Harden your system to enable CIS-CAT assessments.
TPVM provides a security hardening capability in the form of a python script located
at /opt/security/extr-granite.py (for TPVM installations valid from version 4.5.0).
The goal of this script is to modify various system security settings to achieve a
more secure state under the examination of the CIS-CAT host scanner. Specifically,
EFA running on TPVM is deployed into the Ubuntu server environment, and it is this
environment that is hardened by extr-granite.py.
To perform the steps that follow, make sure you have Java Runtime Environment (JRE)
installed. Also, ensure that the CIS-CAT scanner has been copied to the TPVM at
/root/cis-cat/Assessor-CLI.
The procedure itself involves the running of the extr-granite.py script.
Notable aspects of the script are:
extr-granite.py
script keeps a dedicated Git repository for all changes it makes to the
underlying file system. This repository is located at /opt/extr-granite-hardening/OS-files-git.extr-granite.py for
every run cycle. This allows easy comparison of what the script changes on the
host operating system from one run to the next./opt/extr-granite-hardening/hardening-log.One powerful feature offered by the hardening script is that it can be run multiple
times (and even done at every boot via the init scripts), and every run receives its
own Git tag in the OS-files-git repository. This make it easy to see every change the
script has made, going back to the initial import.
Perform the following steps to run the security script and verify that it is working:
/opt/security/extr-granite.py.
root@node-1:/opt/security# ./extr-granite.py Initialized empty Git repository in /opt/extr-granite-hardening/OS-files-git/.git/ [master (root-commit) 1e2796b] initial import 1 file changed, 1 insertion(+) create mode 100644 README [+] ./extr-granite.py version: 0.89 - Initialized sending incremental file list /usr/ /usr/sbin/ /usr/sbin/grub-mkconfig sent 3,467 bytes received 47 bytes 7,028.00 bytes/sec total size is 8,219 speedup is 2.34 [master 8b2b4bd] initial import: /usr/sbin/grub-mkconfig, for CIS-CAT test: 1.4.1 Ensure permissions on bootloader config are not overridden 1 file changed, 311 insertions(+) create mode 100755 usr/sbin/grub-mkconfig sending incremental file list /etc/ /etc/sysctl.conf sent 1,163 bytes received 39 bytes 2,404.00 bytes/sec total size is 2,683 speedup is 2.23 [master 2f4ad6c] initial import: /etc/sysctl.conf, for CIS-CAT test: 1.5.2 Ensure address space layout randomization (ASLR) is enabled 1 file changed, 77 insertions(+) create mode 100644 etc/sysctl.conf kernel.randomize_va_space = 2 sending incremental file list /etc/security/ /etc/security/limits.conf ......................... ......................... ......................... sent 1,168 bytes received 44 bytes 2,424.00 bytes/sec total size is 2,306 speedup is 1.90 [master 7ef96f4] file: /etc/pam.d/su, CIS-CAT test: 5.7 Ensure access to the su command is restricted 1 file changed, 1 insertion(+) sending incremental file list /etc/group sent 544 bytes received 36 bytes 1,160.00 bytes/sec total size is 832 speedup is 1.43 [master 374f6c9] file: /etc/group, CIS-CAT test: 5.7 Ensure access to the su command is restricted (2) 1 file changed, 1 insertion(+), 1 deletion(-) sending incremental file list /etc/profile sent 436 bytes received 36 bytes 944.00 bytes/sec total size is 619 speedup is 1.31 [master b305cfe] file: /etc/profile, CIS-CAT test: 5.5.5 Ensure default user shell timeout is 900 seconds or less 1 file changed, 3 insertions(+) [+] Total checks run: 55 root@node-1:/opt/security#
The following example shows all changes from the initial import to the tag of the first run:
extr-granite-run1Further, the example does the same git diff, except
it shows just the changes that were made to the original /etc/ssh/sshd_config
file.
root@tpvm:/opt/extr-granite-hardening/OS-files-git# git tag -l extr-granite-initial-import extr-granite-run1 root@tpvm:/opt/extr-granite-hardening/OS-files-git# git diff extr-granite-initial-import extr-granite-run1 diff --git a/etc/issue b/etc/issue index 80ae21e..5192c40 100644 --- a/etc/issue +++ b/etc/issue @@ -1,2 +1 @@ -Ubuntu 18.04.5 LTS \n \l - +Extreme Networks, Inc. EFA product. Authorized users only. All activity may be monitored and reported. diff --git a/etc/issue.net b/etc/issue.net index 5e9e2fa..5192c40 100644 --- a/etc/issue.net +++ b/etc/issue.net @@ -1 +1 @@ -Ubuntu 18.04.5 LTS +Extreme Networks, Inc. EFA product. Authorized users only. All activity may be monitored and reported. diff --git a/etc/modprobe.d/cramfs.conf b/etc/modprobe.d/cramfs.conf new file mode 100644 index 0000000..b77c93a --- /dev/null +++ b/etc/modprobe.d/cramfs.conf @@ -0,0 +1 @@ +install cramfs /bin/true diff --git a/etc/modprobe.d/freevxfs.conf b/etc/modprobe.d/freevxfs.conf new file mode 100644 index 0000000..72d4aec --- /dev/null +++ b/etc/modprobe.d/freevxfs.conf @@ -0,0 +1 @@ +install freevxfs /bin/true root@tpvm:/opt/extr-granite-hardening/OS-files-git# ls etc/ssh/sshd_config etc/ssh/sshd_config root@tpvm:/opt/extr-granite-hardening/OS-files-git# git help diff^C root@tpvm:/opt/extr-granite-hardening/OS-files-git# git diff extr-granite-initial-import extr-granite-run1 ./etc/ssh/sshd_config diff --git a/etc/ssh/sshd_config b/etc/ssh/sshd_config index 3f0e52e..f640120 100644 --- a/etc/ssh/sshd_config +++ b/etc/ssh/sshd_config @@ -121,4 +121,11 @@ Subsystem sftp /usr/lib/openssh/sftp-server # PermitTTY no # ForceCommand cvs server PasswordAuthentication yes -MaxStartups 30:30:100 +MaxStartups 10:30:60 +MaxAuthTries 4 +MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256 +KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256 +ClientAliveInterval 300 +ClientAliveCountMax 0 +LoginGraceTime 60 +Banner /etc/issue.net
Note
After running the security hardening script, reconnect to the existing TPVM SSH sessions (active/standby/vip) for the new ssh parameters to take effect.