System Hardening for CIS-CAT Assessments

Harden your system to enable CIS-CAT assessments.

Before you begin

TPVM provides a security hardening capability in the form of a python script located at /opt/security/extr-granite.py (for TPVM installations valid from version 4.5.0). The goal of this script is to modify various system security settings to achieve a more secure state under the examination of the CIS-CAT host scanner. Specifically, EFA running on TPVM is deployed into the Ubuntu server environment, and it is this environment that is hardened by extr-granite.py.

To perform the steps that follow, make sure you have Java Runtime Environment (JRE) installed. Also, ensure that the CIS-CAT scanner has been copied to the TPVM at /root/cis-cat/Assessor-CLI.
Note

Note

CIS-CAT scanner is not bundled with TPVM. You must procure an external CIS-CAT license and install it on the TPVM environment.

About this task

The procedure itself involves the running of the extr-granite.py script. Notable aspects of the script are:

  • The extr-granite.py script keeps a dedicated Git repository for all changes it makes to the underlying file system. This repository is located at /opt/extr-granite-hardening/OS-files-git.
  • Git tags are used by extr-granite.py for every run cycle. This allows easy comparison of what the script changes on the host operating system from one run to the next.
  • A comprehensive log file is kept at /opt/extr-granite-hardening/hardening-log.

One powerful feature offered by the hardening script is that it can be run multiple times (and even done at every boot using the init scripts), and every run receives its own Git tag in the OS-files-git repository. This make it easy to see every change the script has made, going back to the initial import.

Perform the following steps to run the security script and verify that it is working:

Procedure

  1. Install CIS-CAT on the host and produce a scan result.
    Here is an example of the abbreviated output. There is a CIS-CAT score of 56.11% on the TPVM.
    root@tpvm:~# apt-get install default-jre 
    root@tpvm:~# cd /root/cis-cat/Assessor-CLI 
    root@tpvm:~# chmod u+x Assessor-CLI.sh 
    root@tpvm:~# ./Assessor-CLI.sh -b 
    benchmarks/CIS_Ubuntu_Linux_18.04_LTS_Benchmark_v2.0.1-xccdf.xml -html 
    ----------------------------------------------------------------------------- 
    ***** Assessment Results Summary ***** 
    ----------------------------------------------------------------------------- 
    Total # of Results: 241 
    Total Scored Results: 180 
    Total Pass: 101 Total 
    Fail: 78 
    Total Error: 1 
    Total Unknown: 0 
    Total Not Applicable: 0 
    Total Not Checked: 20 
    Total Not Selected: 37 
    Total Informational: 4 
    ----------------------------------------------------------------------------- 
    ***** Assessment Scoring ***** 
    ----------------------------------------------------------------------------- 
    Score Earned: 101.0 
    Maximum Available: 180.0 
    Total: 56.11% 
    -----------------------------------------------------------------------------
  2. Run /opt/security/extr-granite.py.
    Here is an example of an abbreviated output.
    root@node-1:/opt/security# ./extr-granite.py
    Initialized empty Git repository in /opt/extr-granite-hardening/OS-files-git/.git/
    [master (root-commit) 1e2796b] initial import
    1 file changed, 1 insertion(+)
    create mode 100644 README
    [+] ./extr-granite.py version: 0.89 - Initialized
    sending incremental file list
    /usr/
    /usr/sbin/
    /usr/sbin/grub-mkconfig
    
    sent 3,467 bytes  received 47 bytes  7,028.00 bytes/sec
    total size is 8,219  speedup is 2.34
    [master 8b2b4bd] initial import: /usr/sbin/grub-mkconfig, for CIS-CAT test: 1.4.1 Ensure permissions on bootloader config are not overridden
    1 file changed, 311 insertions(+)
    create mode 100755 usr/sbin/grub-mkconfig
    sending incremental file list
    /etc/
    /etc/sysctl.conf
    
    sent 1,163 bytes  received 39 bytes  2,404.00 bytes/sec
    total size is 2,683  speedup is 2.23
    [master 2f4ad6c] initial import: /etc/sysctl.conf, for CIS-CAT test: 1.5.2 Ensure address space layout randomization (ASLR) is enabled
    1 file changed, 77 insertions(+)
    create mode 100644 etc/sysctl.conf
    kernel.randomize_va_space = 2
    sending incremental file list
    /etc/security/
    /etc/security/limits.conf
    
    .........................
    .........................
    .........................
    
    sent 1,168 bytes  received 44 bytes  2,424.00 bytes/sec
    total size is 2,306  speedup is 1.90
    [master 7ef96f4] file: /etc/pam.d/su, CIS-CAT test: 5.7 Ensure access to the su command is restricted
    1 file changed, 1 insertion(+)
    sending incremental file list
    /etc/group
    
    sent 544 bytes  received 36 bytes  1,160.00 bytes/sec
    total size is 832  speedup is 1.43
    [master 374f6c9] file: /etc/group, CIS-CAT test: 5.7 Ensure access to the su command is restricted (2)
    1 file changed, 1 insertion(+), 1 deletion(-)
    sending incremental file list
    /etc/profile
    
    sent 436 bytes  received 36 bytes  944.00 bytes/sec
    total size is 619  speedup is 1.31
    [master b305cfe] file: /etc/profile, CIS-CAT test: 5.5.5 Ensure default user shell timeout is 900 seconds or less
    1 file changed, 3 insertions(+)
    
    [+] Total checks run: 55
    
    
    root@node-1:/opt/security#

    The following example shows all changes from the initial import to the tag of the first run:

    extr-granite-run1

    Further, the example does the same git diff, except it shows just the changes that were made to the original /etc/ssh/sshd_config file.

    root@tpvm:/opt/extr-granite-hardening/OS-files-git# git tag -l
    extr-granite-initial-import
    extr-granite-run1
    root@tpvm:/opt/extr-granite-hardening/OS-files-git# git diff extr-granite-initial-import extr-granite-run1
    diff --git a/etc/issue b/etc/issue
    index 80ae21e..5192c40 100644
    --- a/etc/issue
    +++ b/etc/issue
    @@ -1,2 +1 @@
    -Ubuntu 18.04.5 LTS \n \l
    -
    +Extreme Networks, Inc. EFA product. Authorized users only. All activity may be monitored and reported.
    diff --git a/etc/issue.net b/etc/issue.net
    index 5e9e2fa..5192c40 100644
    --- a/etc/issue.net
    +++ b/etc/issue.net
    @@ -1 +1 @@
    -Ubuntu 18.04.5 LTS
    +Extreme Networks, Inc. EFA product. Authorized users only. All activity may be monitored and reported.
    diff --git a/etc/modprobe.d/cramfs.conf b/etc/modprobe.d/cramfs.conf
    new file mode 100644
    index 0000000..b77c93a
    --- /dev/null
    +++ b/etc/modprobe.d/cramfs.conf
    @@ -0,0 +1 @@
    +install cramfs /bin/true
    diff --git a/etc/modprobe.d/freevxfs.conf b/etc/modprobe.d/freevxfs.conf
    new file mode 100644
    index 0000000..72d4aec
    --- /dev/null
    +++ b/etc/modprobe.d/freevxfs.conf
    @@ -0,0 +1 @@
    +install freevxfs /bin/true
    root@tpvm:/opt/extr-granite-hardening/OS-files-git# ls etc/ssh/sshd_config
    etc/ssh/sshd_config
    root@tpvm:/opt/extr-granite-hardening/OS-files-git# git help diff^C
    root@tpvm:/opt/extr-granite-hardening/OS-files-git# git diff extr-granite-initial-import extr-granite-run1 ./etc/ssh/sshd_config
    diff --git a/etc/ssh/sshd_config b/etc/ssh/sshd_config
    index 3f0e52e..f640120 100644
    --- a/etc/ssh/sshd_config
    +++ b/etc/ssh/sshd_config
    @@ -121,4 +121,11 @@ Subsystem sftp     /usr/lib/openssh/sftp-server
     #      PermitTTY no
     #      ForceCommand cvs server
     PasswordAuthentication yes
    -MaxStartups 30:30:100
    +MaxStartups 10:30:60
    +MaxAuthTries 4
    +MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
    +KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
    +ClientAliveInterval 300
    +ClientAliveCountMax 0
    +LoginGraceTime 60
    +Banner /etc/issue.net
    
    Note

    Note

    After running the security hardening script, reconnect to the existing TPVM SSH sessions (active/standby/vip) for the new ssh parameters to take effect.

  3. Rerun the CIS-CAT auditor and verify that the scan results produce a score greater than 80%.
    In the following example, the results have improved from 56.11% originally to 81.67%.

    Note that the hardening results are against version 4.2.0 of the CIS-CAT Assessor. The score achieved by the hardening script is reduced against the latest version (4.7.0). Improvements are expected in forthcoming releases.

    root@tpvm:~# ./Assessor-CLI.sh -b 
    benchmarks/CIS_Ubuntu_Linux_18.04_LTS_Benchmark_v2.0.1-xccdf.xml  -html
    -----------------------------------------------------------------------------
    ***** Assessment Results Summary *****
    -----------------------------------------------------------------------------
       Total # of Results: 241
    Total Scored Results: 180
               Total Pass: 147
               Total Fail: 32
              Total Error: 1
            Total Unknown: 0
    Total Not Applicable: 0
        Total Not Checked: 20
       Total Not Selected: 37
      Total Informational: 4
    -----------------------------------------------------------------------------
    ***** Assessment Scoring *****
    -----------------------------------------------------------------------------
             Score Earned: 147.0
        Maximum Available: 180.0
                    Total: 81.67%
    -----------------------------------------------------------------------------