Bug 57166 - Easy and transparent way for customers to security-harden UCS
Status: NEW
Product: UCS
Classification: Unclassified
Component: UCR
Version: UCS 5.0
Hardware: Other Linux
Importance: P5 normal
Assigned To: UCS maintainers
Reported: 2024-03-21 07:18 CET by Robert Heyer
Modified: 2024-03-21 13:18 CET
What kind of report is it?: Feature Request
Enterprise Customer affected?: Yes
Description Robert Heyer univentionstaff 2024-03-21 07:18:56 CET
In a customer project, the idea of implementing security levels via UCR came up. The customer needs to make the use of UCS BSI-compliant and wants us to implement a mechanism that can harden various services such as SSH, Apache2, DNS (by adapting the cipher, algorithm, etc.) via UCR. I don't mean existing UCR for individual services, but a global UCR that sets various services to the highest security level at once.

I see a conflict here between "we offer an open configuration that the customer has to maintain themselves" and "we take care of this for the customer". What do you think?
Comment 1 Robert Heyer univentionstaff 2024-03-21 07:21:08 CET
Inspiration: https://help.univention.com/t/ucs-and-security-hardening/6059
Comment 2 Daniel Tröder univentionstaff 2024-03-21 08:15:17 CET
Besides being difficult to implement and maintain a "key that turns multiple keys", it raises questions: what if the global key is set, and the customer wants to change just one setting back: will it also set the global key to false? If not, what does "true" mean then?

Instead, I suggest writing a nice CLI script that asks the customer questions and makes proposals: "I see you have Dovecot installed. Do you want me to change the following UCRs: .....?"

Such a script can be enhanced over time with new software and new defaults and can be part of UCS.
Comment 3 Arvid Requate univentionstaff 2024-03-21 10:20:41 CET
Yes, could start as CLI and grow into something like a UMC module (similar to System Diagnostics).
IMHO it would have some use to add some verification functionality where possible, so that
you know that the switch is not just set to "safety level XYZ" but the wire behind that switch
has been cut.
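
The verification idea from comment 3, sketched as an added example that is not part of the original thread or of UCS: it compares what the daemon reports as effective (the `keyword value` format that `sshd -T` prints) against an allowlist. The policy contents, the sample dump and all function names are constructed assumptions.

```python
"""Verify that a hardening level is in effect, not just configured."""

# Constructed allowlist for a hypothetical "high" level; not a BSI or UCS baseline.
POLICY_HIGH = {
    "ciphers": {"aes256-gcm@openssh.com", "aes128-gcm@openssh.com", "aes256-ctr"},
    "macs": {"hmac-sha2-512-etm@openssh.com", "hmac-sha2-256-etm@openssh.com"},
    "kexalgorithms": {"curve25519-sha256", "ecdh-sha2-nistp521"},
}

# Constructed sample in the "keyword value" format that `sshd -T` prints.
SAMPLE_EFFECTIVE = """\
port 22
ciphers aes256-gcm@openssh.com,aes128-ctr,aes256-ctr
macs hmac-sha2-512-etm@openssh.com
permitrootlogin no
"""


def parse_effective(dump):
    """Map each lowercase keyword to its comma-separated value list."""
    settings = {}
    for line in dump.splitlines():
        keyword, _, value = line.strip().partition(" ")
        if keyword and value:
            settings[keyword.lower()] = [v for v in value.strip().split(",") if v]
    return settings


def verify(dump, policy):
    """Return {keyword: problem} for every setting that is not provably hardened."""
    effective = parse_effective(dump)
    findings = {}
    for keyword, allowed in policy.items():
        if keyword not in effective:
            # Absent from the daemon's answer: unverified, so report it rather than pass.
            findings[keyword] = "not reported by daemon"
            continue
        extra = sorted(set(effective[keyword]) - allowed)
        if extra:
            findings[keyword] = "outside policy: " + ",".join(extra)
    return findings


if __name__ == "__main__":
    for keyword, problem in verify(SAMPLE_EFFECTIVE, POLICY_HIGH).items():
        print(f"FAIL {keyword}: {problem}")
```

On a live host the dump would come from the running daemon's own report rather than from the configuration store, so a value that was set but never applied shows up as a finding.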
Comment 4 Robert Heyer univentionstaff 2024-03-21 13:18:10 CET
We also considered the script route. Alternatively, a list of recommendations would also be conceivable, which the customer then implements himself.

I like the idea with the process script, then later a UMC module with visibility of the respective settings. That is certainly all debatable.

I can't estimate the added value for other customers. Basically, however, I think that we should think along as providers or at least make recommendations.