Support #311
Updated by Charles N 25 days ago
## System Hardening (CIS Benchmarks/ Compliance as code (STIG/SCAP))
The goal of this ticket is to deliver the technology implementation piece of " Protecting Controlled Unclassified
Information in Nonfederal Systems and Organizations" (see attached PDF).
Also see https://www.cmmcaudit.org/
Separate tickets have been created for the policy/compliance piece.
### General low hanging fruit/quick wins
We need to harden the base system image. A combination of CIS benchmarks and STIG/SCAP compliance.
We have already done a number of things to get more compliant with CIS benchmarks (in particular SSH config tweaks).
- Action item: Finish tweaking SSH/auditd etc config to pass CIS benchmark checklist for Debian 12 in Wazuh dashboard .
I suspect that will help with scap/stig/lynis compliance.
- Action item: finish tweaking system config to pass lynis audit
- Action item: Atuin for root on all systems for centralized shell history
- Action item: Move to SSH certificates instead of keys
### STIG/SCAP
This is more involved.
From https://www.open-scap.org/security-policies/scap-security-guide/
```
apt install ssg-base ssg-debderived ssg-debian ssg-nondebian ssg-applications
```
And then we need to utilize ansible to run the relevant playbooks from :
- https://github.com/ComplianceAsCode/content
## 2fa
Locking down the localuser account with 2fa is mandatory.
### Webmin
### Cockpit
### SSH
## LDAP Auth To Cloudron
No local non root accounts on the systems. All need to be from LDAP.
Cloudron is our IDP. It has an LDAP server. We need to utilize it for user authentication/group management etc.
## Patch management
Unpatched vulns are the fastest way into a system. We need to keep the systems patched and be able to prove compliance.
This may be the one/done full enchilada:
- https://www.uyuni-project.org/
Otherwise we may have to kit bash it together from pieces:
- https://wiki.debian.org/UnattendedUpgrades
- https://docs.theforeman.org/release/3.15/
- Spacewalk ?
- https://unix.stackexchange.com/questions/123598/registering-ubuntu-client-with-spacewalk
- https://www.reddit.com/r/sysadmin/comments/5umy1j/setting_up_ubuntu_channels_on_spacewalk/
- https://github.com/Katello
- https://theforeman.org/plugins/katello/
- https://medium.com/@kylejones199108/ansible-patch-management-for-linux-systems-using-ansible-part-1-501df3748f84
## Audits
Once we have done all of the hardening, we need to audit the system to show compliance.
### Lynis
This is an on system scanner (gvm may be able to fill that role instead/in-addition?)
### Greenbone Vulnerability Manager
This will run from kali (with different configuration for vp-techops and dev)
https://std.rocks/security_kali_gvm.html
## Core OAM
```
postalias: warning: /etc/aliases, line 1: need name:value pair
postalias: warning: /etc/aliases, line 2: need name:value pair
postalias: warning: /etc/aliases, line 3: need name:value pair
postalias: warning: /etc/aliases, line 4: need name:value pair
postalias: warning: /etc/aliases, line 5: need name:value pair
postalias: warning: /etc/aliases, line 6: need name:value pair
postalias: warning: /etc/aliases, line 7: need name:value pair
postalias: warning: /etc/aliases, line 8: need name:value pair
postalias: warning: /etc/aliases, line 9: need name:value pair
Completed running global-systemServiceConfigurationFiles
Now running global-postPackageConfiguration
Synchronizing state of auditd.service with SysV service script with /usr/lib/systemd/systemd-sysv-install.
Executing: /usr/lib/systemd/systemd-sysv-install enable auditd
postmap: warning: /etc/postfix/generic, line 2: expected format: key whitespace value
postmap: warning: /etc/postfix/generic, line 4: expected format: key whitespace value
postmap: warning: /etc/postfix/generic, line 7: expected format: key whitespace value
postmap: warning: /etc/postfix/generic, line 9: expected format: key whitespace value
```