Security Hardening

Although Stratus ztC Edge systems provide a secure out-of-box experience, you can implement additional configuration settings as described below to provide the highest level of security.

Security is often a balance between protection and ease of use. ztC Edge systems are shipped with a set of default settings that balance these factors. For a more secure posture, follow the guidelines below, and continue to evaluate the security of the system throughout its life cycle, from the planning and configuration to operation and decommissioning.

The information below provides security hardening guidance based on Version 7.1 of CIS Controls, which are hardening recommendations developed by the Center for Internet Security (CIS), a community-driven nonprofit that leads and is recognized for best practices for securing IT systems and data. CIS Benchmarks are also used to validate and create a baseline for a secure product. A list of CIS Controls is included below in Best Practices and Standards of Standards Organizations.

The information below also provides hardening guidance based on industrial control systems cyber security standard ISA/IEC 62443, which was originally created by the International Society of Automation (ISA) and continues to be developed by the International Electrotechnical Commission (IEC). ISA/IEC 62443-4-2 has differing levels of security based on the sensitivity of data or intended threat actor adversary, and by implementing the recommendations and applying mitigating controls assists in achieving compliance for the required security level. A summary of ISA/IEC 62443-4-2 requirements is included below in Best Practices and Standards of Standards Organizations.

This help topic contains the following sections:

Security Guidelines
Advanced Security Guidelines
Best Practices and Standards of Standards Organizations

Security Guidelines

The following sections describe security guidelines for ztC Edge systems.

Note: Stratus has tested and supports the following guidelines. Any other update or modification not explicitly approved by Stratus could affect the normal operation of the system.
If you have any questions about these guidelines, and the system is covered by a service agreement, contact your authorized Stratus service representative for assistance. For information, see the ztC Edge Support page at https://www.stratus.com/services-support/customer-support/?tab=ztcedge

While implementing the security hardening guidelines, consider the following:

The security guidelines refer to administrative tasks performed in the ztC Edge Console and in the host operating system. The ztC Edge Console is a browser-based interface that allows you to manage and monitor most aspects of the ztC Edge system from a remote management computer (see the ztC Edge Console). The host operating system runs on each node of the system. You can access the command line of the host operating system locally at the PM's physical console or remotely by using a secure shell (SSH) client (see Accessing the Host Operating System).
Prior to making any configuration changes, record the current settings so that you can restore them, if necessary. Also, record any modifications that you are making in case the information is needed for troubleshooting.
When changing the default system settings, particularly in the host operating system, you must make the changes on both nodes to prevent inconsistencies that could affect the normal operation of the system. Similarly, when changing the root password and other user account settings for the host operating system, you must do so on both nodes. The guidelines below indicate when these changes are needed.
When you upgrade the system software or replace a node in the system, not all modifications for system hardening may be carried over. Similarly, some settings are shared across nodes, so shared resources could have conflicts. Therefore, after completing these procedures, you should verify that each node in the system has the correct settings and that the system is working properly.
In some cases, the security guidelines directly reference Knowledge Base articles (for example, KBnnnnnnn) with more information about configuring ztC Edge systems and the Stratus Redundant Linux software. You can access the Stratus Customer Service Portal and its Knowledge Base by using your existing portal credentials, or by creating a new user account, as described in Accessing Knowledge Base Articles.

Ports and Protocols

Any administrator making networking or communication changes to the system should be knowledgeable about the ports or protocols used by Stratus Redundant Linux. For details, see KB0014311.

Network Segmentation

Connect the ztC Edge system only to networks with trusted devices, or to networks where devices require explicit permissions to communicate with each other. For more information on network segmentation, see the NIST special publications 800-125B and 800-39. For information about which Ethernet networks are available on ztC Edge systems, see Network Architecture.

IP Tables/Firewall

Enable IP tables packet filtering for the system, and block all ports that are not used in normal operation. Malicious actors can leverage a potential security vulnerability on an unused interface as a backdoor. Limit the exposure by enabling IP tables for unused ports.

For details on how to implement IP tables, see Managing IPtables.

Notes:

The ICMP protocol is used for pinging within the ztC Edge system. If you set IP tables to drop ICMP traffic, the fault tolerance or failover support will not work properly.
The SSH protocol is used for connecting to the host operating system. If you set IP tables to block SSH traffic, system administrators will be unable to access the host operating system.

User Account Creation

Create individual user accounts for each user authorized to access the system, and consider each user's role in the usage of the device. Maintaining individual user accounts also permits auditability or nonrepudiation, that by log review it can be determined which user accessed the device or made configuration changes.

For details on how to configure user settings, see Configuring Users and Groups.

Notes:

You cannot delete the default admin account, although you should change its name and password by editing the account settings.
You must specify an email address for each user account, including admin, to enable the forgot password feature. Also, you must enable the mail server, as described in Configuring the Mail Server; otherwise, the system cannot send password reset emails.
If a user account is no longer needed or not actively being used, either remove or disable the user account to prevent any possibility of inappropriate use.
Monitor login attempts to prevent brute-force attacks.

Password Creation

You must change the default passwords for the system.

The ztC Edge Console prompts you for a new admin password upon deployment. The password policy of the ztC Edge Console requires that your password meets the following conditions:

Its minimum length is 8 characters.
It must contain both upper- and lower-case characters.
It cannot be the username.

The host operating system prompts you for a new root password upon the first login. When changing the root password for the host operating system, you must manually change it on both nodes. For details, see Accessing the Host Operating System.

Note: When you change the root password for the host operating system, ensure that you remember the password, because the only way to recover a lost root password is to replace or reinstall the nodes.

For more information about controlling the quality of passwords in the host operating system, see Advanced Security Guidelines.

Least Privilege

Limit each user's access to features applicable to their position or role.

Implementing least privilege prevents a non-privileged user from accessing services above their role.

For details on how to configure roles that define the privileges for each user, see Configuring Users and Groups.

Active Directory

Active Directory integration presents a single point for centralized authentication and authorization. With Active Directory, you can create group policies for password complexity that are enforced based on your local security policy.

For details on how to add a ztC Edge system to an Active Directory domain, see Configuring Active Directory.

Time Synchronization

Synchronization of time is important, as it provides a centralized reference point to ensure that operation and security processes work within the same time frame. Time referencing allows for confidence in the time of check and time of use when updating applications and ensuring that keys and certificates are still valid based on the time and date.

When you log on to a ztC Edge system for the first time, enable the Network Time Protocol (NTP) service to automatically set the system clock . Configure NTP to reference a known and trusted NTP server. For details, see Configuring Date and Time.

Note: Use only the ztC Edge Console to properly configure the NTP settings; do not manually configure them in the host operating system.

Secure Connections

By default, the ztC Edge Console is configured to support only secure connections with the HTTPS protocol.

Enabling HTTPS on the ztC Edge system prevents common web security attacks to provide a level of confidentiality for each web session. HTTPS encrypts web session traffic, provides data integrity, and increases the overall security of the web traffic.

When HTTPS is enabled, it supports only TLSv1.2, which is currently the strongest encryption suite recommended. Ciphers include:

TLSv1.2:
ciphers:
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 4096) - A
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 4096) - A
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 4096) - A
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 4096) - A
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 4096) - A
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 4096) - A
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 4096) - A
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 4096) - A
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A

Also enable secure, encrypted connections when using a mail server or other types of server software. Beginning with Stratus Redundant Linux 2.3.1.0, the system requires that the mail server you configure for e-Alerts and password resets supports the TLS v1.2 protocol. If your mail server does not support TLS 1.2, then no outgoing emails will be sent, even if they are configured in the ztC Edge Console. For information about configuring and enabling an encrypted connection for the mail server on a ztC Edge system, see Configuring the Mail Server.

Updating SSL Certificate

The ztC Edge system comes with a self-signed SSL certificate, but this may be updated to any purchased or supplied certificate. Changing the SSL certificate allows the root of trust to be updated to the customer specification. For details, see KB0014653.

SNMP Configurations

Simple Network Management Protocol (SNMP) is a standard protocol for receiving alarms, sending traps, and monitoring system status. SNMP draws upon system-defining information that is stored in hierarchically configured management information bases (MIBs).

For security reasons, SNMP is disabled by default on ztC Edge systems. In Stratus Redundant Linux Release 2.3 or higher, the SNMP process is also stopped in the console operating system on each node. For additional security, you can also disable all SNMP connections by adding rules to IPtables (see Managing IPtables) to block UDP ports 162, 161 and 199 and TCP ports 162 and 199.

Note: For security reasons, if you need to enable SNMP, you should disable SNMP v1 and v2, and enable only version 3 by using the SNMP Restricted configuration. For details, see Configuring SNMP Settings.

Backups

Backups are important to have in case a security event occurs; a unit can be returned to a known good state for continuous operation. Any backups taken should be stored in a secure location.

To back up a running VM to a set of XML and raw hard disk data files, see Backing Up a Running Virtual Machine. To recover the identical VM with the same SMBIOS UUID, system serial number, and MAC addresses as the original VM, see Recovering a Virtual Machine from a Backup. Alternatively, you can export a stopped VM to a set of OVF and VHD files and restore them as described in Exporting a Virtual Machine and Replacing/Restoring a Virtual Machine from an OVF File.

Note: Backing up or exporting VMs is particularly important for VMs on a single-node system. In the event of a failure or loss of the original VM, you can use the XML and raw hard disk data files to recover the VM, or the OVF and VHD files to restore the VM.

To back up the ztC Edge system preferences that you configured on the Preferences page, you can save the settings to a local storage device. For details, see Saving and Restoring System Preferences.

On redundant, dual-node ztC Edge systems, each node also serves as a backup for the other node. If a node fails, you can replace a node in a system that is currently licensed, and the system automatically restores the node with an exact copy of the Stratus Redundant Linux software and the virtual machines from the running node.

Automated Local Site Recovery

An automated local site recovery (ALSR) configuration connects two physical machines at two separate sites. It is a disaster-tolerant deployment that maintains hardware redundancy as well as redundancy of physical computer rooms and the buildings containing them. Because of the geographic separation, an ALSR configuration requires careful planning of component placement and more complex networking topologies. For ALSR configurations, Stratus strongly recommends that you use the quorum service because an ALSR configuration exposes the A-Link networks to other potential failure scenarios. (ALSR configurations are not available to systems configured for one node.)

For details, see Creating an ALSR Configuration.

Auditing

Implement auditing by a local policy to regularly collect and manage logs of events needed to detect, understand, and recover from a cyber attack.

The Audit Logs page displays a log of user activity in the ztC Edge Console. To open this page, click Audit Logs in the left-hand navigation panel. (To display information about events on the ztC Edge system, see the Alerts History Page.)

Log information contains:

Time—The date and time of the action.
Username—The name of the user that initiated the action.
Originating Host—The IP address of the host on which the ztC Edge Console was running.
Action—The action performed in the ztC Edge Console.

You can also display information about audit logs by using snmptable (for details, see Obtaining System Information with snmptable).

Use logs for continuous monitoring of the ztC Edge system. To ensure prompt service in the event of a service call, also enable support notifications and periodic reporting for your system to keep Stratus informed about your system's health. For details, see Configuring Remote Support Settings.

Login Banner Notice

Configure the Login Banner Notice to include important notifications to ztC Edge Console users. For details, see Configuring the Login Banner.

Upgrades

Upgrade Stratus Redundant Linux on a regular basis to prevent security vulnerabilities from being exploited due to out-of-date components. Refer to your local security policies for information about frequency and methods.

Caution: Do not update the Ubuntu host operating system of the ztC Edge system from any source other than Stratus. Use only the release that is installed with the Stratus Redundant Linux software.

The Upgrade Kits page in the ztC Edge Console allows you to upload and manage upgrade kits that you use to upgrade the system to newer versions of the Stratus Redundant Linux software. You can also copy an upgrade kit to a USB medium in order to use the medium when reinstalling the system software.

To open the Upgrade Kits page, click Upgrade Kits in the left-hand navigation panel in the ztC Edge Console.

For information about upgrading the Stratus Redundant Linux software, see Upgrading Stratus Redundant Linux Software Using an Upgrade Kit. For information about creating a USB medium, see Creating a USB Medium with System Software.

Physical Security

Install each ztC Edge system in a secure location to prevent malicious users from accessing the nodes.

Secure each location with an auditable system to identify which personnel entered the area to identify malicious users.

Physical security is an important addition to tamper detection and alerting for any device, including ztC Edge nodes.

Advanced Security Guidelines

The following sections describe advanced security guidelines for ztC Edge systems.

Password Quality Recommendations

When setting passwords, recommendations include:

Setting a minimum password length of at least 8 characters, of which three out of four of the following characteristics are required: one upper-case letter, one lower-case letter, one number, and one special character.
Requiring users to reset passwords on a regular basis, such as every 30, 60 or 90 days. You can also forbid the reuse of passwords for a variable amount of password updating history.

To manually update password quality settings in the host operating system

Note: Apply the password quality settings on both nodes in the system.

Log on to the host operating system, as described in Accessing the Host Operating System.
Open the /etc/pam.d/common-password file with a text editor.
Modify the pam_pwquality.so module with the appropriate settings. For example, use settings similar to the following:

password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= minlen=8 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 enforce_for_root

The previous example sets the following values:

minlen=8 sets the minimum password length to 8 characters.

lcredit=-1 sets the minimum number of lower-case letters in a password to one.

ucredit=-1 sets the minimum number of upper-case letters in a password to one.

dcredit=-1 sets the minimum number of digits in a password to one.

ocredit=-1 sets the minimum number of other symbols such as @, #, ! $ % in a password to one.

enforce_for_root ensures that even if the root user is setting the password, the complexity policies should be enforced.
To restrict the password history, add or modify the pam_pwhistory.so module with the appropriate settings. For example, using settings similar to the following:

password requisite pam_pwhistory.so debug use_authtok remember=10 retry=3
Save the /etc/pam.d/common-password file.

For more information about user management and password policies in the host operating system, see the Ubuntu documentation:

https://ubuntu.com/server/docs/security-users

Concurrent User Management

Continually monitor the audit logs to view which users have logged on to the machine and if they are still active.

Identify the users that are currently operating the system to legitimize and audit their usage.

Antivirus

Continually perform a network-based analysis for antivirus or malware detection.

Your network-based intrusion detection system supplements the ztC Edge capability to support verification of the intended operation of security functions. The detection system should search for anomalous network traffic and require investigation to validate any malicious intent.

SSH Access Restrictions

Several /etc/ssh/sshd_config parameters limit which users and groups can access the system by SSH. If none of the following parameters are present in the file, edit the file to set one or more of them to limit access:

AllowUsers

The AllowUsers parameter gives the system administrator the option of allowing specific users to use SSH to access the system. The list consists of space separated usernames. This parameter does not recognize numeric user IDs. To restrict user access further by permitting only the allowed users to log in from a host, the entry can be specified in the form of user@host.

AllowGroups

The AllowGroups parameter gives the system administrator the option of allowing specific groups of users to use SSH to access the system. The list consists of space separated group names. This parameter does not recognize numeric group IDs.

DenyUsers

The DenyUsers parameter gives the system administrator the option of denying specific users from using SSH to access the system. The list consists of space separated usernames. This parameter does not recognize numeric user IDs. If a system administrator wants to restrict user access further by specifically denying a user's access from a host, the entry can be specified in the form of user@host.

DenyGroups

The DenyGroups parameter gives the system administrator the option of denying specific groups of users from using SSH to access the system. The list consists of space separated group names. This parameter does not recognize numeric user IDs.

Restricting which users can remotely access the system using SSH will help ensure that only authorized users access the system.

MaxAuthTries

The MaxAuthTries parameter specifies the maximum number of authentication attempts permitted per connection. When the login failure count reaches half the number, error messages will be written to the syslog file detailing the login failure.

Setting the MaxAuthTries parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. While the recommended setting is 4, set the number based on site policy. For example:

MaxAuthTries 4

IgnoreRhosts

The IgnoreRhosts parameter specifies that .rhosts and .shosts files will not be used in RhostsRSAAuthentication or HostbasedAuthentication.

Setting this parameter forces users to enter a password when authenticating with SSH. For example:

IgnoreRhosts yes

HostbasedAuthentication

The HostbasedAuthentication parameter specifies if authentication is allowed through trusted hosts by using .rhosts or /etc/hosts.equiv with successful public key client host authentication. This option applies only to SSH Protocol Version 2.

Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, disabling the ability to use .rhosts files in SSH provides an additional layer of protection. For example:

HostbasedAuthentication no

For more information about sshd_config parameters, see the sshd_config(5) manual page.

Best Practices and Standards of Standards Organizations

The information in this topic is based on the following best practices and standards.

CIS Controls version 7.1

CIS controls is a prioritized set of best practices created to stop the most pervasive and dangerous threats of today. It was developed by leading security experts from around the world and is refined and validated every year. Further details may be found on the CIS website: https://www.cisecurity.org.

The CIS controls are:

Basic

Inventory and Control of Hardware Assets
Inventory and Control of Software Assets
Continuous Vulnerability Management
Controlled Use of Administrative Privileges
Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
Maintenance, Monitoring and Analysis of Audit Logs

Foundational

Email and Web Browser Protections
Malware Defenses
Limitation and Control of Network Ports, Protocols and Services
Data Recovery Capabilities
Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Boundary Defense
Data Protection
Controlled Access Based on the Need to Know
Wireless Access Control
Account Monitoring and Control

Organizational

Implement a Security Awareness and Training Program
Application Software Security
Incident Response and Management
Penetration Tests and Red Team Exercises

ISA/IEC 62443-4-2

ISA/IEC 62443-4-2 details technical component requirements (CRs) associated with seven foundational requirements (FRs) for meeting control system capability security levels. Further details may be found on the IEC website: https://www.iec.ch/

The foundational requirements are:

Identification and authentication control (IAC)
Use control (UC)
System integrity (SI)
Data confidentiality (DC)
Restricted data flow (RDF)
Timely response to events (TRE)
Resource availability (RA)

1. Identification and authentication control (IAC)

Identification of users is used in conjunction with authorization mechanisms to implement access control for a component. Verifying the identity of users requesting access is necessary to protect against unauthorized users from gaining access to the component. Authorization is from access control lists for different users that log in and authenticate with passwords into the ztC Edge system.

2. Use control (UC)

Once the user is identified and authenticated, the component must restrict the allowed actions to authorized use of the component. The ztC Edge system has defined roles that implement the concept of least privilege. Creating multiple users with varying levels of access control also defines the authorized use of the component.

3. System integrity (SI)

The integrity of the device should not be compromised, both the software and the physical components in operational and non-operational states. ztC Edge 110i, 200i, and 250i systems implement secure boot, which verifies that the unit is being booted or started from a trusted state, and all ztC Edge systems validate the digital signatures of software components prior to an upgrade. Ensuring system integrity is important to protect against the unauthorized manipulation or modification of data or system.

4. Data confidentiality (DC)

The purpose is to ensure the confidentiality of information on communication channels and in data stored in repositories to protect against unauthorized disclosure. The ztC Edge system has HTTPS with TLS v1.2 for web communication, as well as SSH and SMTP with encryption, ensuring that information is protected from malicious persons.

5. Restricted data flow (RDF)

Restricted data flow is the segmentation of the control system through zones and conduits to limit the unnecessary flow of data. The ztC Edge network architecture supports the routing and switching as determined by the configuration of networking for the management of information flow as determined by the installed system engineer. Leveraging the networking capabilities of the ztC Edge system allows for network segmentation to limit data flow.

6. Timely response to events (TRE)

Although a system may begin operation in a secure state, vulnerabilities and security events can occur. The ztC Edge system has a Product Security Incident Response (PSIR) team to react to security incidents and report findings while solving issues in a timely manner. The ztC Edge system has alert logs that can be used to notify the appropriate channels for configuration changes that may indicate a security incident. The logs contain enough information for forensics, and these e-alert notifications are emailed.

7. Resource availability (RA)

The aim of this control is to ensure that the component is resilient against various types of denial of service events. The high availability of the ztC Edge system is the foundation of an “always on” state. It is imperative that industrial control systems maintain a high availability state as there potentially are life safety impacts to systems. With a built-in virtualization and availability layer, automated data protection, and application recovery, Stratus Redundant Linux significantly reduces the dependence on IT for virtualized computing at the edge. Its self-protecting and self-monitoring features help reduce unplanned downtime and ensure the continuous availability of business-critical industrial applications.