Saturday, February 3rd, 2024

Wise men talk because they have something to say; fools, because they have to say something.

— Plato

CCDC plan

Database

  • Rotate root & regular user credentials. Be careful not to reset regular user credentials without submitting a password reset request.
  • Secure SSH service configuration.
  • Ensure that the service can only be accessed with password authentication (no passwordless/trust access).
    • PostgreSQL: SCRAM only
    • MySQL: 4.1.0 hash
    • Ensure that database root user also has a password.
  • Rotate all user passwords and coordinate with dependent services.
  • Audit SSH keys
  • Launch enumeration scripts
    • LinPEAS (WinPEAS)
    • Lynis audit
  • Set up host-based firewall so that only services that need database can connect to it.
    • PostgreSQL: pg_hba.conf
    • MySQL: use iptables
  • Check and reduce granted privileges to application user
    • SHOW GRANTS
  • Check role/group memberships
  • Run system upgrade
  • Enable TLS
  • Ensure database is not running as root
  • chattr
    • service configs
    • shadow, passwd, groups
  • Backup database
  • Follow standard procedures
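
Added example (not part of the original plan, and not any project's code): a small POSIX sh audit of pg_hba.conf that covers the "SCRAM only" and "only services that need the database can connect" items together. It flags trust/password/md5 entries and address ranges that admit everyone, and returns the number of findings as its exit status. The sample pg_hba.conf it writes is constructed for the demo; the parser assumes the single-column ADDRESS form (CIDR or a keyword), not the two-column "IP NETMASK" form.

```shell
#!/bin/sh
# Added example (not part of the original plan): audit a pg_hba.conf for
# entries that contradict "SCRAM only" and "only the services that need
# the database can connect". Prints one FINDING per problem and returns
# the number of findings as the exit status (0 = clean).
#
# Assumption: each rule uses the single-column ADDRESS form (CIDR or a
# keyword such as "all"); the two-column "IP NETMASK" form is not parsed.
#   TYPE  DATABASE  USER  [ADDRESS]  METHOD  [OPTIONS]

audit_pg_hba() {
    file="$1"
    findings=0
    while IFS= read -r line || [ -n "$line" ]; do
        # Split the rule into fields; skip blank lines and comments.
        set -- $line
        [ $# -eq 0 ] && continue
        case "$1" in "#"*) continue ;; esac

        if [ "$1" = "local" ]; then
            addr="(unix socket)"; method="$4"    # local rules have no ADDRESS column
        else
            addr="$4"; method="$5"               # host, hostssl, hostnossl, ...
        fi

        # Methods that skip the password or use something weaker than scram-sha-256.
        case "$method" in
            trust)    echo "FINDING no-auth (trust): $line";          findings=$((findings + 1)) ;;
            password) echo "FINDING cleartext password: $line";       findings=$((findings + 1)) ;;
            md5)      echo "FINDING md5 (use scram-sha-256): $line";  findings=$((findings + 1)) ;;
        esac

        # Address ranges that admit far more than the dependent services.
        case "$addr" in
            0.0.0.0/0|::/0|all)
                echo "FINDING wide-open address: $line"; findings=$((findings + 1)) ;;
        esac
    done < "$file"
    return "$findings"
}

# Constructed sample file for the demo (not taken from any real host).
write_sample_pg_hba() {
    cat > "$1" <<'EOF'
# TYPE  DATABASE  USER  ADDRESS       METHOD
local   all       all                 trust
host    all       all   127.0.0.1/32  md5
host    shop      app   10.0.0.0/24   scram-sha-256
host    all       all   0.0.0.0/0     password
EOF
}

# Demo: write the sample, audit it, report the count.
sample=$(mktemp)
write_sample_pg_hba "$sample"
audit_pg_hba "$sample" || echo "$? finding(s) in $sample"
rm -f "$sample"
```

Run it against the live file with `audit_pg_hba /etc/postgresql/*/main/pg_hba.conf` (path varies by distro) after every change, and remember that a `password_encryption = scram-sha-256` setting in postgresql.conf plus a password reset is what actually moves an existing md5 role to SCRAM.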

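Added example for the "check and reduce granted privileges" / SHOW GRANTS item (not part of the original plan, and not MySQL's own tooling): a POSIX sh filter that reads SHOW GRANTS rows on stdin and flags what an application account should not hold. The SHOW GRANTS rows in the demo are constructed; the parser assumes the usual `GRANT <privs> ON <scope> TO <user>@<host> [WITH GRANT OPTION]` shape and accepts both backtick-quoted and single-quoted identifiers.

```shell
#!/bin/sh
# Added example (not part of the original plan): read SHOW GRANTS output
# for an application user on stdin and flag privileges the app should not
# need. Returns the number of findings as the exit status (0 = clean).
# Assumption: rows have the shape
#   GRANT <priv list> ON <scope> TO <user>@<host> [WITH GRANT OPTION]
# with backtick-quoted (MySQL 8) or single-quoted identifiers.

check_grants() {
    findings=0
    while IFS= read -r g; do
        case "$g" in "GRANT "*) ;; *) continue ;; esac   # ignore anything that is not a grant row

        # Pull the three interesting parts out of the row.
        privs=${g#GRANT }; privs=${privs%% ON *}
        privs=$(printf '%s' "$privs" | sed 's/, */,/g')  # normalise separators: "A, B" -> "A,B"
        scope=${g#* ON }; scope=${scope%% TO *}
        host=${g##*@}; host=${host%% *}                   # drop a trailing "WITH GRANT OPTION"

        case ",$privs," in
            *",ALL PRIVILEGES,"*)
                echo "FINDING all-privileges: $g"; findings=$((findings + 1)) ;;
        esac
        case ",$privs," in
            *,SUPER,*|*,FILE,*|*,PROCESS,*|*,SHUTDOWN,*|*,RELOAD,*|*",CREATE USER,"*)
                echo "FINDING server-admin privilege: $g"; findings=$((findings + 1)) ;;
        esac
        # "USAGE ON *.*" is the no-privileges placeholder row; anything else on *.* is global.
        if [ "$scope" = '*.*' ] && [ "$privs" != "USAGE" ]; then
            echo "FINDING global scope: $g"; findings=$((findings + 1))
        fi
        case "$g" in
            *"WITH GRANT OPTION"*) echo "FINDING grant option: $g"; findings=$((findings + 1)) ;;
        esac
        case "$host" in
            '`%`'|"'%'") echo "FINDING any-host account: $g"; findings=$((findings + 1)) ;;
        esac
    done
    return "$findings"
}

# Constructed SHOW GRANTS output for the demo (not from any real server).
sample_grants() {
    cat <<'EOF'
GRANT USAGE ON *.* TO `app`@`10.0.0.5`
GRANT SELECT, INSERT, UPDATE, DELETE ON `shop`.* TO `app`@`10.0.0.5`
GRANT ALL PRIVILEGES ON *.* TO `app`@`%` WITH GRANT OPTION
GRANT SELECT, FILE ON *.* TO `report`@`localhost`
EOF
}

sample_grants | check_grants || echo "$? finding(s); REVOKE what the application does not use"
```

On a real box feed it the live output, e.g. `mysql -N -e "SHOW GRANTS FOR 'app'@'10.0.0.5'" | check_grants`, and treat every finding as a REVOKE to run and re-check before moving on.
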
Procedures

  • Change passwords and submit appropriate password change requests.
  • Log passwords in the password document (note that Google Docs is not available)
  • Run enumeration scripts (winPEAS, linPEAS, lynis audit)

Maintenance

  • Password rotation every hour
  • Routinely monitor service availability
  • Routine backup
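
Added example for the hourly password rotation and the "log passwords into a document" procedure (not part of the original plan): three POSIX sh helpers that generate a password from /dev/urandom, print the ALTER statement for PostgreSQL or MySQL, and append a timestamped row to an owner-only local log, since Google Docs is not available. The host and service names in the demo are made up, and the MySQL account host defaults to localhost.

```shell
#!/bin/sh
# Added example (not part of the original plan): helpers for the hourly
# rotation. gen_password draws from /dev/urandom with a character set that
# is safe to paste into SQL; rotation_sql prints the statement to run;
# log_rotation appends a tab-separated, timestamped row to a local file
# kept at mode 0600 because it holds live credentials.
# Assumptions: MySQL account host defaults to localhost; demo names are made up.

gen_password() {                          # $1 = length (default 24)
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "${1:-24}"
    echo
}

rotation_sql() {                          # $1 = postgres|mysql, $2 = user, $3 = password, $4 = mysql host
    case "$1" in
        postgres) printf "ALTER ROLE \"%s\" WITH PASSWORD '%s';\n" "$2" "$3" ;;
        mysql)    printf "ALTER USER '%s'@'%s' IDENTIFIED BY '%s';\n" "$2" "${4:-localhost}" "$3" ;;
        *)        echo "unknown engine: $1" >&2; return 2 ;;
    esac
}

log_rotation() {                          # $1 = logfile, $2 = host, $3 = service, $4 = user, $5 = password
    if [ ! -e "$1" ]; then
        : > "$1"
        chmod 600 "$1"                    # owner-only before the first credential lands in it
    fi
    printf '%s\t%s\t%s\t%s\t%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$2" "$3" "$4" "$5" >> "$1"
}

# Demo: rotate the (made-up) "app" account on the database host.
log=$(mktemp)
pw=$(gen_password 24)
rotation_sql postgres app "$pw"           # run this through psql, then update the dependent services
log_rotation "$log" db01 postgresql app "$pw"
cat "$log"
rm -f "$log"
```

Rotating the account before the dependent services are updated is what takes them down, so run the ALTER, push the new value to the consumers, and only then log the rotation as done.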

Nginx

  • self-signed
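
Added example for the self-signed item (not part of the original plan, and not nginx's own tooling): a POSIX sh function that mints a short-lived self-signed certificate with openssl and a second one that prints the matching nginx server-block fragment. It assumes OpenSSL 1.1.1 or newer for `-addext`; the hostname and paths are placeholders.

```shell
#!/bin/sh
# Added example (not part of the original plan): mint a short-lived
# self-signed certificate for the nginx host and print the matching
# server-block fragment. Assumptions: OpenSSL 1.1.1+ (for -addext); the
# hostname and directory are placeholders; the private key stays 0600.

make_self_signed() {                      # $1 = hostname, $2 = output dir, $3 = validity in days (default 30)
    # 2>/dev/null hides key-generation progress and the -nodes deprecation notice on OpenSSL 3.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "${3:-30}" \
        -subj "/CN=$1" -addext "subjectAltName=DNS:$1" \
        -keyout "$2/$1.key" -out "$2/$1.crt" 2>/dev/null
    chmod 600 "$2/$1.key"
}

nginx_tls_fragment() {                    # $1 = hostname, $2 = directory that holds $1.crt and $1.key
    cat <<EOF
server {
    listen 443 ssl;
    server_name $1;
    ssl_certificate     $2/$1.crt;
    ssl_certificate_key $2/$1.key;
    ssl_protocols       TLSv1.2 TLSv1.3;
    # location blocks go here
}
EOF
}

# Demo with a placeholder hostname; the real key/cert would go under the nginx config directory.
dir=$(mktemp -d)
make_self_signed web01.example.internal "$dir" 7
openssl x509 -in "$dir/web01.example.internal.crt" -noout -subject -enddate
nginx_tls_fragment web01.example.internal /etc/nginx/tls
rm -rf "$dir"
```

After dropping the fragment in, `nginx -t` then `nginx -s reload`; a short validity keeps the expiry inside the exercise window so a forgotten cert does not outlive it.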

Redis

  • requirepass
  • enable TLS
  • screw it