An Operating System Security Solution

Presentation transcript:

Overview - SOE Harden: An Operating System Security Solution (September 2014)

Challenge We Had
- Global need to collect data from, and produce reports for, all of CSC managed servers.
- Data is required by MCS support teams, regional managers, account teams, etc. to satisfy CSC, our clients, and our vendors that we are meeting contractual obligations.
- Real-time information access
- Centralized administration of information
- Data valuable for Transformation/New Business exercises
- Cross-infrastructure monitoring
- Infrastructure forecasting

Solution Architecture
- Tiers: Tier-1, Tier-2, Tier-3
- Components: Unix Core SOE Clients, Store & Forward Server (SFS), Firewall, Presentation Server (PS)
- SFS collects the data captured on clients and forwards it to the Presentation Server with the help of TI Server & Client.
- The Presentation Server processes the data and makes the reports available at the PS web console.

UnixSOE Enterprise Suite v9.x
- Bundle of in-house developed and open source tools for consistent Unix system administration
- Collects data in a single repository, significantly reducing the labor required to produce both regular and ad-hoc reports
- Supported on 19 UNIX flavors and their respective versions, along with 4 VMware ESX variants
- 3 regional Presentation Servers to collect data

CSC’s Unix Server Management Tools

Data Collection Tools
- Harden: Hardens the system to the Account / CSC Baseline Security Standard.
- PatchTT: Patch tracking and patch compliance reporting on the servers.
- Auto-Config: Collects system hardware/software/configuration/currency data.
- Caper: Provides performance and capacity management data.
- Caper LPAR: An extension of UNIX Caper, meant only for IBM LPAR systems.
- Caper-Vmware: Remotely collects performance data for ESX and its virtual machines.
- vAuto-Config: Collects virtual configuration data from ESX, Frame and Global Zones.
- DBAPTT: Audits Oracle versions and security patches on Unix hosts.

System Management Tools
- CFengine: An automation framework for system administration.
- OpenSSH: Provides secure data transfer and remote login.
- Perl: Standard SOE scripting language.
- Rsync: Provides fast incremental file transfer.
- Sudo: Provides controlled access to super user commands.
- Syslog-ng: A new generation log management tool.
- lsof: "list open files", used to report a list of all open files and the processes that opened them.

Overview – SOE Harden
- Managing compliance issues imposed by regulations and statutory requirements
- To address the operating system's Governance, Risk, and Compliance (GRC) requirements
- To provide operating system security compliance reports to internal and external auditors
- Maintain standardization
- Customized solution for the CSC environment
- To address rapidly fluctuating demand for infrastructure and services
- More business value with minimum investment

Harden - UNIX OS Security
- UNIX OS security auditing and remediation
- Policy-based tool
- Performs 600+ checks using 41 modules
- Security standardization
- Scalability
- Supported on multiple OS/hardware architectures
- Leverages existing CSC IT infrastructure

Harden - UNIX OS Security

Multiple Supported Modes
- Audit mode: provides scan results and suggests corrective actions.
- Interactive mode: lets you choose which remediations to apply.
- Auto mode: remediates the scan findings without user intervention.
- Exemption mode: lets you exempt specific checks.

Easy to Use & Deploy
- Step 1: Create a policy file, either your own or the CSC Baseline Security Policy file.
- Step 2: Download the Harden client software, known as Harden SIP, and install it on the target server.
- Step 3 (optional): Download the policy file to the target box.
- Step 4: Audit or apply OS security as defined in the policy file.

Reporting
- Local & centralized
- System specific & account specific

The Functionality – UNIX SOE Harden

The Configuration – UNIX SOE Harden

Various Harden security modules under different sections:

System Modules
- sys_acct_disable.pl
- sys_kernel.pl
- sys_sendmail.pl
- sys_services.pl
- sys_shadow_security.pl
- sys_stat.pl
- sys_trusted.pl

File Permissions Modules
- file_fstab_check.pl
- file_sys_genperms.pl
- file_sys_permcheck.pl
- file_sys_perms.pl

Network Modules
- net_ftp_service.pl
- net_hosts_equiv.pl
- net_ip_security.pl
- net_nfs_exports.pl
- net_services.pl
- net_vsftp.pl

Authorization Modules
- auth_fail_logging.pl
- auth_login_banner.pl
- auth_pass_change.pl
- auth_pass_construct.pl
- auth_pass_dictionary.pl
- auth_pass_grub.pl
- auth_pass_history.pl
- auth_pass_length.pl
- auth_pass_singleuser.pl
- auth_root_console.pl

User Modules
- user_default_umask.pl
- user_dup_check.pl
- user_group_members.pl
- user_home_files.pl
- user_sess_timeout.pl
- user_shell_check.pl
- user_sudo_audit.pl
- user_unused_access.pl

Application Modules
- app_atcron_config.pl
- app_ssh_config.pl
- app_sshd_config.pl
- app_su_config.pl
- app_syslogd_config.pl
- app_X_config.pl

Harden - UNIX OS Security

Policies:
- CSC Baseline Policy
- CSC Enhanced Policy
- CIS Policy
- Account Based Policy
- DISA Policy (new)

Harden comes with 9 security policies, including CSC Baseline (checks for CSC’s baseline security policies), CSC Enhanced, the CIS policy, Account Based policies and now the DISA policy.
- Any one of them can be specified, depending on the requirement.
- Flexibility to run each module separately or all modules as a single unit.
- Runs in one of the required modes.
- A final report with the scan results is available.

CIS: Center for Internet Security

The Security Benchmarks division helps organizations improve their security posture by reducing risk resulting from inadequate technical security controls. The CIS Security Benchmarks Division develops and distributes:
- Security Configuration Benchmarks, which describe consensus best practices for the secure configuration of target systems. Configuring IT systems in compliance with these Benchmarks has been shown to eliminate 80-95% of known security vulnerabilities. The Benchmarks are globally used and accepted as the de facto user-originated standard for IT security technical controls.
- Security Metrics, which offer enterprise IT and security teams insight into their own security process outcomes.

The CIS.policy file shipped with SOE-Harden defines policies to make your system CIS benchmark compliant.

DISA - Defense Information Systems Agency

The DISA Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DoD) information systems. The implementation guidelines include recommended administrative processes and span the devices' lifecycle. STIG scanning software is used to implement / validate proper configuration.

A STIG describes:
- how to minimize network-based attacks and prevent system access when the attacker is interfacing with the system, either physically at the machine or over a network.
- maintenance processes, such as software updates and vulnerability patching.

The DISA.policy file shipped with SOE-Harden defines policies to make your system DISA STIG compliant.

Harden Online Policy File Creation System
- The Harden online policy file creation tool helps a user customize or create policies based on the CSC Baseline and Enhanced policies.
- It is the easiest way of customizing a policy.
- Link for the online policy file creation tool: http://plggd020.can-kan.csc.com/harden/index.php?xtype=policy

Harden Online Policy File Creation System
This snapshot shows how to customize or create a new policy based on the CSC Baseline or Enhanced policies.

Reports – UNIX Harden: System Specific
(Windows equivalent: WinCompliance)

- Audit History Report: Provides the status of all the checks (Pass, Fail or Exempted) based on their severity. This report holds the history of system audits on a daily basis.
- Audit Module Summary Report: Provides a summarized view of a system audited against each Harden module. It gives the total number of checks Passed, Failed and Exempted for the system in a particular module.
- All Audit Fails Report: A handy, easily understandable report. It lists all the failed checks for each Harden module with a detailed reason for each failure. After reviewing the failure reasons, an administrator can take corrective measures to fix these deviations on any system.
- Harden Audit Report: A raw text-based audit report as generated on the UNIX system (client) by the harden-client software. It is displayed at the web console so that system administrators can analyze the audit details through the web interface without logging on to each host.

Reports – UNIX Harden: Account Specific

- Security Compliance Status: Shows the compliance of each system in relation to the customer’s security policy. It focuses on user account management and system configuration settings. This data is often used or referenced when an account is facing an external audit, as it provides a detailed record that we are managing the systems to the appropriate standard.
- Security Audit Report: Provides detailed, module-based information about all the hosts in an account. It shows the status of each host against each Harden module: whether the host passes all the checks of a module or fails even a single one. If even a single check of a module fails for a host, the host is reported as failed for the full module. The report provides data for analyzing which service, as checked through Harden modules, is most often violated in an account.
- CompareUser Snapshot: Uses Harden snapshots to compare and display the list of newly added or deleted user accounts between two dates on all the hosts in an account.
- CompareHarden Snapshot: All the UNIX systems are bookmarked for an audit status on a particular day through a script. This status is saved in a database for each host and can later be used to compare the current audit status of all the hosts in an account with any of the snapshots/bookmarks taken in the past. It can also compare the status of hosts between snapshots taken on two different dates. This helps track the progress made in bringing our systems into compliance with the defined standard of security settings.
- Terminated Users: Provides information about user accounts which are not being used or logged on to but still exist on the host. This information helps in regulating housekeeping of the UNIX systems.
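The roll-up rules described for the Audit Module Summary and Security Audit reports, as an added Python example (not Harden's own code). The input line layout, host names, check names, and the treatment of an exempted check as non-failing are assumptions made for the illustration.

```python
from collections import Counter, defaultdict

# Constructed sample, one check result per line: "host module check status".
# Module names and status words are from the slides; the hosts, check names
# and line layout are assumptions, not Harden's real report format.
SAMPLE = """\
hostA net_services.pl rexec_disabled PASS
hostA net_services.pl inn_disabled FAIL
hostA app_sshd_config.pl root_login PASS
hostA app_sshd_config.pl protocol PASS
hostB net_services.pl rexec_disabled FAIL
hostB net_services.pl inn_disabled PASS
hostB app_sshd_config.pl root_login FAIL
hostB auth_pass_length.pl min_length PASS
"""
# Constructed exemption list, as exemption mode would supply it.
EXEMPT = {("hostB", "app_sshd_config.pl", "root_login")}
STATUSES = {"PASS", "FAIL", "SKIP", "CHCK"}

def parse(text, exempt=frozenset()):
    """Return (host, module, check, status) rows; exempted checks become EXEMPT."""
    rows = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split()
        if len(parts) != 4 or parts[3] not in STATUSES:
            raise ValueError(f"line {lineno}: malformed result {line!r}")
        host, module, check, status = parts
        if (host, module, check) in exempt:
            status = "EXEMPT"
        rows.append((host, module, check, status))
    return rows

def module_summary(rows):
    """Audit Module Summary: status counts per (host, module)."""
    summary = defaultdict(Counter)
    for host, module, _check, status in rows:
        summary[(host, module)][status] += 1
    return dict(summary)

def security_audit(rows):
    """Security Audit Report: one failed check fails the whole module for that host."""
    return {key: "FAIL" if counts["FAIL"] else "PASS"
            for key, counts in module_summary(rows).items()}

def most_violated(rows):
    """Module failed on the most hosts in the account, with its host count."""
    failed = Counter(m for (_h, m), s in security_audit(rows).items() if s == "FAIL")
    return failed.most_common(1)[0] if failed else None
```

Calling `security_audit(parse(SAMPLE, EXEMPT))` gives the per-host, per-module verdicts; parsing without the exemption set shows how a single exempted check changes a module's result.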

Highlights in this release of Harden
- The version of Harden in this release is 3.1-2, bundled with UnixSOE Enterprise Suite 9.0.
- Enhancement of Harden with respect to the DISA standards, plus feature requests and bug fixes from EMEA.
- Included checks to ensure correct permissions and ownership for NIS/NIS+/yp files.
- Included checks to ensure proper audit system configurations.
- Included check to ensure Sendmail logging is set to less than 9 in the sendmail.cf file.
- Included checks to ensure correct permissions and ownership for files executed through a mail aliases file.
- Included checks to verify that the rexec daemon is not running.
- Included checks to verify that the system's access control program is configured to grant or deny system access to specific hosts.
- Included checks to verify that the system clock is synchronized continuously, or at least daily.
- Included check to ensure the system enforces the entire password during authentication.
- Included check to ensure that the Internet Network News (INN) server is not running.
- Included check to ensure the NFS server has logging implemented.

Backup Slides
Solution Pack Unix SOE & TI Services
EMEA Platform Service Centre, Unix & Linux Server Solutions Team

Audit History Report
This report provides the status of all the checks (Pass, Fail or Exempted) based on their severity. It holds the history of system audits on a daily basis.

Audit Module Summary Report
The report provides a summarized view of a system audited against each Harden module. It gives the total number of checks Passed, Failed and Exempted for the system in a particular module.

All Audit Fail Report
A handy, easily understandable report. It lists all the failed checks for each Harden module with a detailed reason for each failure. After reviewing the failure reasons, an administrator can take corrective measures to fix these deviations on any system.

Harden Audit Report
The Harden Audit Report is a raw text-based audit report as generated on the UNIX system (client) by the harden-client software. It is displayed at the web console so that system administrators can analyze the audit details through the web interface without logging on to each host.

Security Compliance Report
The report shows the compliance of each system in relation to the customer’s security policy. It focuses on user account management and system configuration settings.

Security Audit Report
The report provides detailed, module-based information about all the hosts in an account. It shows the status of each host against each Harden module: whether the host passes all the checks of a module or fails even a single one.

Audit Module Data
The report provides a summarized view of an individual Harden module. It lists the messages (PASS, FAIL, SKIP, CHCK) for each individual module.

Questions & Feedback
Product Support Helpline: unixsoe@csc.com