2020 International Conference on Computational Science and Computational Intelligence (CSCI)

Methodological proposal for the optimization of the installation times of hardenized operating systems through the Spacewalk solution in critical infrastructures

Iván Ortiz-Garcés*, Aarón Echeverría-López*, Roberto O. Andrade+

1. Facultad de Ingenierías y Ciencias Aplicadas, Universidad de Las Américas, Quito, Ecuador
2. Facultad de Ingeniería en Sistemas, Escuela Politécnica Nacional, Quito, Ecuador

Abstract—Critical infrastructures are physical or virtual assets that provide a variety of continuous services through various networks such as LAN, MAN, WAN, and cloud services. Any interruption in critical infrastructures would have a great impact on the services they provide, preventing the continuity of various business models. The purpose of this methodology is to increase the levels of hardening in critical infrastructures that use the Linux operating system, allowing the continuity of the services they provide and reducing the risk of network, adjacent and local attack vectors. The hardening level is increased during the installation of the Linux operating system by means of a kickstart file with the hardening settings and the Spacewalk server that hosts this file. The proposed methodology consists of four phases. The first phase is the installation and configuration of the Spacewalk server. The second phase is to establish the hardening configurations based on the CIS Benchmark in the kickstart file, which is hosted on the Spacewalk server. The third phase is the deployment of the kickstart file when performing a hardenized installation. In the last phase, the percentage of hardening and the optimization achieved in the installation time are verified.

Keywords — critical infrastructure, Linux, hardening, Spacewalk.

I. INTRODUCTION

Linux is an open source operating system that has various approaches in information technology (IT) such as security, cloud applications, containers and servers [1]. Today, most critical infrastructures use the Linux operating system. The Shodan search engine [2] was used to determine the number of Linux servers that are exposed on the Internet. Using Shodan, sentence (1) was used to find the servers that use the Linux operating system and are exposed on the Internet. With the use of this engine, it was found that Argentina, Uruguay, China, the United States and Viet Nam are the countries that have a large number of exposed Linux servers, with a total of approximately 3,321,732, see Table 1.

Server: “Linux”    (1)

TABLE I. TOP COUNTRIES WITH EXPOSED LINUX SERVERS

Country          Linux servers
Argentina        599,579
Uruguay          453,164
China            377,369
United States    299,761
Viet Nam         159,959

Linux servers, when using default configurations, are operating systems with low security levels. In order to increase their security levels, the hardening process must be applied [3]. Hardening consists of configurations that raise the security levels and that are carried out on different network devices, mobile devices, applications, operating systems, server software, desktop software, cloud providers, etc. The hardening settings are made to reduce the probability of a cyber-attack.

The objective of this methodology is to carry out the hardening process in the shortest possible time, so it was decided to apply the hardening configurations during the installation of the Linux operating system through the Spacewalk solution. This solution allows you to manage, automate, create and host kickstart files [4]. These files will contain the CIS Benchmark-based hardening settings to be applied during installation.

A successful case of Spacewalk Linux implementation is the Finnish consultancy Capgemini [5]. The Capgemini consultancy needed software for the administration of Linux operating systems, so it was decided to implement Spacewalk. The Spacewalk implementation was carried out in four phases: planning, installation, configuration and deployment. Currently Spacewalk is part of the infrastructure of the consultancy and is used for the administration of Linux systems.

One of the specific problems associated with organizations is the lack of knowledge of hardening guidelines, which is why organizations prefer to eliminate the hardening process from their information security management systems. Sometimes, implementing hardening in IT assets requires trained personnel and a high investment of time in production environments, which as a consequence produces high costs for the organization. This work proposes a model with open source tools that allows installations of hardenized Linux operating systems in the shortest possible time, with high levels of security and low costs, and which can be coupled to any work model, allowing business continuity in critical infrastructures.

978-1-7281-7624-6/20/$31.00 ©2020 IEEE, DOI 10.1109/CSCI51800.2020.00024

II. PREVIOUS CONCEPTS

Critical infrastructures are systems that provide essential services whose operation does not allow the use of alternative solutions [6]. Different governments have proposed the protection of critical infrastructures that provide services to productive sectors, management and public life in general [7].

Linux is an open source operating system (OS) oriented to provide service around the world. Most end devices are based on this operating system, such as smartphones, supercomputers, desktop computers, web servers, and Internet of Things (IoT) devices [8]. There are a variety of Linux distributions such as Red Hat, CentOS, Fedora, Linux Mint, Kali Linux, Arch Linux, etc. Linux installed with default settings is an operating system with a low security level. In order to increase its security level, the hardening process must be applied.

Hardening is a process that aims to reduce vulnerabilities and security gaps in a wide variety of devices and software, regardless of the environment in which they are found. Through hardening, the risks and the impact of attack vectors found in technological assets are reduced [9].

CIS is a non-profit organization dedicated to developing, promoting and maintaining best practices in cyber defense [10]. These practices are based on the experience of professionals in IT and cybersecurity areas. One set of practices developed by CIS is the CIS Benchmark, which are hardening best practices for securely configuring various systems. Each CIS Benchmark guide has multiple recommendations that help organizations improve their cyber defense capabilities.

The CIS Benchmarks have acquired great relevance and importance in companies that provide cloud services, such as Amazon Web Service (AWS) and Microsoft. AWS offers virtual machines with different operating systems configured based on the CIS Benchmark recommendations, such as Amazon Linux, CentOS Linux [11], Red Hat Enterprise Linux, Ubuntu and Windows.

CIS-CAT Lite is a free tool based on CIS Benchmarks that allows evaluating the hardening level of an operating system, desktop software, server software and network devices [12]. This tool has versions that include a command line interface (CLI) and a graphical user interface (GUI).

Spacewalk is an open source solution that enables the management of Linux systems. This open source solution allows you to inventory systems with hardware and software information, install and update software, perform quick installations through kickstart files, monitor systems, and distribute content [13].

Kickstart is a file that stores the settings that are made during the installation of an operating system; these files are divided into three pre-installation and post-installation sections [14]. Pre-installation settings are the configurations that are executed before the installation of the operating system, and post-installation settings are the configurations that are carried out after the installation of the operating system.

III. PROPOSED METHODOLOGY

A. Spacewalk server

1) Spacewalk server requirements: In the proposed model, the first thing that was done was to install Spacewalk. The installation of this solution can be done on specific Linux operating systems, see Table 2.

TABLE II. SPACEWALK COMPATIBLE OS

OS                  Version
Enterprise Linux    6, 7
                    6, 7
CentOS              6, 7
Fedora              30, 31

For the proposed model, the installation was done on a CentOS 7 operating system. The Spacewalk server must have communication with the elements to be managed, and communication to the Internet to synchronize the repositories. The resources required for the installation of Spacewalk Linux must be taken into consideration, see Table 3.

TABLE III. SPACEWALK REQUIREMENTS

Resource      Sizing              Observations
Partitions    data/tmp  8GB       80GB is left available in the /var partition to be able to increase space when required
              Swap      4GB
              /         4GB
              /usr      8GB
              /var      200GB
              /boot     512MB
RAM           4 Gb (Minimum)      It is recommended to increase to 6 Gb
CPU           2vCores             It is recommended to increase to 4 vCores

2) Database: Spacewalk uses a database to store raw data. Spacewalk is compatible with PostgreSQL and Oracle RDBMS databases, see Table 4. A PostgreSQL database was used in the proposed model.

TABLE IV. DATABASES COMPATIBLE WITH SPACEWALK

Database        Version
PostgreSQL      8.4 or higher
Oracle RDBMS    10g or higher

3) Firewall configuration: To access the Spacewalk Web console, the HTTP and HTTPS protocols are used, so the ports corresponding to these protocols were enabled in the CentOS 7 firewall.

4) Spacewalk configuration: After using Spacewalk, the administrator's email information, SSL certificate password, team aliases, organization, domain, city and state were established.

5) Spacewalk channels: A channel is an element that stores the packages of a repository to have them locally. Therefore, it allows the management, control and access of packages to client computers.

As a requirement to create the channel, a local repository was previously established. A name was provided to the local repository and the URL of a web repository was added, see Table 5. When creating the channel, it was also assigned a name and an identifier, it was specified whether it is a parent channel, and the architecture of the packages to be stored was added. When establishing the channel, the repository that was previously created was added, so the synchronization of the packages began so that they are found locally in the channel.

TABLE V. REPOSITORIES USED

Repository          URL
CentOS 7 Base       http://mirror.centos.org/centos/7/os/x86_64
CentOS 7 Updates    http://mirror.centos.org/centos/7/updates/x86_64
Webtatic 7          http://repo.webtatic.com/yum/el7/x86_64/
CentOS 8 Base       http://mirror.centos.org/centos/8/BaseOS/x86_64/os/

6) Spacewalk kickstart: To configure the kickstart section of Spacewalk you need an initrd.img file; this file contains the kernel of the Linux operating system that you want to install through the kickstart.

The initrd.img file can be found in ISO images, so the ISO images for the CentOS7 and CentOS8 operating systems were downloaded. Having the ISO images, we proceeded to unzip them to obtain the initrd.img file.

In order to use the kickstart functionality, various parameters must be configured as indicated in Table 6, including the directory where the operating system was unzipped and the initrd.img file is located. Without the initrd.img file in the operating system, kickstart functionality cannot be enabled.

TABLE VI. KICKSTART FUNCTIONALITY PARAMETERS

Parameter               Meaning
Distribution label      The name of the distribution being created
Tree path               The directory where the operating system ISO image was unzipped
Base channel            The base channel that was created with the main operating system repository
Installer generation    Operating system version

The kickstart section of Spacewalk has several panels that allow you to create the kickstart file for the hardenized installation, see Table 7.

TABLE VII. SPACEWALK KICKSTART PANELS

Panel                     Description
Kickstart file details    This section details the operating system to use for the installation and the URL where the kickstart file is hosted
System details            In this section you configure the locality and partitioning
Software                  This section specifies the packages and package groups that you want to install
Activation key            In this section you can associate one or more activation keys with the kickstart file profile. Activation keys allow systems booted to the profile to automatically register with Spacewalk
Scripts                   In this section you can specify scripts to run during, before (pre-kickstart) or after (post-kickstart) the operating system installation begins
Kickstart file            This section displays the commands and configurations used by the kickstart file

B. Hardened kickstart

Hardening according to the CIS Benchmark can only be performed in two specialties: server and workstation. Each specialty has two levels, with level two being the one with the strictest configurations. For the proposed methodology, four kickstart files for the server specialty level 1 are prepared: two minimal installation files and two installation files with a graphical interface, for the CentOS7 and CentOS8 operating systems.

The kickstart files that were established save the configurations that are requested during the installation, so that at the time of installation through the kickstart file the configurations were not requested and the installation of the operating systems started directly.

The kickstart files that were set have the CentOS7 and CentOS8 OS-level hardening settings, based on CIS Benchmarks. The kickstart files contain the following sections for hardening the operating system: initial setup, services, network configuration, logging and auditing, access, authentication and authorization, system maintenance.

Upon completion of all the hardening configurations of the kickstart file, the final result could be observed in the kickstart file section of Spacewalk, where the solution provided a URL, which is where the kickstart file is hosted.

C. Hardened installation

A typical installation of a Linux operating system can take approximately 14 minutes to 38 minutes, see Table 8.

TABLE VIII. APPROXIMATE DURATION OF THE INSTALLATION OF LINUX DISTRIBUTION

OS                    Version    Approximate duration of the installation
Fedora Workstation    32         22 minutes
Fedora Server         32         14 minutes
CentOS Minimal        7          15 minutes
CentOS GUI Server     7          67 minutes
CentOS Minimal        8.2        21 minutes
CentOS GUI Server     8.2        33 minutes
Ubuntu Desktop LTS    20.04      38 minutes
Ubuntu Server LTS     20.04      17 minutes

The time to perform the hardening configurations after the completion of the usual installation of a CentOS operating system can take approximately from 52 minutes to 68 minutes, see Table 9. The usual hardening process is independent of the type of operating system; therefore, the duration of the hardening process was calculated on the CentOS7 GUI Server and CentOS8 GUI Server operating systems.

TABLE IX. APPROXIMATE DURATION OF THE TRADITIONAL HARDENING PROCESS

OS                   Version    Approximate duration of the traditional hardening
CentOS GUI Server    7          57 minutes
CentOS GUI Server    8.2        68 minutes
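Section B describes kickstart files that carry the hardening settings. One way to carry such settings is a post-installation script; the script below is an added example, not the authors' kickstart file, and it also reports how many of its own settings are in effect. The chosen settings, the 60-hardening.conf file name, the HARDEN_TARGET variable and all function names are assumptions, and the percentage is the script's self-check, not CIS-CAT output.

```sh
#!/bin/sh
# Added example, not the authors' kickstart file. In a kickstart profile this
# script would sit between "%post" and "%end", where the installed system is
# already the root, so the target is "/".

# Desired state, one "path key value" entry per line. Illustrative picks from
# the SSH and network-parameter areas (assumption, not the paper's settings).
DESIRED='etc/ssh/sshd_config PermitRootLogin no
etc/ssh/sshd_config PermitEmptyPasswords no
etc/ssh/sshd_config MaxAuthTries 4
etc/sysctl.d/60-hardening.conf net.ipv4.ip_forward 0
etc/sysctl.d/60-hardening.conf net.ipv4.conf.all.accept_redirects 0
etc/sysctl.d/60-hardening.conf net.ipv4.conf.all.send_redirects 0'

# set_option FILE KEY VALUE SEP
# Make KEY<SEP>VALUE the only active line for KEY in FILE. The new line is
# written first: sshd keeps the first value it reads for a keyword, and a line
# appended after a "Match" block would apply only inside that block.
set_option() {
    so_file=$1; so_key=$2; so_val=$3; so_sep=$4
    mkdir -p "$(dirname "$so_file")"
    [ -f "$so_file" ] || : > "$so_file"
    so_pat=$(printf '%s' "$so_key" | sed 's/[.]/\\./g')   # dots are literal
    so_tmp="$so_file.new.$$"
    printf '%s%s%s\n' "$so_key" "$so_sep" "$so_val" > "$so_tmp"
    grep -Eiv "^[[:space:]]*${so_pat}([[:space:]]|=|\$)" "$so_file" >> "$so_tmp" || true
    # Rewrite in place so the file keeps its owner, mode and SELinux label.
    cat "$so_tmp" > "$so_file"
    rm -f "$so_tmp"
}

# first_value FILE KEY: value on the first active (uncommented) line for KEY.
first_value() {
    [ -f "$1" ] || return 0
    awk -v k="$2" '
        { line = $0; sub(/^[ \t]+/, "", line) }
        line ~ /^#/ || line == "" { next }
        { split(line, f, /[ \t=]+/)
          if (tolower(f[1]) == tolower(k)) { print f[2]; exit } }' "$1"
}

# apply_hardening ROOT: enforce every DESIRED entry under ROOT.
apply_hardening() {
    ah_root=${1%/}
    while read -r ah_rel ah_key ah_val; do
        case $ah_rel in
            etc/sysctl.d/*) ah_sep=' = ' ;;   # sysctl.d syntax: key = value
            *)              ah_sep=' '   ;;   # sshd_config syntax: key value
        esac
        set_option "$ah_root/$ah_rel" "$ah_key" "$ah_val" "$ah_sep"
    done <<EOF
$DESIRED
EOF
    chmod 600 "$ah_root/etc/ssh/sshd_config"
    chmod 644 "$ah_root/etc/sysctl.d/60-hardening.conf"
}

# hardening_score ROOT: share of DESIRED entries in effect, as a whole-number
# percentage. A self-check of this script only, not a CIS-CAT result.
hardening_score() {
    hs_root=${1%/}; hs_pass=0; hs_total=0
    while read -r hs_rel hs_key hs_val; do
        hs_total=$((hs_total + 1))
        if [ "$(first_value "$hs_root/$hs_rel" "$hs_key")" = "$hs_val" ]; then
            hs_pass=$((hs_pass + 1))
        fi
    done <<EOF
$DESIRED
EOF
    echo $((hs_pass * 100 / hs_total))
}

# In %post, set HARDEN_TARGET=/ before this point; left unset, nothing changes.
if [ -n "${HARDEN_TARGET:-}" ]; then
    apply_hardening "$HARDEN_TARGET"
    echo "hardening self-check: $(hardening_score "$HARDEN_TARGET")%"
fi
```

Pointing HARDEN_TARGET at a scratch directory that holds a copy of /etc allows the script to be rehearsed before it is placed in a kickstart profile.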

With the proposed methodology, the hardening configurations are carried out together with the installation of the operating system. When performing the hardenized installation of a new operating system, in order for it to acquire the hardenized script settings, the URL address where the kickstart file with the hardening settings is located was entered. During the installation, no information is requested, since everything is in the kickstart file, so the installation lasts approximately 15 minutes to 54 minutes, see Table 10.

TABLE X. APPROXIMATE DURATION OF THE HARDENED INSTALLATION

OS                   Version    Approximate duration of the installation
CentOS Minimal       7          48 minutes
CentOS Minimal       8.2        15 minutes
CentOS GUI Server    7          50 minutes
CentOS GUI Server    8.2        54 minutes

Without applying the proposed methodology, the average hardening installation and implementation time is 112 minutes, and applying the proposed methodology, the average hardening installation and implementation time is 42 minutes, see Figure 1.

Fig. 1. Average installation time and hardening process

D. Hardening checked based on CIS Benchmark

To verify that the configurations were properly applied, the final result was audited using the CIS-CAT Lite tool, where it was verified that all the configurations of the kickstart file were executed and the percentage of hardening of the operating systems was evidenced.

In the CentOS7 and CentOS8 operating systems, without applying the proposed methodology, there is a hardening level of 59% to 68% in the server specialty level 1, 52% to 63% in the server specialty level 2, 59% to 69% in the workstation specialty level 1 and 53% to 62% in the workstation specialty level 2, see Table 11.

TABLE XI. PERCENTAGE OF HARDENING WITHOUT APPLYING THE PROPOSED METHODOLOGY

OS                   Version    Level 1 Server    Level 2 Server    Level 1 Workstation    Level 2 Workstation
CentOS Minimal       7          61%               55%               61%                    54%
CentOS Minimal       8.2        68%               63%               69%                    62%
CentOS GUI Server    7          59%               52%               59%                    53%
CentOS GUI Server    8.2        32%               55%               63%                    55%

Applying the proposed methodology to the CentOS7 and CentOS8 operating systems, the percentage of hardening was audited, and it is from 90% to 95% in the server specialty level 1, 78% to 82% in the server specialty level 2, 90% to 95% in the workstation specialty level 1 and 79% to 83% in the workstation specialty level 2, see Table 12.

TABLE XII. PERCENTAGE OF HARDENING APPLYING THE PROPOSED METHODOLOGY

OS                   Version    Level 1 Server    Level 2 Server    Level 1 Workstation    Level 2 Workstation
CentOS Minimal       7          92%               79%               92%                    80%
CentOS Minimal       8.2        90%               78%               90%                    79%
CentOS GUI Server    7          95%               82%               95%                    83%
CentOS GUI Server    8.2        93%               79%               93%                    80%

Fig. 2. Hardening Level 1 Server

Fig. 3. Average percentage of hardening

IV. RESULTS DISCUSSION

The CentOS 7 operating system without making any configuration is 58% hardenized at the operating system level, which means that it does not have the system file configurations, network parameters, firewall, system file permissions and SSH connection configurations to the host. Performing the hardening through the kickstart file, the percentage of hardening increases to a range of 90% to 93% in the server specialty level 1.

The implementation of the proposed methodology allows standardizing the hardening based on the CIS Benchmark guidelines. The proposed methodology allows hardening any type of operating systems, applications, desktop software and server software in Linux and Unix environments.

With the same kickstart file you can perform multiple hardenized installations, so in complex environments you can have several hardenized kickstart files and simultaneously perform hardenized installations to increase the security of the installed operating systems and reduce installation and deployment time at the same time.

The time it takes to install a Linux operating system without applying the proposed methodology varies from 14 minutes to 38 minutes. The time it takes to install the hardenized operating system with the proposed methodology is approximately 15 minutes to 54 minutes.

The average time spent installing a Linux operating system is approximately 24 minutes and 20 seconds, and the average time spent on a typical hardening implementation is 112 minutes. Applying the proposed methodology, the average time for installing the operating system and implementing the hardening is 42 minutes 15 seconds.

The average hardening without applying the proposed methodology in the CentOS7 and CentOS8 operating systems is 62.5% in the level 1 server specialty, 56.3% in the level 2 server specialty, 63% in the level 1 workstation specialty and 56% in the level 2 workstation specialty.

The average hardening applying the proposed methodology with the kickstart files executed is 92.5% in the level 1 server specialty, 79.5% in the level 2 server specialty, 92.5% in the level 1 workstation specialty, and 80.5% in the level 2 workstation specialty.

V. CONCLUSIONS

With the analysis carried out around the implementation of the proposed methodology, it can be seen that when automating the hardening configurations, the time spent is less than in an installation without applying the proposed methodology.

The Spacewalk solution is compatible with a variety of Linux operating systems, making it suitable for any environment for management, automation, and rapid operating system installations. Automation work can be done by means of kickstart files, significantly reducing the time to install the operating system and implement hardening.

There are kickstart files for each Linux architecture, which can be hosted in Spacewalk by configuring the channel and profile, and by downloading and linking the Linux operating system according to the architecture that you want to automate.

The CIS Benchmark guides are available for a wide variety of operating systems such as Microsoft Windows, Apple OS, UNIX and Linux. By performing the hardenized installation and verifying that the installed operating system complies with the CIS Benchmark hardening guidelines, you get an operating system that reduces the impact of local, adjacent, and network attack vectors.

CIS-CAT Pro is a tool available with the CIS membership that allows verifying the percentage of hardening of an operating system, software or network devices. The final result of the hardenized installation is audited using the CIS-CAT Lite tool, which is a free evaluation tool developed by CIS that, in the same way as CIS-CAT Pro, allows verifying the percentage of hardening.

Hardening based on the CIS Benchmark can be done in two specialties, which are server and workstation. Each specialty has two levels, with level two being the one with the most rigorous settings.

ACKNOWLEDGMENT

We thank the Universidad de Las Américas of Ecuador and its degree in Information Technology Engineering.

REFERENCES

[1] R. Yao, Linux Command Line. Rails Tablet Server Device Drivers Database Bash Scripting Lamp Language PC Teach Yourself, 2014.
[2] J. Matherly, Complete Guide to Shodan. 2017.
[3] K. Rankin, Linux Hardening in hostile networks, First. 2017.
[4] Oracle, “Spacewalk for Oracle ® Linux Installation Guide for Release 2.10,” no. August, 2020, [Online]. Available: https://docs.oracle.com/en/operating-systems/spacewalk/2.10/install/F16303.pdf.
[5] J. Lehtimäki, “Implementing Spacewalk into Company Infrastructure,” no. June, 2013.
[6] M. Miranzo and C. del Río, “La protección de infraestructuras críticas,” pp. 339–352, 2014.
[7] Centro de Ciberseguridad Industrial, “La protección de infraestructuras críticas y la ciberseguridad industrial.” Madrid, 2013.
[8] P. Cobbaut, “Linux Fundamentals,” p. 267, 2013.
[9] J. Terpstra, P. Love, R. P. Reck, and T. Scanlon, Hardening Linux, vol. 53, no. 9. 2004.
[10] Center for Internet Security, “CIS Controls 7.1,” 2019.
[11] Center for Internet Security, “CIS CentOS Linux 7 Benchmark,” 2017.
[12] Center for Internet Security, “Configuration Assessment Tool Users Guide.” 2019.
[13] Oracle, “Spacewalk for Oracle ® Linux Concepts Guide for Release 2.10,” no. July, 2020, [Online]. Available: https://docs.oracle.com/en/operating-systems/spacewalk/2.10/gsg/F16302.pdf.
[14] S. Van Vugt, Red Hat RHCSA™ 8 Cert Guide: EX200. 2020.
[15] Center for Internet Security. (2019). CIS CentOS Linux 8 Benchmark.
[16] Dika Priska Prastika and Triyono, Joko and Lestari, U. (2019). AUDIT DAN IMPLEMENTASI CIS BENCHMARK PADA SISTEM OPERASI LINUX DEBIAN SERVER (STUDI KASUS: SERVER LABORATORIUM JARINGAN DAN KOMPUTER 6, INSTITUT SAINS & TEKNOLOGI AKPRIND YOGYAKARTA). 6(1), 1–12. https://ejournal.akprind.ac.id/index.php/jarkom/article/view/2274/1743
[17] Lv, S. N. and J. M. and Z. Z. and Z. (2014). Overview of Linux Vulnerabilities. Scict, 225–228. https://doi.org/10.2991/scict-14.2014.55
[18] Mattetti, M., Corradi, A., & Foschini, L. (2015). Automatic security hardening and protection of linux containers.
[19] Nepal, A. (2014). Linux Server & Hardening Security. August, 0–65. https://doi.org/10.13140/2.1.5079.2329
[20] Oracle. (2020a). Spacewalk for Oracle ® Linux Client Life Cycle Management Guide for Release 2.10. August. https://docs.oracle.com/en/operating-systems/spacewalk/2.10/admin/F16304.pdf
[21] Oracle. (2020d). Spacewalk for Oracle ® Linux Release Notes for Release 2.10. August. https://docs.oracle.com/en/operating-systems/spacewalk/2.10/relnotes/F16305.pdf

[22] Tevault, D. A. (2018). Mastering Linux Security and Hardening. Packt Publishing Ltd.
[23] Villegas-Ch, W., Luján-Mora, S., Buenaño-Fernandez, D., & Palacios-Pacheco, X. (2018, January). Big Data, the Next Step in the Evolution of Educational Data Analysis. In International Conference on Information Theoretic Security (pp. 138-147). Springer, Cham.
[24] Villegas-Ch, W., & Luján-Mora, S. (2017, March). Analysis of data mining techniques applied to LMS for personalized education. In World Engineering Education Conference (EDUNINE), IEEE (pp. 85-89). IEEE.
[25] Villegas-Ch, W., Luján-Mora, S., & Buenaño-Fernandez, D. (2018, March). Towards the Integration of Business Intelligence Tools Applied to Educational Data Mining. In 2018 IEEE World Engineering Education Conference (EDUNINE) (pp. 1-5). IEEE.
[26] Chipounov, Vitaly, and George Candea. 2010. Dynamically Translating x86 to LLVM Using QEMU. Technical Report EPFL-TR-149975. Ecole Polytechnique Fédérale de Lausanne, Switzerla
[27] Bellard, Fabrice. 2005. “QEMU, a Fast and Portable Dynamic Translator.” In Proceedings of the Annual Conference on USENIX Annual Technical Conference, 41–46
[28] Chipounov, Vitaly, and George Candea. 2010. Dynamically Translating x86 to LLVM Using QEMU. Technical Report EPFL-TR-149975. Ecole Polytechnique Fédérale de Lausanne, Switzerla
[29] Smith, R. (2013). LPIC-1: Linux Professional Institute Certification. Guía de Estudio - Exámenes 101 y 102 (3ª ed). Madrid: Ediciones ANAYA.
[30] 22. Pons, Nicolás (2015). Linux Practique con los comandos básicos (2da ed). España: Ediciones eni.
[31] 23. Singh, S. and Singh, N.: Big Data Analytics, International Conference on Communication, Information & Computing Technology Mumbai India, IEEE, (2011).
[32] S. Islam, S. Fenz, E. Weippl, and H. Mouratidis, “A Risk Management Framework for Cloud Migration Decision Support,” 2017, doi: 10.3390/jrfm10020010.
[33] E. R. Weippl and K. Krombholz, “A Decision Framework Model for Migration into Cloud: Business, Application, Security and Privacy Perspectives,” no. 2012, 2014.
[34] A. Aida, L. Abdul, S. Islam, and C. Kalloniatis, “A Risk Management Approach for a Sustainable Cloud Migration,” 2017, doi: 10.3390/jrfm10040020.
[35] P. Jamshidi, A. Ahmad, and C. Pahl, “Cloud Migration Research: A Systematic Review,” vol. 1, no. 2, pp. 142–157, 2013.
[36] Y.-C. Ling, C., Zhang, W., He, H., Tian, “Network perception task migration in cloud-edge fusion computing,” p. 2020, 2020, doi: 10.1186/s13677-020-00193-8.
[37] R. M. Gupta, A., Dimri, P., Bhatt, “An optimized approach for virtual machine live migration in cloud computing environment,” p. 5258, 2021, doi: 10.1007/978-981-15-5258-8.
[38] Z. He, “Migration and Integration Strategy of Virtual Machines in Cloud Data Center Based on HPGA,” p. 51431, 2021, doi: 10.1007/978-3-030-51431-0.
