Wednesday 23 April 2014

Howto: PCI-DSS Hardened Ubuntu 14.04 LTS


This document serves as a record of the knowledge acquired while producing a PCI-DSS hardened Ubuntu Linux 14.04 LTS Server VMware template.

Installation


Grab ubuntu-14.04-server-amd64.iso (or your ISO of choice) and burn it to optical media, or upload it to your VMware datastore.

Boot the machine.


Press F6 to select expert mode. Press Escape and then choose "Install Ubuntu Server".

Proceed through all the steps, answering the dialogues as you would normally. Often the default is acceptable, but careful thought should be put into each decision.


After you complete the "Load installer components from CD" step, the menu will expand to this:

Continue answering the dialogues as you would normally. After you complete the step for "Configure the package manager" you should then SKIP ENTIRELY "Select and install software". Proceed to "Install the GRUB boot loader on a hard disk" and then finally "Finish the installation".

After the first boot of Ubuntu 14.04 Trusty Tahr, I had a package count of 214.

$ sudo dpkg -l | wc -l
214

The point of PCI-DSS hardening is to make the machine resilient to attacks from the network should an attacker have access to the network, and to make the machine as difficult as possible for attackers to use should they acquire shell access to the system. With this in mind, you should only install the bare minimum of utilities required to administer the system. These were my package choices:

$ aptitude install bash bash-completion bzip2 file grep gzip htop iotop iptables-persistent less lsof man-db manpages openssh-server sed sudo sysstat tmux unzip vim
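A raw `dpkg -l | wc -l` count is a blunt instrument (it also counts the listing's header lines), and it says nothing about which packages changed. The script below is an added example, not part of the original post: it records the template's package list as a baseline and later reports what a deployed host has gained or lost relative to it, so that drift away from the "bare minimum" can be spotted. The file paths and the package names in the usage note are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): snapshot the package list of
# the hardened template and report drift on a deployed host.

# snapshot_packages FILE: write one installed package name per line, sorted
# in the C locale so the file is stable across hosts and suitable for comm(1).
snapshot_packages() {
  dpkg-query -W -f='${Package}\n' | LC_ALL=C sort -u > "$1"
}

# package_drift MODE BASELINE CURRENT
#   MODE "added"   -> names present on the host but not in the baseline
#                     (software that appeared after deployment)
#   MODE "removed" -> baseline names missing from the host
#                     (e.g. audit tooling such as sysstat being uninstalled)
# Both inputs are re-sorted into temporary files so the caller may pass
# unsorted lists; comm(1) requires sorted input.
package_drift() {
  mode="$1"
  base_sorted=$(mktemp) || return 1
  cur_sorted=$(mktemp) || return 1
  LC_ALL=C sort -u "$2" > "$base_sorted"
  LC_ALL=C sort -u "$3" > "$cur_sorted"
  case "$mode" in
    added)   LC_ALL=C comm -13 "$base_sorted" "$cur_sorted" ;;
    removed) LC_ALL=C comm -23 "$base_sorted" "$cur_sorted" ;;
    *)       echo "package_drift: mode must be added or removed" >&2
             rm -f "$base_sorted" "$cur_sorted"; return 1 ;;
  esac
  rm -f "$base_sorted" "$cur_sorted"
}

# Command-line use:
#   one argument  -> take a snapshot into that file (run on the template)
#   two arguments -> compare BASELINE against CURRENT (run on a deployed host)
case $# in
  1) snapshot_packages "$1" ;;
  2) echo "== packages added since template =="
     package_drift added "$1" "$2"
     echo "== packages removed since template =="
     package_drift removed "$1" "$2" ;;
esac
```

Typical flow: run `sh pkgdrift.sh /root/template-packages.txt` on the finished template, ship that file with the VM, and on a running host compare it against a fresh snapshot. Anything under "added" is a package that nobody approved in the template build and deserves a look before the next audit.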

Hardening


SCAP: Guide To The Secure Configuration of Red Hat Enterprise Linux 5

The SCAP RHEL5 guide serves as a good reference for where to start to harden your Ubuntu system. Things to keep in mind regarding the differences between Red Hat Enterprise Linux and Ubuntu Linux include:

  • Ubuntu uses upstart, whereas RHEL uses SysV Init.
  • Ubuntu uses apt, RHEL uses yum.

2.1.2.1 - RHN does not apply. The Ubuntu equivalent would be Landscape.
2.1.2.2 - rhnsd does not exist in Ubuntu.
2.3.1.1 - Root login is disabled altogether by default in Ubuntu.
2.4.2 - SELinux is not installed by default in Ubuntu. My PCI auditor doesn't consider it a requirement of compliance, however your auditor may disagree.
2.5.5 - RHEL by default will save iptables rulesets on shutdown and reload them on system startup. To accomplish this under Ubuntu, the package iptables-persistent is required.
3.3.6 - kudzu does not exist in Ubuntu.
3.14.2 - The fact that NIST recommends BIND is laughable. BIND has a horrible track record for security, as evidenced by the fact that the next recommendation is to place it in a chroot jail. If you need an authoritative nameserver or a recursive resolver on your network, use MaraDNS or PowerDNS instead. Distribute an /etc/hosts file with puppet or chef if you have to, but do not use BIND.
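On Ubuntu, iptables-persistent reloads whatever is in /etc/iptables/rules.v4 (and rules.v6) at boot, in the same format `iptables-save` emits. The script below is an added example rather than the author's own ruleset: it generates a default-deny IPv4 ruleset that permits only loopback, established traffic, ICMP echo and administrative SSH from a management network, and writes it where iptables-persistent expects it. The `ADMIN_NET` value and the choice of allowed services are assumptions to adapt to your environment.

```shell
#!/bin/bash
# Added example (not from the original post): a default-deny ruleset for
# /etc/iptables/rules.v4, the file iptables-persistent restores at boot.

# Network allowed to reach SSH. Assumed value; narrow it to your real
# management subnet so that SSH is not reachable from the cardholder segments.
ADMIN_NET="${ADMIN_NET:-10.0.0.0/8}"

# gen_rules_v4: print the ruleset in iptables-save format. INPUT and FORWARD
# default to DROP so anything not explicitly permitted is refused; refused
# packets are rate-limited to the log first so the host's own syslog shows
# unexpected connection attempts. Lines starting with '#' are ignored by
# iptables-restore, so the comments can stay in the installed file.
gen_rules_v4() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback, and replies to connections this host initiated
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# ICMP echo so monitoring can check reachability
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# administrative SSH, only from the management network
-A INPUT -p tcp -s ${ADMIN_NET} --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# everything else: log (rate limited), then fall through to the DROP policy
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: " --log-level 4
COMMIT
EOF
}

# check_rules: parse the ruleset without committing it. iptables-restore
# --test needs netfilter access, so this is only attempted as root and is
# skipped (returning 0) where the tool is unavailable.
check_rules() {
  if [ "$(id -u)" -eq 0 ] && command -v iptables-restore >/dev/null 2>&1; then
    gen_rules_v4 | iptables-restore --test
  fi
}

# write_rules [PATH]: write the ruleset to PATH (default: the file
# iptables-persistent reads) with permissions that keep it root-readable only,
# since the file documents exactly what the host will and will not accept.
write_rules() {
  local dest="${1:-/etc/iptables/rules.v4}"
  gen_rules_v4 > "$dest" || return 1
  chmod 0640 "$dest"
}
```

After `check_rules && write_rules`, load the file once by hand with `iptables-restore < /etc/iptables/rules.v4` (from a console session, or with a second SSH session open, in case `ADMIN_NET` was set too narrowly) and verify with `iptables -S` that the INPUT policy is DROP; from then on the package restores the same rules at every boot.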

The rest of the recommendations in the document can be accomplished by researching which configuration file to modify. For now I have most of the tasks in a series of bash scripts, and the remaining tasks I handle manually. My ultimate goal is to codify all the PCI hardening in puppet so that a VM template is not required, and hosts can be created with vagrant or docker on something like cloudstack. See these related links:
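A good deal of the remaining guidance comes down to checking that a handful of directives in a configuration file hold the value the guide calls for, which is exactly the kind of task that belongs in a script rather than a checklist. The audit script below is an added example, not one of the author's scripts: it reads an sshd_config-style file the way sshd does (first occurrence of a directive wins, keywords are case-insensitive, comments are skipped) and reports PASS, FAIL or MISSING for each expected directive. The expected set is an assumption drawn from the SCAP guide's SSH section and should be adjusted to whatever your auditor asks for; the sample configuration is constructed for the demonstration.

```shell
#!/bin/bash
# Added example (not from the original post): audit an sshd_config file
# against a list of expected directive values. Exit status of audit_sshd is
# the number of failures, so it can be chained into a larger hardening check.

# Expected "Directive value" pairs. Assumed list; extend or trim per auditor.
SSHD_EXPECTED="Protocol 2
PermitRootLogin no
PermitEmptyPasswords no
HostbasedAuthentication no
IgnoreRhosts yes
X11Forwarding no
ClientAliveInterval 300
ClientAliveCountMax 0
Banner /etc/issue.net"

# effective_value FILE DIRECTIVE: print the value sshd would apply.
# sshd uses the FIRST occurrence of a keyword and ignores later duplicates,
# matches keywords case-insensitively, and skips comments and blank lines.
# Assumes the "Keyword value" spelling (not "Keyword=value") and no Match blocks.
effective_value() {
  awk -v key="$2" '
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
    tolower($1) == tolower(key) {
      sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, "")
      sub(/[[:space:]]+$/, "")
      print
      exit
    }
  ' "$1"
}

# audit_sshd FILE: compare every expected directive with its effective value.
# A directive that is absent is reported MISSING rather than assumed compliant,
# because the compiled-in default is not visible to an auditor reading the file.
audit_sshd() {
  local file="$1" fails=0 key want got
  while read -r key want; do
    [ -z "$key" ] && continue
    got=$(effective_value "$file" "$key")
    if [ -z "$got" ]; then
      printf 'MISSING %-24s expected %s\n' "$key" "$want"
      fails=$((fails + 1))
    elif [ "$got" = "$want" ]; then
      printf 'PASS    %-24s %s\n' "$key" "$got"
    else
      printf 'FAIL    %-24s got %s, expected %s\n' "$key" "$got" "$want"
      fails=$((fails + 1))
    fi
  done <<EOF
$SSHD_EXPECTED
EOF
  return "$fails"
}

# write_sample_config PATH: a constructed sshd_config (not from a real host)
# that shows the first-occurrence rule: the later "PermitRootLogin no" does
# not override the earlier "without-password".
write_sample_config() {
  cat > "$1" <<'EOF'
# constructed sample sshd_config
Port 22
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
PermitRootLogin without-password
PermitEmptyPasswords no
HostbasedAuthentication no
ignorerhosts yes
X11Forwarding yes
ClientAliveInterval 300
Banner /etc/issue.net
# the duplicate below is ignored by sshd, so it must not make the audit pass
PermitRootLogin no
EOF
}

# Run as a script with a path to audit that file, e.g.
#   bash sshd-audit.sh /etc/ssh/sshd_config; echo "failures: $?"
if [ $# -gt 0 ]; then
  audit_sshd "$1"
fi
```

On the constructed sample the script reports FAIL for PermitRootLogin (the first occurrence is `without-password`) and X11Forwarding, MISSING for ClientAliveCountMax, and PASS for the rest, giving an exit status of 3. The same pattern of "parse like the daemon, compare with an expected list" carries over to the sysctl and PAM items in the guide.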

http://www.slideshare.net/CloudPassage/automating-secure-server-baselines-with-puppet
http://www.slideshare.net/opscode/automating-secure-serverbaselinesandrewhay

I hope this helps you in your quest to use Ubuntu in your cardholder environment.

2 comments:

  1. thanks for the guide, when I configure VMs for Ubuntu I traditionally start off with F4 and the minimal VM install option. Any reason you would advise against combining the two? From the looks of this it could well reduce the attack surface further. http://bit.ly/SNhnoy

  2. Ubuntu uses AppArmor which is a MAC just like SELinux. It's not as mature, and doesn't support granular network controls yet, but the features it does have are much easier to configure compared to their equivalent on SELinux.
