Managing infrastructure of Kaspersky Next XDR Expert

May 15, 2024

ID 270657

This section describes the general principle of using the minimum number of applications required for the operating system and Kaspersky Next XDR Expert to function. This section also describes the principle of least privilege, which boils down to the concept of Zero Trust.

Managing operating system accounts

To work with a Kubernetes cluster by using KDT, we recommend creating a separate user with minimal privileges. The optimal way is to manage operating system user accounts through LDAP, with the ability to revoke user rights through LDAP. For the specific implementation of user revocation and blocking, see the user/administrator guide of your LDAP solution. We recommend using a password of at least 18 characters or a physical authentication device (for example, a token) to authenticate the operating system user.

We also recommend protecting the user home directory and all nested directories in such a way that only the user has access to them. Other users and the user group must not have rights to the home directory.

We recommend not granting the execute permission on the .ssh, .kube, .config, and .kdt directories in the user's home directory, or on any of the files contained in these directories.

Package management of the operating system

We recommend using the minimum set of applications required for KDT and Kaspersky Next XDR Expert to function. For example, you do not need a graphical user interface for working with the Kubernetes cluster, so we recommend not installing graphical packages. If such packages are already installed, we recommend removing them, including graphical servers such as Xorg or Wayland.

We recommend regularly installing security updates for the system software and the Linux kernel. We also recommend enabling automatic updates as follows:

  • For operating systems with the apt package manager:

    /etc/apt/apt.conf.d/50unattended-upgrades

    Unattended-Upgrade::Allowed-Origins {
        "${distro_id}:${distro_codename}-security";
        "${distro_id}ESMApps:${distro_codename}-apps-security";
        "${distro_id}ESM:${distro_codename}-infra-security";
    };

  • For operating systems with the rpm, dnf, and yum package managers:

    /etc/dnf/automatic.conf

    [commands]
    # What kind of upgrade to perform:
    # default = all available upgrades
    # security = only the security upgrades
    upgrade_type = default

    # Whether updates should be downloaded when they are available, by
    # dnf-automatic.timer. notifyonly.timer, download.timer and
    # install.timer override this setting.
    download_updates = yes

    # Whether updates should be applied when they are available, by
    # dnf-automatic.timer. notifyonly.timer, download.timer and
    # install.timer override this setting.
    apply_updates = no

Operating system security settings

The Linux kernel security settings can be enabled in the /etc/sysctl.conf file or by using the sysctl command. The recommended Linux kernel security settings are listed in the following /etc/sysctl.conf snippet:

/etc/sysctl.conf

# Enable full address space layout randomization (ASLR)
kernel.randomize_va_space=2

# Enable IP spoofing protection (reverse path filtering)
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1

# Ignore broadcast ICMP requests and bogus ICMP error responses
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_responses=1

# Log packets with impossible (spoofed) source addresses
net.ipv4.conf.all.log_martians=1

# Hide kernel pointers from unprivileged users
kernel.kptr_restrict=1

# Restrict access to the kernel logs
kernel.dmesg_restrict=1

# Prohibit kernel profiling for unprivileged users
kernel.perf_event_paranoid=3

# Increase the ASLR entropy bits
vm.mmap_rnd_bits=32
vm.mmap_rnd_compat_bits=16

We recommend restricting access to process information (PIDs) in the /proc file system. This reduces the possibility of one user tracking the processes of another user. You can restrict this access while mounting the /proc file system, for example, by adding the following line to the /etc/fstab file:

proc /proc proc nosuid,nodev,noexec,hidepid=2,gid=proc 0 0

If the operating system processes are managed by systemd, the systemd-logind service must still be able to monitor the processes of other users. For user sessions to work correctly under systemd, create the /etc/systemd/system/systemd-logind.service.d/hidepid.conf file, and then add the following lines to it:

[Service]
SupplementaryGroups=proc

Since some systems may not have the proc group, we recommend creating the proc group in advance.
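As an added example (not code from the Kaspersky documentation), the following POSIX shell script audits a sysctl configuration file against the settings listed above and checks whether an fstab mounts /proc with the hidepid=2 option. The file paths are parameters, so the same functions can be pointed at /etc/sysctl.conf and /etc/fstab on a host; the sample files the script creates are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the Kaspersky documentation: audit a sysctl
# configuration file and an fstab against the hardening settings above.
# Both functions take a file path, so they run against real files on a
# host or against the constructed samples created at the bottom.

# Recommended key=value pairs from the /etc/sysctl.conf snippet on this page.
RECOMMENDED_SYSCTL="kernel.randomize_va_space=2
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_responses=1
net.ipv4.conf.all.log_martians=1
kernel.kptr_restrict=1
kernel.dmesg_restrict=1
kernel.perf_event_paranoid=3
vm.mmap_rnd_bits=32
vm.mmap_rnd_compat_bits=16"

# Print one line per recommended key whose value in the given file is
# missing or differs. Comments and whitespace around '=' are ignored, and
# the last assignment of a key wins, as it does for sysctl -p.
audit_sysctl_file() {
    for entry in $RECOMMENDED_SYSCTL; do
        key=${entry%%=*}; want=${entry#*=}
        have=$(awk -F= -v k="$key" '{ sub(/#.*/, ""); gsub(/[[:space:]]/, "")
                                      if ($1 == k) v = $2 } END { print v }' "$1")
        [ "$have" = "$want" ] || echo "$key: want $want, have ${have:-<unset>}"
    done
}

# Succeed only when the given fstab mounts /proc with the hidepid=2 option.
proc_hidepid_ok() {
    awk '$2 == "/proc" && $3 == "proc" { n = split($4, o, ",")
         for (i = 1; i <= n; i++) if (o[i] == "hidepid=2") ok = 1 }
         END { if (ok) exit 0; exit 1 }' "$1"
}

# Constructed sample files: a sysctl.conf with one weakened setting and one
# missing setting, and an fstab whose /proc line lacks hidepid=2.
SAMPLE_DIR=$(mktemp -d)
SAMPLE_SYSCTL="$SAMPLE_DIR/sysctl.conf"
SAMPLE_FSTAB="$SAMPLE_DIR/fstab"
printf '%s\n' "$RECOMMENDED_SYSCTL" | sed -e 's/^kernel.perf_event_paranoid=3$/kernel.perf_event_paranoid = 2  # weakened/' \
    -e '/^vm.mmap_rnd_compat_bits=/d' > "$SAMPLE_SYSCTL"
printf 'proc /proc proc nosuid,nodev,noexec 0 0\n' > "$SAMPLE_FSTAB"

audit_sysctl_file "$SAMPLE_SYSCTL"
proc_hidepid_ok "$SAMPLE_FSTAB" || echo "/proc is not mounted with hidepid=2"
```

Run against a host, the two functions report only deviations from the recommended values, which makes them suitable for a periodic compliance check.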

We recommend disabling the Ctrl+Alt+Del key combination by using the systemctl mask ctrl-alt-del.target command, to prevent an unexpected reboot of the operating system.

We recommend prohibiting remote login for privileged users (root).

We recommend using a firewall to limit network activity. For more information about the ports and protocols used, refer to Ports used by Kaspersky Next XDR Expert.

We recommend enabling auditd, to simplify the investigation of security incidents. For more information about enabling telemetry redirection, refer to Setting up receiving Auditd events.

We recommend regularly backing up the following configurations and data directories:

  • Administration host: ~/kdt
  • Target hosts: /etc/k0s/, /var/lib/k0s

We also recommend encrypting these backups.

Hardening guides for various operating systems and for DBMS

If you need to configure the security settings of your operating system and software, you can use the recommendations provided by Center for Internet Security (CIS).

If you use the Astra Linux operating system, refer to the security recommendations that can be applied to your Astra Linux version.

If you need to configure security settings of PostgreSQL, use the server administration recommendations from the official PostgreSQL documentation.
