Secure Configuration Standards

Property	Value
Document ID	PROC-003
Version	1.0
Status	Draft
Owner	Security Engineering Lead
Last Updated	2026-01-11
Next Review	2027-01-11
Related Controls	SOC 2: CC6.1, CC6.6, CC6.7, CC6.8 / ISO 27001: A.12.1, A.12.6
Parent Policy	Change Management Policy (POL-006)

---

1. Purpose

This document defines secure configuration baselines for servers, cloud infrastructure, databases, and applications. Following these standards ensures systems are hardened against common attacks and comply with security requirements.

---

2. Scope

This procedure applies to:

• Infrastructure: Servers (virtual and physical), containers, Kubernetes
• Cloud Services: AWS, GCP, Azure resources
• Databases: PostgreSQL, MySQL, MongoDB, Redis
• Applications: Web applications, APIs, microservices
• Network Devices: Firewalls, load balancers, VPNs

---

3. Linux Server Hardening

3.1 Operating System Configuration

Setting	Standard	Command/Config
OS Version	Current LTS release	Ubuntu 22.04/24.04, Amazon Linux 2023
Auto-updates	Enabled for security	unattended-upgrades enabled
Unnecessary services	Disabled	Remove unused packages
Time sync	NTP configured	chronyd or systemd-timesyncd
Firewall	Enabled (default deny)	ufw or iptables

3.2 User and Access Configuration

Setting	Standard
Root login	Disabled (SSH)
Password auth (SSH)	Disabled (key-only)
Sudo	Required for privileged ops
Default accounts	Removed or disabled
Login banners	Warning banner displayed
Session timeout	15 minutes idle

3.3 SSH Hardening

# /etc/ssh/sshd_config

Protocol 2
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
PermitEmptyPasswords no
X11Forwarding no
MaxAuthTries 3
LoginGraceTime 60
ClientAliveInterval 300
ClientAliveCountMax 2
AllowGroups ssh-users

3.4 Logging Configuration

Log Type	Configuration
Auth logs	/var/log/auth.log forwarded to SIEM
Syslog	Forwarded to central logging
Audit logs	auditd enabled for critical events
Log retention	Local: 7 days, Central: per policy

3.5 Linux Hardening Checklist

• OS updated to latest security patches
• Unnecessary packages removed
• Firewall enabled with default deny
• SSH hardened per standards above
• Root login disabled
• Password authentication disabled
• Audit logging enabled
• Logs forwarded to SIEM
• NTP configured
• File integrity monitoring installed (optional)

---

4. Container Security (Docker/Kubernetes)

4.1 Docker Configuration

Setting	Standard
Base images	Official, minimal images (Alpine, distroless)
Root user	Containers run as non-root
Privileges	No --privileged flag
Capabilities	Drop all, add only required
Read-only filesystem	Enabled where possible
Resource limits	CPU and memory limits set
Image scanning	Required before deployment
Image signing	Enabled (Docker Content Trust)

Dockerfile Best Practices:

# Use specific version, not 'latest'
FROM node:20-alpine

# Create non-root user
RUN addgroup -S appgroup && adduser -S appuser -G appgroup

# Set working directory
WORKDIR /app

# Copy and install dependencies (leverage caching)
COPY package*.json ./
RUN npm ci --only=production

# Copy application code
COPY --chown=appuser:appgroup . .

# Switch to non-root user
USER appuser

# Expose only necessary ports
EXPOSE 3000

# Use exec form for signals
CMD ["node", "server.js"]

4.2 Kubernetes Security

Setting	Standard
RBAC	Enabled, least privilege
Network Policies	Default deny, explicit allow
Pod Security	Pod Security Standards enforced
Secrets	External secrets manager (not native)
Service accounts	Non-default, minimal permissions
API server	Private endpoint, auth required
etcd	Encrypted at rest

Pod Security Context:

securityContext:
  runAsNonRoot: true
  runAsUser: 1000
  readOnlyRootFilesystem: true
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - ALL

---

5. Cloud Security (AWS)

5.1 IAM Configuration

Setting	Standard
Root account	MFA enabled, no access keys, rarely used
IAM users	Individual accounts, no shared
Access keys	Rotate every 90 days
Permissions	Least privilege, use roles
MFA	Required for console access
Password policy	Per POL-003 standards
Service accounts	Use IAM roles, not access keys

5.2 Network Configuration

Setting	Standard
VPC	Isolated VPCs per environment
Subnets	Public/private separation
Security groups	Default deny, specific allows
NACLs	Additional layer for critical resources
NAT Gateway	For private subnet internet access
VPC Flow Logs	Enabled
Internet Gateway	Public subnets only

5.3 S3 Configuration

Setting	Standard
Public access	Block all public access (account-level)
Encryption	SSE-S3 or SSE-KMS enabled
Versioning	Enabled for critical buckets
Logging	Access logging enabled
Lifecycle	Policies for data retention
MFA Delete	Enabled for critical buckets

5.4 RDS Configuration

Setting	Standard
Encryption	At-rest encryption enabled
Public access	Disabled
Multi-AZ	Enabled for production
Automated backups	Enabled, 7+ day retention
Minor version upgrade	Auto-enabled
Security group	Restrict to application tier
Parameter groups	Hardened settings

5.5 CloudTrail Configuration

Setting	Standard
Status	Enabled in all regions
Log validation	Enabled
S3 bucket	Dedicated, encrypted, no public
Multi-region	Yes
Management events	All
Data events	Critical buckets/functions

5.6 AWS Security Checklist

• Root account MFA enabled
• Root access keys deleted
• IAM password policy configured
• IAM users have individual accounts
• MFA required for IAM users
• CloudTrail enabled in all regions
• S3 block public access enabled
• VPC flow logs enabled
• Security groups follow least privilege
• RDS/databases not publicly accessible
• GuardDuty enabled
• Config enabled with rules

---

6. Cloud Security (GCP)

6.1 IAM Configuration

Setting	Standard
Organization policies	Enforced at org level
Service accounts	Minimal, key rotation
Primitive roles	Avoid (use predefined)
Workload Identity	Use for GKE
Domain restriction	Limit sharing to org

6.2 GCP Security Checklist

• Organization policies configured
• Service account keys minimized
• Cloud Audit Logs enabled
• VPC Service Controls (optional)
• Cloud Armor configured (if applicable)
• Security Command Center enabled

---

7. Database Security

7.1 PostgreSQL Configuration

Setting	Standard
Network	Not exposed to internet
Authentication	Strong passwords, SSL required
SSL	Enforced for all connections
Encryption	At-rest encryption enabled
Logging	Log connections, DDL, errors
Extensions	Minimal, approved only
Roles	Least privilege, no superuser for apps

postgresql.conf hardening:

ssl = on
ssl_min_protocol_version = 'TLSv1.2'
log_connections = on
log_disconnections = on
log_statement = 'ddl'
password_encryption = scram-sha-256

7.2 Redis Configuration

Setting	Standard
Network	Not exposed to internet
Authentication	Password required
TLS	Enabled for connections
Dangerous commands	Renamed or disabled
Persistence	Configured per requirements

redis.conf hardening:

bind 127.0.0.1
requirepass <strong-password>
rename-command FLUSHDB ""
rename-command FLUSHALL ""
rename-command CONFIG ""

---

8. Application Security

8.1 Web Application Configuration

Setting	Standard
HTTPS	Required (redirect HTTP)
TLS	Version 1.2+ only
HSTS	Enabled
Security headers	CSP, X-Frame-Options, etc.
Cookies	Secure, HttpOnly, SameSite
Error handling	Generic messages (no stack traces)
Input validation	All user input validated
Output encoding	Context-appropriate encoding

8.2 Security Headers

Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src 'self'; script-src 'self'
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: geolocation=(), camera=()

8.3 API Security

Setting	Standard
Authentication	Required (OAuth 2.0, API keys)
Authorization	Enforced per endpoint
Rate limiting	Configured
Input validation	Strict schema validation
TLS	Required
Versioning	Explicit versioning
Error responses	No sensitive data leakage

---

9. Configuration Management

9.1 Infrastructure as Code

Requirement	Standard
Tool	Terraform, CloudFormation, Pulumi
State	Remote, encrypted, access-controlled
Review	Code review required
Scanning	Security scanning in CI (tfsec, checkov)
Secrets	Not in code (use variables/vault)

9.2 Configuration Drift Detection

Approach	Implementation
Automated scanning	AWS Config, GCP Security Health Analytics
Scheduled audits	Weekly compliance scans
Alerts	Drift notifications to security
Remediation	Automated or ticket creation

---

10. Evidence Requirements

Evidence Type	Description	Location	Retention
Configuration Baselines	Documented standards	This document	Current
Compliance Scans	Results of security scans	Security tools	1 year
Configuration Exports	Current configs vs baseline	Config repository	Current
Change Records	Configuration change tickets	Ticketing system	3 years

---

11. Related Documents

• Change Management Policy (POL-006)
• Encryption & Key Management Policy (POL-004)
• Patch & Vulnerability Management (PROC-004)

---

12. Version History

Version	Date	Author	Changes
1.0	2026-01-11	Security Engineering	Initial release

---

This document is classified as INTERNAL. Unauthorized distribution is prohibited.