Trellis hardening and security

Hi!

I have a few questions:
Is Trellis considered production ready from hardening and security point of view?

Does Trellis do any hardening on the Linux server besides these:

I looked at both the documentation of Trellis and the ansible playbooks on GitHub.
I couldn’t find the usual hardening tasks, like removal of unused filesystems, setting up PAM, AppArmor/SELinux and so on. Am I missing something?

I have found two good hardening sources:

Are these considered overkill? Or will they be implemented in Trellis at some point? Are there any plans to include one or the other?

Thanks!

1 Like

I don’t think anyone is against better security in Trellis. Between ferm and fail2ban there is a good amount of security in place. If you have some ideas or even implementations, Trellis is open source, so issues and PRs happen on GitHub.

Well, the main intention here wasn’t me trying to make changes on Trellis, but to clarify:

  • what sort of security and hardening is already built in (whether I missed something)
  • whether it can be considered production ready
  • and whether the OpenStack or dev-sec hardening would be overkill for a production online server environment.

At this current stage I have the following feelings (just feelings), but need confirmation on this:

  • Trellis does a good job of applying basic best practices on SSL, SSH and the firewall (with fail2ban and ferm)
  • Thus it provides good basic security while keeping the hardening reasonable
  • It provides a flexible easy to work with environment, BUT
  • The level of hardening is far from industry levels

We encourage you to dig into things for yourself since everything is open-source and public :slight_smile:

Of course. There have been Trellis sites in production ever since its release. Is there any reason why you’d think this wasn’t the case?

I’m no security expert so I don’t know what these industry levels are. Can you provide a brief list of what you think is missing?

Hi Ben!

Thanks for your reply. In my first post I started with what I have found to be implemented in Trellis, and my question was mainly whether I missed something.

So I found: fail2ban, ferm, SSH and SSL implementations.
But I didn’t find anything on removal of unused filesystems, disabling single user mode, enforcing password rules, etc., so a bunch of other stuff which seems to be implemented in other hardening frameworks.
So did I miss something?

And my second major question regarding this was whether all this extra hardening done by others is overkill or not.

I am not here to challenge anyone, or compare solutions, or complain. Merely to understand, and to learn. All my questions are asked with this intention.

And of course ultimately I would like to have a server setup which is as secure as possible, but does not get too much in the way.

Thanks for helping me on this one.

Depends I guess. Some companies/industries have regulations where these things are needed whether they are overkill or not.

Trellis’ goal is to be secure enough for its main usage: a WordPress server. This doesn’t mean it’s perfect or has everything. But it does mean it’s probably much better than if someone were to try and set up a LEMP/LAMP stack on their own. The security measures we put in place are also meant to be the more common/known ones. Some of the other ones you mentioned aren’t as well known and may be harder to implement (not sure though?).

edit: Trellis is also meant to be a starting point and to be extended or customized. Trellis is really just Ansible, and there are many good Ansible Galaxy roles available which offer these features you’re looking for (I’m assuming, but it’s likely).

1 Like
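One way to act on the suggestion above, as an added example that is not part of this thread and not Trellis’s own code: pull a community hardening role from Ansible Galaxy into a Trellis project and run it as a separate play after Trellis’s own roles. The file names (`galaxy.yml`, `server.yml`), the `web:&{{ env }}` host pattern, the `dev-sec.os-hardening` role name and the variable names shown are assumptions taken from my understanding of Trellis and the dev-sec role; confirm each against your Trellis version and the role’s README before relying on it.

```yaml
# File: galaxy.yml (Trellis's Galaxy role requirements file; assumption: your
# Trellis version keeps its requirements here). Added entry only; keep the roles
# Trellis already lists above it.
- src: dev-sec.os-hardening
  # Pin a version once you have tested one in staging; unpinned here on purpose
  # so that the first install shows you what the current release changes.

---
# File: server.yml, appended play (Trellis's server provisioning playbook).
# Running the hardening role as its own play AFTER the Trellis plays means a
# Trellis role cannot silently undo a hardened setting, and the tag lets you
# run or skip hardening on its own (--tags hardening / --skip-tags hardening).
- name: Apply OS hardening on top of the Trellis-provisioned server
  hosts: web:&{{ env }}
  become: yes
  roles:
    - role: dev-sec.os-hardening
      tags: [hardening]
  vars:
    # Variable names below are assumptions: check each in the role's README.
    # Strategy: start with the role defaults, find what breaks in staging
    # (mount options, sysctl, PAM password ageing), then override only that.
    os_auth_pw_max_age: 99999   # Trellis admin users are key-only; do not expire them
    sysctl_overwrite:
      net.ipv4.ip_forward: 0    # a WordPress host never needs to route packets
```

Install the role with `ansible-galaxy install -r galaxy.yml`, then preview the effect on a staging host with `ansible-playbook server.yml -e env=staging --check --diff --tags hardening` and read the diff before a real run; hardening roles change mount options, kernel parameters and PAM, any of which can break PHP-FPM or uploads, so a staging pass is where you find the overrides you need.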

Hi!

I included two links at the top. One is being developed by people at Deutsche Telekom, the other one is by OpenStack people.

The dev-sec people say that their role is mostly based on guides by:

Whereas the OpenStack people clearly try to implement STIG as closely as possible:

The ansible-hardening role applies security hardening configurations from the Security Technical Implementation Guide (STIG)

They seem to have a lot of the stuff which I mentioned in my previous post and could not find in Trellis. There can be a few reasons for that:

  1. I missed something when looking at Trellis docs and playbook files
  2. It wasn’t implemented in Trellis because it wasn’t seen as important
  3. Or it wasn’t implemented in Trellis and could be added, in which case I will try to add that rule to my system.

1 Like

Thanks for those.

It’s a mix of 2 and 3. They’d have to be evaluated on a case-by-case basis. If there are some which are:

  1. easier to implement
  2. important/impactful

Then please open up an issue/PR on Trellis so we can discuss it :smile:

Thank you for the confirmation. I will start to dig through both the dev-sec and OpenStack playbooks and roles, and see where we could add something to Trellis.

The good part is that they have battle-tested their playbooks in a major way: Deutsche Telekom is not a small thing. OpenStack isn’t either. And we just have to cherry-pick and copy-paste (I know it is probably a little too optimistic).