TSYS Group » Chief Operations Officer » Known Element Enterprises - Technology & Facility Services

Support #311

Updated by Charles N about 1 month ago

 
 ## System Hardening (CIS Benchmarks/ Compliance as code (STIG/SCAP)) 

 ### General low hanging fruit/quick wins 

 We need to harden the base system image. A combination of CIS benchmarks and STIG/SCAP compliance. 

 We have already done a number of things to get more compliant with CIS benchmarks (in particular SSH config tweaks). 

 - Action item: Finish tweaking SSH/auditd etc config to pass CIS benchmark checklist for Debian 12 in Wazuh dashboard .  

 I suspect that will help with scap/stig/lynis compliance.  

 - Action item: finish tweaking system config to pass lynis audit  

 - Action item: Atuin for root on all systems for centralized shell history 

 - Action item: Move to SSH certificates instead of keys 

 


 ### STIG/SCAP 

 This is more involved.  


 From https://www.open-scap.org/security-policies/scap-security-guide/ 

 ``` 
 apt install ssg-base ssg-debderived ssg-debian ssg-nondebian ssg-applications 
 ``` 

 And then we need to utilize ansible to run the relevant playbooks from : 

 - https://github.com/ComplianceAsCode/content 


 ## 2fa 

 Locking down the localuser account with 2fa is mandatory.  

 ### Webmin 
 ### Cockpit 
 ### SSH 

 ## LDAP Auth To Cloudron 

 No local non root accounts on the systems. All need to be from LDAP. 

 Cloudron is our IDP. It has an LDAP server. We need to utilize it for user authentication/group management etc.  


 ## Patch management 

 Unpatched vulns are the fastest way into a system. We need to keep the systems patched and be able to prove compliance.  

 This may be the one/done full enchilada: 

 - https://www.uyuni-project.org/ 

 Otherwise we may have to kit bash it together from pieces: 

 - https://wiki.debian.org/UnattendedUpgrades 
 - https://docs.theforeman.org/release/3.15/ 
 - Spacewalk ? 
 - https://unix.stackexchange.com/questions/123598/registering-ubuntu-client-with-spacewalk 
 - https://www.reddit.com/r/sysadmin/comments/5umy1j/setting_up_ubuntu_channels_on_spacewalk/ 
 - https://github.com/Katello 
 - https://theforeman.org/plugins/katello/ 
 - https://medium.com/@kylejones199108/ansible-patch-management-for-linux-systems-using-ansible-part-1-501df3748f84 


 ## Audits 

 Once we have done all of the hardening, we need to audit the system to show compliance.  

 ### Lynis 

 This is an on system scanner (gvm may be able to fill that role instead/in-addition?) 

 ### Greenbone Vulnerability Manager 

 This will run from kali (with different configuration for vp-techops and dev) 

 https://std.rocks/security_kali_gvm.html

Back