3 General
Hardening your SUSE Enterprise Storage installation involves reducing the attack surface presented to potential attackers. But this is only the tip of the iceberg. All the basic tasks of securing a system apply to SUSE Enterprise Storage as well.
3.1 Basic security hygiene
As with any other system, it is important that you practice proper security hygiene for your SUSE Enterprise Storage installation. This includes monitoring a suitable channel for security notices (https://www.suse.com/security/cve/) and incorporating it into your security tracking.
It is mandatory that you install updates in a timely manner. If available, you can use threat intelligence to guide your update strategy, but the sooner you install updates the better. Most organizations do not get hacked via 0-day exploits but through long-known security issues. If you keep your cluster current, you improve its security posture dramatically.
Installing updates in a SUSE Enterprise Storage context means that you keep the base operating system and the SUSE Enterprise Storage images up to date. For the base operating system you can either use basic command line tools like zypper or use SUSE Manager to conveniently manage a large fleet of machines. Refer to Section 13.7, “Updating Ceph” on how to keep the SUSE Enterprise Storage images up to date.
3.2 General system hardening
Ensuring that the base system is hardened helps provide a proper base for further hardening measures more specific to SUSE Enterprise Storage. SUSE published a hardening guide for SUSE Linux Enterprise Server at https://documentation.suse.com/de-de/sles/15-SP1/html/SLES-all/book-hardening.html. As SUSE Enterprise Storage is based on SUSE Linux Enterprise Server, this guide contains tips that you can incorporate into your security strategy. For example, we recommend that you ensure that the systems that host SUSE Enterprise Storage are physically secure and that the boot process is protected; both are important for a solid base for further hardening.
We also recommend that you do not add any other workloads on the machines that you use for your SUSE Enterprise Storage cluster. Not only can this negatively impact the performance of your SUSE Enterprise Storage cluster, but you also introduce additional risk to your data. If an attacker is able to exploit a vulnerability in the unrelated workload, they may be able to use this access to compromise your SUSE Enterprise Storage cluster.
If you have a virtualized environment and can easily provision machines, we recommend using one machine for each role. In particular, the Ceph Monitors should be stand-alone, as they have access to all the key material, and running other services on them increases their risk profile.
3.3 Monitoring
Without visibility into your systems it is tough to ensure that they run in a secure state. You have to either monitor the SUSE Enterprise Storage cluster itself or hook it into your existing monitoring framework to ensure that you are aware of changes in the cluster. This mainly helps with availability, but is also important for other security goals. For example, you need to notice if someone is trying to brute force credentials on the machines, by collecting and analyzing the logs that show this behavior.
You should at least include /var/log/ceph/cephadm.log in your log analysis setup to make sure you notice changes on your SUSE Enterprise Storage cluster.
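As an added example, not part of this guide or of the cephadm project, the kind of check a log pipeline can run over the two sources just mentioned: it lists the cephadm invocations recorded in cephadm.log (and which of them change cluster state) and flags source addresses that fail SSH logins repeatedly within a short window. The sample lines, host name and addresses are constructed, and both log layouts are assumptions to adapt to what your own hosts write.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample lines, not output from a real cluster; both log formats are assumptions.
SAMPLE_CEPHADM_LOG = """\
2021-03-01 10:00:01,120 DEBUG ----------------------------------------
cephadm ['ls']
2021-03-01 10:05:42,331 DEBUG ----------------------------------------
cephadm ['--image', 'registry.example.com/ceph/ceph:v15', 'shell', '--', 'ceph', 'auth', 'get-or-create', 'client.backup']
"""
SAMPLE_AUTH_LOG = """\
Mar  1 10:10:01 mon1 sshd[4242]: Failed password for root from 203.0.113.5 port 51001 ssh2
Mar  1 10:10:03 mon1 sshd[4243]: Failed password for invalid user admin from 203.0.113.5 port 51002 ssh2
Mar  1 10:10:04 mon1 sshd[4244]: Failed password for root from 203.0.113.5 port 51003 ssh2
Mar  1 10:10:09 mon1 sshd[4247]: Accepted publickey for ceph from 198.51.100.7 port 40022 ssh2
Mar  1 11:30:00 mon1 sshd[4300]: Failed password for root from 198.51.100.9 port 40100 ssh2
"""
CEPHADM_TS = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+ ")
CEPHADM_CMD = re.compile(r"^cephadm (\[.*\])$")
SSH_FAIL = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password .* from (\S+) port")
# cephadm subcommands that change cluster state; 'ls' or 'version' only read inventory.
MUTATING = {"shell", "deploy", "adopt", "rm-daemon", "rm-cluster", "bootstrap"}

def cephadm_invocations(text):
    """Return (timestamp, argument list) for every cephadm invocation in the excerpt."""
    out, ts = [], None
    for line in text.splitlines():
        if m := CEPHADM_TS.match(line):
            ts = m.group(1)  # the timestamped line precedes the command it belongs to
        elif m := CEPHADM_CMD.match(line):
            out.append((ts, m.group(1)))
    return out

def mutating_invocations(text):
    """Keep only invocations whose arguments include a state-changing subcommand."""
    return [(ts, args) for ts, args in cephadm_invocations(text)
            if MUTATING & set(re.findall(r"'([^']*)'", args))]

def ssh_bruteforce(text, threshold=3, window=timedelta(minutes=1), year=2021):
    """Return source addresses with at least `threshold` failed logins inside `window`."""
    fails = defaultdict(list)
    for line in text.splitlines():
        if m := SSH_FAIL.match(line):  # syslog lines carry no year, so the caller supplies one
            fails[m.group(2)].append(datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S"))
    flagged = set()
    for src, times in fails.items():
        times.sort()
        if any(times[i + threshold - 1] - times[i] <= window for i in range(len(times) - threshold + 1)):
            flagged.add(src)
    return flagged
```

Feed the functions your real cephadm.log and auth log contents instead of the samples; each mutating invocation is an event worth correlating with a change ticket, and each flagged address is a candidate for blocking at the firewall.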