Hardening - Operating System Recommendations

General hardening guidelines are outlined in the main hardening documentation.

You can configure the underlying operating system to increase overall security. In a controlled environment such as a self-managed GitLab instance it requires additional steps, and in fact is often required for certain deployments. FedRAMP is an example of such a deployment.

SSH Configuration

SSH Client Configuration

For client access (either to the GitLab instance or to the underlying operating system), here are a couple of recommendations for SSH key generation. The first one is a typical SSH key:

ssh-keygen -a 64 -t ed25519 -f ~/.ssh/id_ed25519 -C "ED25519 Key"

For a FIPS-compliant SSH key, use the following:

ssh-keygen -t rsa -b 4096 -f ~/.ssh/id_rsa -C "RSA FIPS-compliant Key"

SSH Server Configuration

At the operating system level, if you are allowing SSH access (typically through OpenSSH), here is an example of configuration options for the sshd_config file (the exact location may vary depending on the operating system but it is usually /etc/ssh/sshd_config):

#
# Example sshd config file. This supports public key authentication and
# turns off several potential security risk areas
#
PubkeyAuthentication yes
PasswordAuthentication yes
UsePAM yes
UseDNS no
AllowTcpForwarding no
X11Forwarding no
PrintMotd no
PermitTunnel no
PermitRootLogin no

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

# Change default od 120 seconds to 60
LoginGraceTime 60

# override default of no subsystems
Subsystem       sftp    /usr/lib/openssh/sftp-server

# Protocol adjustments, these would be needed/recommended in a FIPS or
# FedRAMP deployment, and use only strong and proven algorithm choices
Protocol 2
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521
Macs hmac-sha2-256,hmac-sha2-512

Firewall Rules

For firewall rules, only TCP ports 80 and 443 need to be open for basic usage. By default, 5050 is open for remote access to the container registry, however in a hardened environment this would most likely exist on a different host, and in some environments not open at all. Hence, the recommendation is for ports 80 and 443 only, and port 80 should only be used to redirect to 443.

For a truly hardened or isolated environment such as FedRAMP, you should adjust the firewall rules to restrict all ports except to those networks accessing it. For example, if the IP address is 192.168.1.2 and all of the authorized clients are also on 192.168.1.0/24, restrict access to ports 80 and 443 to just 192.168.1.0/24 only (as a safety restriction), even if access is restricted elsewhere with another firewall.

Ideally, if you’re installing a self-managed instance, you should implement the firewall rules before the installation begins with access restricted to the admins and installers, and only add additional ranges of IP addresses for users after the instance is installed and properly hardened.

Usage of iptables or ufw is acceptable to implement and enforce port 80 and 443 access on a per-host basis, otherwise usage of cloud-based firewall rules through GCP Google Compute or AWS Security Groups should enforce this. All other ports should be blocked, or at least restricted to specific ranges. For more information on ports, see Package Defaults.

Firewall Additions

It is possible that various services may be enabled that require external access (for example Sidekiq) and need network access to be opened up. Restrict these types of services to specific IP addresses, or a specific Class C. As a layered and added precaution, where possible restrict these extra services to specific nodes or sub-networks in GitLab.

Kernel Adjustments

Kernel adjustments can be made by editing /etc/sysctl.conf, or one of the files in /etc/sysctl.d/. Kernel adjustments do not completely eliminate the threat of an attack, but add an extra layer of security. The following notes explain some of the advantages for these adjustments.

## Kernel tweaks for sysctl.conf ##
##
## The following help mitigate out of bounds, null pointer dereference, heap and
## buffer overflow bugs, use-after-free etc from being exploited. It does not 100%
## fix the issues, but seriously hampers exploitation.
##
# Default is 65536, 4096 helps mitigate memory issues used in exploitation
vm.mmap_min_addr=4096
# Default is 0, randomize virtual address space in memory, makes vuln exploitation
# harder
kernel.randomize_va_space=2
# Restrict kernel pointer access (for example, cat /proc/kallsyms) for exploit assistance
kernel.kptr_restrict=2
# Restrict verbose kernel errors in dmesg
kernel.dmesg_restrict=1
# Restrict eBPF
kernel.unprivileged_bpf_disabled=1
net.core.bpf_jit_harden=2
# Prevent common use-after-free exploits
vm.unprivileged_userfaultfd=0
# Mitigation CVE-2024-1086 by preventing unprivileged users from creating namespaces
kernel.unprivileged_userns_clone=0

## Networking tweaks ##
##
## Prevent common attacks at the IP stack layer
##
# Prevent SYNFLOOD denial of service attacks
net.ipv4.tcp_syncookies=1
# Prevent time wait assassination attacks
net.ipv4.tcp_rfc1337=1
# IP spoofing/source routing protection
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1
net.ipv6.conf.all.accept_ra=0
net.ipv6.conf.default.accept_ra=0
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.default.accept_source_route=0
net.ipv6.conf.all.accept_source_route=0
net.ipv6.conf.default.accept_source_route=0
# IP redirection protection
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.default.secure_redirects=0
net.ipv6.conf.all.accept_redirects=0
net.ipv6.conf.default.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0