Univention Bugzilla – Bug 37877
Create a UCS security guide
Last modified: 2023-10-17 15:04:38 CEST
We should create a guide which describes security hardening possibilities for a UCS system, e.g. configuring stricter default options for the TLS settings in Apache: if TLS 1.2 is enforced, Internet Explorer 7 and 8 are unable to complete the handshake, but it's a security enhancement in environments where only modern browsers are used.
I should include checking the SSH host keys. 4.0 installs no ECDSA keys by default. After (re)creating SSH keys, "ucr commit /etc/ssh/sshd_config" must be run to activate the usage of keys that didn't exist before.
Bug #39485: A section about the Samba 4 DC possibilities on a DC Slave.
Disallow the apache UserDir module (~/public_html → http://server/~username/).
From Ticket #2017011721000128:
------------------------------------------------------------------------
I just found the UCR variable "dns/allow/transfer" in the template, so a manual mechanism already exists. I think that's great. Nevertheless, I would like the ACL file to be created/used out of the box. It would then extend itself automatically when new slaves are added, so that no manual follow-up work is needed for a secure setup.
------------------------------------------------------------------------
See also Bug #43425: Disable simple_bind over unencrypted ldap://$HOST:[7]389
ucr set saml/idp/show-errors=false (See Bug #45393).
Disable apache directory listings.
There are multiple places where MITM is possible if connector/ad/ldap/ssl is set to false.
UCS Security Hardening - A Collection: https://help.univention.com/t/ucs-and-security-hardening/6059
Requested at Ticket#2017101921000287
Ticket #2017101921000287 is a customer.
The UCR variables listener/shares/whitelist/.* should be stripped down to their minimal necessities.
The default for PermitRootLogin for ssh is yes:
base/univention-base-files/debian/univention-base-files.postinst: sshd/permitroot?yes
We should document that it should be set to "prohibit-password" or "no".
It should be documented how to disable LDAP anonymous bind (Bug #52866).
ucr set \
  apache2/force_https=yes \
  apache2/hsts=yes \
  apache2/server-tokens=Prod \
  apache2/server-signature=Off \
  apache2/ssl/tlsv11=false \
  apache2/ssl/tlsv12=false \
  apache2/ssl/ciphersuite=HIGH \
  apache2/ssl/honorcipherorder=true \
  umc/http/show_tracebacks=false \
  directory/manager/rest/show-tracebacks=false
rm -f /usr/share/apache2/icons/README*
(better: remove `Alias /icons/ "/usr/share/apache2/icons/"` from /etc/apache2/mods-available/alias.conf)
(In reply to Florian Best from comment #15)
> apache2/ssl/tlsv11=false \
> apache2/ssl/tlsv12=false \
Ah wrong, the UCR variable is counter-intuitive. It only enables the TLS versions or higher. So the only meaning for the variable is `true`. As of Bug #54306 only `apache2/ssl/tlsv13=true` should be set.
ucr set saml/idp/show-errors=false saml/idp/show-error-reporting=false
ucr set umc/http/enforce-secure-cookie=true umc/http/cookie/samesite=Strict (Bug #54484)
ucr set saml/idp/{session,language}-cookie/{secure=true,samesite=Strict}
(In reply to Florian Best from comment #15)
> rm -f /usr/share/apache2/icons/README* (better: remove `Alias /icons/
> "/usr/share/apache2/icons/"` from /etc/apache2/mods-available/alias.conf)
Also due to https://demo.univention.de/html/: rm -rf /var/www/html/
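An added example, not code from this bug, from Univention, or from the linked Ansible role: a small Python audit that reads `ucr dump` output (assumed to be one "key: value" per line) and reports which of the UCR settings collected in the comments above deviate from the recommended values. It also catches the two traps the thread describes: `apache2/ssl/tlsv11=false` / `tlsv12=false` being a no-op (only `tlsv13=true` matters), and a misspelled samesite value such as `Stict` that would silently not apply. The sample dump is constructed; treating yes/true and no/off/false as equivalent and the wording of `fix_command` are my assumptions, not UCS behaviour documented here.

```python
import re
import sys
from dataclasses import dataclass
from typing import Dict, List, Optional

# Recommended values, in `ucr set` syntax, collected from the comments above.
BASELINE: Dict[str, str] = dict(kv.split("=", 1) for kv in (
    "sshd/permitroot=prohibit-password apache2/force_https=yes apache2/hsts=yes "
    "apache2/server-tokens=Prod apache2/server-signature=Off apache2/ssl/tlsv13=true "
    "apache2/ssl/ciphersuite=HIGH apache2/ssl/honorcipherorder=true "
    "umc/http/show_tracebacks=false directory/manager/rest/show-tracebacks=false "
    "saml/idp/show-errors=false saml/idp/show-error-reporting=false "
    "umc/http/enforce-secure-cookie=true umc/http/cookie/samesite=Strict "
    "saml/idp/session-cookie/secure=true saml/idp/session-cookie/samesite=Strict "
    "saml/idp/language-cookie/secure=true saml/idp/language-cookie/samesite=Strict"
).split())
ALSO_OK = {"sshd/permitroot": {"no"}}  # the thread accepts either value
# Variables whose *false* is a problem, with the explanation to report.
FALSE_IS_BAD = {
    "connector/ad/ldap/ssl": "not false (plain LDAP, MITM possible)",
    # tlsv11/tlsv12 only *enable* a version or higher; false is a no-op (Bug #54306).
    "apache2/ssl/tlsv11": "unset (false has no effect, Bug #54306)",
    "apache2/ssl/tlsv12": "unset (false has no effect, Bug #54306)",
}

def norm(value: str) -> str:
    """Fold UCR boolean spellings so yes/true and no/off/false compare equal (assumption)."""
    v = value.strip().lower()
    return {"yes": "true", "on": "true", "1": "true",
            "no": "false", "off": "false", "0": "false"}.get(v, v)

@dataclass(frozen=True)
class Finding:
    variable: str
    actual: Optional[str]  # None: the variable is not set at all
    expected: str

def parse_ucr_dump(text: str) -> Dict[str, str]:
    """Parse `ucr dump` output, one "key: value" per line, into a dict."""
    values: Dict[str, str] = {}
    for line in text.splitlines():
        m = re.match(r"^([^\s:]+):\s?(.*)$", line)
        if m:
            values[m.group(1)] = m.group(2).strip()
    return values

def audit(ucr: Dict[str, str]) -> List[Finding]:
    """Return every deviation from the baseline, sorted by variable name."""
    findings: List[Finding] = []
    for var, want in BASELINE.items():
        actual = ucr.get(var)
        allowed = {norm(want)} | {norm(v) for v in ALSO_OK.get(var, set())}
        if actual is None or norm(actual) not in allowed:
            findings.append(Finding(var, actual, want))
    for var, expected in FALSE_IS_BAD.items():
        actual = ucr.get(var)
        if actual is not None and norm(actual) == "false":
            findings.append(Finding(var, actual, expected))
    return sorted(findings, key=lambda f: f.variable)

def fix_command(f: Finding) -> str:
    """Suggested `ucr` command for a finding; an admin should review it, not run it blindly."""
    if f.variable in BASELINE:
        return f"ucr set {f.variable}={BASELINE[f.variable]}"
    if f.variable.startswith("apache2/ssl/tlsv1"):
        return f"ucr unset {f.variable}"
    return f"# review {f.variable} by hand (currently {f.actual!r})"

# Constructed sample (not from a real host): hardened apart from a samesite
# typo, the no-op tlsv1x=false, UMC tracebacks, root login, a plain-LDAP AD
# connector, and apache2/ssl/tlsv13 missing entirely.
SAMPLE_UCR_DUMP = """\
apache2/force_https: yes
apache2/hsts: yes
apache2/server-tokens: Prod
apache2/server-signature: Off
apache2/ssl/tlsv11: false
apache2/ssl/tlsv12: false
apache2/ssl/ciphersuite: HIGH
apache2/ssl/honorcipherorder: true
umc/http/show_tracebacks: true
directory/manager/rest/show-tracebacks: false
saml/idp/show-errors: false
saml/idp/show-error-reporting: false
umc/http/enforce-secure-cookie: true
umc/http/cookie/samesite: Stict
saml/idp/session-cookie/secure: true
saml/idp/session-cookie/samesite: Strict
saml/idp/language-cookie/secure: true
saml/idp/language-cookie/samesite: Strict
sshd/permitroot: yes
connector/ad/ldap/ssl: false
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_UCR_DUMP
    for f in audit(parse_ucr_dump(text)):
        print(f"{f.variable}: actual={f.actual!r}, expected {f.expected}  ->  {fix_command(f)}")
```

Run it as `ucr dump > /tmp/ucr.txt && python3 audit.py /tmp/ucr.txt` on the host to audit; without an argument it audits the constructed sample. Unset baseline variables are reported as findings too, since the thread notes at least one insecure default (sshd/permitroot) that is set by a postinst rather than by the admin.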
Ansible role: https://github.com/univention/ansible-roles/tree/main/roles/hardening