TPVM provides a security hardening capability in the form of a python script located
at
/opt/security/extr-granite.py
(for TPVM installations valid from
version 4.5.0). The goal of this script is to modify various system security
settings to achieve a more secure state under the examination of the CIS-CAT host
scanner. Specifically, XCO running on TPVM is
deployed into the Ubuntu server environment, and it is this environment that is
hardened by extr-granite.py
.
Note
The
/opt/security/extr-granite.py
script should not be exported to other 3rd party
systems.
To perform the steps that follow, make sure you have Java Runtime Environment (JRE)
installed. Also, ensure that the CIS-CAT scanner has been copied to the TPVM at
/root/cis-cat/Assessor-CLI
.
Note
CIS-CAT scanner is not bundled with
TPVM. You must procure an external CIS-CAT license and install it on the TPVM
environment.
The procedure itself involves the running of the extr-granite.py
script.
Notable aspects of the script are:
- The
extr-granite.py
script keeps a dedicated Git repository for all changes it makes to the
underlying file system. This repository is located at /opt/extr-granite-hardening/OS-files-git
.
- Git tags are used by
extr-granite.py
for
every run cycle. This allows easy comparison of what the script changes on the
host operating system from one run to the next.
- A comprehensive log file is kept
at
/opt/extr-granite-hardening/hardening-log
.
The hardening script can be run multiple times, and even run at every boot using the
init scripts. Every run receives its own Git tag in the OS-files-git
repository.
This makes it possible to track the changes the script has made, going back to the
initial import.
Perform the following steps to run the security script and verify that it is
working:
-
Install CIS-CAT on the host and
produce a scan result.
Here is an example of the
abbreviated output. There is a CIS-CAT score of 56.11% on the
TPVM.
-----------------------------------------------------------------------------
***** Assessment Results Summary *****
-----------------------------------------------------------------------------
Total # of Results: 241
Total Scored Results: 180
Total Pass: 101 Total
Fail: 78
Total Error: 1
Total Unknown: 0
Total Not Applicable: 0
Total Not Checked: 20
Total Not Selected: 37
Total Informational: 4
-----------------------------------------------------------------------------
***** Assessment Scoring *****
-----------------------------------------------------------------------------
Score Earned: 101.0
Maximum Available: 180.0
Total: 56.11%
-----------------------------------------------------------------------------
-
Run
/opt/security/extr-granite.py
.
Here is an example of an
abbreviated
output.
root@node-1:/opt/security# ./extr-granite.py
Initialized empty Git repository in /opt/extr-granite-hardening/OS-files-git/.git/
[master (root-commit) 1e2796b] initial import
1 file changed, 1 insertion(+)
create mode 100644 README
[+] ./extr-granite.py version: 0.89 - Initialized
sending incremental file list
/usr/
/usr/sbin/
/usr/sbin/grub-mkconfig
sent 3,467 bytes received 47 bytes 7,028.00 bytes/sec
total size is 8,219 speedup is 2.34
[master 8b2b4bd] initial import: /usr/sbin/grub-mkconfig, for CIS-CAT test: 1.4.1 Ensure permissions on bootloader config are not overridden
1 file changed, 311 insertions(+)
create mode 100755 usr/sbin/grub-mkconfig
sending incremental file list
/etc/
/etc/sysctl.conf
sent 1,163 bytes received 39 bytes 2,404.00 bytes/sec
total size is 2,683 speedup is 2.23
[master 2f4ad6c] initial import: /etc/sysctl.conf, for CIS-CAT test: 1.5.2 Ensure address space layout randomization (ASLR) is enabled
1 file changed, 77 insertions(+)
create mode 100644 etc/sysctl.conf
kernel.randomize_va_space = 2
sending incremental file list
/etc/security/
/etc/security/limits.conf
.........................
.........................
.........................
sent 1,168 bytes received 44 bytes 2,424.00 bytes/sec
total size is 2,306 speedup is 1.90
[master 7ef96f4] file: /etc/pam.d/su, CIS-CAT test: 5.7 Ensure access to the su command is restricted
1 file changed, 1 insertion(+)
sending incremental file list
/etc/group
sent 544 bytes received 36 bytes 1,160.00 bytes/sec
total size is 832 speedup is 1.43
[master 374f6c9] file: /etc/group, CIS-CAT test: 5.7 Ensure access to the su command is restricted (2)
1 file changed, 1 insertion(+), 1 deletion(-)
sending incremental file list
/etc/profile
sent 436 bytes received 36 bytes 944.00 bytes/sec
total size is 619 speedup is 1.31
[master b305cfe] file: /etc/profile, CIS-CAT test: 5.5.5 Ensure default user shell timeout is 900 seconds or less
1 file changed, 3 insertions(+)
[+] Total checks run: 55
root@node-1:/opt/security#
The following example
shows all changes from the initial import to the tag of the first
run:
extr-granite-run1
Further, the example does the same git diff
, except
it shows just the changes that were made to the original /etc/ssh/sshd_config
file.
root@tpvm:/opt/extr-granite-hardening/OS-files-git# git tag -l
extr-granite-initial-import
extr-granite-run1
root@tpvm:/opt/extr-granite-hardening/OS-files-git# git diff extr-granite-initial-import extr-granite-run1
diff --git a/etc/issue b/etc/issue
index 80ae21e..5192c40 100644
--- a/etc/issue
+++ b/etc/issue
@@ -1,2 +1 @@
-Ubuntu XX.XX
-
+Extreme Networks, Inc. EFA product. Authorized users only. All activity may be monitored and reported.
diff --git a/etc/issue.net b/etc/issue.net
index 5e9e2fa..5192c40 100644
--- a/etc/issue.net
+++ b/etc/issue.net
@@ -1 +1 @@
-Ubuntu XX.XX
+Extreme Networks, Inc. EFA product. Authorized users only. All activity may be monitored and reported.
diff --git a/etc/modprobe.d/cramfs.conf b/etc/modprobe.d/cramfs.conf
new file mode 100644
index 0000000..b77c93a
--- /dev/null
+++ b/etc/modprobe.d/cramfs.conf
@@ -0,0 +1 @@
+install cramfs /bin/true
diff --git a/etc/modprobe.d/freevxfs.conf b/etc/modprobe.d/freevxfs.conf
new file mode 100644
index 0000000..72d4aec
--- /dev/null
+++ b/etc/modprobe.d/freevxfs.conf
@@ -0,0 +1 @@
+install freevxfs /bin/true
root@tpvm:/opt/extr-granite-hardening/OS-files-git# ls etc/ssh/sshd_config
etc/ssh/sshd_config
root@tpvm:/opt/extr-granite-hardening/OS-files-git# git help diff^C
root@tpvm:/opt/extr-granite-hardening/OS-files-git# git diff extr-granite-initial-import extr-granite-run1 ./etc/ssh/sshd_config
diff --git a/etc/ssh/sshd_config b/etc/ssh/sshd_config
index 3f0e52e..f640120 100644
--- a/etc/ssh/sshd_config
+++ b/etc/ssh/sshd_config
@@ -121,4 +121,11 @@ Subsystem sftp /usr/lib/openssh/sftp-server
# PermitTTY no
# ForceCommand cvs server
PasswordAuthentication yes
-MaxStartups 30:30:100
+MaxStartups 10:30:60
+MaxAuthTries 4
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
+LoginGraceTime 60
+Banner /etc/issue.net
Note
After running the security hardening script, reconnect to the existing
TPVM SSH sessions (active/standby/vip) for the new ssh parameters to
take effect.
-
Rerun the CIS-CAT auditor and
verify that the scan results produce a score greater than 80%.
Note that the hardening results are against version 4.29.0 of the CIS-CAT
Assessor.
The following score achieved is against TPVM version 4.6.2-1.
-----------------------------------------------------------------------------
***** Assessment Results Summary *****
-----------------------------------------------------------------------------
Total # of Results: 243
Total Scored Results: 219
Total Pass: 177
Total Fail: 42
Total Error: 0
Total Unknown: 0
Total Not Applicable: 0
Total Not Checked: 19
Total Not Selected: 0
Total Informational: 5
-----------------------------------------------------------------------------
***** Assessment Scoring *****
-----------------------------------------------------------------------------
Score Earned: 177.0
Maximum Available: 219.0
Total: 80.82%
-----------------------------------------------------------------------------
The following score is achieved against XCO Version 3.3.0 Build 41 on Ubuntu
Version 20.04.
-----------------------------------------------------------------------------
***** Assessment Results Summary *****
-----------------------------------------------------------------------------
Total # of Results: 243
Total Scored Results: 219
Total Pass: 181
Total Fail: 38
Total Error: 0
Total Unknown: 0
Total Not Applicable: 0
Total Not Checked: 19
Total Not Selected: 0
Total Informational: 5
-----------------------------------------------------------------------------
***** Assessment Scoring *****
-----------------------------------------------------------------------------
Score Earned: 181.0
Maximum Available: 219.0
Total: 82.65%
-----------------------------------------------------------------------------