rConfig - Security Hardening Guide
Security Hardening Documentation
Introduction
Security hardening is a critical aspect of maintaining the integrity, confidentiality, and availability of any system, especially one as integral as rConfig. In today’s environment, cyber threats are evolving rapidly, and even a minor vulnerability can lead to significant repercussions. Hardening your systems helps mitigate risks, protect sensitive data, and ensure compliance with industry standards.
rConfig has a strong history of prioritizing security. Since its inception, rConfig has only had three Common Vulnerabilities and Exposures (CVEs), and all of these occurred in the older V3 version. This track record demonstrates rConfig’s commitment to maintaining a secure and reliable platform.
This document serves as a comprehensive end-to-end guide for securing rConfig. While much of the content includes generic best practices for securing systems and applications, it has been tailored to address the specific needs and features of rConfig. Following this guide will help ensure your rConfig deployment is robust against evolving threats.
Conduct a Security Assessment
Before you start hardening, it’s essential to know where your vulnerabilities lie. A security assessment will help you identify gaps in your security policies, practices, and tools.
- Perform Vulnerability Scanning: Use tools like Nessus, OpenVAS, or Qualys to scan your systems and infrastructure for vulnerabilities.
- Penetration Testing: Conduct periodic penetration tests to simulate real-world attacks and assess your network’s resistance.
- Security Audits: Have regular security audits done by an external firm to ensure compliance with frameworks such as NIST SP 800-53, ISO 27001, and SOC 2.
Implement Strong Authentication and Access Controls
rConfig offers robust user authentication capabilities, including local user authentication, Active Directory (AD) integration, and Single Sign-On (SSO) with enterprise-grade identity providers. These features provide flexibility and ensure secure access for various organizational needs. For more details, refer to the rConfig documentation for each authentication method.
Additionally, rConfig employs a strong Role-Based Access Control (RBAC) system, enabling administrators to enforce the Principle of Least Privilege (PoLP) effectively. Adhering to these principles ensures users only have access to the resources necessary for their roles. For implementation details, see the RBAC Guide.
Authentication and authorization are the first line of defense. Here’s how you can harden access:
- Use Multi-Factor Authentication (MFA): Enable MFA for all users, especially for privileged accounts (admin, root, etc.) and critical applications. Prefer app-based methods like Google Authenticator or hardware tokens (e.g., YubiKeys) over SMS codes, which are exposed to SIM swapping and interception. Where rConfig authenticates through AD or SSO, enforce MFA at the identity provider so that it covers every login path.
- Principle of Least Privilege (PoLP): Ensure users and administrators only have access to the systems and data they absolutely need to perform their jobs.
- Role-Based Access Control (RBAC): Implement RBAC in your systems, especially in applications like databases, network services, and cloud infrastructure.
- Disable Default Accounts: Remove or disable any default administrative or service accounts in your systems and applications. These can be a target for attackers.
Network Hardening
Your network is often the first line of defense, so securing it is paramount. For rConfig, the main connection ports to consider are as follows:
- Outbound Ports:
  - 80 (HTTP) and 443 (HTTPS)
  - SSH (22 by default) and Telnet (23) as required for device communication. Telnet is plaintext, so permit it only towards the device subnets that cannot use SSH.
  - The rConfig server typically only needs outbound internet access to rconfig.com (static IP) for version checks. While not required, this is recommended and should be factored into your firewall strategy.
- Inbound Ports:
  - 80 (HTTP) and 443 (HTTPS). Serve the UI and API over HTTPS only, keep port 80 open solely to redirect to HTTPS, and limit both to the networks administrators connect from.
  - Optionally 21 (FTP) and 69/UDP (TFTP) for specific use cases. Both are plaintext and TFTP is unauthenticated, so allow them only from the device subnets that need them and close them when not in use.
- Firewalls & Network Segmentation: Use firewalls to limit inbound and outbound traffic to necessary services. Consider network segmentation (e.g., separating internal, external, and DMZ networks) to reduce the risk of lateral movement in the event of a breach. rConfig holds credentials for every device it manages, so place it in the management segment with those devices rather than in a user-facing network.
- Intrusion Detection & Prevention Systems (IDPS): Use network IDS/IPS tools like Snort or Suricata, and a host-based IDS such as OSSEC, to detect and block malicious activity in real time.
- VPNs and Encryption: Ensure that all remote access is encrypted (using VPNs, TLS, or SSH for secure communications) and ensure all internal communications are encrypted.
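The port policy above expressed as an added example (this is not rConfig's own code): a bash script that renders an nftables ruleset for a dedicated rConfig host and, with --apply, validates and loads it. The subnets, the rconfig.com address (a TEST-NET placeholder here; substitute the static IP rConfig publishes), the package-repository proxy, and the config file path are assumptions to replace with your own values. It also assumes the host has a static address and that administrators reach the UI only from the management network.

```bash
#!/usr/bin/env bash
# Added example (not rConfig's own code): nftables ruleset implementing the
# inbound/outbound port policy above for a dedicated rConfig host.
# Dry run by default (prints the ruleset); --apply checks and loads it.
set -eu

# --- Assumed values: replace with your own --------------------------------
MGMT_NET="${MGMT_NET:-10.0.0.0/24}"                        # where admins browse to the UI
DEVICE_NETS="${DEVICE_NETS:-10.10.0.0/16, 10.20.0.0/16}"   # managed network devices
RCONFIG_COM_IP="${RCONFIG_COM_IP:-203.0.113.10}"           # placeholder; use the static IP rConfig publishes
REPO_PROXY="${REPO_PROXY:-203.0.113.20}"                   # placeholder; your OS package mirror/proxy
ALLOW_FTP_TFTP="${ALLOW_FTP_TFTP:-no}"                     # "yes" only if devices push configs by FTP/TFTP
NFT_CONF="${NFT_CONF:-/etc/nftables.conf}"                 # /etc/sysconfig/nftables.conf on RHEL-family

build_ruleset() {
    cat <<EOF
#!/usr/sbin/nft -f
flush ruleset

table inet rconfig {
    chain input {
        type filter hook input priority 0; policy drop;

        iif lo accept
        ct state established,related accept
        ct state invalid drop
        meta l4proto { icmp, ipv6-icmp } accept

        # Web UI/API from the management network only. Port 80 stays open
        # solely so Apache can redirect to HTTPS.
        ip saddr $MGMT_NET tcp dport { 80, 443 } accept

        # Admin SSH to the rConfig host itself
        ip saddr $MGMT_NET tcp dport 22 accept
EOF
    if [ "$ALLOW_FTP_TFTP" = "yes" ]; then
        cat <<EOF

        # Optional device-initiated FTP/TFTP uploads: plaintext (TFTP also
        # unauthenticated), so device subnets only; remove when unused.
        # FTP data channels need a fixed passive port range or the ftp
        # conntrack helper on top of this control-channel rule.
        ip saddr { $DEVICE_NETS } tcp dport 21 accept
        ip saddr { $DEVICE_NETS } udp dport 69 accept
EOF
    fi
    cat <<EOF
    }

    chain output {
        type filter hook output priority 0; policy drop;

        oif lo accept
        ct state established,related accept

        # Device communication: SSH and Telnet towards managed devices only
        ip daddr { $DEVICE_NETS } tcp dport { 22, 23 } accept

        # Version check against rconfig.com (static IP) and OS package updates
        ip daddr $RCONFIG_COM_IP tcp dport { 80, 443 } accept
        ip daddr $REPO_PROXY tcp dport { 80, 443 } accept

        # Name resolution and time sync
        udp dport { 53, 123 } accept
        tcp dport 53 accept
    }
}
EOF
}

apply_ruleset() {
    command -v nft >/dev/null 2>&1 || { echo "nft not installed" >&2; return 1; }
    local tmp
    tmp=$(mktemp)
    build_ruleset > "$tmp"
    nft -c -f "$tmp"                     # parse and validate without touching the live ruleset
    nft -f "$tmp"                        # atomic replace: the whole file loads or nothing changes
    install -m 0600 "$tmp" "$NFT_CONF"   # persisted; enable nftables.service to load it at boot
    rm -f "$tmp"
}

if [ "${1:-}" = "--apply" ]; then
    apply_ruleset
else
    build_ruleset                        # dry run: review the output before applying
fi
```

Run it without arguments first and review the printed ruleset. In the apply path, `nft -c -f` rejects syntax and semantic errors before anything is loaded, and `nft -f` replaces the ruleset atomically, so a bad rule never leaves the host half-filtered. Both chains default to drop, so anything the rConfig host legitimately needs that is not listed (a syslog collector, an SMTP relay) has to be added explicitly.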
Server & Endpoint Hardening
For security and system optimization, the ideal setup is for rConfig installations to run on a dedicated server or appliance, not shared with other services. This approach minimizes potential attack vectors and ensures optimal performance. Both physical and virtual servers, as well as user devices, need to be hardened against common attack vectors:
Operating System Security
- Minimize Attack Surface: Remove unnecessary software, services, and packages from servers and endpoints to reduce the potential attack surface.
- Patch Management: Ensure that operating systems, applications, and third-party software are up to date with security patches. Use tools like dnf-automatic (yum-cron on older releases), unattended-upgrades, or WSUS for automatic updates.
- Use SELinux/AppArmor: If you are using Linux, ensure SELinux (Security-Enhanced Linux) or AppArmor is configured to enforce access controls. Note that rConfig disables SELinux by default; see Sample SELinux Policy below for the settings needed to run it in enforcing mode.
- Disable Unnecessary Services: Disable unnecessary ports and services (e.g., FTP, Telnet) and only leave those that are required.
- Harden SSH: Configure SSH to disable root login, use key-based authentication, and limit login attempts to prevent brute-force attacks.
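An added example for the SSH item above (not from rConfig): a bash script whose audit function reads `sshd -T` output, or any "key value" configuration lines, and flags the weak settings, plus a hardened drop-in it can install with --apply. The drop-in path assumes OpenSSH 8.2 or later with an `Include /etc/ssh/sshd_config.d/*.conf` line in sshd_config; the sample it audits by default is constructed.

```bash
#!/usr/bin/env bash
# Added example (not rConfig's own code): audit sshd for the settings above and
# optionally install a drop-in that enforces them.
#   ./ssh-hardening.sh                 dry run against a constructed sample
#   sudo ./ssh-hardening.sh --audit    audit the live daemon via "sshd -T"
#   sudo ./ssh-hardening.sh --apply    install the drop-in, validate, reload, re-audit
# Assumes OpenSSH 8.2+ with "Include /etc/ssh/sshd_config.d/*.conf" in sshd_config.
set -eu

DROPIN="${DROPIN:-/etc/ssh/sshd_config.d/50-hardening.conf}"   # assumed path

# Audit "key value" lines (as printed by "sshd -T", which gives the effective
# values after all Match blocks) on stdin. Prints one line per weak setting
# and returns 1 if any were found. Keys are matched case-insensitively.
audit_sshd() {
    local bad=0 key val
    while read -r key val; do
        key=$(printf '%s' "$key" | tr 'A-Z' 'a-z')
        case "$key" in
            permitrootlogin)
                [ "$val" = "no" ] || { echo "PermitRootLogin is '$val', want no"; bad=1; } ;;
            passwordauthentication)
                [ "$val" = "no" ] || { echo "PasswordAuthentication is '$val', want no"; bad=1; } ;;
            pubkeyauthentication)
                [ "$val" = "yes" ] || { echo "PubkeyAuthentication is '$val', want yes"; bad=1; } ;;
            maxauthtries)
                [ "$val" -le 3 ] 2>/dev/null || { echo "MaxAuthTries is '$val', want 3 or fewer"; bad=1; } ;;
        esac
    done
    return $bad
}

# The drop-in keeps /etc/ssh/sshd_config untouched so package upgrades do not
# revert it. Install your public key and test a key login BEFORE applying:
# "PasswordAuthentication no" locks out anyone without a key.
hardened_dropin() {
    cat <<'EOF'
# rConfig host SSH hardening (added example)
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
# Use ChallengeResponseAuthentication on OpenSSH older than 8.7
KbdInteractiveAuthentication no
MaxAuthTries 3
LoginGraceTime 30
EOF
}

# Constructed sample of "sshd -T" output from a stock install.
SAMPLE_WEAK='permitrootlogin yes
passwordauthentication yes
pubkeyauthentication yes
maxauthtries 6'

case "${1:-}" in
    --apply)
        mkdir -p "$(dirname "$DROPIN")"
        hardened_dropin > "$DROPIN"
        sshd -t                                        # whole-config syntax check before reload
        systemctl reload sshd 2>/dev/null || systemctl reload ssh
        # Re-audit the effective config: this catches a missing Include line,
        # in which case the drop-in is silently ignored.
        sshd -T | audit_sshd && echo "sshd: hardened settings in effect"
        ;;
    --audit)
        sshd -T | audit_sshd && echo "sshd: no weak settings found"
        ;;
    *)
        printf '%s\n' "$SAMPLE_WEAK" | audit_sshd || echo "sample: weak settings found (expected)"
        ;;
esac
```

Keep an existing session open while you apply and verify a fresh key-based login from a second terminal before closing it; `sshd -t` protects against a syntax error, not against locking yourself out.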
Endpoint Protection
- Install and maintain anti-malware/anti-virus software on all endpoints (laptops, desktops, and servers).
- Implement device encryption to protect data in case a device is lost or stolen.
- Enforce mobile device management (MDM) policies on employees’ smartphones and tablets.
Sample SELinux Policy
Note: By default, rConfig disables SELinux as most customers, in our experience, do not use it. For customers who do utilize SELinux, the steps below put the system back into enforcing mode and grant rConfig only the permissions it needs.
- Set SELinux to Enforcing Mode: This is the most secure mode and ensures that SELinux enforces its policies. Switch the running system with:
setenforce 1
To make this change persistent across reboots, set SELINUX=enforcing in /etc/selinux/config. If the system was previously running with SELinux disabled (rather than permissive), files on disk may be unlabeled; touch /.autorelabel and reboot so they are relabeled before enforcing.
- Define SELinux Rules: Create rules that restrict access to only the required files, processes, and ports. Label only the directories the web server must write to (uploads, cache, generated templates) as httpd_sys_rw_content_t and leave the rest of the application tree as read-only httpd_sys_content_t.
- Allow Network Access for HTTPD: rConfig runs under Apache and must open connections to managed devices and to rconfig.com, which the default httpd policy forbids. Enable it with:
setsebool -P httpd_can_network_connect 1
- Enable Unified Context for HTTPD: To let the web server modify and create templates, enable the unified context:
setsebool -P httpd_unified 1
- Monitor SELinux Logs: Regularly review SELinux logs in /var/log/audit/audit.log (AVC denials, also searchable with ausearch -m AVC) to identify and address unauthorized access attempts or policy violations.
- Policy Testing and Adjustments: Use audit2allow to turn logged denials into a local policy module and fine-tune SELinux policies while minimizing disruptions. Review the generated .te file before loading it with semodule: audit2allow permits exactly what was denied, so a misconfiguration, or an attack that SELinux correctly blocked, would otherwise become permanent policy.
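The SELinux steps above as one added example (not rConfig's own code): a bash script that persists enforcing mode, sets the two booleans, labels the writable directories, and on a second run builds a local module from logged httpd denials with audit2allow. It assumes a RHEL-family host with Apache, the policycoreutils-python-utils package (for semanage and audit2allow), and rConfig installed under an assumed path with a Laravel-style storage/ directory; adjust RCONFIG_ROOT and the directory list to your install.

```bash
#!/usr/bin/env bash
# Added example (not rConfig's own code): the SELinux steps above as one
# idempotent script.
#   sudo ./rconfig-selinux.sh --apply            enforcing mode, booleans, file contexts
#   sudo ./rconfig-selinux.sh --allow-denials    after exercising rConfig: build a local module
# Assumptions: RHEL-family host, Apache, rConfig under RCONFIG_ROOT with a
# Laravel-style storage/ directory. Adjust the paths to your installation.
set -eu

SELINUX_CONFIG="${SELINUX_CONFIG:-/etc/selinux/config}"
RCONFIG_ROOT="${RCONFIG_ROOT:-/var/www/html/rconfig}"   # assumed install path
LOCAL_MODULE="rconfig_local"                           # name of the audit2allow module

# Persist enforcing mode: rewrite an existing SELINUX= line or append one,
# leaving SELINUXTYPE and comments untouched. Safe to run repeatedly.
persist_enforcing() {
    local cfg="$1"
    if grep -Eq '^SELINUX=' "$cfg"; then
        sed -i -E 's/^SELINUX=.*/SELINUX=enforcing/' "$cfg"   # GNU sed
    else
        echo 'SELINUX=enforcing' >> "$cfg"
    fi
    grep -Eq '^SELINUX=enforcing$' "$cfg"
}

# Booleans rConfig needs: outbound connections from Apache/PHP (polling devices
# over SSH/Telnet, the rconfig.com version check) and the unified httpd
# context so templates can be created and modified.
set_booleans() {
    setsebool -P httpd_can_network_connect 1
    setsebool -P httpd_unified 1
}

# Only the directories Apache writes to get httpd_sys_rw_content_t; the rest of
# the tree stays read-only httpd_sys_content_t, so a compromised PHP process
# cannot rewrite application code.
label_writable_dirs() {
    local d pat
    for d in storage bootstrap/cache; do
        pat="$RCONFIG_ROOT/$d(/.*)?"
        semanage fcontext -a -t httpd_sys_rw_content_t "$pat" 2>/dev/null \
            || semanage fcontext -m -t httpd_sys_rw_content_t "$pat"
    done
    restorecon -R "$RCONFIG_ROOT"
}

# Turn AVC denials for httpd into a local policy module. The generated .te is
# shown first: audit2allow allows exactly what was denied, so a
# misconfiguration (or a blocked attack) would otherwise become policy.
build_local_module() {
    local work ans
    work=$(mktemp -d)
    cd "$work"
    grep -E 'type=AVC.*comm="httpd"' /var/log/audit/audit.log \
        | audit2allow -M "$LOCAL_MODULE"
    if [ ! -s "$LOCAL_MODULE.pp" ]; then
        echo "no httpd denials found; nothing to load"
        return 0
    fi
    cat "$LOCAL_MODULE.te"
    read -r -p "Load this module? [y/N] " ans
    if [ "$ans" = "y" ]; then
        semodule -i "$LOCAL_MODULE.pp"
    fi
}

case "${1:-}" in
    --apply)
        persist_enforcing "$SELINUX_CONFIG"
        if [ "$(getenforce)" = "Disabled" ]; then
            touch /.autorelabel
            echo "SELinux was disabled: reboot to relabel the filesystem, then re-run --apply"
            exit 0
        fi
        setenforce 1
        set_booleans
        label_writable_dirs
        echo "SELinux enforcing with rConfig booleans and file contexts applied"
        ;;
    --allow-denials)
        build_local_module
        ;;
    *)
        echo "usage: $0 --apply | --allow-denials" >&2
        ;;
esac
```

Run --apply, exercise rConfig for a while (device backups, template edits, the version check), then run --allow-denials and read the printed .te before answering "y"; rules that reference paths or ports rConfig has no business touching are a sign of a misconfiguration to fix rather than permit.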
Credential Hardening in UI and Other Locations
- Secure Password Storage: Ensure passwords are hashed using a slow, salted algorithm (e.g., bcrypt or Argon2id), never a plain cryptographic hash such as MD5 or SHA-256.
- Password Complexity Enforcement: Enforce policies that require strong passwords, prioritizing length and checks against breached-password lists over character-variety rules.
- UI Security Measures:
  - Use password-type input fields so entries are masked, but do not block paste: that defeats password managers and pushes users toward weaker passwords (NIST SP 800-63B).
  - Rate-limit login attempts and lock out or delay after repeated failures; add reCAPTCHA or a similar challenge as a second layer against automated brute-force attacks on login forms.
- Secure Key Management: Use secure key vaults (e.g., AWS Secrets Manager, HashiCorp Vault) for API keys and credentials.
- Session Management: Ensure session cookies are secure, with the HttpOnly and Secure flags and a SameSite attribute (Lax or Strict) set, and that sessions expire and are invalidated on logout.
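For the session-cookie item above, an added example (not rConfig's own code): a bash checker that reads HTTP response headers and reports any Set-Cookie line missing Secure, HttpOnly or a SameSite value, with a helper that fetches a site's login page headers through curl. The cookie name, the /login path and the Laravel-style SESSION_SECURE_COOKIE setting mentioned in the comments are assumptions; the sample headers are constructed.

```bash
#!/usr/bin/env bash
# Added example (not rConfig's own code): verify that the session cookie set
# by the login page carries Secure, HttpOnly and SameSite. Feed it raw HTTP
# response headers on stdin, or give check_site a hostname.
set -eu

# Reads response headers on stdin. Returns 0 only if at least one Set-Cookie
# header was seen and every one of them has all three attributes; prints
# what is missing for each offending cookie.
check_cookie_flags() {
    local ok=0 seen=0 line name missing
    while IFS= read -r line; do
        line=$(printf '%s' "$line" | tr -d '\r')      # curl -D keeps CRLF line endings
        case "$line" in
            [Ss]et-[Cc]ookie:*) ;;
            *) continue ;;
        esac
        seen=1
        name=$(printf '%s' "$line" | sed -E 's/^[Ss]et-[Cc]ookie:[[:space:]]*([^=]+)=.*/\1/')
        missing=""
        printf '%s' "$line" | grep -qiE ';[[:space:]]*secure[[:space:]]*(;|$)' \
            || missing="$missing Secure"
        printf '%s' "$line" | grep -qiE ';[[:space:]]*httponly[[:space:]]*(;|$)' \
            || missing="$missing HttpOnly"
        printf '%s' "$line" | grep -qiE ';[[:space:]]*samesite=(lax|strict)[[:space:]]*(;|$)' \
            || missing="$missing SameSite=Lax|Strict"
        if [ -n "$missing" ]; then
            echo "cookie '$name' is missing:$missing"
            ok=1
        fi
    done
    if [ "$seen" = 0 ]; then
        # A vacuous pass would hide a misconfigured test URL, so treat it as a failure.
        echo "no Set-Cookie header in response (cookie flags could not be checked)"
        return 1
    fi
    return $ok
}

# Live check against a deployment (assumed login path /login).
check_site() {
    curl -sS -D - -o /dev/null "https://$1/login" | check_cookie_flags
}

# Constructed sample headers (cookie name is a placeholder). The first is how a
# hardened deployment should answer; the second is the typical result of
# serving the app over plain HTTP or leaving the framework's secure-cookie
# setting (SESSION_SECURE_COOKIE in Laravel-style .env files) unset.
HARDENED='Set-Cookie: rconfig_session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax'
WEAK='Set-Cookie: rconfig_session=abc123; Path=/'

printf '%s\n' "$HARDENED" | check_cookie_flags && echo "hardened sample: OK"
printf '%s\n' "$WEAK" | check_cookie_flags || echo "weak sample: FAIL (expected)"
```

Run `check_site rconfig.example.internal` after every deployment or reverse-proxy change: a proxy that terminates TLS and forwards plain HTTP to the application is the usual reason the Secure flag silently disappears.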
Data Security and Encryption
Securing sensitive data is critical, both at rest and in transit:
- Encrypt Data in Transit: Use TLS to encrypt sensitive data transmitted over the network. Ensure that all services, including websites, APIs, and email, use HTTPS, that certificates are up-to-date and signed by a trusted certificate authority, and that legacy protocol versions (SSLv3, TLS 1.0 and 1.1) are disabled. For more details, refer to SSL Setup.
- Encrypt Data at Rest: Use full disk encryption (e.g., LUKS for Linux, BitLocker for Windows) for sensitive data stored on servers and workstations, and use rConfig's Config Encryption feature for stored device configurations. For implementation details, refer to Config Encryption.
- Database Hardening: Use encryption for sensitive fields in databases and employ strong authentication mechanisms for database access: a dedicated database user for rConfig with privileges on its own schema only, and a database that listens on localhost or a private network. Note that rConfig encrypts credentials and other sensitive data by default, with the encryption key stored in the .env file. Keep this file readable only by the web server user and back it up securely at all times; without the key, the encrypted credentials in a database backup cannot be recovered. Ensure regular database backups are encrypted.
- Backup Encryption: Ensure that backup files (both on-site and off-site) are encrypted, so that data is protected in case of a breach.
Backups
To protect against ransomware and other threats, regular system backups should be taken. While rConfig's backup feature offers basic convenience, a backup that lives on the same disks is lost with them if the host fails or is compromised. Customers must implement comprehensive backup systems and processes aligned with corporate policies, with copies kept off-host (and ideally offline or immutable), to protect themselves and ensure business continuity. These backups, together with the .env file whose key is needed to read the encrypted data in them, should be stored securely, with encryption and regular testing of restore procedures, to guarantee data recovery in the event of an incident.