TSYS Group » Chief Operations Officer » Known Element Enterprises - Technology & Facility Services

Support #311

Updated by Charles N 9 days ago

 
 ## System Hardening (CIS Benchmarks/ Compliance as code (STIG/SCAP)) 

 The goal of this ticket is to deliver the technology implementation piece of " Protecting Controlled Unclassified  
 Information in Nonfederal Systems and Organizations" (see attached PDF).  

 Also see https://www.cmmcaudit.org/ 

 Separate tickets have been created for the policy/compliance piece.  

 ### General low hanging fruit/quick wins 

 We need to harden the base system image. A combination of CIS benchmarks and STIG/SCAP compliance. 

 We have already done a number of things to get more compliant with CIS benchmarks (in particular SSH config tweaks). 

 - Action item: Finish tweaking SSH/auditd etc config to pass CIS benchmark checklist for Debian 12 in Wazuh dashboard .  

 I suspect that will help with scap/stig/lynis compliance.  

 - Action item: finish tweaking system config to pass lynis audit  

 - Action item: Atuin for root on all systems for centralized shell history 

 - Action item: Move to SSH certificates instead of keys 

 ### STIG/SCAP 

 This is more involved.  


 From https://www.open-scap.org/security-policies/scap-security-guide/ 

 ``` 
 apt install ssg-base ssg-debderived ssg-debian ssg-nondebian ssg-applications 
 ``` 

 And then we need to utilize ansible to run the relevant playbooks from : 

 - https://github.com/ComplianceAsCode/content 


 ## 2fa 

 Locking down the localuser account with 2fa is mandatory.  

 ### Webmin 
 ### Cockpit 
 ### SSH 

 ## LDAP Auth To Cloudron 

 No local non root accounts on the systems. All need to be from LDAP. 

 Cloudron is our IDP. It has an LDAP server. We need to utilize it for user authentication/group management etc.  


 ## Patch management 

 Unpatched vulns are the fastest way into a system. We need to keep the systems patched and be able to prove compliance.  

 This may be the one/done full enchilada: 

 - https://www.uyuni-project.org/ 

 Otherwise we may have to kit bash it together from pieces: 

 - https://wiki.debian.org/UnattendedUpgrades 
 - https://docs.theforeman.org/release/3.15/ 
 - Spacewalk ? 
 - https://unix.stackexchange.com/questions/123598/registering-ubuntu-client-with-spacewalk 
 - https://www.reddit.com/r/sysadmin/comments/5umy1j/setting_up_ubuntu_channels_on_spacewalk/ 
 - https://github.com/Katello 
 - https://theforeman.org/plugins/katello/ 
 - https://medium.com/@kylejones199108/ansible-patch-management-for-linux-systems-using-ansible-part-1-501df3748f84 


 ## Audits 

 Once we have done all of the hardening, we need to audit the system to show compliance.  

 ### Lynis 

 This is an on system scanner (gvm may be able to fill that role instead/in-addition?) 

 ### Greenbone Vulnerability Manager 

 This will run from kali (with different configuration for vp-techops and dev) 

 https://std.rocks/security_kali_gvm.html 

 ## General notes/vendors etc Core OAM 

 Areas of focus/compliance: 

 - FedRAMP ``` 
 - CMMC postalias: warning: /etc/aliases, line 1: need name:value pair 
 - ITAR postalias: warning: /etc/aliases, line 2: need name:value pair 
 - MDM 
     - https://github.com/jefferyabbott/Xavier 
     - https://github.com/mdmdirector/mdmdirector 

 Need to synthesize quite a bit postalias: warning: /etc/aliases, line 3: need name:value pair 
 postalias: warning: /etc/aliases, line 4: need name:value pair 
 postalias: warning: /etc/aliases, line 5: need name:value pair 
 postalias: warning: /etc/aliases, line 6: need name:value pair 
 postalias: warning: /etc/aliases, line 7: need name:value pair 
 postalias: warning: /etc/aliases, line 8: need name:value pair 
 postalias: warning: /etc/aliases, line 9: need name:value pair 
  Completed running global-systemServiceConfigurationFiles 
  Now running global-postPackageConfiguration 
 Synchronizing state of upstream source material :  

 - https://github.com/JAKTOOL/cmmc 
    
 - https://github.com/guardian-nexus/AuditKit-Community-Edition auditd.service with SysV service script with /usr/lib/systemd/systemd-sysv-install. 
 - https://github.com/abualialfatih23/PVE-9-Hardening Executing: /usr/lib/systemd/systemd-sysv-install enable auditd 
 - https://github.com/HomeSecExplorer/Proxmox-Hardening-Guide postmap: warning: /etc/postfix/generic, line 2: expected format: key whitespace value 
 - https://github.com/ansible-lockdown/DEBIAN12-CIS postmap: warning: /etc/postfix/generic, line 4: expected format: key whitespace value 
 - https://github.com/ovh/debian-cis postmap: warning: /etc/postfix/generic, line 7: expected format: key whitespace value 
 - https://www.cisecurity.org/benchmark/debian_linux postmap: warning: /etc/postfix/generic, line 9: expected format: key whitespace value 
 ``` 

Back