System Hardening for CIS-CAT Assessments

Harden your system to enable CIS-CAT assessments.

Before you begin

EFA provides a security hardening capability in the form of a Python script located at /apps/bin/extr-granite.py (for TPVM installations). The script changes a range of system security settings so that the host reaches a more secure state when examined by the CIS-CAT host scanner. EFA running on TPVM is deployed into an Ubuntu Server environment, and it is this environment that extr-granite.py hardens.

To perform the steps that follow, make sure a Java Runtime Environment (JRE) is installed (step 1 installs default-jre with apt-get). Also, ensure that the CIS-CAT scanner has been copied to the TPVM at /root/cis-cat/Assessor-CLI.

About this task

The procedure consists of running the extr-granite.py script. Notable aspects of the script are:

  • The extr-granite.py script keeps a dedicated Git repository for all changes it makes to the underlying file system. This repository is located at /opt/extr-granite-hardening/OS-files-git.
  • Git tags are used by extr-granite.py for every run cycle. This allows easy comparison of what the script changes on the host operating system from one run to the next.
  • A comprehensive log file is kept at /opt/extr-granite-hardening/hardening-log.

One powerful feature of the hardening script is that it can be run multiple times (it can even be run at every boot from the init scripts), and every run receives its own Git tag in the OS-files-git repository. This makes it easy to see every change the script has made, going back to the initial import.
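The tag-per-run scheme described above makes the repository easy to walk mechanically. The following shell script is an added example, not code from EFA or from extr-granite.py: it lists the script's tags in run order and prints the files each run changed against the previous tag. The repository path is the one from this page; the demo repository at the end is constructed here (the same kind of files and the same two tags the output on this page shows) so the functions can be exercised without a TPVM.

```shell
#!/bin/sh
# Added example, not code from EFA or extr-granite.py: walk the Git tags the
# hardening script leaves in its OS-files-git repository and list what each
# run changed relative to the previous one. Tag names follow the pattern shown
# on this page (extr-granite-initial-import, extr-granite-run1, ...).
set -eu

# Repository path from this page; the functions take the path as an argument
# so they can also be pointed at a copy or at the constructed demo repo below.
GRANITE_REPO=/opt/extr-granite-hardening/OS-files-git

# Tags oldest first: the initial import, then runN ordered numerically
# (a plain `git tag -l` would sort run10 before run2).
granite_tags() {
    git -C "$1" tag -l 'extr-granite-*' | awk '
        /-initial-import$/      { print 0, $0; next }
        match($0, /run[0-9]+$/) { print substr($0, RSTART + 3), $0 }
    ' | sort -n -k1,1 | cut -d' ' -f2-
}

# One line per changed file for each consecutive pair of tags:
#   <from>..<to> <status> <path>      (status is git's A, M or D)
# Paths containing spaces are not expected under /etc and are not handled.
granite_changes() {
    granite_tags "$1" | {
        prev=''
        while IFS= read -r tag; do
            if [ -n "$prev" ]; then
                git -C "$1" diff --name-status "$prev" "$tag" |
                    awk -v pair="$prev..$tag" '{ print pair, $1, $2 }'
            fi
            prev=$tag
        done
    }
}

# Number of files one run touched, e.g.
#   granite_run_count "$GRANITE_REPO" extr-granite-initial-import..extr-granite-run1
granite_run_count() {
    granite_changes "$1" | awk -v pair="$2" '$1 == pair' | wc -l | tr -d ' '
}

# Constructed stand-in for the real repository (not a copy of a TPVM): the
# same kind of files and the same two tags the output on this page shows.
make_demo_repo() {
    mkdir -p "$1/etc/modprobe.d" "$1/etc/ssh"
    git -C "$1" init -q
    printf 'Ubuntu 18.04.5 LTS \\n \\l\n' > "$1/etc/issue"
    printf 'MaxStartups 30:30:100\n' > "$1/etc/ssh/sshd_config"
    git -C "$1" add .
    git -C "$1" -c user.name=demo -c user.email=demo@example.invalid \
        commit -q -m 'initial import'
    git -C "$1" tag extr-granite-initial-import
    printf 'Authorized users only.\n' > "$1/etc/issue"
    printf 'install cramfs /bin/true\n' > "$1/etc/modprobe.d/cramfs.conf"
    printf 'MaxStartups 10:30:60\nMaxAuthTries 4\n' > "$1/etc/ssh/sshd_config"
    git -C "$1" add .
    git -C "$1" -c user.name=demo -c user.email=demo@example.invalid \
        commit -q -m 'run 1'
    git -C "$1" tag extr-granite-run1
}

# Demo run against the constructed repository; on a TPVM call
# granite_changes "$GRANITE_REPO" instead.
demo=$(mktemp -d)
make_demo_repo "$demo"
granite_changes "$demo"
rm -rf "$demo"
```

On a TPVM, `granite_changes /opt/extr-granite-hardening/OS-files-git` prints one line per file per run, so a run that touches a file outside the set you expect (anything other than /etc/issue, /etc/issue.net, /etc/modprobe.d and /etc/ssh in the output on this page) stands out immediately; `git diff <from> <to> -- <path>` then shows the exact change, as step 2 does for sshd_config.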

Perform the following steps to run the security script and verify that it is working:

Procedure

  1. Install CIS-CAT on the host and produce a scan result.
    The following abbreviated output shows a CIS-CAT score of 56.11% for the TPVM before hardening.
    root@tpvm:~# apt-get install default-jre
    root@tpvm:~# cd /root/cis-cat/Assessor-CLI
    root@tpvm:~/cis-cat/Assessor-CLI# chmod u+x Assessor-CLI.sh
    root@tpvm:~/cis-cat/Assessor-CLI# ./Assessor-CLI.sh -b benchmarks/CIS_Ubuntu_Linux_18.04_LTS_Benchmark_v2.0.1-xccdf.xml -html
    -----------------------------------------------------------------------------
    ***** Assessment Results Summary *****
    -----------------------------------------------------------------------------
    Total # of Results: 241
    Total Scored Results: 180
    Total Pass: 101
    Total Fail: 78
    Total Error: 1
    Total Unknown: 0
    Total Not Applicable: 0
    Total Not Checked: 20
    Total Not Selected: 37
    Total Informational: 4
    -----------------------------------------------------------------------------
    ***** Assessment Scoring *****
    -----------------------------------------------------------------------------
    Score Earned: 101.0
    Maximum Available: 180.0
    Total: 56.11%
    -----------------------------------------------------------------------------
  2. Run /apps/bin/extr-granite.py.
    root@tpvm:~# /apps/bin/extr-granite.py
    root@tpvm:~# cd /opt/extr-granite-hardening
    root@tpvm:/opt/extr-granite-hardening# head -n 20 hardening-log
    2021-03-02 14:53:29 chmod u+rwx,go-rwx /opt/extr-granite-hardening
    2021-03-02 14:53:29 chmod u+rwx,go-rwx /opt/extr-granite-hardening/OS-files-git
    2021-03-02 14:53:29 /usr/bin/git init .
    2021-03-02 14:53:29 /usr/bin/git config user.name "extr-granite"
    2021-03-02 14:53:29 /usr/bin/git config user.email "gtac@extremenetworks.com"
    2021-03-02 14:53:29 /usr/bin/git add .
    2021-03-02 14:53:29 /usr/bin/git commit -m "initial import"
    2021-03-02 14:53:30 [+] CIS-CAT check: '1.1.1.1 Ensure mounting of cramfs filesystems is disabled'
    2021-03-02 14:53:30 lsmod > /opt/extr-granite-hardening/tmp-cmd-output
    2021-03-02 14:53:30 [+] CIS-CAT check: '1.1.1.2 Ensure mounting of freevxfs filesystems is disabled'
    2021-03-02 14:53:30 lsmod > /opt/extr-granite-hardening/tmp-cmd-output
    2021-03-02 14:53:30 [+] CIS-CAT check: '1.1.1.3 Ensure mounting of jffs2 filesystems is disabled'
    2021-03-02 14:53:30 lsmod > /opt/extr-granite-hardening/tmp-cmd-output
    2021-03-02 14:53:30 [+] CIS-CAT check: '1.1.1.4 Ensure mounting of hfs filesystems is disabled'
    2021-03-02 14:53:30 lsmod > /opt/extr-granite-hardening/tmp-cmd-output
    2021-03-02 14:53:30 [+] CIS-CAT check: '1.1.1.5 Ensure mounting of hfsplus filesystems is disabled'
    2021-03-02 14:53:30 lsmod > /opt/extr-granite-hardening/tmp-cmd-output
    2021-03-02 14:53:30 [+] CIS-CAT check: '1.1.1.6 Ensure mounting of squashfs filesystems is disabled'
    2021-03-02 14:53:30 lsmod > /opt/extr-granite-hardening/tmp-cmd-output
    2021-03-02 14:53:30 [+] CIS-CAT check: '1.1.1.7 Ensure mounting of udf filesystems is disabled'
    root@tpvm:/opt/extr-granite-hardening# cd OS-files-git/
    root@tpvm:/opt/extr-granite-hardening/OS-files-git# git ls-files | wc -l
    17
    

    The following example lists the tags in the repository and shows all changes from the initial import (extr-granite-initial-import) to the tag of the first run (extr-granite-run1). It then repeats the same git diff restricted to the changes made to the original /etc/ssh/sshd_config file.

    root@tpvm:/opt/extr-granite-hardening/OS-files-git# git tag -l
    extr-granite-initial-import
    extr-granite-run1
    root@tpvm:/opt/extr-granite-hardening/OS-files-git# git diff extr-granite-initial-import extr-granite-run1
    diff --git a/etc/issue b/etc/issue
    index 80ae21e..5192c40 100644
    --- a/etc/issue
    +++ b/etc/issue
    @@ -1,2 +1 @@
    -Ubuntu 18.04.5 LTS \n \l
    -
    +Extreme Networks, Inc. EFA product. Authorized users only. All activity may be monitored and reported.
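Review bot: the replacement /etc/issue removes the `\n \l` getty escapes together with the release string, so the console login prompt no longer shows the hostname and tty line as well as no longer disclosing the Ubuntu version; if operators rely on the hostname being visible on the console, keep `\n` in the banner text. The removed trailing empty line is harmless.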
    diff --git a/etc/issue.net b/etc/issue.net
    index 5e9e2fa..5192c40 100644
    --- a/etc/issue.net
    +++ b/etc/issue.net
    @@ -1 +1 @@
    -Ubuntu 18.04.5 LTS
    +Extreme Networks, Inc. EFA product. Authorized users only. All activity may be monitored and reported.
    diff --git a/etc/modprobe.d/cramfs.conf b/etc/modprobe.d/cramfs.conf
    new file mode 100644
    index 0000000..b77c93a
    --- /dev/null
    +++ b/etc/modprobe.d/cramfs.conf
    @@ -0,0 +1 @@
    +install cramfs /bin/true
    diff --git a/etc/modprobe.d/freevxfs.conf b/etc/modprobe.d/freevxfs.conf
    new file mode 100644
    index 0000000..72d4aec
    --- /dev/null
    +++ b/etc/modprobe.d/freevxfs.conf
    @@ -0,0 +1 @@
    +install freevxfs /bin/true
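Review bot: an `install <module> /bin/true` line only stops modprobe from loading the module on demand; it does not unload a module that is already resident, which is why the hardening-log above runs lsmod for each of the 1.1.1.x checks. After the run, confirm with `lsmod | grep -E 'cramfs|freevxfs'` that nothing is loaded. The diff shown here stops after freevxfs although the log lists checks for jffs2, hfs, hfsplus, squashfs and udf as well, so treat it as abbreviated rather than as the complete set of changes.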
    root@tpvm:/opt/extr-granite-hardening/OS-files-git# ls etc/ssh/sshd_config
    etc/ssh/sshd_config
    root@tpvm:/opt/extr-granite-hardening/OS-files-git# git diff extr-granite-initial-import extr-granite-run1 ./etc/ssh/sshd_config
    diff --git a/etc/ssh/sshd_config b/etc/ssh/sshd_config
    index 3f0e52e..f640120 100644
    --- a/etc/ssh/sshd_config
    +++ b/etc/ssh/sshd_config
    @@ -121,4 +121,11 @@ Subsystem sftp     /usr/lib/openssh/sftp-server
     #      PermitTTY no
     #      ForceCommand cvs server
     PasswordAuthentication yes
    -MaxStartups 30:30:100
    +MaxStartups 10:30:60
    +MaxAuthTries 4
    +MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
    +KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
    +ClientAliveInterval 300
    +ClientAliveCountMax 0
    +LoginGraceTime 60
    +Banner /etc/issue.net
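Review bot: `PasswordAuthentication yes` is left in place in this hunk while MaxAuthTries, LoginGraceTime and MaxStartups are tightened, so password guessing is rate-limited but not removed; if the TPVM is reachable from untrusted networks, consider whether `PasswordAuthentication no` with key-based logins belongs in the hardened configuration. The MACs line also still permits the non-ETM hmac-sha2-512 and hmac-sha2-256 alongside the -etm variants, and `ClientAliveCountMax 0` with `ClientAliveInterval 300` should be verified on the installed OpenSSH release to confirm that an idle session is actually dropped after 300 seconds, since a zero ClientAliveCountMax is not interpreted the same way by every release.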
    
  3. Rerun the CIS-CAT Assessor and verify that the scan results produce a score greater than 80%.
    In the following example, the results have improved from the original 56.11% to 81.67%.

    Note that these results were obtained with version 4.2.0 of the CIS-CAT Assessor. The latest version (4.7.0) gives the hardened system a lower score; improvements are expected in forthcoming releases.

    root@tpvm:~/cis-cat/Assessor-CLI# ./Assessor-CLI.sh -b benchmarks/CIS_Ubuntu_Linux_18.04_LTS_Benchmark_v2.0.1-xccdf.xml -html
    -----------------------------------------------------------------------------
    ***** Assessment Results Summary *****
    -----------------------------------------------------------------------------
       Total # of Results: 241
    Total Scored Results: 180
               Total Pass: 147
               Total Fail: 32
              Total Error: 1
            Total Unknown: 0
    Total Not Applicable: 0
        Total Not Checked: 20
       Total Not Selected: 37
      Total Informational: 4
    -----------------------------------------------------------------------------
    ***** Assessment Scoring *****
    -----------------------------------------------------------------------------
             Score Earned: 147.0
        Maximum Available: 180.0
                    Total: 81.67%
    -----------------------------------------------------------------------------
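Steps 1 and 3 compare two Assessor-CLI summaries by eye. The following shell script is an added example, not code from EFA or from CIS-CAT: it pulls the percentage score and the failure count out of a summary, compares a before and an after run, and fails unless the after score is above the 80% target. The two sample summaries are constructed from the numbers shown on this page, not captured from a TPVM; the benchmark path in run_assessor is the one used on this page, and that function is only meant to be called on the TPVM from /root/cis-cat/Assessor-CLI.

```shell
#!/bin/sh
# Added example, not code from EFA or from CIS-CAT: extract the percentage
# score from Assessor-CLI summary output and check the step-3 target of a
# score above 80%. The two summaries below are constructed from the numbers
# shown on this page, not captured from a TPVM.
set -eu

SAMPLE_BEFORE='***** Assessment Scoring *****
   Total Scored Results: 180
              Total Pass: 101
              Total Fail: 78
            Score Earned: 101.0
       Maximum Available: 180.0
                   Total: 56.11%'

SAMPLE_AFTER='***** Assessment Scoring *****
   Total Scored Results: 180
              Total Pass: 147
              Total Fail: 32
            Score Earned: 147.0
       Maximum Available: 180.0
                   Total: 81.67%'

# Value of one summary field: cis_field "Total Fail" "$summary" -> 78.
# The name is anchored to the whole label so that "Total" does not also
# match "Total # of Results" or "Total Fail".
cis_field() {
    printf '%s\n' "$2" | awk -F': *' -v name="$1" \
        '$1 ~ ("^ *" name "$") { print $2; exit }'
}

# Percentage score without the % sign: cis_score "$summary" -> 56.11
cis_score() {
    cis_field "Total" "$1" | tr -d '%'
}

# Exit 0 when the score exceeds the threshold, else 1 (decimal compare in awk,
# since the shell's test(1) only compares integers).
score_above() {
    awk -v s="$1" -v t="$2" 'BEGIN { exit !(s + 0 > t + 0) }'
}

# Report the change between two summaries and fail unless the second score
# exceeds the threshold given as the third argument.
cis_compare() {
    before_score=$(cis_score "$1")
    after_score=$(cis_score "$2")
    before_fail=$(cis_field "Total Fail" "$1")
    after_fail=$(cis_field "Total Fail" "$2")
    printf 'score %s%% -> %s%%, failures %s -> %s (target: above %s%%)\n' \
        "$before_score" "$after_score" "$before_fail" "$after_fail" "$3"
    score_above "$after_score" "$3"
}

# On the TPVM, from /root/cis-cat/Assessor-CLI, this keeps a copy of the
# console summary for later comparison (the benchmark path is the one used on
# this page). It is not run here.
BENCHMARK=benchmarks/CIS_Ubuntu_Linux_18.04_LTS_Benchmark_v2.0.1-xccdf.xml
run_assessor() {
    ./Assessor-CLI.sh -b "$BENCHMARK" -html | tee "$1"
}

cis_compare "$SAMPLE_BEFORE" "$SAMPLE_AFTER" 80
```

On a TPVM the flow is `run_assessor before.txt`, run /apps/bin/extr-granite.py, `run_assessor after.txt`, then `cis_compare "$(cat before.txt)" "$(cat after.txt)" 80`; the non-zero exit status when the target is missed makes the check usable from a pipeline or a post-boot job, and the failure count is worth tracking alongside the percentage because a newer Assessor release that adds scored checks (as the note above warns) lowers the percentage without any change to the host.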