
Support #311

Updated by Charles N 10 days ago

 
## System Hardening (CIS Benchmarks / Compliance as Code (STIG/SCAP))

The goal of this ticket is to deliver the technology implementation piece of "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations" (see attached PDF).

Also see https://www.cmmcaudit.org/

Separate tickets have been created for the policy/compliance piece.

### General low-hanging fruit / quick wins

We need to harden the base system image using a combination of CIS benchmarks and STIG/SCAP compliance.

We have already done a number of things to get more compliant with CIS benchmarks (in particular SSH config tweaks).

- Action item: finish tweaking SSH/auditd etc. config to pass the CIS benchmark checklist for Debian 12 in the Wazuh dashboard.

I suspect that will help with SCAP/STIG/Lynis compliance.

- Action item: finish tweaking system config to pass the Lynis audit.

- Action item: deploy Atuin for root on all systems for centralized shell history.

- Action item: move to SSH certificates instead of keys.
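As an added example (not from this ticket or the CIS/Wazuh tooling), a small POSIX shell check that reads an sshd_config statically and reports directives that miss a subset of the CIS Debian benchmark SSH values. The expected values and the sample config are assumptions constructed here; confirm them against the benchmark version Wazuh scores you on before relying on the list.

```sh
#!/bin/sh
# Added example: static check of an sshd_config against a subset of the CIS
# Debian benchmark SSH items. Constructed here, not from the ticket.
# Constructed sample config mixing passing and failing settings; a real run
# would point at /etc/ssh/sshd_config instead.
SAMPLE_CFG="${TMPDIR:-/tmp}/sshd_config.sample.$$"
cat > "$SAMPLE_CFG" <<'EOF'
# constructed sample, not a real host config
Port 22
PermitRootLogin yes
MaxAuthTries 6
X11Forwarding no
PermitEmptyPasswords no
UsePAM yes
EOF

# Assumed expected values: Directive=value (exact) and Directive=max (ceiling).
# Check them against the benchmark version/profile you are scored on.
EXACT="PermitRootLogin=no PermitEmptyPasswords=no X11Forwarding=no IgnoreRhosts=yes HostbasedAuthentication=no UsePAM=yes"
CEILING="MaxAuthTries=4 LoginGraceTime=60 MaxSessions=10"

# First uncommented occurrence wins, which is how sshd resolves a directive.
# Match blocks are not handled; this reads the file, not `sshd -T` output.
effective_value() {
    awk -v key="$2" '$1 !~ /^#/ && tolower($1) == tolower(key) { print tolower($2); exit }' "$1"
}

# Prints one FAIL line per finding and returns the finding count. An unset
# directive counts as a finding because sshd defaults are not resolved here.
check_sshd_config() {
    cfg=$1; findings=0
    for pair in $EXACT; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(effective_value "$cfg" "$key")
        [ "$got" = "$want" ] || { echo "FAIL $key: got '${got:-unset}', want '$want'"; findings=$((findings + 1)); }
    done
    for pair in $CEILING; do
        key=${pair%%=*}; max=${pair#*=}
        got=$(effective_value "$cfg" "$key")
        case $got in
            ''|*[!0-9]*) echo "FAIL $key: got '${got:-unset}', want <= $max"; findings=$((findings + 1)) ;;
            *) [ "$got" -le "$max" ] || { echo "FAIL $key: got $got, want <= $max"; findings=$((findings + 1)); } ;;
        esac
    done
    return $findings
}

# Sample run: 6 findings for the constructed config above.
if check_sshd_config "$SAMPLE_CFG"; then echo "compliant"; else echo "findings: $?"; fi
```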

### STIG/SCAP

This is more involved.

From https://www.open-scap.org/security-policies/scap-security-guide/

```
apt install ssg-base ssg-debderived ssg-debian ssg-nondebian ssg-applications
```

And then we need to use Ansible to run the relevant playbooks from:

- https://github.com/ComplianceAsCode/content


## 2FA

Locking down the localuser account with 2FA is mandatory.

### Webmin
### Cockpit
### SSH

## LDAP Auth To Cloudron

No local non-root accounts on the systems. All need to come from LDAP.

Cloudron is our IdP. It has an LDAP server. We need to use it for user authentication, group management, etc.


## Patch management

Unpatched vulns are the fastest way into a system. We need to keep the systems patched and be able to prove compliance.

This may be the one-and-done full enchilada:

- https://www.uyuni-project.org/

Otherwise we may have to kitbash it together from pieces:

- https://wiki.debian.org/UnattendedUpgrades
- https://docs.theforeman.org/release/3.15/
- Spacewalk?
- https://unix.stackexchange.com/questions/123598/registering-ubuntu-client-with-spacewalk
- https://www.reddit.com/r/sysadmin/comments/5umy1j/setting_up_ubuntu_channels_on_spacewalk/
- https://github.com/Katello
- https://theforeman.org/plugins/katello/
- https://medium.com/@kylejones199108/ansible-patch-management-for-linux-systems-using-ansible-part-1-501df3748f84


## Audits

Once we have done all of the hardening, we need to audit the system to show compliance.

### Greenbone Vulnerability Manager

This will run from Kali (with different configuration for vp-techops and dev).

https://std.rocks/security_kali_gvm.html

## General notes/vendors etc.

Areas of focus/compliance:

- FedRAMP
- CMMC
- ITAR
- MDM
    - https://github.com/jefferyabbott/Xavier
    - https://github.com/mdmdirector/mdmdirector

Need to synthesize quite a bit of upstream source material:

- https://github.com/JAKTOOL/cmmc
- https://github.com/guardian-nexus/AuditKit-Community-Edition
- https://github.com/abualialfatih23/PVE-9-Hardening
- https://github.com/HomeSecExplorer/Proxmox-Hardening-Guide
- https://github.com/ansible-lockdown/DEBIAN12-CIS
- https://github.com/ovh/debian-cis
- https://www.cisecurity.org/benchmark/debian_linux

### Code todos

- Have AI finish porting my NewServerBuild.sh script to FetchApply and add in lshw (move to own ticket so AI can update it as it goes)
- Have AI add Ansible/Salt to the FetchApply setup scripts (move to own ticket so AI can update it as it goes)
