Appliance Hardening

Overview

Hardening is the process of reducing the attack surface of an operating system or an application by enforcing a set of configurations in line with security best practices.

From V6.29 onwards, Nexthink Appliances are hardened following the Center for Internet Security (CIS) benchmark for Oracle Linux 8 L1.

Level 1 (L1) security controls are intended to provide a clear security benefit while having a minor impact on performance and maintaining usability.

Every fresh installation of the Appliance has L1 settings automatically applied.

In addition to that, we also recommend following these procedures:

The Appliance requires additional communication ports to be open depending on the Nexthink server component (if any) that is installed along with the system packages.

The automatic hardening procedure opens the ports needed by the Portal, the Engine, or both when they are installed on top of the Nexthink Appliance.

In the last sections of this article, you will learn how to open additional ports in the Appliance that you may need for your specific setup and how to enforce security hardening in existing Appliances.

Because the hardening procedure is only automatic for fresh installations of the Appliance, you may find these sections useful if you are upgrading your Nexthink Appliances.

Hardening measures

ISO CIS hardening

We started to work on the ISO CIS hardening in V6.29 and reached more than 80% compliance with the standard. With V6.30, we enforced the remaining checks to reach 100% compliance (with documented exceptions).

Enforcing all the CIS L1 checks requires some degree of fine-tuning to match our product configuration. We will keep those changes to a strict minimum and ensure they do not impact our product's security.

Contact Nexthink Support to request the list of changes.

We will keep our hardening configuration aligned with future versions of the CIS benchmark.

ISO CIS exceptions

Some hardening checks cannot be applied globally for all customers as they depend on customers’ internal policies and/or network configuration.

We leave it to each customer to choose how to configure those checks, if needed, to be fully compliant with the CIS standard.

Contact Nexthink Support to request the list of exceptions.

ISO Secure Boot

Starting from version 6.30, our ISO supports the UEFI firmware interface with Secure Boot. Secure Boot makes sure that only signed, trusted firmware, kernel, and kernel modules are loaded at boot time. This is aimed at reducing the risk of loading malicious code such as rootkits. Learn more about Secure Boot on the Red Hat website.

Portal

The following ports are open by default when installing the Portal on the Appliance:

TCP 443 and 80

After federating your Appliances, these additional communication channels with the Engine are open as well, but they are only accessible to the hostnames or IPs of the federated Engines:

TCP 7000, 7001, 7002, and 7003

Therefore, federation is mandatory in hardened Appliances to enable real-time communication between the Portal and the Engines. Because of this, it is not possible to work in compatibility mode.

If Collector Assignment rules are used, these additional communication channels with the Engine are open as well:

  • TCP 8300, 8301, and 10402

  • UDP 8301

Engine

The following ports are open by default when installing the Engine on the Appliance:

TCP 99, 22, 443, 999, and 1671

If Collector Assignment rules are used, these additional communication channels with the Portal and peer Engines are open as well:

  • TCP 8300, 8301

  • UDP 8301

Enabling additional ports

The automatic hardening opens only the default ports or, for those Engine ports whose number is configurable, the port numbers you have set in place of the defaults.

Third-party (non-Nexthink) applications installed on the Appliance may require additional communication ports. To enable additional ports on the Engine or the Portal Appliance, even when hardening is turned on:

  1. Log in to the Web Console of either the Portal or the Engine Appliance.

  2. Select the APPLIANCE tab at the top of the Web Console.

  3. Click Security on the left-hand side menu.

  4. Under Custom ports:

    • Type in the additional UDP ports required inside the UDP ports box. Separate each port number by a new line.

    • Type in the additional TCP ports required inside the TCP ports box. Separate each port number by a new line.

  5. Click SAVE.
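After opening the ports listed in the Portal and Engine sections above, or adding Custom ports, a practitioner will want to confirm that nothing beyond the allow-list is actually exposed. The POSIX shell script below is an added example, not Nexthink's own tooling: it parses the output of `ss -ltun` (assumed to have the standard columns Netid, State, Recv-Q, Send-Q, Local Address:Port, Peer Address:Port), ignores loopback-only listeners, and reports any TCP or UDP port not in the expected list. The sample `ss` output and the port allow-list (Engine defaults plus the Collector Assignment ports from this page) are constructed here; adjust the lists to match the component you installed and any Custom ports you entered in the Web Console.

```shell
#!/bin/sh
# Audit listening sockets on a hardened Nexthink Engine appliance against an
# explicit port allow-list. Added example; not part of the Nexthink product.

# Expected ports from the documentation: Engine defaults (TCP 22, 99, 443, 999,
# 1671) plus the Collector Assignment ports (TCP 8300, 8301 and UDP 8301).
ENGINE_TCP="22 99 443 999 1671 8300 8301"
ENGINE_UDP="8301"

# Constructed sample of `ss -ltun` output. In production, pipe the real
# command instead:  ss -ltun | audit_listeners "$ENGINE_TCP" "$ENGINE_UDP"
SAMPLE_SS=$(cat <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:443       0.0.0.0:*
tcp   LISTEN 0      128    [::]:443          [::]:*
tcp   LISTEN 0      128    0.0.0.0:99        0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:8080      0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:9000    0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:8301      0.0.0.0:*
EOF
)

# Turn ss output (stdin) into "proto port" lines. The header row is skipped,
# loopback-only listeners are ignored because they are not network-exposed,
# and the port is the last colon-separated field of the local address
# (this also handles bracketed IPv6 addresses such as [::]:443).
parse_ss() {
    awk 'NR > 1 {
        proto = $1; addr = $5
        if (addr ~ /^127\./ || addr ~ /^\[::1\]/) next
        n = split(addr, parts, ":"); port = parts[n]
        if (port ~ /^[0-9]+$/) print proto, port
    }'
}

# Return 0 if proto/port is on the allow-list held in ALLOWED_TCP/ALLOWED_UDP.
is_allowed() {
    proto=$1; port=$2
    case "$proto" in
        tcp) list="$ALLOWED_TCP" ;;
        udp) list="$ALLOWED_UDP" ;;
        *)   return 1 ;;
    esac
    for p in $list; do
        [ "$p" = "$port" ] && return 0
    done
    return 1
}

# Read ss output on stdin and print one "unexpected <proto>/<port>" line for
# every exposed listener that is not in the allow-list. Prints nothing when
# the host matches the expected configuration.
audit_listeners() {
    ALLOWED_TCP=$1
    ALLOWED_UDP=$2
    parse_ss | sort -u | while read -r proto port; do
        if ! is_allowed "$proto" "$port"; then
            echo "unexpected $proto/$port"
        fi
    done
}

# Demonstration on the constructed sample: only TCP 8080 should be reported,
# because 443 appears twice (IPv4 and IPv6) and 9000 is loopback-only.
printf '%s\n' "$SAMPLE_SS" | audit_listeners "$ENGINE_TCP" "$ENGINE_UDP"
```

An empty result means every network-exposed listener is on the allow-list. Because `sort -u` collapses duplicate IPv4/IPv6 entries, each unexpected port is reported once; if a third-party application legitimately needs a reported port, add it to the Custom ports in the Web Console and to the allow-list used here, rather than silencing the check.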

Enforce hardening from the Web Console

Only fresh installations of a V6.17 or higher Appliance are hardened. From V6.18 onwards, you can protect upgraded Appliances with the same security settings as a fresh V6.17 or higher Appliance from the Web Console. Keep in mind that the Appliances must be federated before enforcing their hardening.

To harden your upgraded Appliances from the Web Console:

  1. Log in to the Web Console of either the Portal or the Engine Appliance.

  2. Select the APPLIANCE tab at the top of the Web Console.

  3. Click Security on the left-hand side menu.

  4. Under Security hardening, tick the option Keep appliance secure.

  5. Click SAVE.
