ContainerOS is based on Alibaba Cloud Linux 3 and is vertically optimized for containerization scenarios. Compared with Alibaba Cloud Linux 3, ContainerOS provides higher security, faster startup speeds, and streamlined system services and software packages. This topic provides ContainerOS security reinforcement suggestions to help you enhance the security of ContainerOS.
ContainerOS is intended for containerized workloads. Software packages which are not required in most cloud-native scenarios are removed from ContainerOS to make your instance less vulnerable to attacks. If you need additional security reinforcement to further enhance the security of the OS, refer to the following suggestions.
Disable unused file systems and services
Unused file systems and services may pose security risks to the OS. Disabling these file systems and services can make your system more secure.
Disable the cramfs file system
Compressed ROM File System (Cramfs) is a lightweight, read-only file system designed for embedded systems.
Create or modify a .conf file in the /etc/modprobe.d/ directory and add the following lines to blacklist the cramfs kernel module:
install cramfs /bin/false
blacklist cramfs
Run the following command to unload the cramfs module if it is currently loaded:
# modprobe -r cramfs
Disable the squashfs file system
SquashFS is a compressed read-only file system, which is widely adopted in embedded systems and Linux distributions for live CD and USB environments.
Create or modify a .conf file in the /etc/modprobe.d/ directory and add the following lines to blacklist the squashfs kernel module:
install squashfs /bin/false
blacklist squashfs
Run the following command to unload the squashfs module if it is currently loaded:
# modprobe -r squashfs
Disable the udf file system
Universal Disk Format (UDF) is a file system standard developed for optical media, such as DVDs and Blu-ray discs. It is designed to provide a versatile file system that can be used across different operating systems. The UDF file system is suitable for exchanging and storing data.
Create or modify a .conf file in the /etc/modprobe.d/ directory and add the following lines to blacklist the udf kernel module:
install udf /bin/false
blacklist udf
Run the following command to unload the udf module if it is currently loaded:
# modprobe -r udf
Disable the RPCbind service
RPCbind is a service that provides a mapping between remote procedure call (RPC) program numbers and the associated network addresses in a computer network. It acts as a registration service that allows clients to discover the location and availability of RPC services in a network.
Run the following commands to disable the rpcbind service:
# systemctl stop rpcbind.service
# systemctl stop rpcbind.socket
# systemctl mask rpcbind
Disable core dumps
Core dumps contain process memory that attackers may exploit, and they also occupy large amounts of disk space. To prevent the system from creating core dumps when the OS terminates a program due to a segmentation fault or other unexpected error, add the following line to /etc/security/limits.conf:
* hard core 0
We recommend that you also set the following parameter in /etc/sysctl.conf to prevent the exposure of sensitive information in core dumps of privileged (setuid) processes:
fs.suid_dumpable = 0
Run the following command to set the active kernel parameter:
# sysctl -w fs.suid_dumpable=0
Disable unprivileged eBPF
eBPF is a powerful and flexible feature that benefits networking, security, and performance monitoring. You can disable unprivileged eBPF to mitigate the security risks that arise from uncontrolled use of eBPF by non-root processes.
Set the following parameter in /etc/sysctl.conf:
kernel.unprivileged_bpf_disabled=1
Run the following command to set the active kernel parameter:
# sysctl -w kernel.unprivileged_bpf_disabled=1
Limit network access
Disable source routing
Source routing allows the sender of a packet to specify the route that the packet traverses. Because attackers can abuse it to bypass routing and filtering decisions, disabling source routing is a common security best practice. By ignoring source-routed packets, the system applies its own routing rules, which enhances network security.
Add the following lines to /etc/sysctl.conf:
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
Run the following commands to set the active kernel parameters:
# sysctl -w net.ipv4.conf.all.accept_source_route=0
# sysctl -w net.ipv4.conf.default.accept_source_route=0
# sysctl -w net.ipv6.conf.all.accept_source_route=0
# sysctl -w net.ipv6.conf.default.accept_source_route=0
# sysctl -w net.ipv4.route.flush=1
# sysctl -w net.ipv6.route.flush=1
Disable ICMP redirects
ICMP redirects are used by routers to notify hosts of a better route. Disabling ICMP redirects helps prevent route spoofing attacks where attackers attempt to manipulate the routing tables of other hosts in the network.
Add the following lines to /etc/sysctl.conf:
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
Run the following commands to set the active kernel parameters:
# sysctl -w net.ipv4.conf.all.send_redirects=0
# sysctl -w net.ipv4.conf.default.send_redirects=0
# sysctl -w net.ipv4.route.flush=1
We recommend that you also add the following lines to /etc/sysctl.conf so that the system does not accept ICMP redirects:
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
Run the following commands to set the active kernel parameters:
# sysctl -w net.ipv4.conf.all.accept_redirects=0
# sysctl -w net.ipv4.conf.default.accept_redirects=0
# sysctl -w net.ipv6.conf.all.accept_redirects=0
# sysctl -w net.ipv6.conf.default.accept_redirects=0
# sysctl -w net.ipv4.route.flush=1
# sysctl -w net.ipv6.route.flush=1
Disable secure ICMP redirect acceptance
Accepting secure ICMP redirects (from those gateways acting as default gateways) has almost no legitimate use cases. You must disable secure ICMP redirect acceptance unless it is required.
Add the following lines to /etc/sysctl.conf:
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
Run the following commands to set the active kernel parameters:
# sysctl -w net.ipv4.conf.all.secure_redirects=0
# sysctl -w net.ipv4.conf.default.secure_redirects=0
# sysctl -w net.ipv4.route.flush=1
Enable logging of martian packets
Martian packets are IP packets with invalid or unroutable source addresses, which usually indicate a configuration error or an attempt to spoof the source of the packet. When net.ipv4.conf.all.log_martians is set to 1, the kernel logs received packets with invalid source addresses. This helps network administrators identify and troubleshoot configuration errors or malicious network activity.
Add the following lines to /etc/sysctl.conf:
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
Run the following commands to set the active kernel parameters:
# sysctl -w net.ipv4.conf.all.log_martians=1
# sysctl -w net.ipv4.conf.default.log_martians=1
# sysctl -w net.ipv4.route.flush=1
Enable IP spoofing prevention
Reverse path filtering (rp_filter) helps prevent IP spoofing by checking whether the source address of an inbound packet is reachable through the interface on which the packet was received. If the source address is not reachable through that interface, the packet is dropped. Enabling rp_filter helps prevent IP spoofing but may cause connectivity issues in asymmetric routing setups.
Add the following line to /etc/sysctl.conf:
net.ipv4.conf.default.rp_filter=1
Run the following commands to set the active kernel parameter:
# sysctl -w net.ipv4.conf.default.rp_filter=1
# sysctl -w net.ipv4.route.flush=1
Disable IPv6 RA acceptance
Router Advertisements (RAs) are a part of the Neighbor Discovery Protocol in IPv6 and are used by routers to advertise their presence and provide network configuration information to hosts. Disabling RA acceptance can prevent malicious network configurations.
Add the following lines to /etc/sysctl.conf:
net.ipv6.conf.all.accept_ra = 0
net.ipv6.conf.default.accept_ra = 0
Run the following commands to set the active kernel parameters:
# sysctl -w net.ipv6.conf.all.accept_ra=0
# sysctl -w net.ipv6.conf.default.accept_ra=0
# sysctl -w net.ipv6.route.flush=1
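The core dump, eBPF and network settings above are all kernel parameters, so drift from the hardened values is easy to audit. The following POSIX shell script is an added example and not part of the ContainerOS documentation: it compares a "key = value" dump (the output of sysctl -a, or an /etc/sysctl.conf file) against the values recommended on this page and reports every key that is missing or set differently.

```shell
#!/bin/sh
# Added example, not part of the ContainerOS documentation: audit the kernel
# parameters recommended on this page against an actual "key = value" dump
# (the output of `sysctl -a`, or an /etc/sysctl.conf file) and report drift.
# Hardened values from this page, as key=value pairs (one per line).
HARDENED='fs.suid_dumpable=0
kernel.unprivileged_bpf_disabled=1
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.default.accept_source_route=0
net.ipv6.conf.all.accept_source_route=0
net.ipv6.conf.default.accept_source_route=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv6.conf.all.accept_redirects=0
net.ipv6.conf.default.accept_redirects=0
net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.default.secure_redirects=0
net.ipv4.conf.all.log_martians=1
net.ipv4.conf.default.log_martians=1
net.ipv4.conf.default.rp_filter=1
net.ipv6.conf.all.accept_ra=0
net.ipv6.conf.default.accept_ra=0'

# lookup KEY FILE: print the value of KEY in FILE, or MISSING if absent.
# Tolerates "key = value", "key=value" and comment lines.
lookup() {
    awk -v k="$1" -F'[ \t]*=[ \t]*' '
        /^[ \t]*#/ { next }
        $1 == k    { print $2; found = 1; exit }
        END        { if (!found) print "MISSING" }' "$2"
}

# check_drift FILE: print one DRIFT line per key whose value differs from
# the hardened value (or is missing). Returns 0 if compliant, 1 otherwise.
check_drift() {
    drift=0
    for pair in $HARDENED; do
        key=${pair%%=*}; want=${pair#*=}
        have=$(lookup "$key" "$1")
        if [ "$have" != "$want" ]; then
            printf 'DRIFT %s: want %s, have %s\n' "$key" "$want" "$have"
            drift=1
        fi
    done
    return $drift
}
```

On a live host, capture the running values with `sysctl -a 2>/dev/null > /tmp/sysctl.dump` and run `check_drift /tmp/sysctl.dump`; a non-zero exit status means at least one recommended setting is not in effect.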
Configure journald
To avoid generating huge system log files that consume excessive disk space, add the following line to /etc/systemd/journald.conf:
Compress=yes
The Storage parameter controls where the journal data is stored. We recommend that you set it to persistent so that the data is written to disk. Otherwise, the log data may be kept only in memory and lost after a system reboot.
Add the following line to /etc/systemd/journald.conf:
Storage=persistent