The NGINX configuration should be modified following the below procedure

  • Stacktrace logging in events should be disabled

On top of that, though it is not mandatory, it is recommended to set up other security-related solutions, such as a Web Application Firewall, an Intrusion Detection System, or a Security Information and Event Management system.

All the following steps should be followed to ensure compliance with the above requirements, if they are not already implemented, and should be performed with an account with administrative privileges.

SELinux

To enhance security, SELinux should be enabled in enforcing mode. The following command switches the running system to enforcing mode; note that setenforce does not survive a reboot, so SELINUX=enforcing should also be set in /etc/selinux/config.

# setenforce Enforcing

To ensure that it is enabled, run the following command:

# getenforce

This should return Enforcing.

Install the stream-hardening rpm

Follow the same steps as in Installing Stream but for the stream-hardening rpm.

Once the rpm is installed, a system reboot is necessary. The following command can be used:

# reboot now

In order to install the stream-hardening policies, the server must have access to a repository (mirror, ISO file, ...) of the Linux distribution you are using, so that the dependencies of the software can be installed. The stream-hardening package has the following dependencies:

  • stream

  • policycoreutils-python-utils

Please note that these packages may have their own dependencies.

Sudoers

To administer Stream without using the root user, the stream-hardening rpm creates a stream-administrator group with sudoers permissions.

Create a new user with stream-administrator and stream groups, for instance, user-admin.

# useradd -G stream-administrator,stream user-admin
# passwd user-admin

Link user-admin to the SELinux sysadm_u user:

# semanage login -a -s sysadm_u -rs0:c0.c1023 user-admin

The semanage command is available with the policycoreutils-python-utils package.

Relabel the home folder of the user-admin user with the following command:

# restorecon -FR -v /home/user-admin

If you need to access the user-admin account via SSH, you will need to set the SELinux ssh_sysadm_login boolean:

# setsebool -P ssh_sysadm_login on

The setsebool command is available with the policycoreutils package.

The user-admin user can now:

  • Manage the MongoDB server with systemctl

  • Manage the NGINX server with systemctl

  • Manage the Stream server with systemctl

  • Execute every script under the /opt/stream/sbin/ folder as root

Configuring the Firewall

The firewall should have been configured at the setup step.

In addition to this configuration, HTTPS (443) access should be restricted to:

  • The Stream administrators

  • External components using Stream certificate lifecycle capabilities (Horizon for example)

Firewalld may allow additional ports by default. No ports other than those referenced in the setup step should be allowed.

X509 Enforcing

In order to improve security, once an administration certificate has been issued, all authentication modes other than certificate authentication should be disabled.

To do that, please follow the dedicated steps in the security section of the administration guide: Managing Security > Enforce Certificate Authentication

NGINX Configuration

In order to improve security, the default NGINX configuration should be altered.

1. In the /etc/nginx/nginx.conf configuration file, the server block containing the listen 80 instruction should be deleted or commented out.

Once an administration certificate has been issued, /opt/stream/etc/stream-httpd.conf should be updated as follows.

2. The following line

ssl_verify_client         optional_no_ca;

should be replaced by the lines:

ssl_verify_client         on;
ssl_client_certificate    ssl/client-trusted-cas.pem;
ssl_trusted_certificate   ssl/trusted-cas.pem;
ssl_crl                   ssl/crl-bundle.pem;

With ssl_verify_client set to on, NGINX rejects any TLS handshake that does not present a client certificate chaining to a trusted CA and absent from the CRL, which ensures that only valid and trusted certificates can be used to authenticate on the Stream server.

3. For the following example chain:
Root CA → Client Issuing CA 1
Root CA → Client Issuing CA 2

The /etc/nginx/ssl/client-trusted-cas.pem file should contain the PEM certificates of the CAs trusted for client authentication, concatenated one after the other. It should look like:

-----BEGIN CERTIFICATE-----
<Client Issuing CA 1 PEM>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<Client Issuing CA 2 PEM>
-----END CERTIFICATE-----

The /etc/nginx/ssl/trusted-cas.pem file should contain the PEM certificates of the chain above the CAs trusted for client authentication (here the root CA), concatenated one after the other. Unlike the ssl_client_certificate file, this list is not sent to clients. It should look like:

-----BEGIN CERTIFICATE-----
<Root CA PEM>
-----END CERTIFICATE-----

Both these files should have the following permissions:

# chmod 640 /etc/nginx/ssl/trusted-cas.pem
# chmod 640 /etc/nginx/ssl/client-trusted-cas.pem
# chown root:nginx /etc/nginx/ssl/trusted-cas.pem
# chown root:nginx /etc/nginx/ssl/client-trusted-cas.pem

To keep the CRL up to date, the /opt/stream/etc/crl-fetching.conf configuration file (installed with the stream-hardening rpm) should be customized:

# Uncomment and edit the following line
# CRL_URLS=("<CRL URL 1>" "<CRL URL 2>")
CRL_DOWNLOAD_PATH="/etc/nginx/ssl/tmp.crl"
CRL_PEM_PATH="/etc/nginx/ssl/tmp.crl.pem"
TMP_CRL_BUNDLE_PATH="/etc/nginx/ssl/tmp.crl.bundle"
NGINX_CRL_BUNDLE_PATH="/etc/nginx/ssl/crl-bundle.pem"

To customize this file, the CRL_URLS line following the # Uncomment and edit the following line comment should be uncommented and edited to list the URL of each of your CRLs.

ALL of the CAs present in the /etc/nginx/ssl/trusted-cas.pem and /etc/nginx/ssl/client-trusted-cas.pem files must have their CRL downloaded; NGINX checks revocation for the whole chain and fails client verification for any CA whose CRL is missing from the bundle.
CRLs are expected in DER format.
To fetch a CRL from Stream, first follow Managing Certificate Revocation Lists > Configuring Certificate Revocation Lists for a Managed CA in the administration guide; the CRL path is then http://localhost:9000/crls/<your CA Technical Name>

The following file should then be put in /etc/cron.d/nginx-crl:

# This cron job runs every 5 minutes and executes a script replacing the CRL file for NGINX
*/5 * * * * root /opt/stream/sbin/crl-fetching

Stacktrace management

Stacktraces in the functional logs can reveal a lot about the technical architecture of the application. To disable their logging, set the stream.event.disable-stacktrace parameter to true, following the steps in the Overridable configuration parameters section of the administration guide.

Stacktraces are still available in the technical logs.