Host OS hardening

General OS hardening measures

The following general OS hardening measures are recommended:

• Install a clean operating system environment with the minimum required packages as described in the NSP Installation and Upgrade Guide.

• Install the latest Recommended Patch Cluster from Red Hat (apply the patches supplied by Nokia for the NSP RHEL OS qcow2 image).

• Nokia supports customers applying RHEL, or Windows patches provided by Red Hat, which include security fixes as well as functional fixes. If a patch is found to be incompatible with NSP/NFM-P, the patch may need to be removed until a solution to the incompatibility is provided by Red Hat or Nokia. Consult the Host Environment Compatibility Reference for NSP and CLM for up-to-date information about the recommended RHEL maintenance update and patch levels. Operating system patches of NSP-provided RHEL OS qcow2 images must be obtained from the NSP product group. Nokia supports only Nokia-provided RHEL OS disk images and OS patch bundles for qcow2 / OVA.

• Harden the RHEL operating system installation based on the CIS best practices described in Chapter 6, RHEL OS security hardening. The NSP RHEL OS qcow2 image is hardened in accordance with these supported CIS requirements only.

• The system clocks of the NSP components must always be closely synchronized. The RHEL chronyd service is the mandatory time-synchronization mechanism to engage on each NSP component during deployment. For availability reasons, redundant external servers must be accessible to the NSP.

• Disable mDNS.

• NSP components have no ingress or egress requirements to access the public Internet; hosts must be isolated with correctly configured firewalls. See “NSP Port Communications” in the NSP Planning Guide for information.

Note: Time synchronization cannot be provided by any host on which an NSP component is installed.

RHEL CIS OS benchmarks

Operating System security hardening is a broad topic with a great many possible customization options. The NSP supports hardening recommendations from the Center for Internet Security (CIS). Only hardening recommendations that are described as being supported may be applied to a RHEL OS instance that hosts any NSP software.

Nokia does not recommend applying additional OS security hardening measures, as these can affect NSP operation, support, and product upgrades. Basic customer testing is required to verify that any additional platform hardening does not affect NSP operation. The NSP Product Group makes no commitment to making the NSP compatible with specific customer hardening requirements.

See Chapter 6, RHEL OS security hardening for information about the NSP support levels for specific RHEL CIS benchmarks.

NSP RHEL OS disk images

The Nokia-provided RHEL OS disk images are based upon RHEL 8 and are available for KVM and Openstack hypervisors. An NSP RHEL OS image can be used only for the deployment of NSP software, and not for the deployment of any other Nokia or third-party product.

An application that Nokia does not sanction must not be deployed on any OS instance that hosts an NSP component. Nokia reserves the right to remove any applications that are suspected of affecting NSP operation.

SELinux

The NSP supports RHEL SELinux for enhanced system security and logging functions. See the NSP System Administrator Guide for information about SELinux implementation and management in the NSP, and the RHEL documentation for comprehensive SELinux configuration and implementation information.

All NSP system elements support SELinux in enforcing mode, except for an auxiliary database, which supports only permissive mode.

Sudoer file configuration

Some NSP components create rules in RHEL sudoers.d directories during installation. These rules allow NSP functions to run certain programs required for NSP operations. Rule files can be found in the /etc/sudoers.d/ directory and rule entries apply to NSP users. See RHEL sudoer configuration for more information.