Host OS hardening

General OS hardening measures

The following general OS hardening measures are recommended:

Note: Time synchronization cannot be provided by any host on which an NSP component is installed.

RHEL CIS OS benchmarks

Operating System security hardening is a broad topic with thousands of possible customization options. The NSP supports hardening recommendations from the Center for Internet Security (CIS). Only hardening recommendations that are described as being supported may be applied to a RHEL OS instance that hosts any NSP component.

Nokia does not recommend applying additional OS security hardening measures, as these can affect NSP operation, support, and product upgrades. Basic customer testing is required to verify that any additional platform hardening does not affect NSP operation. The NSP Product Group makes no commitment to make the NSP compatible with specific customer hardening requirements.

See Chapter 6, RHEL OS security hardening for information about the NSP support levels for specific RHEL CIS benchmarks.

NSP RHEL OS disk images

The Nokia-provided RHEL OS disk images are based upon RHEL 8 and are only available for KVM and OpenStack hypervisors. An NSP RHEL OS image can be used only for the deployment of NSP software, and not for the deployment of any other Nokia or third-party product.

Applications that are not sanctioned by Nokia must not be running on any virtual OS instance that hosts an NSP component. Nokia reserves the right to remove any applications that are suspected of affecting NSP operation.

SELinux

The NSP supports RHEL SELinux for enhanced system security and logging functions. See the NSP System Administrator Guide for information about SELinux implementation and management on NSP components. See the RHEL documentation for comprehensive SELinux configuration and implementation information.

Sudoer file configuration

Some NSP components create rules in RHEL sudoers.d directories during installation. These rules allow NSP applications to run certain programs required for NSP operations. Rule files can be found in the /etc/sudoers.d/ directory and rule entries apply to NSP users. See RHEL sudoer configuration for more information.
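The following shell function is an added example, not Nokia or NSP code. It audits the rule files in /etc/sudoers.d/ so that the installed rules can be reviewed before and after hardening changes. The function name audit_sudoers_dir is hypothetical, and the checks reflect general sudo practice (root-owned 0440 files, file names that sudo skips, unrestricted NOPASSWD grants) rather than documented NSP requirements.

```shell
#!/bin/sh
# Added example (not NSP code): audit sudoers drop-in files in a directory.
# Prints one finding per line as "<CHECK> <path> <detail>" and returns 1 if
# anything was flagged, 0 if the directory is clean.
audit_sudoers_dir() {
    dir=${1:-/etc/sudoers.d}
    audit_rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        # sudo's includedir skips file names that end in '~' or contain '.',
        # so rules in such a file are silently not applied.
        case $name in
            *~|*.*)
                echo "IGNORED $f name ends in ~ or contains a dot"
                audit_rc=1
                continue ;;
        esac
        # Assumption: sudoers files should be mode 0440 and owned by root.
        if [ -z "$(find "$f" -perm 0440)" ]; then
            echo "MODE $f is not 0440"
            audit_rc=1
        fi
        if [ -z "$(find "$f" -user root)" ]; then
            echo "OWNER $f is not owned by root"
            audit_rc=1
        fi
        # Flag uncommented rules that grant passwordless access to every
        # command; drop-in rules are meant to cover specific programs only.
        broad=$(grep -nE '^[^#]*NOPASSWD:[[:space:]]*ALL[[:space:]]*$' "$f" \
                | cut -d: -f1 | tr '\n' ' ')
        if [ -n "$broad" ]; then
            echo "BROAD $f NOPASSWD: ALL on line(s) $broad"
            audit_rc=1
        fi
    done
    return "$audit_rc"
}
```

Called with no argument as root, the function checks /etc/sudoers.d; `visudo -c` can be run alongside it to validate rule syntax.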

© 2023 Nokia. Nokia Confidential Information

Use subject to agreed restrictions on disclosure and use.