TSYS Group » Chief Operations Officer » Known Element Enterprises - Technology & Facility Services

System Hardening (CIS Benchmarks/ Compliance as code (STIG/SCAP))¶

The goal of this ticket is to deliver the technology implementation piece of " Protecting Controlled Unclassified
Information in Nonfederal Systems and Organizations" (see attached PDF).

Also see https://www.cmmcaudit.org/

Separate tickets have been created for the policy/compliance piece.

General low hanging fruit/quick wins¶

We need to harden the base system image. A combination of CIS benchmarks and STIG/SCAP compliance.

We have already done a number of things to get more compliant with CIS benchmarks (in particular SSH config tweaks).

• Action item: Finish tweaking SSH/auditd etc config to pass CIS benchmark checklist for Debian 12 in Wazuh dashboard .

I suspect that will help with scap/stig/lynis compliance.

• Action item: finish tweaking system config to pass lynis audit

• Action item: Atuin for root on all systems for centralized shell history

• Action item: Move to SSH certificates instead of keys

STIG/SCAP¶

This is more involved.

From https://www.open-scap.org/security-policies/scap-security-guide/

apt install ssg-base ssg-debderived ssg-debian ssg-nondebian ssg-applications

And then we need to utilize ansible to run the relevant playbooks from :

• https://github.com/ComplianceAsCode/content

2fa¶

Locking down the localuser account with 2fa is mandatory.

Webmin¶

Cockpit¶

SSH¶

LDAP Auth To Cloudron¶

No local non root accounts on the systems. All need to be from LDAP.

Cloudron is our IDP. It has an LDAP server. We need to utilize it for user authentication/group management etc.

Patch management¶

Unpatched vulns are the fastest way into a system. We need to keep the systems patched and be able to prove compliance.

This may be the one/done full enchilada:

• https://www.uyuni-project.org/

Otherwise we may have to kit bash it together from pieces:

• https://wiki.debian.org/UnattendedUpgrades
• https://docs.theforeman.org/release/3.15/
• Spacewalk ?
• https://unix.stackexchange.com/questions/123598/registering-ubuntu-client-with-spacewalk
• https://www.reddit.com/r/sysadmin/comments/5umy1j/setting_up_ubuntu_channels_on_spacewalk/
• https://github.com/Katello
• https://theforeman.org/plugins/katello/
• https://medium.com/@kylejones199108/ansible-patch-management-for-linux-systems-using-ansible-part-1-501df3748f84

Audits¶

Once we have done all of the hardening, we need to audit the system to show compliance.

Greenbone Vulnerability Manager¶

This will run from kali (with different configuration for vp-techops and dev)

https://std.rocks/security_kali_gvm.html

General notes/vendors etc¶

Areas of focus/compliance:

• FedRAMP
• CMMC
• ITAR
• MDM
  • https://github.com/jefferyabbott/Xavier
  • https://github.com/mdmdirector/mdmdirector

Need to synthesize quite a bit of upstream source material :

• https://github.com/JAKTOOL/cmmc

• https://github.com/guardian-nexus/AuditKit-Community-Edition

• https://github.com/abualialfatih23/PVE-9-Hardening

• https://github.com/HomeSecExplorer/Proxmox-Hardening-Guide

• https://github.com/ansible-lockdown/DEBIAN12-CIS

• https://github.com/ovh/debian-cis

• https://www.cisecurity.org/benchmark/debian_linux

Code todos¶

• Have AI finish porting my NewServerBuild.sh script to FetchApply and add in lshw (move to own ticket so AI can update it as it goes)
• Have AI add ansible/salt to the FetchApply setup scripts (move to own ticket so AI can update it as it goes)