Host OS hardening

General OS hardening measures

The following general OS hardening measures are recommended:

Note: Time synchronization cannot be provided by any host on which an NSP component is installed.

RHEL CIS OS benchmarks

Operating System security hardening is a broad topic with a great many possible customization options. The NSP supports hardening recommendations from the Center for Internet Security (CIS). Only hardening recommendations that are described as being supported may be applied to a RHEL OS instance that hosts any NSP software.

Nokia does not recommend applying additional OS security hardening measures, as these can affect NSP operation, support, and product upgrades. Basic customer testing is required to verify that any additional platform hardening does not affect NSP operation. The NSP Product Group makes no commitment to making the NSP compatible with specific customer hardening requirements.

See Chapter 6, RHEL OS security hardening, for information about the NSP support levels for specific RHEL CIS benchmarks.

NSP RHEL OS disk images

The Nokia-provided RHEL OS disk images are based upon RHEL 8 and are available for KVM and OpenStack hypervisors. An NSP RHEL OS image can be used only for the deployment of NSP software, and not for the deployment of any other Nokia or third-party product.

An application that Nokia does not sanction must not be deployed on any OS instance that hosts an NSP component. Nokia reserves the right to remove any applications that are suspected of affecting NSP operation.

SELinux

The NSP supports RHEL SELinux for enhanced system security and logging functions. See the NSP System Administrator Guide for information about SELinux implementation and management in the NSP, and the RHEL documentation for comprehensive SELinux configuration and implementation information.

All NSP system elements support SELinux in enforcing mode, except for an auxiliary database, which supports only permissive mode.

Sudoer file configuration

Some NSP components create rules in RHEL sudoers.d directories during installation. These rules allow NSP functions to run certain programs required for NSP operations. Rule files can be found in the /etc/sudoers.d/ directory and rule entries apply to NSP users. See RHEL sudoer configuration for more information.
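
The SELinux mode statement and the sudoers.d rule files described above can be checked on a host with a short script. This is an added example, not Nokia-provided code; the HOST_ROLE variable, the role name "auxdb", and the choice to mark permissive mode on other hosts as "review" are assumptions of the sketch.

```shell
#!/bin/sh
# Added example; HOST_ROLE and the role name "auxdb" are assumptions.

# Classify an SELinux mode (as printed by getenforce) for a host role.
selinux_verdict() {
    role=$1 mode=$2
    case "$role:$mode" in
        auxdb:Enforcing)  echo "unsupported" ;;  # auxiliary database: permissive only
        auxdb:Permissive) echo "ok" ;;
        *:Enforcing)      echo "ok" ;;           # enforcing is supported elsewhere
        *)                echo "review" ;;       # permissive, disabled or unknown
    esac
}

# Print rule files that group or others can write to; a writable rule file
# lets a non-root account change what the rules permit.
sudoers_writable() {
    dir=${1:-/etc/sudoers.d}
    find "$dir" -type f \( -perm -020 -o -perm -002 \) | sort
}

# Print files that sudo skips when reading the directory: names that end
# in "~" or contain ".". A rule placed in such a file never takes effect.
sudoers_skipped() {
    dir=${1:-/etc/sudoers.d}
    find "$dir" -type f \( -name '*~' -o -name '*.*' \) | sort
}

# Hash every rule file so the set present after installation can be
# compared with a later run to spot added or modified rules.
sudoers_baseline() {
    dir=${1:-/etc/sudoers.d}
    find "$dir" -type f -exec sha256sum {} + | sort -k 2
}

# Report on the live host only when HOST_ROLE is set, e.g. HOST_ROLE=auxdb.
if [ -n "${HOST_ROLE:-}" ]; then
    echo "selinux: $(selinux_verdict "$HOST_ROLE" "$(getenforce)")"
    echo "writable rule files:"; sudoers_writable
    echo "skipped rule files:";  sudoers_skipped
    echo "baseline:";            sudoers_baseline
fi
```

Run it as root so that every rule file is readable, and store the baseline output off the host for later comparison.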