Flatcar Linux Security Improvements
I was comparing Fedora CoreOS to Flatcar Linux:
- FCOS: SELinux just works and is enabled by default.
- Flatcar: SELinux is disabled and difficult to set up. It keeps blocking Docker.
- FCOS allows you to easily install firewalld via rpm-ostree.
- Flatcar makes you work with iptables, which is more difficult.
- FCOS: auditd is enabled by default and logs SELinux errors.
- Flatcar: auditd is disabled by default and has 3 auditd rules.
- Flatcar: I also noticed it wasn't logging SELinux denials even after adding rules.
- Flatcar automatically installs Python in a container, which I can't find if you type `python3 --version`.
Goal:
Improve the BASICS of security on Flatcar Linux to include SELinux, auditd, and firewalld ready to work. They can be disabled if you prefer; when they are enabled, they should just work correctly. Right now I'm doing a lot of customization for the basics. After customizing, it should be possible to actually make it immutable, not partially immutable.
References:
- https://www.flatcar.org/docs/latest/setup/security/
- https://www.flatcar.org/docs/latest/setup/security/selinux/
- https://www.flatcar.org/docs/latest/setup/security/audit/
- Firewall OR iptables: No docs???

Maybe a script can be provided? One that can set up SELinux correctly and auditd to alert on SELinux denials. Also maybe an iptables config if you're not willing to install firewalld. I noticed that the official docs regarding SELinux do not work properly either; some commands fail. Have you tested it?
> Maybe a script can be provided? One that can set up SELinux correctly and auditd to alert on SELinux denials.

Auditd configuration is up to the user and depends on your personal requirements. Documentation applicable to other Linux distributions works.

> Also maybe an iptables config if you're not willing to install firewalld.

There is an example of using iptables here: https://www.flatcar.org/docs/latest/setup/clusters/booting-on-ecs/#set-up-a-new-cluster More docs would be welcome.

> I noticed that the official docs regarding SELinux do not work properly either; some commands fail. Have you tested it?

Docs may have gotten stale - we welcome contributions that improve the project docs.

**Note**
We have issue templates for a reason - please try to stick to them. If you have a bug report or feature request, fill in the matching template with all the fields we need to understand the problem.