<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
	<channel>
		<title>Hardening &amp; Compliance on Flatcar Container Linux</title>
		<link>/docs/latest/security/hardening/</link>
		<description>Recent content in Hardening &amp; Compliance on Flatcar Container Linux</description>
		<generator>Hugo</generator>
		<language>en-us</language>
		
		
		
			<copyright>Copyright © The Flatcar Project Contributors.

Copyright © Flatcar a Series of LF Projects, LLC.

For website terms of use, trademark policy and other project policies please see &lt;a href=&#34;https://lfprojects.org/policies/&#34;&gt;lfprojects.org/policies&lt;/a&gt;.
</copyright>
		
		
			<atom:link href="/docs/latest/security/hardening/index.xml" rel="self" type="application/rss+xml" />
			<item>
				<title>Flatcar Container Linux FIPS guide</title>
				<link>/docs/latest/security/hardening/fips/</link>
				<pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate>
				<guid>/docs/latest/security/hardening/fips/</guid>
				<description>&lt;p&gt;FIPS stands for Federal Information Processing Standards, a set of standards issued by the National Institute of Standards and Technology (NIST). While Flatcar is not officially FIPS certified, it is possible to deploy it so that it is compliant with two of these standards:&lt;/p&gt;&#xA;&lt;ul&gt;&#xA;&lt;li&gt;&#xA;&#xA;&#xA;&lt;a href=&#34;https://csrc.nist.gov/publications/detail/fips/200/final&#34; target=&#34;_blank&#34; rel=&#34;noopener&#34;&gt;FIPS 200&lt;/a&gt;&#xA;&lt;/li&gt;&#xA;&lt;li&gt;&#xA;&#xA;&#xA;&lt;a href=&#34;https://csrc.nist.gov/publications/detail/fips/140/2/final&#34; target=&#34;_blank&#34; rel=&#34;noopener&#34;&gt;FIPS 140-2&lt;/a&gt;&#xA;&lt;/li&gt;&#xA;&lt;/ul&gt;&#xA;&lt;h2 id=&#34;enabling-fips&#34;&gt;Enabling FIPS&lt;/h2&gt;&#xA;&lt;p&gt;Booting the instance with the kernel parameter &lt;code&gt;fips=1&lt;/code&gt; allows the instance to operate in a FIPS 200 mode. This means the kernel will use FIPS-compliant algorithms and will enforce some security practices like RSA key &#xA;&#xA;&#xA;&lt;a href=&#34;https://github.com/torvalds/linux/blob/941e3e7912696b9fbe3586083a7c2e102cee7a87/crypto/rsa_helper.c#L33-L37&#34; target=&#34;_blank&#34; rel=&#34;noopener&#34;&gt;size&lt;/a&gt;&#xA;. It&amp;rsquo;s also recommended to create the empty file &lt;code&gt;/etc/system-fips&lt;/code&gt; for other software (like cryptsetup).&lt;/p&gt;</description>
			</item>
			<item>
				<title>Flatcar Container Linux hardening guide</title>
				<link>/docs/latest/security/hardening/hardening-guide/</link>
				<pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate>
				<guid>/docs/latest/security/hardening/hardening-guide/</guid>
				<description>&lt;p&gt;This guide covers the basics of securing a Flatcar Container Linux instance. Flatcar Container Linux has a very slim network profile and the only service that listens by default on Flatcar Container Linux is sshd on port 22 on all interfaces. There are also some defaults for local users and services that should be considered.&lt;/p&gt;&#xA;&lt;h2 id=&#34;remote-listening-services&#34;&gt;Remote listening services&lt;/h2&gt;&#xA;&lt;h3 id=&#34;disabling-sshd&#34;&gt;Disabling sshd&lt;/h3&gt;&#xA;&lt;p&gt;To disable sshd from listening you can stop the socket:&lt;/p&gt;</description>
			</item>
			<item>
				<title>Setting up the Linux Auditing System</title>
				<link>/docs/latest/security/hardening/audit/</link>
				<pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate>
				<guid>/docs/latest/security/hardening/audit/</guid>
				<description>&lt;p&gt;On Flatcar Container Linux &lt;code&gt;audit-rules.service&lt;/code&gt; loads the audit rules to set up the logging filters for the kernel messages.&#xA;The &lt;code&gt;auditd.service&lt;/code&gt; daemon to collect these logs does not run by default.&lt;/p&gt;&#xA;&lt;h2 id=&#34;enabling-the-standard-rules-or-custom-rules&#34;&gt;Enabling the standard rules or custom rules&lt;/h2&gt;&#xA;&lt;p&gt;There is an ignore rule by default that suppresses the standard rules, which means that certain PAM audit messages are not shown.&#xA;It is also important to remove this default ignore rule when setting up own rules, or otherwise they will be ignored, too.&#xA;The following Butane Config will overwrite the default ignore rule:&lt;/p&gt;</description>
			</item>
			<item>
				<title>Trusted Computing requirements on Flatcar Container Linux</title>
				<link>/docs/latest/security/hardening/trusted-computing-hardware-requirements/</link>
				<pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate>
				<guid>/docs/latest/security/hardening/trusted-computing-hardware-requirements/</guid>
				<description>&lt;p&gt;Trusted Computing requires support in both system hardware and firmware. This document specifies the required support and explains how to determine if a physical machine has the features needed to enable Trusted Computing in Flatcar Container Linux.&lt;/p&gt;&#xA;&lt;h2 id=&#34;1-check-for-trusted-platform-module&#34;&gt;1. Check for Trusted Platform Module&lt;/h2&gt;&#xA;&lt;p&gt;Trusted Computing depends on the presence of a Trusted Platform Module (TPM). The TPM is a motherboard component responsible for storing the state of the system boot process, and providing a secure communication channel over which this state can be verified. To check for the presence of a TPM, install the latest Alpha version of Flatcar Container Linux and try to list the TPM device file in the &lt;code&gt;/sys&lt;/code&gt; system control filesystem:&lt;/p&gt;</description>
			</item>
			<item>
				<title>Disabling SMT on Flatcar Container Linux</title>
				<link>/docs/latest/security/hardening/disabling-smt/</link>
				<pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate>
				<guid>/docs/latest/security/hardening/disabling-smt/</guid>
				<description>&lt;p&gt;Recent Intel CPU vulnerabilities (&#xA;&#xA;&#xA;&lt;a href=&#34;https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html&#34; target=&#34;_blank&#34; rel=&#34;noopener&#34;&gt;L1TF&lt;/a&gt;&#xA; and &#xA;&#xA;&#xA;&lt;a href=&#34;https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html&#34; target=&#34;_blank&#34; rel=&#34;noopener&#34;&gt;MDS&lt;/a&gt;&#xA;) cannot be fully mitigated in software without disabling Simultaneous Multi-Threading. This can have a substantial performance impact and is only necessary for certain workloads, so for compatibility reasons, SMT is enabled by default.&lt;/p&gt;&#xA;&lt;p&gt;In addition, the Intel &#xA;&#xA;&#xA;&lt;a href=&#34;https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/tsx_async_abort.html&#34; target=&#34;_blank&#34; rel=&#34;noopener&#34;&gt;TAA&lt;/a&gt;&#xA; vulnerability cannot be fully mitigated without disabling either of SMT or the Transactional Synchronization Extensions (TSX). Disabling TSX generally has less performance impact, so is the preferred approach on systems that don&amp;rsquo;t otherwise need to disable SMT. For compatibility reasons, TSX is enabled by default.&lt;/p&gt;</description>
			</item>
	</channel>
</rss>
