netbox-community / netbox

The premier source of truth powering network automation. Open source under Apache 2. Try NetBox Cloud free: https://netboxlabs.com/free-netbox-cloud/
http://netboxlabs.com/oss/netbox/
Apache License 2.0

RHEL CIS Hardened server documentation #17903

Open Mailstorm-ctrl opened 1 month ago

Mailstorm-ctrl commented 1 month ago

Change Type

Addition

Area

Installation/upgrade

Proposed Changes

I'm not sure if I'm supposed to write up the documentation I'm wanting added here or not so I'm just posting this initially.

I'm sure we aren't the only people that run hardened servers according to some benchmark (the current docs even briefly mention SELinux). But if you harden servers according to CIS L1+, your instance will not work, and it's because of permissions.

I can write the documentation if this would be beneficial. I'm currently still trying to get our new instance fully working as there are some weird issues I discovered that came down to permissions on files.

DanSheps commented 1 month ago

Could you explain exactly what doesn't work if you harden according to CIS L1+?

Mailstorm-ctrl commented 1 month ago

It would honestly be better for you to just try it out yourself. Install Rocky Linux 9 and use CIS Level 1 server hardening. Install netbox like you normally would and it's just error after error once you get the web server going.

A lot of it deals with the execution bit permission not being set and then making sure the netbox user has permissions to all of the files it needs (this was mentioned in the docs). However, some pages are just broken for no apparent reason (the devices page works but not the VM page or some other random page). The latest error I'm chasing is below, but I just can't seem to find what the issue is.

```
2024/10/31 15:21:00 [crit] 106585#106585: *4 open() "/var/lib/nginx/tmp/proxy/2/00/0000000002" failed (13: Permission denied) while reading upstream, client: ::ffff:10.1.12.1, server: hostname, request: "GET /virtualization/virtual-machines/ HTTP/1.1", upstream: "http://127.0.0.1:8001/virtualization/virtual-machines/", host: "hostnamel", referrer: "https://hostname/dcim/devices/"
```
Mailstorm-ctrl commented 1 month ago

I got this fixed. But it is because of the CIS hardening. This is the stuff I remember I had to do to get this all working:

  1. After installing netbox, I needed to chown the entire netbox directory to the netbox user (chown -R netbox /opt/netbox)
  2. After installing nginx, I needed to let the netbox user access the proxy temp directory. I could've just made a different directory for this but I like keeping things as defaults because searching for errors is easier that way (chmod -R o+rx /var/lib/nginx)
  3. Execution bit is not set by default on files. I used find -type f -name "*.py" -exec chmod u+x \{\} \; while inside /opt/netbox to make all python files executable.

Some additional notes:

afmed commented 2 days ago

To update your fix, this command will copy the group permissions to world:

chmod -R o=g /opt/netbox*

I also add UMask=022 to the systemd .service files to make sure any new files created by the services allow world reads.
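As an added example (not code from the NetBox project or from either commenter), the shell functions below audit a NetBox tree for the three problems listed in the fix above (files the service user cannot read, directories it cannot traverse, scripts missing the execute bit) and apply a narrower fix than a blanket `chmod -R o=g` or `chmod -R o+rx`, plus the systemd UMask drop-in afmed describes. The paths /opt/netbox, /var/lib/nginx and netbox.service.d come from the thread; the drop-in file name, the function names and the shebang heuristic are my assumptions, and every function takes its path as an argument so it can be tried on a scratch directory first.

```bash
#!/usr/bin/env bash
# Added example, not code from the NetBox project or from the issue:
# audit a NetBox tree for the permission problems described in the
# thread and apply the narrowest fix that clears them. Real paths are
# /opt/netbox and /etc/systemd/system/netbox.service.d (assumptions
# taken from the thread); the functions take the path as an argument.
set -u

# Regular files under DIR that "other" cannot read (mode lacks 0004).
files_unreadable_by_others() {
    find "$1" -type f ! -perm -004 | sort
}

# Directories under DIR that "other" cannot enter or list (mode lacks 0005).
dirs_untraversable_by_others() {
    find "$1" -type d ! -perm -005 | sort
}

# Files under DIR that start with a shebang but lack the owner execute
# bit. Only files that are run directly (manage.py, upgrade.sh, the
# venv's bin/ entries) need +x; imported .py modules do not, so this is
# narrower than chmod u+x on every *.py.
scripts_missing_exec() {
    local f first=''
    find "$1" -type f ! -perm -100 | sort | while IFS= read -r f; do
        IFS= read -r first < "$f" || true
        case "$first" in '#!'*) printf '%s\n' "$f" ;; esac
    done
}

# Fix: grant "other" read on files and rx on directories, and u+x on
# shebang scripts. Nothing else is widened (no o+w, no +x on data
# files), which is tighter than `chmod -R o=g` / `chmod -R o+rx`.
fix_tree_for_service_user() {
    local dir="$1" f
    find "$dir" -type d ! -perm -005 -exec chmod o+rx {} +
    find "$dir" -type f ! -perm -004 -exec chmod o+r {} +
    scripts_missing_exec "$dir" | while IFS= read -r f; do chmod u+x "$f"; done
}

# Write a systemd drop-in setting UMask so that files the service
# creates later (media uploads, reports, logs) stay readable without
# rerunning the fix. 022 = world-readable, as in the thread; 027 keeps
# them group-only, which is enough if nginx is added to the netbox
# group instead. Prints the path of the file written.
# DROPIN_DIR is normally /etc/systemd/system/netbox.service.d (assumed name).
write_umask_dropin() {
    local dropin_dir="$1" umask_value="${2:-022}"
    mkdir -p "$dropin_dir"
    printf '[Service]\nUMask=%s\n' "$umask_value" > "$dropin_dir/10-umask.conf"
    printf '%s\n' "$dropin_dir/10-umask.conf"
}

# Usage on a real host (as root), followed by `systemctl daemon-reload`
# and a restart of the netbox services:
#   fix_tree_for_service_user /opt/netbox
#   write_umask_dropin /etc/systemd/system/netbox.service.d 022
#   files_unreadable_by_others /opt/netbox   # should print nothing
```

Two caveats when using this on a hardened host. The nginx error quoted earlier names a file under /var/lib/nginx/tmp that is written by the nginx worker process, so compare the ownership of that tree with the `user` directive in nginx.conf before widening it to "other"; restoring it to the nginx user is the least-privilege fix. And `chmod -R o=g` copies every group bit, including write bits, to the world, which is why the fix above grants only read on files and rx on directories.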