simp-4.2.- PDF - Read the Docs
Contents
1.
Control ID | Control Name | Control Family | SIMP Implementation Method
PE-9(1) | Power Equipment and Power Cabling Control Enhancement | Physical and Environmental Protection |
PE-9(2) | Power Equipment and Power Cabling Control Enhancement | Physical and Environmental Protection |
PE-10 | Emergency Shutoff | Physical and Environmental Protection |
PE-10(1) | Emergency Shutoff Control Enhancement | Physical and Environmental Protection |
PE-11 | Emergency Power | Physical and Environmental Protection |
PE-11(1) | Emergency Power Control Enhancement | Physical and Environmental Protection |
PE-11(2) | Emergency Power Control Enhancement | Physical and Environmental Protection |
PE-12 | Emergency Lighting | Physical and Environmental Protection |
PE-12(1) | Emergency Lighting Control Enhancement | Physical and Environmental Protection |
PE-13 | Fire Protection | Physical and Environmental Protection |
PE-13(1) | Fire Protection Control Enhancement | Physical and Environmental Protection |
PE-13(2) | Fire Protection Control Enhancement | Physical and Environmental Protection |
PE-13(3) | Fire Protection Control Enhancement | Physical and Environmental Protection |
PE-13(4) | Fire Protection Control Enhancement | Physical and Environmental Protection |
PE-14 | Temperature and Humidity Controls | Physical and Environmental Protection |
PE-14(1) | Temperature and Humidity Controls Control Enhancement | Physical and Environmental Protection |
2.
Control ID | Control Name | Control Family | SIMP Implementation Method
SI-3 | Malicious Code Protection | System and Information Integrity | SIMP has modules available for mcafee and ClamAV. The ClamAV implementations need to provide their own version of the mcafee software for the module to work. That module comes with the ability to sync dat updates to clients via rsync. The module does NOT specify how often and what file systems should be scanned. SIMP also implements the open source tool chkrootkit, which comes installed by default.
SI-3(1) | Malicious Code Protection Control Enhancement | System and Information Integrity | The provided anti-virus modules are installed via puppet modules. Those modules include the ability to sync data file updates via rsync. Therefore all management of malicious code detection is done centrally.
SI-3(2) | Malicious Code Protection Control Enhancement | System and Information Integrity |
SI-3(3) | Malicious Code Protection Control Enhancement | System and Information Integrity |
SI-3(4) | Malicious Code Protection Control Enhancement | System and Information Integrity |
SI-3(5) | Malicious Code Protection Control Enhancement | System and Information Integrity |
SI-3(6) | Malicious Code Protection Control Enhancement | System and Information Integrity |
SI-4 | Information System Monitoring Tools and Techniques | System and Information Integrity |
3.
-a always,exit -F arch=b64 -F auid!=0 -F uid=0 -S capset -S mknod -S pivot_root -S quotactl
-a always,exit -F arch=b32 -F auid!=0 -F uid=0 -S capset -S mknod -S pivot_root -S quotactl

# Audit the execution of suid and sgid binaries (CCE-26457-2)
# Had to add an entry at the top for getting rid of anonymous records since this covers
# They are only moderately useful and contain way too much noise.
-a always,exit -F arch=b64 -F euid=0 -F uid!=0 -S execve -k suid-root
-a always,exit -F arch=b32 -F euid=0 -F uid!=0 -S execve -k suid-root

# Audit the loading and unloading of kernel modules (CCE-26611-4)
-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-a always,exit -F arch=b64 -S init_module -S delete_module -k modules
-a always,exit -F arch=b32 -S init_module -S delete_module -k modules

# Things that could affect time (CCE-27172-6, CCE-27203-9, CCE-27169-2, CCE-27170-0)
-a exit,always -F arch=b32 -S adjtimex -S stime -S clock_settime -S settimeofday
-a exit,always -F arch=b64 -S adjtimex -S clock_settime -S settimeofday
# CCE-27172-6
-w /etc/localtime -p wa -k audit_time_rules

# Things that could affect system locale (CCE-26648-6)
-a always,exit -F arch=b32 -S sethostname -S setdomainname -k audit_network_modification
-a always,exit -F arch=b64 -S sethostname -S setdomainname -k audit_
4.
4.5 Security Concepts Appendices, p. 179 (SIMP Documentation, Release 0.0); Table 4.4, continued from previous page
Control ID | Control Name | Control Family | SIMP Implementation Method
SI-4(12) | Information System Monitoring Tools and Techniques Control Enhancement | System and Information Integrity |
SI-4(13) | Information System Monitoring Tools and Techniques Control Enhancement | System and Information Integrity |
SI-4(14) | Information System Monitoring Tools and Techniques Control Enhancement | System and Information Integrity |
SI-4(15) | Information System Monitoring Tools and Techniques Control Enhancement | System and Information Integrity |
SI-4(16) | Information System Monitoring Tools and Techniques Control Enhancement | System and Information Integrity |
SI-4(17) | Information System Monitoring Tools and Techniques Control Enhancement | System and Information Integrity |
| System Alerts, Advisories and Directives | System and Information Integrity | The only part of the control (a) that is met by SIMP is the tracking of security alerts for products that are part of the code base. The development team subscribes to message boards for the main products (puppet) that are part of the packaging. Red Hat/CentOS advisories are also tracked out of necessity, but since ALL the OS files are n
5.
Name | Source
bitmap-miscfixed-fonts-0.3-15.el6.noarch.rpm | Red Hat Optional Repository
chkrootkit-0.49-9.el6.x86_64.rpm | http://mirror.symnds.com/distributions/fedora-epel/6/x86_64/chkr
clamav-0.98.7-1.el6.x86_64.rpm | http://mirror.symnds.com/distributions/fedora-epel/6/x86_64/clam
clamav-db-0.98.7-1.el6.x86_64.rpm | http://mirror.symnds.com/distributions/fedora-epel/6/x86_64/clam
clamav-devel-0.98.7-1.el6.x86_64.rpm | http://mirror.symnds.com/distributions/fedora-epel/6/x86_64/clam
clamav-milter-0.98.7-1.el6.x86_64.rpm | http://mirror.symnds.com/distributions/fedora-epel/6/x86_64/clam
clamav-unofficial-sigs-3.7.1-7.el6.noarch.rpm | http://mirror.symnds.com/distributions/fedora-epel/6/x86_64/clam
clamd-0.98.7-1.el6.x86_64.rpm | http://mirror.symnds.com/distributions/fedora-epel/6/x86_64/clam
clamsmtp-1.10-6.el6.x86_64.rpm | http://mirror.symnds.com/distributions/fedora-epel/6/x86_64/clam
dejavu-lgc-sans-fonts-2.33-1.el6.noarch.rpm | Red Hat Base Repository
dejavu-lgc-serif-fonts-2.33-1.el6.noarch.rpm | Red Hat Base Repository
dracut-004-388.el6.noarch.rpm | Red Hat Base Repository
dracut-fips-004-388.el6.noarch.rpm | Red Hat Base Repository
dracut-fips-aesni-004-388.el6.noarch.rpm | Red Hat Optional Repository
dracut-kernel-004-388.el6.noarch.rpm | Red Hat Base Repository
elasticsearch-1.3.2.noarch.rpm | https://download.elastic.co/elasticsearch/elasticsearch/elasticsearc
elasticsearch-curator-1
6.
Control ID | Control Name | Control Family | SIMP Implementation Method
| Authenticator Management Control Enhancement | Identification and Authentication | The simp config utility gives each implementation an opportunity to change default passwords at build time. It's up to the implementation to change the values for the various passwords.
IA-5(6) | Authenticator Management Control Enhancement | Identification and Authentication | Authenticators are protected with operating system access control and file permissions.
IA-5(7) | Authenticator Management Control Enhancement | Identification and Authentication | Plaintext passwords are only used when applications support no other means of providing a password.
IA-5(8) | Authenticator Management Control Enhancement | Identification and Authentication |
IA-6 | Authenticator Feedback | Identification and Authentication | Plaintext passwords are not echoed back to the screen.
Table 4.3, continued from previous page
IA-7 | Cryptographic Module Authentication | Identification and Authentication | Redhat 7 and the several modules are being evaluated for FIPS 140 compliance. Implementations should check the FIPS site for updates on this evaluation. The SIMP team will also continue to e
7.
Promoting a Slave Node (LDAP)

Change the common ldap server variable to promote the slave node:

$ldap_master = 'ldap://ldaprepl1.your.domain'

node 'ldapmaster' {
  include 'ldap_master'
}

node 'ldaprepl1' {
  include 'ldap_repl'
  include 'ldap_master'
}

After the next Puppet run on all hosts, ldaprepl1 will be promoted to the master and all slave nodes will point to it.

Troubleshooting

If the system is not replicating, it is possible that another user has updated the $ldap_sync_passwd and $ldap_sync_hash entries in the /etc/puppet/manifests/vars.pp file without also updating the value in LDAP itself; this is the most common issue reported by users. Currently SIMP cannot self-modify the LDAP database directly, therefore the LDAP Administrator needs to perform this action. Refer to the User Management chapter for more information on manipulating entries in OpenLDAP. The example below shows the changes necessary to update the ldap_sync information in LDAP.

Update ldap_sync Information in LDAP (Example)

dn: cn=LDAPSync,ou=People,dc=your,dc=domain
changetype: modify
replace: userPassword
userPassword: <Hash from ldap_sync_hash>

Master Node Demotion

In the event that multiple master nodes have been set up, it may be necessary to demote one or more of them to slave instances. To do this, add the replication code shown in the previous
8.
Control ID | Control Name | Control Family | SIMP Implementation Method
AT-2(1) | Security Awareness Control Enhancement | Awareness and Training |
AT-3 | Security Training | Awareness and Training |
AT-3(1) | Security Training Control Enhancement | Awareness and Training |
AT-3(2) | Security Training Control Enhancement | Awareness and Training |
AT-4 | Security Training Records | Awareness and Training |
AT-5 | Contacts with Security Groups and Associations | Awareness and Training |
CM-1 | Configuration Management Policy and Procedures | Configuration Management |
CM-2 | Baseline Configuration | Configuration Management | SIMP has strictly enforced version control during development. The baseline files for SIMP are kept and maintained in a git repository. Files are packaged and a series of auto tests are performed on each release. Once released, there is a version number associated for distribution. Additionally, custom puppet modules are in the form of RPMs and have version numbers associated with them. All documentation is also built with source code.
CM-2(1) | Baseline Configuration Control Enhancement | Configuration Management |
CM-2(2) | Baseline Configuration Control Enhancement | Configuration Management | SIMP has strictly enforced version control during development. The baseline files for SIMP are kept and maintained in a git repositor
9.
Control ID | Control Name | Control Family | SIMP Implementation Method
CP-10(4) | Information System Recovery and Reconstitution Control Enhancement | Contingency Planning |
CP-10(5) | Information System Recovery and Reconstitution Control Enhancement | Contingency Planning |
CP-10(6) | Information System Recovery and Reconstitution Control Enhancement | Contingency Planning |
IR-1 | Incident Response Policy and Procedures | Incident Response |
IR-2 | Incident Response Training | Incident Response |
IR-2(1) | Incident Response Training Control Enhancement | Incident Response |
IR-2(2) | Incident Response Training Control Enhancement | Incident Response |
IR-3 | Incident Response Testing and Exercises | Incident Response |
IR-3(1) | Incident Response Testing and Exercises Control Enhancement | Incident Response |
IR-4 | Incident Handling | Incident Response |
IR-4(1) | Incident Handling Control Enhancement | Incident Response |
IR-4(2) | Incident Handling Control Enhancement | Incident Response | If an implementation chooses, they can leverage puppet's ability to reconfigure systems as part of incident response. While puppet is not intended to be a security product, its features can help provide security functionality such as dynamic reconfigurations.
IR-4(3) | Incident Handling Control Enhancement | Incident Response |
IR-4(4) | Incident Handling Control
10.
Make sure the MAC address of the client is set up in DHCP (see Configure DHCP for more info). Restart the system. Once the client installs, reboots, and begins to bootstrap, it will check in for the first time.

Note: Puppet will not autosign puppet certificates by default and waitforcert is enabled. The client will check in every 30 seconds for a signed cert. Log on to the puppet server and run: puppet cert sign <puppet.client.fqdn>

Upon successful deployment of a new client, it is highly recommended that LDAP administrative accounts be created.

3.3.7 Troubleshooting Issues

If the client has been kickstarted but is not communicating with the Puppet server, try the following options:
- Check the forward and reverse DNS entries on the client and server; both must be correct.
- Check the time on the systems. More than an hour's difference will cause serious issues with certificates.
- Remove /var/lib/puppet/ssl on the client system, run puppet cert clean <Client.Host.Name> on the Puppet server, and try again.

3.3.8 Troubleshoot Certificate Issues

If host certificates do not appear to be working and the banner is not getting rsync'd to the clients, ensure that all certificates verify against the installed CA certificates. The table below lists the steps to determine which certificates are working and which are not.
1. Navigate to /etc/puppet/environments/simp/keydist
2. Run find . -name <Your.Domain>
11.
Name | Source
freeradius-utils-2.2.6-4.el6.x86_64.rpm | http://mirror.ash.fastserv.com/pub/linux/centos/6.7/os/x86_64/Pac
ganglia-3.7.1-2.el6.x86_64.rpm | http://mirror.cogentco.com/pub/linux/epel/6/x86_64/ganglia-3.7.1
ganglia-devel-3.7.1-2.el6.x86_64.rpm | http://mirror.cogentco.com/pub/linux/epel/6/x86_64/ganglia-devel
ganglia-gmetad-3.7.1-2.el6.x86_64.rpm | http://mirror.cogentco.com/pub/linux/epel/6/x86_64/ganglia-gmet
ganglia-gmond-3.7.1-2.el6.x86_64.rpm | http://mirror.cogentco.com/pub/linux/epel/6/x86_64/ganglia-gmor
ganglia-gmond-python-3.7.1-2.el6.x86_64.rpm | http://mirror.cogentco.com/pub/linux/epel/6/x86_64/ganglia-gmor
glibc-2.12-1.166.el6_7.1.x86_64.rpm | http://mirror.cs.vt.edu/pub/CentOS/6.7/updates/x86_64/Packages
glibc-common-2.12-1.166.el6_7.1.x86_64.rpm | http://mirror.cs.vt.edu/pub/CentOS/6.7/updates/x86_64/Packages
glibc-devel-2.12-1.166.el6_7.1.x86_64.rpm | http://centos.mirror.nac.net/6.7/updates/x86_64/Packages/glibc-de
glibc-devel-2.12-1.166.el6_7.1.i686.rpm | http://mirror.cs.vt.edu/pub/CentOS/6.7/updates/x86_64/Packages
glibc-headers-2.12-1.166.el6_7.1.x86_64.rpm | http://mirror.cs.vt.edu/pub/CentOS/6.7/updates/x86_64/Packages
Table 4.2, continued from previous page
glibc-static-2.12-1.166.el6_7.1.x86_64.rpm | http://mirror.cs.vt.edu/pub/CentOS/6.7/upd
12.
Chapter 1, Changelog
- Split the Freeradius module based on version so that it can be properly selected against the installed version of Freeradius. This may take two runs to coalesce.
- pupmod-puppetlabs-inifile: Updated to version 1.2.0.
- pupmod-puppetlabs-puppetdb: Updated to version 5.0.0.0.
- pupmod-simp-kibana: Add Kibana dashboards to the Kibana module. Allows users to apply default SIMP Kibana dashboards.
- pupmod-simp-logstash: Integrated SIMP and Electrical Logstash modules. Changes the existing Logstash module to allow users to apply default SIMP filters.
- pupmod-pki: Now generate a system RSA public key against the passed private key.
- pupmod-puppetlabs-postgresql: Initial import of the Puppet Labs PostgreSQL module. Modifications were made to support the SIMP concat.
- pupmod-puppetlabs-puppetdb: New import of the Puppet Labs PuppetDB module.
- pupmod-puppetlabs-stdlib: Updated to version 4.5.1.
- pupmod-rsyslog: Migrated to Rsyslog 7 and the new RainerScript. Added acceptance tests.
- pupmod-simp: Now set the SELinux Boolean use_nfs_home_dirs when using NFS for home directories. fixfiles is now run prior to the final runpuppet client script run, due to various issues with autorelabel over time.
- pupmod-tftpboot: Updated to use native packages and pull as much as possible.
- simp-doc: Updated tables across the board to
13.
Control ID | Control Name | Control Family | SIMP Implementation Method
AC-7(1) | Unsuccessful Login Attempts Control Enhancement | Access Control | An account is never locked to a point an admin must unlock it. It will continue to be unlocked after 15 minutes. This should meet most modern policies. It can be further restricted if required by local policies.
AC-7(2) | Unsuccessful Login Attempts Control Enhancement | Access Control |
AC-8 | System Use Notification | Access Control | SIMP displays a default banner prior to login. Implementations must customize that banner for their use.
AC-9 | Previous Logon (Access) Notification | Access Control | SIMP uses the pam_lastlog.so module to display last login information.
AC-9(1) | Previous Logon (Access) Notification Control Enhancement | Access Control | SIMP uses the pam_lastlog.so module to display last login information.
AC-9(2) | Previous Logon (Access) Notification Control Enhancement | Access Control | SIMP uses the pam_lastlog.so module to display last login information, including the number of failed login attempts since the last logon.
AC-9(3) | Previous Logon (Access) Notification Control Enhancement | Access Control |
AC-10 | Concurrent Session Control | Access Control | The default value for concurrent sessions in SIMP is 10 (/etc/security/limits.conf). Given the variety of system usage, to include automated processes, it could impact functio
14.
Control ID | Control Name | Control Family | SIMP Implementation Method
| Control Enhancement | |
MA-4(5) | Non-Local Maintenance Control Enhancement | Maintenance |
MA-4(6) | Non-Local Maintenance Control Enhancement | Maintenance | Remote maintenance is performed using SSH. SSH inherently provides confidentiality and integrity of data while in transit.
MA-4(7) | Non-Local Maintenance Control Enhancement | Maintenance |
MA-5 | Maintenance Personnel | Maintenance |
MA-5(1) | Maintenance Personnel Control Enhancement | Maintenance |
MA-5(2) | Maintenance Personnel Control Enhancement | Maintenance |
MA-5(3) | Maintenance Personnel Control Enhancement | Maintenance |
MA-5(4) | Maintenance Personnel Control Enhancement | Maintenance |
MA-6 | Timely Maintenance | Maintenance |
MP-1 | Media Protection Policy and Procedures | Media Protection |
MP-2 | Media Access | Media Protection |
MP-2(1) | Media Access Control Enhancement | Media Protection |
Table 4.5, continued from previous page
MP-2(2) | Media Access Control Enhancement | Media Protection |
MP-4 | Media Storage | Media Protection |
MP-5 | Media Transport | Media Protection |
MP-5(1) | Media Transport Control Enhancement | Media Protection |
MP-5(2) | Media Transport Control Enhancement | Media Protection |
MP-5(3) | Media Transport Con
15.
Control ID | Control Name | Control Family | SIMP Implementation Method
| | | Development testing is performed on SIMP in environments that have a code base frozen.
CM-3 | Configuration Change Control | Configuration Management |
CM-3(1) | Configuration Change Control Control Enhancement | Configuration Management |
CM-3(2) | Configuration Change Control Control Enhancement | Configuration Management |
Table 4.5, continued from previous page
CM-3(3) | Configuration Change Control Control Enhancement | Configuration Management | Configuration changes in SIMP are automated using a combination of puppet, yum, and rsync. While not all files on an operating system are managed by those mechanisms, many are. Changes to critical files that are managed by puppet revert back to their original state. These mechanisms were not meant to defeat an attack by a malicious insider.
CM-3(4) | Configuration Change Control Control Enhancement | Configuration Management |
CM-4 | Security Impact Analysis | Configuration Management | All features or bugs in SIMP are vetted through the development process by being placed on the product backlog and discussed with the entire team. There is a security representative on the SIMP team that is part of that vetting proce
16.
- pupmod-simp-logstash: Integrated SIMP and Electrical Logstash modules. Changes the existing Logstash module to allow users to apply default SIMP filters.
- pupmod-pki: Now generate a system RSA public key against the passed private key.
- pupmod-puppetlabs-postgresql: Initial import of the Puppet Labs PostgreSQL module. Modifications were made to support the SIMP concat.
- pupmod-puppetlabs-puppetdb: New import of the Puppet Labs PuppetDB module.
- pupmod-puppetlabs-stdlib: Updated to version 4.5.1.
- pupmod-rsyslog: Migrated to Rsyslog 7 and the new RainerScript. Added acceptance tests.
- pupmod-simp: Now set the SELinux Boolean use_nfs_home_dirs when using NFS for home directories. fixfiles is now run prior to the final runpuppet client script run, due to various issues with autorelabel over time.
- pupmod-tftpboot: Updated to use native packages and pull as much as possible.
- simp-doc: Updated tables across the board to be more readable. Updated documentation relating to user management and user key management using SSH. Rebranded the documentation and updated the color scheme. Updated the default system passwords.
- pupmod-vsftpd: Completely refactored to meet the new module layout guidance. The user and group are now able to be modified from the defaults. Added a full suite of Beaker tests.
- simp-utils: simp config was r
17.
Control ID | Control Name | Control Family | SIMP Implementation Method
| | | Local account creation is audited with auditd, as are all of root's actions. Sudosh logs all commands for someone running sudosh. This will not work if the SIMP implementation uses specific sudo rules; instead, sudo actions are logged using auditd. LDAP modifications are logged in the LDAP logs.
AC-2(5) | Account Management Control Enhancement | Access Control | Shell accounts are logged out after 15 minutes of inactivity.
AC-2(6) | Account Management Control Enhancement | Access Control |
AC-2(7) | Account Management Control Enhancement | Access Control | SIMP has a default administrators group (700) that users can be assigned to. Additional roles and groups are up to the implementations. Role changes are logged in the LDAP logs.
AC-3 | Access Enforcement | Access Control |
AC-3(2) | Access Enforcement Control Enhancement | Access Control |
Table 4.3, continued from previous page
AC-3(3) | Access Enforcement Control Enhancement | Access Control | DAC has been built into Unix for a long time and is expected to work. Implementations may want to check that user assignments to groups properly enforce DAC the way they expect. New as of SIMP 5.0 is the use of
18.
Control ID | Control Name | Control Family | SIMP Implementation Method
| Physical Access Control Control Enhancement | Physical and Environmental Protection |
PE-3(5) | Physical Access Control Control Enhancement | Physical and Environmental Protection |
PE-3(6) | Physical Access Control Control Enhancement | Physical and Environmental Protection |
PE-4 | Access Control for Transmission Medium | Physical and Environmental Protection |
PE-5 | Access Control for Output Devices | Physical and Environmental Protection |
PE-6 | Monitoring Physical Access | Physical and Environmental Protection |
PE-6(1) | Monitoring Physical Access Control Enhancement | Physical and Environmental Protection |
PE-6(2) | Monitoring Physical Access Control Enhancement | Physical and Environmental Protection |
PE-7 | Visitor Control | Physical and Environmental Protection |
PE-7(1) | Visitor Control Control Enhancement | Physical and Environmental Protection |
PE-7(2) | Visitor Control Control Enhancement | Physical and Environmental Protection |
PE-8 | Access Records | Physical and Environmental Protection |
PE-8(1) | Access Records Control Enhancement | Physical and Environmental Protection |
PE-8(2) | Access Records Control Enhancement | Physical and Environmental Protection |
PE-9 | Power Equipment and Power Cabling | Physical and Environmental Protection |
Table 4.4, continued from previous page
19.
SIMP bootstrap is scheduled to run. If this host is not autosigned by Puppet, sign your Puppet certs to begin bootstrap. Otherwise, it should already be running. Tail /root/puppet.bootstrap.log for details. Wait for completion and reboot.
To remove this message, delete /root/.bootstrap_msg" > /root/.bootstrap_msg
sed -i "2i if [ -f /root/.bootstrap_msg ]; then\n  cat /root/.bootstrap_msg\nfi" /root/.bashrc
source /root/.bashrc

# Enable the firstboot bootstrapping script
wget --no-check-certificate -O /etc/init.d/runpuppet http://$ksserver/ks/runpuppet
chmod 700 /etc/rc.d/init.d/runpuppet
chkconfig --add runpuppet
chkconfig --level 35 runpuppet on
%end

4.5.4 SIMP RPMs: Red Hat Enterprise Linux

Name | Source
BackupPC-3.2.1-10.SIMP-4.el6.x86_64.rpm | https://dl.bintray.com/simp/4.2.X-Ext/BackupPC-3.2.1-10.SIMP-4
Table 4.1, continued from previous page
activemq-5.9.1-2.el6.noarch.rpm | http://yum.puppetlabs.com/el/6/dependencies/x86_64/activemq-5
activemq-info-provider-5.9.1-2.el6.noarch.rpm | http://yum.puppetlabs.com/el/6/dependencies/x86_64/activemq-in
bitmap-console-fonts-0.3-15.el6.noarch.rpm | Red Hat Optional Repository
bitmap-fangsongti-fonts-0.3-15.el6.noarch.rpm | Red Hat Optional Repository
bitmap-fonts-compat-0.3-15.el6.noarch.rpm | Red Hat Optional Repository
20.
- pupmod-aide: Change the call to the rsyslog init script to the service command to seamlessly support both RHEL6 and RHEL7.
- pupmod-apache: Remove the apache_version fact and simply use the version controls built into the Apache configuration language. Update all custom functions to properly scope definitions. Ensure that mod_ldap is installed in SIMP > 5.0.
- pupmod-simp-apache: Prevent apache from restarting after downloading a CRL.
- pupmod-clamav: Change the call to the rsyslog init script to the service command to seamlessly support both RHEL6 and RHEL7.
- pupmod-common: Deprecated. Replaced by pupmod-simplib.
- pupmod-simplib: Updated to fix regression with CCE-4241-6. Single user mode is now properly password protected. Fixed the secure_mountpoints code so that it no longer incorrectly bind mounts /tmp or /var/tmp. We no longer supply crontab or anacrontab in global_etcd. Remove dynamic_swappiness cron job if a static value is set. Ensure that the passgen function fails on invalid scenarios; this prevents the accidental creation of empty passwords. Allow the value 2 to be used for rp_filter in simplib::sysctl. Added ability to return remote IP addrs.
- pupmod-dhcp: Change the call to the rsyslog init script to the service command to seamlessly support both RHEL6 and RHEL7.
- pupmod-iptables: Fixed
21.
ipv6
irqbalance
krb5-workstation
libaio
libutempter
logrotate
logwatch
lsof
lsscsi
mdadm
microcode_ctl
mutt
net-snmp
net-tools
netlabel_tools
ntp
openssh-clients
openssh-server
pam_krb5
pam_pkcs11
pciutils
psacct
quota
redhat-lsb
rpm
rsync
rsyslog
smartmontools
sssd
stunnel
subversion
sudo
sysstat
tcp_wrappers
tmpwatch
unzip
usbutils
vim-enhanced
vlock
wget
which
zip
# Puppet stuff
rsync
facter
puppet
# In case of broken repo, these should be installed
hdparm
kbd
libhugetlbfs
policycoreutils
prelink
rootfiles
selinux-policy-targeted
setserial
sysfsutils
udftools
# Don't install these
-rhn-check
-rhn-setup
-rhnsd
-subscription-manager
-yum-rhn-plugin
%end

%pre
ksserver="KSSERVER"
wget -O /tmp/diskdetect.sh http://$ksserver/ks/diskdetect.sh
chmod 750 /tmp/diskdetect.sh
/tmp/diskdetect.sh
wget -O /tmp/repodetect.sh http://$ksserver/ks/repodetect.sh
chmod 750 /tmp/repodetect.sh
/tmp/repodetect.sh 7 $ksserver
%end

%post
ostype="LINUXDIST"
if [ "$ostype" = "CentOS" ]; then
  sed -i '/enabled/d' /etc/yum.repos.d/CentOS-Base.repo
  sed -i 'a enabled=0' /etc/yum.repos.d/CentOS-Base.repo
fi
ksserver="KSSERVER"
# Notify users that bootstrap will run on firstboot
echo "Welcome to SIMP! If this is firstboot,
22.
space on /var to keep your defined number of days worth of logs. As you grow your Elasticsearch cluster to handle increasing log loads, you will want to ensure that your keep_days is set to handle your entire cluster appropriately.

Note: You should have at least 4G of memory available on any Elasticsearch node.

Important: You should NOT install Logstash, Elasticsearch, nor Kibana on your Puppet master. There will likely be conflicts with Apache and resource limitations.

3.11.7 Logstash Module: Recommended SIMP Setup

The following example manifest can be applied to a single host with a large /var volume and 4GB of memory. Add these settings to only your Logstash node.

apache::ssl::sslverifyclient: "%{hiera('kibana::ssl_verify_client')}"
kibana::redirect_web_root: true
kibana::ssl_allowroot: "%{hiera('client_nets')}"
kibana::ssl_verify_client: 'none'
# You can add more groups under ldap_groups if you want others to be able to
# access your Kibana instance. Remember: whitespace matters!
kibana::method_acl:
  method:
    ldap:
      enable: true
  limits:
    users:
      valid-user: defaults
    ldap_groups:
      'cn=administrators,ou=Group,dc=your,dc=domain': defaults
logstash::simp::keep_days: 30
elasticsearch::simp::manage_httpd: 'conf'
classes:
  - 'logstash::simp'
  - 'kibana'

In the case of the Elasticsearch node setup below, it may be better to use a group match to pull your Hiera settings. To do
23.
the PAM settings are enforced on top of the LDAP settings for two layers of control. Due to this partnership, items such as account lockouts may need to be reset on both the local system and the LDAP server. If the suggested settings in the SIMP-provided default Lightweight Directory Interchange Format (LDIF) files are not used, implementations must ensure that security is maintained through manual procedures.

Use of group accounts for users is strongly discouraged. System services may need to have accounts, but all of these should be managed by Puppet using the user and group native types.

4.2.3 Device Identification and Authentication

Devices are identified by a Media Access Control (MAC) address prior to receiving an IP address via the Dynamic Host Configuration Protocol (DHCP). In the default SIMP architecture, IP addresses are fixed mappings to their associated MAC address (i.e., not assigned dynamically). There is no authentication for the binding of MAC addresses to IP addresses due to the nature of the DHCP protocol. Device authentication occurs through the mapping of the MAC to the IP through the internally controlled DHCP, and the mapping of the IP to the host name through the internally controlled Domain Name System (DNS) service, for each individual Puppet client. After kickstart, each client system generates an internal cryptographic identifier and communicates that information with the Puppet server to be approved by an administrator at
24.
-w /etc/resolv.conf -p wa -k CFG_sys
-w /etc/nsswitch.conf -p wa -k CFG_sys
-w /etc/host.conf -p wa -k CFG_sys
-w /etc/krb5.conf -p wa -k CFG_sys
-w /etc/initlog.conf -p wa -k CFG_sys
-w /etc/default -p wa -k CFG_sys
-w /lib/firmware/microcode.dat -p wa -k CFG_sys
-w /etc/fstab -p wa -k CFG_sys
-w /etc/hosts.allow -p wa -k CFG_sys
-w /etc/hosts.deny -p wa -k CFG_sys
-w /etc/exports -p wa -k CFG_sys
-w /etc/yum.conf -p wa -k yum_config
-w /etc/yum.repos.d -p wa -k yum_config
-a exit,always -F arch=b32 -S ptrace -k paranoid
-a exit,always -F arch=b64 -S ptrace -k paranoid
-a always,exit -F arch=b32 -S personality -k paranoid
-a always,exit -F arch=b64 -S personality -k paranoid
-w /etc/aide.conf -p wa -k CFG_aide
-w /etc/aide.conf.d/default.aide -p wa -k CFG_aide
-w /etc/rc.d/init.d/auditd -p wa -k auditd
-w /var/log/audit.log -p wa -k audit_logs
-w /etc/pam_ldap.conf -p a -k CFG_etc_ldap
-w /etc/ntp.conf -p wa -k CFG_ntp
-w /etc/ntp/keys -p wa -k CFG_ntp
-w /etc/ntp/ntpservers -p wa -k CFG_ntp
-w /etc/pki/private -p wa -k PKI
-w /etc/pki/public -p wa -k PKI
-w /etc/pki/cacerts -p wa -k PKI
-w /etc/pki/private/ws69.kw.awesome.sauce.pem -p wa -k PKI
-w /etc/pki/public/ws69.kw.awesome.sauce.pub -p wa -k PKI
-w /var/log/audit.log.1 -p rwa -k audit_logs
-w /var/log/audit.log.2 -p rwa -k audit_logs
-w /var/log/audit.log.3 -p rwa -k audit_logs
25.
Name | Source
...1.1.0.el6.noarch.rpm | https://dl.bintray.com/simp/4.2.X-Ext/elasticsearch-curator-1.1
es2unix-1.6.1-0.el6.noarch.rpm | https://dl.bintray.com/simp/4.2.X-Ext/es2unix-1.6.1-0.el6.noarch
facter-2.4.1-1.el6.x86_64.rpm | http://yum.puppetlabs.com/el/6/products/x86_64/facter-2.4.1-1.el
fping-2.4b2-10.el6.x86_64.rpm | http://mirror.symnds.com/distributions/fedora-epel/6/x86_64/fping
freeradius-ldap-2.2.6-4.el6.x86_64.rpm | Red Hat Base Repository
freeradius-utils-2.2.6-4.el6.x86_64.rpm | Red Hat Base Repository
ganglia-3.7.1-2.el6.x86_64.rpm | http://mirror.symnds.com/distributions/fedora-epel/6/x86_64/gang
ganglia-devel-3.7.1-2.el6.x86_64.rpm | http://mirror.symnds.com/distributions/fedora-epel/6/x86_64/gang
ganglia-gmetad-3.7.1-2.el6.x86_64.rpm | http://mirror.symnds.com/distributions/fedora-epel/6/x86_64/gang
ganglia-gmond-3.7.1-2.el6.x86_64.rpm | http://mirror.symnds.com/distributions/fedora-epel/6/x86_64/gang
ganglia-gmond-python-3.7.1-2.el6.x86_64.rpm | http://mirror.symnds.com/distributions/fedora-epel/6/x86_64/gang
glibc-2.12-1.166.el6_7.1.x86_64.rpm | Red Hat Updates Repository
glibc-common-2.12-1.166.el6_7.1.x86_64.rpm | Red Hat Updates Repository
glibc-devel-2.12-1.166.el6_7.1.x86_64.rpm | Red Hat Updates Repository
glibc-devel-2.12-1.166.el6_7.1.i686.rpm | Red Hat Updates Repository
glibc-headers-2.12-1.166.el6_7.1.x86_64.rpm | Red Hat Updates Reposit
26. ...1503 RPMs

- Facter upgraded to 2.4
- PuppetDB upgraded to 2.3.8

3.16.7 Fixed Bugs

- pupmod-aide: Change the call to the rsyslog init script to the service command to seamlessly support both RHEL6 and RHEL7.
- pupmod-apache: Remove the apache_version fact and simply use the version controls built into the Apache configuration language. Update all custom functions to properly scope definitions. Ensure that mod_ldap is installed in SIMP >= 5.0.

Chapter 3 SIMP User Guide. SIMP Documentation, Release 0.0

- pupmod-simp-apache: Prevent apache from restarting after downloading a CRL.
- pupmod-clamav: Change the call to the rsyslog init script to the service command to seamlessly support both RHEL6 and RHEL7.
- pupmod-common: Deprecated. Replaced by pupmod-simplib.
- pupmod-simplib: Updated to fix regression with CCE-4241-6; single user mode is now properly password protected. Fixed the secure_mountpoints code so that it no longer incorrectly bind mounts /tmp or /var/tmp. We no longer supply crontab or anacrontab in global_etcd. Remove the dynamic_swappiness cron job if a static value is set. Ensure that the passgen function fails on invalid scenarios; this prevents the accidental creation of empty passwords. Allow the value 2 to be used for rp_filter in simplib::sysctl. Added the ability to return remote IP addrs.
- pupmod-dhcp: Change the call to the rsyslog init scrip
27. Name | Source (continued)

... | https://dl.bintray.com/simp/4.2.X-Ext/libyaml-devel-0.1.4-2.el6.x
logstash-1.4.2-1_2c0f5a1.noarch.rpm | https://download.elasticsearch.org/logstash/logstash/packages/cen
logstash-contrib-1.4.2-1_efd53ef.noarch.rpm | https://download.elastic.co/logstash/logstash/packages/centos/logs
mcollective-2.2.3-1.SIMP.1.el6.noarch.rpm | https://dl.bintray.com/simp/4.2.X-Ext/mcollective-2.2.3-1.SIMP.1
mcollective-client-2.2.3-1.SIMP.1.el6.noarch.rpm | https://dl.bintray.com/simp/4.2.X-Ext/mcollective-client-2.2.3-1.S
mcollective-common-2.2.3-1.SIMP.1.el6.noarch.rpm | https://dl.bintray.com/simp/4.2.X-Ext/mcollective-common-2.2.3
mcollective-filemgr-agent-1.0.1-1.noarch.rpm | http://yum.puppetlabs.com/el/6/products/x86_64/mcollective-filem
mcollective-filemgr-client-1.0.1-1.noarch.rpm | http://yum.puppetlabs.com/el/6/products/x86_64/mcollective-filem
mcollective-filemgr-common-1.0.1-1.noarch.rpm | http://yum.puppetlabs.com/el/6/products/x86_64/mcollective-filem
mcollective-iptables-agent-3.0.1-1.noarch.rpm | http://yum.puppetlabs.com/el/6/products/x86_64/mcollective-iptab
mcollective-iptables-client-3.0.1-1.noarch.rpm | http://yum.puppetlabs.com/el/6/products/x86_64/mcollective-iptab
mcollective-iptables-common-3.0.1-1.noarch.rpm | http://yum.puppetlabs.com/el/6/products/x86_64/mcollective-iptab
mcollective-logstash-audit-2.0.0-1.noarch.rpm | http://yum.puppetlabs.com/el/6/products/x86_64/mcollective-logs
mcollective-nrpe
28. Control ID | Control Name | Control Family | SIMP Implementation Method (continued)

CP-3(2) | Contingency Training Control Enhancement | Contingency Planning |
CP-4 | Contingency Plan Testing and Exercises | Contingency Planning |
CP-4(1) | Contingency Plan Testing and Exercises Control Enhancement | Contingency Planning |
CP-4(2) | Contingency Plan Testing and Exercises Control Enhancement | Contingency Planning |
CP-4(3) | Contingency Plan Testing and Exercises Control Enhancement | Contingency Planning |
CP-6 | Alternate Storage Site | Contingency Planning |
CP-6(1) | Alternate Storage Site Control Enhancement | Contingency Planning |
CP-6(2) | Alternate Storage Site Control Enhancement | Contingency Planning |
CP-6(3) | Alternate Storage Site Control Enhancement | Contingency Planning |
CP-7 | Alternate Processing Site | Contingency Planning |
CP-7(1) | Alternate Processing Site Control Enhancement | Contingency Planning |
CP-7(2) | Alternate Processing Site Control Enhancement | Contingency Planning |
CP-7(3) | Alternate Processing Site Control Enhancement | Contingency Planning |

4.5 Security Concepts Appendices

Table 4.5 (continued): Control ID | Control Name | Control Family | SIMP Implementation Method

CP-7(4) | Alternate Processing Site Control Enhancement | Contingency Planning |
CP-7(5) | Alternate Processing Site Control Enhancement | Contingency Planning |
CP-8 | Tel
29. Name | Source (continued)

...-45-2.el6.noarch.rpm | http://mirror.ash.fastserv.com/pub/linux/centos/6.7/os/x86_64/Pac
pssh-2.3.1-5.el6.noarch.rpm | http://mirror.cogentco.com/pub/linux/epel/6/x86_64/pssh-2.3.1-5
puppet-3.7.4-1.el6.noarch.rpm | http://yum.puppetlabs.com/el/6/products/x86_64/puppet-3.7.4-1.e
puppet-dashboard-1.2.23-1.el6.noarch.rpm | http://yum.puppetlabs.com/el/6/products/x86_64/puppet-dashboar
puppet-server-3.7.4-1.el6.noarch.rpm | http://yum.puppetlabs.com/el/6/products/x86_64/puppet-server-3
puppetdb-2.3.8-1.el6.noarch.rpm | http://yum.puppetlabs.com/el/6/products/x86_64/puppetdb-2.3.8
puppetdb-terminus-2.3.8-1.el6.noarch.rpm | http://yum.puppetlabs.com/el/6/products/x86_64/puppetdb-termin
puppetlabs-stdlib-4.5.1-2.20150121git7a91f20.el6.noarch.rpm | http://mirror.cogentco.com/pub/linux/epel/6/x86_64/puppetlabs-st
puppetserver-1.1.1-1.el6.noarch.rpm | http://yum.puppetlabs.com/el/6/products/x86_64/puppetserver-1.1
python-argparse-1.2.1-2.1.el6.noarch.rpm | http://mirror.5ninesolutions.com/centos/6.7/os/x86_64/Packages/p
python-backports-1.0-3.el6.x86_64.rpm | http://mirror.cogentco.com/pub/linux/epel/6/x86_64/python-backp
python-backports-ssl_match_hostname-3.4.0.2-2.el6.noarch.rpm | http://mirror.5ninesolutions.com/centos/6.7/os/x86_64/Packages/p
python-elasticsearch-1.2.0-0.el6.noarch.rpm | https://dl.bintray.com/simp/4.2.X-Ext/python-elasticsearch-1.2.0
python-importlib-1.0.2-1.e
30. Table 4.5 (continued): Control ID | Control Name | Control Family | SIMP Implementation Method

SI-7(4) | Software and Information Integrity Control Enhancement | System and Information Integrity |
SI-8 | Spam Protection | System and Information Integrity |
SI-8(1) | Spam Protection Control Enhancement | System and Information Integrity |
SI-8(2) | Spam Protection Control Enhancement | System and Information Integrity |
SI-9 | Information Input Restrictions | System and Information Integrity |
SI-10 | Information Input Validation | System and Information Integrity |
SI-11 | Error Handling | System and Information Integrity |
SI-13 | Predictable Failure Prevention | System and Information Integrity |
SI-13(1) | Predictable Failure Prevention Control Enhancement | System and Information Integrity |
SI-13(2) | Predictable Failure Prevention Control Enhancement | System and Information Integrity |
SI-13(3) | Predictable Failure Prevention Control Enhancement | System and Information Integrity |
SI-13(4) | Predictable Failure Prevention Control Enhancement | System and Information Integrity |

Control ID | Control Name | Control Family | SIMP Implementation Method

CA-1 | Security Assessment and Se
31. Name | Source (continued)

... | http://yum.puppetlabs.com/el/6/dependencies/x86_64/rubygem-rd
rubygem-ronn-0.7.3-1.el6.noarch.rpm | http://yum.puppetlabs.com/el/6/dependencies/x86_64/rubygem-ro
rubygem-stomp-1.3.2-1.el6.noarch.rpm | http://yum.puppetlabs.com/el/6/dependencies/x86_64/rubygem-st
rubygem-stomp-doc-1.3.2-1.el6.noarch.rpm | http://yum.puppetlabs.com/el/6/dependencies/x86_64/rubygem-st
scap-security-guide-0.1.21-3.el6.noarch.rpm | Red Hat Base Repository
sendmail-milter-8.14.4-9.el6.x86_64.rpm | http://mirror.netdepot.com/centos/6.7/os/x86_64/Packages/sendm
hiera-3.0.2-1.el6.noarch.rpm | https://dl.bintray.com/simp/4.2.X-Ext/hiera-3.0.2-1.el6.noarch.rp

Chapter 4 SIMP Security Concepts

Table 4.1 (continued): Name | Source

simp-lastbind-2.4.23-0.x86_64.rpm | https://dl.bintray.com/simp/4.2.X-Ext/simp-lastbind-2.4.23-0.x86_
simp-ppolicy-check-password-2.4.39-0.el6.x86_64.rpm | https://dl.bintray.com/simp/4.2.X-Ext/simp-ppolicy-check-passwo
sudosh2-1.0.2-2.el6.x86_64.rpm | https://dl.bintray.com/simp/4.2.X-Ext/sudosh2-1.0.2-2.el6.x86_64
syslinux-tftpboot-4.04-3.el6.noarch.rpm | Red Hat Base Repository
tanukiwrapper-3.5.9-1.el6.x86_64.rpm | http://yum.puppetlabs.com/el/6/dependencies/x86_64/tanukiwrap
trousers-0.3.13-2.el6.x86_64.rpm | Red Hat Base Repository
voms-2.0.12-3.el6.x86_64.rpm | http://mirror.symnds.com/distributions/fedora
32. Audit rules (auditd, continued)

-w /etc/sudoers -p wa -k CFG_sys

# Generally good things to audit
-w /var/spool/at -p wa -k CFG_sys
-w /etc/at.deny -p wa -k CFG_sys
-w /etc/cron.deny -p wa -k CFG_cron
-w /etc/cron.d -p wa -k CFG_cron
-w /etc/cron.daily -p wa -k CFG_cron
-w /etc/cron.hourly -p wa -k CFG_cron
-w /etc/cron.monthly -p wa -k CFG_cron
-w /etc/cron.weekly -p wa -k CFG_cron
-w /etc/crontab -p wa -k CFG_cron
-w /etc/anacrontab -p wa -k CFG_cron
-w /etc/login.defs -p wa -k CFG_sys
-w /etc/securetty -p wa -k CFG_sys
-w /etc/shells -p wa -k CFG_shell
-w /etc/profile -p wa -k CFG_shell
-w /etc/bashrc -p wa -k CFG_shell
-w /etc/csh.cshrc -p wa -k CFG_shell
-w /etc/csh.login -p wa -k CFG_shell
-w /etc/sysconfig -p wa -k CFG_sys
-w /etc/inittab -p wa -k CFG_sys
-w /etc/rc.d/init.d -p wa -k CFG_sys
-w /etc/rc.local -p wa -k CFG_sys
-w /etc/rc.sysinit -p wa -k CFG_sys
-w /etc/xinetd.d -p wa -k CFG_sys
-w /etc/ld.so.conf -p wa -k CFG_sys
-w /etc/ld.so.conf.d -p wa -k CFG_sys
-w /etc/sysctl.conf -p wa -k CFG_sys
-w /etc/modprobe.d/00_simp_blacklist.conf -p wa -k CFG_sys
-w /etc/modprobe.conf.d -p wa -k CFG_sys
-w /etc/pam.d -p wa -k CFG_pam
-w /etc/pam_smb.conf -p wa -k CFG_pam
-w /etc/aliases -p wa -k CFG_sys
-w /etc/ssh/sshd_config -p wa -k CFG_sys
-w /etc/issue -p wa -k CFG_sys
-w /etc/issue.net -p wa -k CFG_sys
-w /etc/snmp/snmpd.conf -p wa -k CFG_sys
33. Index (continued)

..., 99
Command Line Interface, 34, 99
Community Enterprise Operating System, 34, 99
CPU, 34, 99

D
DHCP, 34, 99
DNS, 34, 99
Domain Name System, 34, 99
Dynamic Host Configuration Protocol, 34, 99

E
ENC, 34, 99
External Node Classifier, 34, 99

F
Federal Information Processing Standard, 34, 99
FIPS, 34, 99
FQDN, 34, 100
Fully Qualified Domain Name, 34, 100

G
Graphical User Interface, 34, 100
GUI, 34, 100

H
Hard Disk Drive, 34, 100
HDD, 34, 100
Hiera, 34, 100

Internet Protocol 6 Tables, 34, 100
Internet Protocol Address, 34, 100
Internet Protocol Tables, 34, 100
IP, 34, 100
IP Address, 34, 100
IP6Tables, 34, 100
IPTables, 34, 100

K
Kerberos, 35, 100
Key Distribution Center, 35, 100

L
LDAP, 35, 100
Lightweight Directory Access Protocol, 35, 100

M
MAC, 35, 100
MAC Address, 35, 100
Media Access Control, 35, 100
Media Access Control Address, 35, 100

N
NAT, 35, 100
Network Address Translation, 35, 100
Network File System, 35, 100
NFS, 35, 100

P
PAM, 35, 100
Parallel Secure Shell, 35, 101
PEM, 35, 100
PERL, 35, 100
PKI, 35, 101
Pluggable Authentication Modules, 35, 100
Practical Extraction and Report Language, 35, 100
Preboot Execution Environment, 35, 101
Privacy Enhanced Mail, 35, 100
PSSH, 35, 101
Public Key Infrastructure, 35, 101
Puppet, 35, 101
PXE, 35, 101

R
RAM, 35, 101
Random Access Memory, 35, 101
R
34. ...AIDE, which is triggered by a cron job. AIDE logs any detected file changes in syslog. Each implementation may add additional files that are managed by Puppet or watched by AIDE. The AIDE baseline database is updated periodically to handle the installation and updating of system RPMs and to reduce false positives. (SI-7, SI-7(1), SI-7(2), SI-7(4))

4.3.2 Remote Maintenance

Remote maintenance can be performed on SIMP using SSH. Local maintenance can be performed at the console or via serial port, if available. SSH sessions are tracked and logged using the security features built into SIMP. Console access requires someone to have access to the physical or virtual console along with the root password. Auditing of those actions also occurs in accordance with the configured audit policy. It is up to the implementation to decide how to distribute authentication information for remote maintenance. (MA-4, MA-4(1), MA-6)

4.3.3 Incident Response

While Puppet is not intended to be a security product primarily, its features help provide security functionality such as dynamic reconfigurations and wide-scale, consistent mitigation application. If an implementation chooses, they can leverage Puppet's ability to reconfigure systems as part of incident response. (IR)

4.3.4 Contingency Planning

SIMP does not provide any direct support for contingency planning. Some of the mechanisms pro
35. Control ID | Control Name | Control Family | SIMP Implementation Method (continued)

AT-4 | Security Training Records | Awareness and Training |
AT-5 | Contacts with Security Groups and Associations | Awareness and Training |
CM-1 | Configuration Management Policy and Procedures | Configuration Management |
CM-2 | Baseline Configuration | Configuration Management | SIMP has strictly enforced version control during development. The baseline files for SIMP are kept and maintained in a git repository. Files are packaged and a series of auto tests are performed on each release. Once released, there is a version number associated for distribution. Additionally, custom puppet modules are in the form of RPMs and have version numbers associated with them. All documentation is also built with source code.

Table 4.4 (continued): Control ID | Control Name | Control Family | SIMP Implementation Method

CM-2(1) | Baseline Configuration Control Enhancement | Configuration Management |
CM-2(2) | Baseline Configuration Control Enhancement | Configuration Management | SIMP has strictly enforced version control during development. The baseline files for SIMP are kept and maintained in a git repository. Files are packaged and a series of auto tests are performed on the release. Once released, there is a version number associated for distribution. All documentation is also
36. Control ID | Control Name | Control Family | SIMP Implementation Method (continued)

CP-4(3) | Contingency Plan Testing and Exercises Control Enhancement | Contingency Planning |
CP-6 | Alternate Storage Site | Contingency Planning |

Table 4.4 (continued): Control ID | Control Name | Control Family | SIMP Implementation Method

CP-6(1) | Alternate Storage Site Control Enhancement | Contingency Planning |
CP-6(2) | Alternate Storage Site Control Enhancement | Contingency Planning |
CP-6(3) | Alternate Storage Site Control Enhancement | Contingency Planning |
CP-7 | Alternate Processing Site | Contingency Planning |
CP-7(1) | Alternate Processing Site Control Enhancement | Contingency Planning |
CP-7(2) | Alternate Processing Site Control Enhancement | Contingency Planning |
CP-7(3) | Alternate Processing Site Control Enhancement | Contingency Planning |
CP-7(4) | Alternate Processing Site Control Enhancement | Contingency Planning |
CP-7(5) | Alternate Processing Site Control Enhancement | Contingency Planning |
CP-8 | Telecommunications Services | Contingency Planning |
CP-8(1) | Telecommunications Services Control Enhancement | Contingency Planning |
CP-8(2) | Telecommunications Services Control Enhancement | Contingency Planning |
CP-8(3) | Telecommunications Services Control Enhancement | Contingency Planning |
CP-8(4) | Telecommunications | Contin
37. 3.15 SIMP RPMs

Table 3.1 (continued): Name | Version | Default

pupmod-libvirt | 4.1.0-15 | false
pupmod-logrotate | 4.1.0-2 | true
pupmod-mcafee | 4.1.0-2 | false
pupmod-mozilla | 4.1.0-1 | false
pupmod-multipathd | 4.1.0-2 | false
pupmod-named | 4.2.0-6 | true
pupmod-network | 4.1.0-4 | true
pupmod-nfs | 4.1.0-12 | false
pupmod-nscd | 5.0.0-4 | true
pupmod-ntpd | 4.1.0-8 | true
pupmod-oddjob | 1.0.0-1 | false
pupmod-onyxpoint-gpasswd | 1.0.0-1 | true
pupmod-openldap | 4.1.1-3 | true
pupmod-openscap | 4.2.0-2 | false
pupmod-pam | 4.1.0-12 | true
pupmod-pam | 4.1.0-11 | true
pupmod-pki | 4.1.0-4 | true
pupmod-polkit | 4.1.0-1 | false
pupmod-postfix | 4.1.0-4 | true
pupmod-pupmod | 6.0.0-19 | true
pupmod-puppetlabs-apache | 1.0.1-2 | false
pupmod-puppetlabs-inifile | 1.2.0-1 | true
pupmod-puppetlabs-java | 1.2.0-0 | false
pupmod-puppetlabs-java_ks | 1.2.0-1 | false
pupmod-puppetlabs-mysql | 2.2.3-1 | false
pupmod-richardc-datacat | 0.6.1-0 | false
pupmod-rsync | 4.2.0-2 | true
pupmod-rsyslog | 5.0.0-0 | true
pupmod-saz-memcached | 4.0.0-2 | false
pupmod-selinux | 1.0.0-4 | true
pupmod-simp | 1.1.0-4 | true
pupmod-simp | 1.1.0-3 | true
pupmod-simp-activemq | 2.0.0-0 | false
pupmod-simp-elasticsearch | 2.0.0-3 | false
pupmod-simp-kibana | 3.0.1-3 | false
pupmod-simp-logstash | 1.0.0-6 | false
pupmod-simp-mcollective | 2.0.0-0 | false
pu
38. Control ID | Control Name | Control Family | SIMP Implementation Method (continued)

... | ...Control Enhancement | Access Control | This control is only met by defining all connections that SIMP allows internally and externally. For now, since this is a remote access control, it should suffice to continue to note that the only remote access protocol allowed by default is SSH.
AC-18 | Wireless Access | Access Control |
AC-18(1) | Wireless Access Control Enhancement | Access Control |
AC-18(2) | Wireless Access Control Enhancement | Access Control |
AC-18(3) | Wireless Access Control Enhancement | Access Control |
AC-18(4) | Wireless Access Control Enhancement | Access Control |
AC-18(5) | Wireless Access Control Enhancement | Access Control |
AC-19 | Access Control for Mobile Devices | Access Control |
AC-19(1) | Access Control for Mobile Devices Control Enhancement | Access Control |
AC-19(2) | Access Control for Mobile Devices Control Enhancement | Access Control |
AC-19(3) | Access Control for Mobile Devices Control Enhancement | Access Control |
AC-19(4) | Access Control for Mobile Devices Control Enhancement | Access Control |
AC-20 | Use of External Information Systems | Access Control |

Table 4.3 (continued): Control ID | Control Name | Control Family | SIMP Implementation Method

AC-20(1) | Use of External Information Systems Control Enhancement | Access Control |
AC-20(2) | Use of Ex
39. ...-D "cn=LDAPAdmin,ou=People,dc=your,dc=domain" -f <ldif_file>

Removing Users from a Group

To remove users from a group, add the following information to the /root/ldifs/<ldif File> file. Replace the information below within <> with the installed system's information.

Example ldif to remove a user from a group:

dn: cn=<Group Name>,ou=Group,dc=your,dc=domain
changetype: modify
delete: memberUid
memberUid: <UID1>
memberUid: <UID2>
memberUid: <UIDX>

Type: ldapmodify -Z -x -W -D "cn=LDAPAdmin,ou=People,dc=your,dc=domain" -f <ldif_file>

Updating an SSH Public Key

To update an SSH public key, add the following information to the /root/ldifs/<ldif File> file. Replace the information below within <> with the installed system's information.

Example ldif to update an SSH public key:

dn: uid=<User UID>,ou=People,dc=your,dc=domain
changetype: modify
replace: sshPublicKey
sshPublicKey: <User OpenSSH Public Key>

Type: ldapmodify -Z -x -W -D "cn=LDAPAdmin,ou=People,dc=your,dc=domain" -f <ldif_file>

Forcing a Password Reset

To force a password reset, add the following information to the /root/ldifs/<ldif File> file. Replace the information below within <> with the installed sys
40. Default Files Watched by AIDE

/boot NORMAL
/bin NORMAL
/sbin NORMAL
/lib NORMAL
/opt NORMAL
/usr NORMAL
/root NORMAL
!/usr/src
!/usr/tmp
/etc PERMS
!/etc/mtab
/etc/exports NORMAL
/etc/fstab NORMAL
/etc/passwd NORMAL
/etc/group NORMAL
/etc/gshadow NORMAL
/etc/shadow NORMAL
/etc/security/opasswd NORMAL
/etc/hosts.allow NORMAL
/etc/hosts.deny NORMAL
/etc/sudoers NORMAL
/etc/skel NORMAL
/etc/logrotate.d NORMAL
/etc/resolv.conf DATAONLY
/etc/nscd.conf NORMAL
/etc/securetty NORMAL
/etc/profile NORMAL
/etc/bashrc NORMAL
/etc/bash_completion.d NORMAL
/etc/login.defs NORMAL
/etc/zprofile NORMAL
/etc/zshrc NORMAL
/etc/zlogin NORMAL
/etc/zlogout NORMAL
/etc/profile.d NORMAL
/etc/X11 NORMAL
/etc/yum.conf NORMAL
/etc/yumex.conf NORMAL
/etc/yumex.profiles.conf NORMAL
/etc/yum NORMAL
/etc/yum.repos.d NORMAL
/var/log LOG
!/var/log/sa
!/var/log/aide/aide.log
!/var/log/aide/aide.report
/etc/audit LSPP
/etc/libaudit.conf LSPP
/usr/sbin/stunnel LSPP
/var/spool/at LSPP
/etc/at.allow LSPP
/etc/at.deny LSPP
/etc/cron.allow LSPP
/etc/cron.deny LSPP
/etc/cron.d LSPP
/etc/cron.daily LSPP
/etc/cron.hourly LSPP
/etc/cron.monthly LSPP
/etc/cron.weekly LSPP
/etc/crontab LSPP
/var/spool/cron/root LSPP
/etc/login.defs LSPP
/etc/securetty LSPP
/var/log/faillog LSPP
/var/log/lastlog LSPP
/et
41. Name | Source (continued)

... | https://dl.bintray.com/simp/4.2.X-Ext/pdsh-mod-netgroup-2.28-0
pdsh-rcmd-exec-2.28-0.x86_64.rpm | https://dl.bintray.com/simp/4.2.X-Ext/pdsh-rcmd-exec-2.28-0.x86
pdsh-rcmd-ssh-2.28-0.x86_64.rpm | https://dl.bintray.com/simp/4.2.X-Ext/pdsh-rcmd-ssh-2.28-0.x86_
perl-Archive-Zip-1.30-2.el6.noarch.rpm | Red Hat Base Repository
perl-Crypt-DES-2.05-9.el6.x86_64.rpm | http://mirror.symnds.com/distributions/fedora-epel/6/x86_64/perl
perl-DateTime-Format-DateParse-0.05-4.el6.noarch.rpm | http://mirror.symnds.com/distributions/fedora-epel/6/x86_64/perl
perl-DateTime-Format-Mail-0.3001-6.el6.noarch.rpm | Red Hat Base Repository
perl-DateTime-Format-W3CDTF-0.04-8.el6.noarch.rpm | Red Hat Base Repository
perl-File-RsyncP-0.72-1.el6.x86_64.rpm | http://mirror.symnds.com/distributions/fedora-epel/6/x86_64/perl
perl-Math-Calc-Units-1.07-6.el6.noarch.rpm | http://mirror.symnds.com/distributions/fedora-epel/6/x86_64/perl
perl-Net-FTP-AutoReconnect-0.3-3.el6.noarch.rpm | http://mirror.symnds.com/distributions/fedora-epel/6/x86_64/perl
perl-Net-FTP-RetrHandle-0.2-3.el6.noarch.rpm | http://mirror.symnds.com/distributions/fedora-epel/6/x86_64/perl
perl-Net-SNMP-5.2.0-4.el6.noarch.rpm | http://mirror.symnds.com/distributions/fedora-epel/6/x86_64/perl
perl-Sort-Versions-1.5-12.el6.noarch.rpm | http://mirror.symnds.com/distributions/fedora-epel/6/x86_64/perl
perl-Time-modules-2006.08.14-5.el6.noarch.rpm | Red Hat Base Repo
42. ...Fixed reported bugs in syncrepl.pp. Removed all reliance on the lsb facts since some users do not wish to install the prerequisite RPMs for LSB compliance.

- pupmod-openscap: Change the call to the rsyslog init script to the service command to seamlessly support both RHEL6 and RHEL7. Changed the default ssg base path to /usr/share/xml/scap/ssg/content.
- pupmod-pam: Moved pam_mkhomedir to a higher position in the stack than pam_systemd. This resolves some issues that were occurring due to a missing home directory on initial login.
- pupmod-pam: Removed all reliance on the lsb facts since some users do not wish to install the prerequisite RPMs for LSB compliance.
- pupmod-pki: Now allow directories in the cacerts directories. This previously caused failures that needed to be manually addressed on each node.
- pupmod-rsync: Fixed the provider to run with dry run when puppet is run with --noop.
- pupmod-simp: Ensure that SSSD is used by default on EL7 systems since nscd and nslcd have functionality issues. Removed all reliance on the lsb facts since some users do not wish to install the prerequisite RPMs for LSB compliance.
- pupmod-ssh: Modernized the Ciphers, MACs and Kex. Added explicit cases for FIPS and non-FIPS mode as well as reasonable default cases for RHEL7 and below. Updated to use the new augeasproviders module dependencies. Added a function, ssh_format_host_entry_for_sorting, that will properly sor
43. Control ID | Control Name | Control Family | SIMP Implementation Method (continued)

... | Information Flow Enforcement Control Enhancement | Access Control |
AC-4(16) | Information Flow Enforcement Control Enhancement | Access Control |
AC-4(17) | Information Flow Enforcement Control Enhancement | Access Control |
AC-5 | Separation of Duties | Access Control |
AC-6 | Least Privilege | Access Control | SIMP was built using a minimalist approach. Only the services, applications, RPMs (and their dependencies) and network rules that are needed are implemented. Adding additional services, users or software is done using built-in RedHat/CentOS features or puppet. For example, services cannot be manually added without first registering them with puppet.
AC-6(1) | Least Privilege Control Enhancement | Access Control | File permissions and administrative functions are denied to users who are not administrators using Unix DAC. Roles can be defined by an implementation. Typically it's done using ldap groups and sudosh. Sudoers rules can be set for roles that need a limited set of commands/functions.

Table 4.3 (continued): Control ID | Control Name | Control Family | SIMP Implementation Method

AC-6(2) | Least Privilege Control Enhancement | Access Control | Direct remote root login is not allowed on SIMP. Users must a
44. Control ID | Control Name | Control Family | SIMP Implementation Method (continued)

... | ...Identification and Authentication Control Enhancement | Identification and Authentication |
IA-3(2) | Device Identification and Authentication Control Enhancement | Identification and Authentication |
IA-3(3) | Device Identification and Authentication Control Enhancement | Identification and Authentication | DHCP is used to statically define the IP addresses of each puppet client.
IA-4 | Identifier Management | Identification and Authentication | Local accounts expire 35 days after their passwords expire. There is no mechanism implemented to detect inactive LDAP accounts. Implementations might wish to mitigate this by regularly reviewing and removing unneeded accounts.
IA-4(1) | Identifier Management Control Enhancement | Identification and Authentication |
IA-4(2) | Identifier Management Control Enhancement | Identification and Authentication |
IA-4(3) | Identifier Management Control Enhancement | Identification and Authentication |

Table 4.3 (continued): Control ID | Control Name | Control Family | SIMP Implementation Method

IA-4(4) | Identifier Management Control Enhancement | Identification and Authentication |
IA-4(5) | Identifier Management Control Enhancement | Identification and Authentication |
IA-5 | Authenticator Management | Identification and Authentication | Authenticator strength is en
45. Control ID | Control Name | Control Family | SIMP Implementation Method (continued)

... | Incident Handling Control Enhancement | Incident Response |
IR-4(5) | Incident Handling Control Enhancement | Incident Response |
IR-5 | Incident Monitoring | Incident Response |
IR-5(1) | Incident Monitoring Control Enhancement | Incident Response |
IR-6 | Incident Reporting | Incident Response |
IR-6(1) | Incident Reporting Control Enhancement | Incident Response |
IR-6(2) | Incident Reporting Control Enhancement | Incident Response |

Table 4.5 (continued): Control ID | Control Name | Control Family | SIMP Implementation Method

IR-7 | Incident Response Assistance | Incident Response |
IR-7(1) | Incident Response Assistance Control Enhancement | Incident Response |
IR-8 | Incident Response Plan | Incident Response |
MA-1 | System Maintenance Policy and Procedures | Maintenance |
MA-2 | Controlled Maintenance | Maintenance |
MA-2(1) | Controlled Maintenance Control Enhancement | Maintenance |
MA-2(2) | Controlled Maintenance Control Enhancement | Maintenance |
MA-3 | Maintenance Tools | Maintenance |
MA-3(1) | Maintenance Tools Control Enhancement | Maintenance |
MA-3(2) | Maintenance Tools Control Enhancement | Maintenance |
MA-3(3) | Maintenance Tools Control Enhancement | Maintenance |
MA-3(4) | Maintenance Tools Control Enhancement | Maintenance |
MA-4 | Non-Local Maintenance | Maintenance | Remote maintenance can be performed
46. Control ID | Control Name | Control Family | SIMP Implementation Method (continued)

... | ...MAC. All stock SIMP modules work with MAC enabled. It's up to each implementation to ensure their applications and modules are made to work with MAC enabled.
AC-3(4) | Access Enforcement Control Enhancement | Access Control | DAC has been built into Unix for a long time and is expected to work. Implementations may want to check that user assignments to groups properly enforce DAC the way they expect.
AC-3(5) | Access Enforcement Control Enhancement | Access Control | SIMP implements file permissions per the SCAP Security Guide (SSG) RHEL7 guidance. There are some exceptions of file permissions being more or less restrictive than the guide. Mitigations and responses to those variances will be published once final RHEL7 SCAP content is available.
AC-3(6) | Access Enforcement Control Enhancement | Access Control |

Table 4.3 (continued): Control ID | Control Name | Control Family | SIMP Implementation Method

AC-4(1) | Information Flow Enforcement Control Enhancement | Access Control | IPTables enforces flow control to the puppet master and clients. The default rules allow the services needed for kickstart and puppet (and SSH, of course). IPTables is managed by puppet so that any user modifications t
47. Control ID | Control Name | Control Family | SIMP Implementation Method (continued)

... | Media Sanitization Control Enhancement | Media Protection |
MP-6(3) | Media Sanitization Control Enhancement | Media Protection |
MP-6(4) | Media Sanitization Control Enhancement | Media Protection |
MP-6(5) | Media Sanitization Control Enhancement | Media Protection |
MP-6(6) | Media Sanitization Control Enhancement | Media Protection |
PE-1 | Physical and Environmental Protection Policy and Procedures | Physical and Environmental Protection |
PE-2 | Physical Access Authorizations | Physical and Environmental Protection |

Table 4.4 (continued): Control ID | Control Name | Control Family | SIMP Implementation Method

PE-2(1) | Physical Access Authorizations Control Enhancement | Physical and Environmental Protection |
PE-2(2) | Physical Access Authorizations Control Enhancement | Physical and Environmental Protection |
PE-2(3) | Physical Access Authorizations Control Enhancement | Physical and Environmental Protection |
PE-3 | Physical Access Control | Physical and Environmental Protection |
PE-3(1) | Physical Access Control Control Enhancement | Physical and Environmental Protection |
PE-3(2) | Physical Access Control Control Enhancement | Physical and Environmental Protection |
PE-3(3) | Physical Access Control Control Enhancement | Physical and Environmental Protection |
PE-3(4)
48. Control ID | Control Name | Control Family | SIMP Implementation Method (continued)

... | Non-repudiation Control Enhancement | Audit and Accountability |
AU-10(3) | Non-repudiation Control Enhancement | Audit and Accountability |
AU-10(4) | Non-repudiation Control Enhancement | Audit and Accountability |
AU-10(5) | Non-repudiation Control Enhancement | Audit and Accountability |
AU-12(1) | Audit Generation Control Enhancement | Audit and Accountability |
AU-11 | Audit Record Retention | Audit and Accountability |
AU-12 | Audit Generation | Audit and Accountability | (a) Auditd provides the audit generation capability and is running on all SIMP systems by default. (b) The audit.rules file configures the events that are audited. (c) The audit.rules file applies the list of audit rules defined in the SIMP Security Concepts document.
AU-12(1) | Audit Generation Control Enhancement | Audit and Accountability | Auditd stamps audit records with the system time. The system time is obtained from a central time source and synchronized between SIMP systems.
AU-12(2) | Audit Generation Control Enhancement | Audit and Accountability | Auditd provides logging in standard formats. Additionally, logs that are sent through syslog adhere to that standard.
AU-13 | Monitoring For Information Disclosure | Audit and Accountability |
AU-14 | Session Audit | Audit and Accountability |
AU-14(1) | Session Audit Control Enhancement | Audit and Accountability | Sessions that use the sudo shell have all keystrokes recorded. Those sessions can be viewed in text format or replayed to the
49. Control ID | Control Name | Control Family | SIMP Implementation Method (continued)

PE-14(2) | Temperature and Humidity Controls Control Enhancement | Physical and Environmental Protection |
PE-15 | Water Damage Protection | Physical and Environmental Protection |
PE-15(1) | Water Damage Protection Control Enhancement | Physical and Environmental Protection |
PE-16 | Delivery and Removal | Physical and Environmental Protection |
PE-17 | Alternate Work Site | Physical and Environmental Protection |
PE-18 | Location of Information System Components | Physical and Environmental Protection |

Table 4.4 (continued): Control ID | Control Name | Control Family | SIMP Implementation Method

PE-18(1) | Location of Information System Components Control Enhancement | Physical and Environmental Protection |
PE-19 | Information Leakage | Physical and Environmental Protection |
SI-1 | System and Information Integrity Policy and Procedures | System and Information Integrity |
SI-2(1) | Flaw Remediation Control Enhancement | System and Information Integrity | Patches that are part of the software base for SIMP are tested within the development environment. There is automated testing that is constantly being extended to test more features. There are times that patches to the base operating system (CentOS or RedHat) are needed to resolve issues in SIMP. Those are also tested at build time but require ad
50. Control ID | Control Name | Control Family | SIMP Implementation Method (continued)

... | Information System Recovery and Reconstitution Control Enhancement | Contingency Planning |
CP-10(6) | Information System Recovery and Reconstitution Control Enhancement | Contingency Planning |
IR-1 | Incident Response Policy and Procedures | Incident Response |
IR-2 | Incident Response Training | Incident Response |
IR-2(1) | Incident Response Training Control Enhancement | Incident Response |
IR-2(2) | Incident Response Training Control Enhancement | Incident Response |
IR-3 | Incident Response Testing and Exercises | Incident Response |
IR-3(1) | Incident Response Testing and Exercises Control Enhancement | Incident Response |
IR-4 | Incident Handling | Incident Response |
IR-4(1) | Incident Handling Control Enhancement | Incident Response |
IR-4(2) | Incident Handling Control Enhancement | Incident Response | If an implementation chooses, they can leverage puppet's ability to reconfigure systems as part of incident response. While puppet is not intended to be a security product, its features can help provide security functionality such as dynamic reconfigurations.
IR-4(3) | Incident Handling Control Enhancement | Incident Response |

Table 4.4 (continued): Control ID | Control Name | Control Family | SIMP Implementation Method

IR-4(4) | Incident Handling Control Enhancement | Incident Response |
IR-4(5) | Incident
51. Chapter 4, SIMP Security Concepts (SIMP Documentation Release 0.0), Table 4.3 continued from previous page.
Control ID | Control Name | Control Family | SIMP Implementation Method
SC-12(5) | Cryptographic Key Establishment and Management Control Enhancement | System and Communications Protection |
SC-13 | Use of Cryptography | | The forms of cryptography used are applied through SSH, SSL, and TLS. Red Hat FIPS mode enabling is on the near-term horizon for SIMP. Once enabled, it will be documented here and should allow implementations to further explain how this control is being met. There are several unencrypted protocols used on the Puppet server: Apache, YUM, DHCPD, TFTP, and DNS. The Security Concepts document provides additional details on the default services and protocols that are used.
SC-13(1) | Use of Cryptography Control Enhancement | | The forms of cryptography used are applied through SSH, SSL, and TLS. There are several unencrypted protocols used on the Puppet server (Apache, YUM, DHCPD, TFTP, and DNS) that are documented in the Security Concepts document.
SC-13(2) | Use of Cryptography Control Enhancement | | The forms of cryptography used are applied through SSH, SSL, and TLS. There are several unencrypted protocols used on the Puppet server (Apache, YUM, DHCPD, TFTP, and DNS) that are documented in
52. ...SIMP makes every effort to address problems discovered by these tools. Some configuration settings will not align with tools, since the product was meant to be used for operational settings where some security features cause a loss in functionality. Implementations have the option of further hardening their system at the risk of losing some functionality.
Control ID | Control Name | Control Family | SIMP Implementation Method
RA-5(1) | Vulnerability Scanning Control Enhancement | Risk Assessment | SCAP Security Guide is the two primary tool used to check for suspected configuration errors. Puppet also continues to protect clients against unwanted changes.
RA-5(2) | Vulnerability Scanning Control Enhancement | Risk Assessment | SCAP Security Guide is the two primary tool used to check for suspected configuration errors. Puppet also continues to protect clients against unwanted changes.
RA-5(3) | Vulnerability Scanning Control Enhancement | Risk Assessment | Regular vulnerability scanning is performed during development of SIMP.
RA-5(4) | Vulnerability Scanning Control Enhancement | Risk Assessment | Part of the vulnerability scanning process determines what information can be determined by a malicious outside user.
RA-5(5) | Vulnerability Scanning Control Enhancement | Risk Assessment | The compliance tools require that privileged accounts be used to perform testing.
RA-5(6) | Vulnerability Scanning Control Enhancement | Risk Assessment | Con
53. ...There are access control enforcements that can be proven through tests on those controls. If this control is allocated to SIMP alone, it's unlikely it can be met. Since SIMP is the infrastructure that applications would use, showing that application users cannot access the SIMP environment is a better way to prove this control is met.
Control ID | Control Name | Control Family | SIMP Implementation Method
SC-3 | Security Function Isolation | System and Communications Protection | The spirit of this control is providing logical separation so that users are not able to access administrative functions. There is no notion of partitioning within SIMP. There are access control enforcements that can be proven through tests on those controls. If this control is allocated to SIMP alone, it's unlikely it can be met. Since SIMP is the infrastructure that applications would use, showing that application users cannot access the SIMP environment is a better way to prove this control is met.
SC-3(1) | Security Function Isolation Control Enhancement | System and Communications Protection |
SC-3(2) | Security Function Isolation Control Enhancement | System and Communications Protection |
SC-3(3) | Security Function Isolation Control Enhancement | System and Communications Protection |
SC-3(4) | Security Function Isolation Control Enhancement | System and Communications Protection |
SC-3(5) | Security Function Isolation Control Enhanc
54. ...a bug that would cause issues with Ruby 1.8.7. Fixed DNS resolution in IPv6. Prevent IPv6 ::1 spoofed addresses by default.
pupmod-simp-elasticsearch: Ensured that Elasticsearch works properly with the new version of Apache. Removed our default ES tuning, since the default works better for LogStash. Ensure that Puppet manages the Elasticsearch logging file.
pupmod-functions: Fixed sysv.rb to explicitly require puppet/util/selinux, which caused puppet describe to have errors.
pupmod-simp-logstash: Fix issues with both TCPWrappers and IPTables when used with LogStash.
pupmod-nfs: Updated the mountd port to be 20048 by default for SELinux issues in RHEL7.
pupmod-ntp: Updated against NTP Security Vulnerabilities (Red Hat Article 1305723). Ensure that restrict entries use DDQ format.
pupmod-openldap: The Password Policy overlay was getting loaded into the default ldif even if you didn't want to use it. This has been fixed. Made the password policy overlay align with the latest SIMP build of the plugin. This means that you must have version simp-ppolicy-check-password-2.4.39-0 or later available to the system being configured. Change the call to the rsyslog init script to the service command to seamlessly support both RHEL6 and RHEL7. Fixed reported bugs in syncrepl.pp. Removed all reliance on the lsb facts, since some users do not wish to install the prerequisite RPMs fo
55. ...a later time. All further communication between the Puppet server and the clients over the Puppet protocol is subsequently encrypted and authenticated with this identifier. Automatic approval can be set up in tightly controlled environments; however, this option is not suggested for open environments. (IA-3, IA-3(3))

4.2.4 Identifier Management
Managing user identifiers, also known as user names, involves administrative procedures that are unique for each implementation. Disabling unused local accounts is the only control that SIMP can enforce technologically. In this case, if an account has an expired password that has not been changed 35 days after expiration, the account will be disabled. If a user does not have a password (e.g., he or she only authenticates with SSH keys), then there is no inherent technological mechanism for enforcement, due to the nature of the software. (IA-4 e.)

4.2.5 Authenticator Management
Authenticators for users are passwords and/or SSH keys; the management of each is implementation specific. SSH keys do not expire; therefore, implementations must provide a procedure for removing invalid keys. Removing public keys from LDAP is one practical solution. When using passwords, local and LDAP passwords provided for users should be set to change at first log on. This is the default in the SIMP-provided LDIFs. Once a user attempts to change a password, the settings in PAM and LDAP enforce complexity requirements. By default, SI
57. ...an open source tool that provides a means for SIMP implementations to have logs and events collected, searched, and forwarded (filtered or unfiltered) to another host. SIMP comes with three separate but related modules. The modules are:
- Logstash: Installs the RPMs and configuration needed for log inputs, filters, and outputs.
- Kibana: Installs the RPMs and configuration needed for the Kibana 3 web interface.
- Elasticsearch: Installs the RPMs and configuration needed for Elasticsearch.

3.11.2 Logstash Architecture
The overall model for Logstash is very simple. It takes inputs from various sources, optionally applies filters, and outputs the results to a specified target. It's likely that you can already forward logs to Logstash and output them in a useful format as part of your existing architecture.
Logstash filters can manipulate logs after ingest and before output. Examples of existing filters include fixing logs to split or combine lines, adding fields, normalizing time stamps, and adding GeoIP fields. Depending on the type of log manipulation that is desired, there is likely a filter and associated documentation that already exists.

3.11.3 Logstash SIMP Architecture
Applying the SIMP Logstash, Elasticsearch, and Kibana modules provides an implementation with a functioning log reduction and search capability. Unless scale dictates otherwise, these three modules can easily be
58. ...and daemon junk. It clogs up the logs and doesn't do anyone any good.
-a exit,never -F auid=4294967295

# Ignore system services. In most guides this is tagged onto every rule, but that just makes for more processing time.
-a exit,never -F auid!=0 -F auid<500

# Unsuccessful file operations (CCE-26712-0, CCE-26651-0)
-a always,exit -F arch=b64 -S creat -S mkdir -S mknod -S link -S symlink -S mkdirat -S mknodat -F exit=-EACCES -k access
-a always,exit -F arch=b64 -S creat -S mkdir -S mknod -S link -S symlink -S mkdirat -S mknodat -F exit=-EPERM -k access
-a always,exit -F arch=b32 -S creat -S mkdir -S mknod -S link -S symlink -S mkdirat -S mknodat -F exit=-EACCES -k access
-a always,exit -F arch=b32 -S creat -S mkdir -S mknod -S link -S symlink -S mkdirat -S mknodat -F exit=-EPERM -k access
-a always,exit -F perm=a -F exit=-EACCES -k access
-a always,exit -F perm=a -F exit=-EPERM -k access

# Permissions auditing (CCE-26280-8, CCE-27173-4, CCE-27174-2, CCE-27175-9, CCE-27177-5, CCE-27178-3, CCE-27179-1, CCE-27180-9, CCE-27181-7, CCE-27182-5, CCE-27183-3, CCE-27184-1, CCE-27185-8)
-a always,exit -F arch=b64 -S chown -S fchmod -S fchmodat -S fchown -S fchownat
-a always,exit -F arch=b32 -S chown -S fchmod -S fchmodat -S fchown -S fchownat

# Audit useful items that someone does when su-ing to root (things like cron as well)
59. ...applied to a single host. The intent of providing Logstash in SIMP is to replace the default Rsyslog server with a capability that is easier to search and analyze over time. Once your Logstash server is set up, you simply need to direct your hosts to forward logs to your Logstash server. In a default SIMP configuration this can be done by setting the log_server variable in Hiera.
Note: SIMP does NOT apply any filters to the logs by default. It is up to each implementation to define and apply filters that meet their local requirements.
While multiple output targets may be defined, SIMP only defines the Elasticsearch output by default. Please see the Elasticsearch Puppet module for details on how to define additional output targets.

3.11.4 SIMP Logstash Flow

Logstash, SIMP, and Security
The provided SIMP modules for Logstash, Elasticsearch, and Kibana have been built with connection security in mind. Overriding these settings could adversely affect the security of the logging infrastructure. The following list describes the security features in place with the default SIMP module settings:
- User Name and Password Protection for Kibana: The Kibana web interface can be exposed to a defined list of hosts. If you are connecting to Kibana from anything other than the localhost, a user name and password is required for authentication. Both LDAP and local database users are supported.
- Syslog over Stunnel: The default behavior in SIMP is to encrypt sysl
60. ...built with source code.
Control ID | Control Name | Control Family | SIMP Implementation Method
CM-2(3) | Baseline Configuration Control Enhancement | Configuration Management | All old versions of SIMP remain in the code repository.
CM-2(4) | Baseline Configuration Control Enhancement | Configuration Management |
CM-2(5) | Baseline Configuration Control Enhancement | Configuration Management | a. SIMP provides a minimal list of packages and services installed. The minimal list of packages can be found in kickstart files and the appendix of this document. Additional packages are installed by each implementation or as SIMP modules are applied. b. It's not feasible to technically deny additional applications from being installed. There is nothing in SIMP that can stop an RPM from being applied. Applications that require network access to service activation must be registered with Puppet.
CM-2(6) | Baseline Configuration Control Enhancement | Configuration Management | As a project, SIMP is developmental only. The environments where it is tested are up to the implementation. Development testing is performed on SIMP in environments that have a frozen code base.
CM-3 | Configuration Change
61. ...conditions set forth in the Apache License, Version 2.0; the latest version is available at the Apache License website. The SIMP Development Team makes no representation about the suitability of the SIMP product for any purpose. It is provided "as is" without expressed or implied warranty. If SIMP is modified in any way, except for designed customization, please identify the new copy as a variant of SIMP. Additional products are distributed as part of the SIMP suite. By using SIMP, the user agrees to abide by the licenses for the included products.

CHAPTER 6 Contact
If you have questions, please contact the SIMP team: simp@simp-project.org

CHAPTER 7 Help
If you are looking for assistance, please email the SIMP mailing lists: simp@simp-project.org

CHAPTER 8 Indices and tables
64. isoinfo -i SIMP_Update.iso -R -x $(isoinfo -i SIMP_Update.iso -Rf | grep noarch/simp-utils) > simp-utils.rpm
# Install the new simp-utils RPM
yum -y localupdate simp-utils.rpm
# Unpack the DVD onto the system
/usr/local/bin/unpack_dvd SIMP_Update.iso
# Run the migration script (this may take some time; do NOT hit CTRL-C)
/usr/share/simp/upgrade_script/migrate_to_environments
# Run the puppet agent
puppet agent -t
# Stop the new puppetserver service (it may not be running)
service puppetserver stop
# Remove any left over PID files
rm /var/run/puppetserver/puppetserver
# Kill any running puppet master processes
pkill -f 'puppet master'
# Wait for 10 seconds to let things finalize, if necessary
sleep 10
# Start the new Puppet Server
service puppetserver start
Table: Executing the Migration Script

Your new Puppet Server should now be running, and a run of puppet agent -t should complete as usual.

3.10.5 Converting from Extdata to Hiera
SIMP now uses Hiera natively instead of Extdata. Tools have been put into place by Puppet Labs and SIMP to make the conversion as easy as possible. Two scripts have been provided to automatically convert generic CSV files and simp_def.csv to YAML. The first example shows how to convert an Extdata CSV file called foo.csv into a Hiera ya
65. -j DROP

3.14.6 Network-based Initial Server Build
This section provides guidance to install the initial SIMP server via an existing kickstart infrastructure.
Prepare the Kickstart: To kickstart the initial server, copy the netboot.cfg file into the kickstart location from ks/ at the root level of the extracted DVD. Replace the KS_SERVER and KS_BASE variables in the netboot.cfg file to match the system settings.
Kickstart the System: Kickstart the system against the netboot.cfg file; this will build a functional SIMP server identical to the one that the user would have received from the DVD.
Post Installation: This section describes the post-installation procedures to use the server.
Setting up the new YUM repo: All of the SIMP systems must be able to reference two YUM locations after install. The first is the Local repo, which is spawned from the Local directory at the top of the DVD. This is expected to be referenced as http://yum_server/yum/SIMP/<Architecture> by the clients. The second location is the Updates repo, which contains a repo with all of the base operating system RPMs. This is expected to be referenced as http://yum_server/yum/(RedHat|CentOS)/<Version>/<Architecture>/Updates by the clients.
The user is responsible for adjusting these locations in the pre-existing system; however, the table below lists the steps to adjust the
66. ...'libreoffice-math', 'libreoffice-pdfimport', 'bluefish', 'gnome-media', 'pulseaudio', 'file-roller', 'inkscape', 'gedit-plugins', 'planner' ]: ensure => 'latest' }

3.8.3 Graphical Desktop Setup
Below is an example manifest called /etc/puppet/modules/site/manifests/gui.pp for setting up a graphical desktop on a user workstation.
class site::gui {
  include 'xwindows::gdm'
  include 'windowmanager::gnome'
  include 'vnc::client'

  # Compiz Stuff
  package { [
    'fusion-icon',
    'emerald-themes',
    'compiz-fusion-extras',
    'compiz-fusion-extras-gnome',
    'vinagre'
  ]:
    ensure => 'latest'
  }
}

3.8.4 Workstation Repositories
Below is an example manifest called /etc/puppet/modules/site/manifests/repos.pp for setting up workstation repositories.
class site::repos {
  # Whatever local yumrepo statements you need for installing your packages
  # and keeping your systems up to date.
}

3.8.5 Virtualization on User Workstations
Below is an example manifest called /etc/puppet/modules/site/manifests/virt.pp for allowing virtualization on a user workstation.
# We allow users to run VMs on their workstations. If you don't want this,
# just don't include this class. If this is installed, VM creation and
# management is still limited by PolicyKit.
class site::virt {
  include 'libvirt::kvm'
  include 'libvirt::ksm'
  include
67. ...'network::redhat'

  network::redhat::add_eth { 'em1':
    bridge => 'br0',
    hwaddr => $::macaddress_em1
  }

  network::redhat::add_eth { 'br0':
    net_type => 'Bridge',
    hwaddr   => $::macaddress_em1,
    require  => Network::Redhat::Add_eth['em1']
  }

  common::swappiness::conf { 'default':
    high_swappiness => '80',
    max_swappiness  => '100'
  }

  # If 80% of memory is used, flush caches.
  exec { 'flush_cache_himem':
    command => '/bin/echo 1 > /proc/sys/vm/drop_caches',
    onlyif  => inline_template('/bin/<%= (@memoryfree.split(/\s/)[0].to_f / @memorysize.split(/\s/)[0].to_f) < 0.2 ? "true" : "false" %>')
  }

  package { 'virt-manager': ensure => 'latest' }
}

3.8.6 Network File System
Below is an example manifest called /etc/puppet/modules/site/automount.pp for Network File System setup. If you are not using NFS, you do not need to include this.
class site::automount {
  include 'autofs'

  file { '/net':
    ensure => 'directory',
    mode   => '0755'
  }

  # A global share
  autofs::map::master { 'share':
    mount_point => '/net',
    map_name    => '/etc/autofs/share.map'
  }

  # Map the share
  autofs::map::entry { 'share':
    options  => '-fstype=nfs4,port=2049,soft',
    location => "${nfs_server}:/share",
    target   => 'share'
  }
}

3.8.7 Setting up a Printer Environment
Below are example manifests for s
68. ...no longer incorrectly bind mounts /tmp or /var/tmp. We no longer supply crontab or anacrontab in global_etcd. Remove the dynamic_swappiness cron job if a static value is set. Ensure that the passgen function fails on invalid scenarios; this prevents the accidental creation of empty passwords. Allow the value 2 to be used for rp_filter in simplib::sysctl. Added ability to return remote IP addrs.
pupmod-dhcp: Change the call to the rsyslog init script to the service command to seamlessly support both RHEL6 and RHEL7.
pupmod-iptables: Fixed a bug that would cause issues with Ruby 1.8.7. Fixed DNS resolution in IPv6. Prevent IPv6 ::1 spoofed addresses by default.
pupmod-simp-elasticsearch: Ensured that Elasticsearch works properly with the new version of Apache. Removed our default ES tuning, since the default works better for LogStash. Ensure that Puppet manages the Elasticsearch logging file.
pupmod-functions: Fixed sysv.rb to explicitly require puppet/util/selinux, which caused puppet describe to have errors.
pupmod-simp-logstash: Fix issues with both TCPWrappers and IPTables when used with LogStash.
pupmod-nfs: Updated the mountd port to be 20048 by default for SELinux issues in RHEL7.
pupmod-ntp: Updated against NTP Security Vulnerabilities (Red Hat Article 1305723). Ensure that restrict entries use DDQ format.
pupmod-openldap: The Password Policy overlay
71. ...*.pub -exec openssl verify -CApath cacerts {} \;
Important: The screen displays <Host Name>.<Your Domain>/<Host Name>.<Your Domain>.pub: OK. If anything other than OK appears for each host, analyze the error and ensure that the CA certificates are correct. If the TXT_DB error number 2 appears, revoke the certificate that is being regenerated. The table below lists the steps to revoke the certificate:
1. Navigate to /etc/puppet/environments/simp/keydist.
2. Run OPENSSL_CONF=default.cnf openssl ca -revoke keydist/<Host to Revoke>/<Host to Revoke>.pub

3.4 Apply Certificates
This section provides guidance on obtaining official certificates and generating a Fake CA.

3.4.1 Obtaining Official Certificates
All SIMP systems must have Public Key Infrastructure (PKI) keypairs generated for the server. These keys reside in the /etc/puppet/keydist directory and are served to the clients over the Puppet protocol.
Note: These keypairs are not the keys that the Puppet server uses for its operation. Do not get the two confused.
The table below lists the steps to add any keys for the server that were received from a proper CA to /etc/puppet/keydist:
1. Type mkdir /etc/puppet/keydist/<Client System FQDN>
2. Type mv <Certificate Directory>/<FQDN>.{pem,pub} /etc/puppet
72. ...puppet /etc/puppet/keydist
4. Type chmod -R u=rwX,g=rX,o-rwx /etc/puppet/keydist
Table: Official Certificates Procedure

The table below lists the steps to create and populate the /etc/puppet/keydist/cacerts directory:
1. Type cd /etc/puppet/environments/simp/modules/pki/files/keydist
2. Type mkdir cacerts and copy the root CA public certificates into cacerts in Privacy Enhanced Mail (PEM) format, one per file.
3. Type cd cacerts
4. Type for file in *.pem; do ln -s $file $(openssl x509 -in $file -hash -noout).0; done

2.4.2 Generating Fake CAs
If server certificates have not or could not be obtained at the time of client installation, the SIMP team provides a way to create them for the system so that it will work until proper certificates are provided.
Note: This option should not be used for any operational system that can use proper enterprise PKI certificates.
The instructions below list the steps to generate the Fake CAs:
1. Type cd /etc/puppet/environments/simp/FakeCA
2. Type vi togen
3. Remove old entries from the file and add the Fully Qualified Domain Name (FQDN) of the systems, one per line, for which certificates will be created.
Note: To use alternate DNS names for the same system, separate the names with commas and without spaces. For example: name,alt.name1,alt.name2
4. Type wc cacertkey
Note: Ensure that the cacertkey file is not empty. If it is, enter text into the file, then save and clos
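The hashed cacerts directory from step 4 above and the openssl verify check on each host's .pub certificate, as an added shell example that is not part of the SIMP documentation. It builds a throwaway CA, one host certificate signed by it and one self-signed certificate as constructed test data; the function names, directory layout argument and the .pub naming under keydist are assumptions, and the openssl CLI must be installed.

```shell
#!/bin/sh
# Added example (not SIMP project code). Mirrors the documented procedure:
# link each CA certificate under its subject hash so 'openssl verify -CApath'
# can find it, then verify every keydist/<host>/<host>.pub against that directory.

# make_cacerts DIR: for each *.pem in DIR create <subject-hash>.N -> file, the
# lookup form OpenSSL expects in a -CApath directory (the doc's step 4 uses .0;
# the counter here keeps two CAs with the same hash from clobbering each other).
make_cacerts() {
  dir=$1
  for file in "$dir"/*.pem; do
    [ -e "$file" ] || continue
    hash=$(openssl x509 -in "$file" -hash -noout) || return 1
    n=0
    while [ -e "$dir/$hash.$n" ]; do n=$((n + 1)); done
    ln -s "$(basename "$file")" "$dir/$hash.$n" || return 1
  done
}

# verify_keydist KEYDIST CACERTS: run 'openssl verify' on every <host>/<host>.pub.
# Prints "<path>: OK" or "<path>: FAILED" per host; returns 1 if any host failed,
# which is the condition the doc says to investigate before going further.
verify_keydist() {
  keydist=$1
  cacerts=$2
  rc=0
  for pub in "$keydist"/*/*.pub; do
    [ -e "$pub" ] || continue
    if openssl verify -CApath "$cacerts" "$pub" >/dev/null 2>&1; then
      echo "$pub: OK"
    else
      echo "$pub: FAILED"
      rc=1
    fi
  done
  return $rc
}

# make_fixture WORKDIR: constructed test data only. A short-lived CA in
# WORKDIR/cacerts, host1 signed by it, and a self-signed "rogue" certificate
# that must not verify because no CA in cacerts issued it.
make_fixture() {
  work=$1
  mkdir -p "$work/cacerts" \
           "$work/keydist/host1.example.test" \
           "$work/keydist/rogue.example.test" || return 1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Fake CA" \
    -keyout "$work/ca.key" -out "$work/cacerts/ca.pem" >/dev/null 2>&1 || return 1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=host1.example.test" \
    -keyout "$work/host1.key" -out "$work/host1.csr" >/dev/null 2>&1 || return 1
  openssl x509 -req -days 1 -in "$work/host1.csr" \
    -CA "$work/cacerts/ca.pem" -CAkey "$work/ca.key" -CAcreateserial \
    -out "$work/keydist/host1.example.test/host1.example.test.pub" >/dev/null 2>&1 || return 1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=rogue.example.test" \
    -keyout "$work/rogue.key" \
    -out "$work/keydist/rogue.example.test/rogue.example.test.pub" >/dev/null 2>&1 || return 1
}

# Usage (stand-alone): W=$(mktemp -d); make_fixture "$W"; make_cacerts "$W/cacerts"
#                      verify_keydist "$W/keydist" "$W/cacerts"
```

The rogue entry shows the failure mode the text warns about: a certificate that is syntactically fine but was not issued by anything in cacerts prints FAILED rather than OK.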
73. ...screen.
Control ID | Control Name | Control Family | SIMP Implementation Method
IA-1 | Identification and Authentication Policy and Procedures | Identification and Authentication |
IA-2(1) | User Identification and Authentication (Organizational Users) Control Enhancement | Identification and Authentication |
IA-2(2) | User Identification and Authentication (Organizational Users) Control Enhancement | Identification and Authentication |
IA-2(3) | User Identification and Authentication (Organizational Users) Control Enhancement | Identification and Authentication |
IA-2(4) | User Identification and Authentication (Organizational Users) Control Enhancement | Identification and Authentication |
IA-2(5) | User Identification and Authentication (Organizational Users) Control Enhancement | Identification and Authentication |
IA-2(6) | User Identification and Authentication (Organizational Users) Control Enhancement | Identification and Authentication |
IA-2(7) | User Identification and Authentication (Organizational Users) Control Enhancement | Identification and Authentication |
IA-2(8) | User Identification and Authentication (Organizational Users) Control Enhancement | Identification and Authentication | The authentic
74. ...section titled "Set up the Replicated Servers" to the manifest of the master node being demoted. Once this is complete, manually remove the active database from the LDAP server being demoted and then run Puppet. The SIMP team is working to enable SIMP to handle this transition automatically in the future.

3.14.10 SFTP Restricted Account
This section describes the method for restricting an account to SSH File Transfer Protocol (SFTP) access only.
Add a User: Create a user account based on the following example:
user { 'foo':
  uid   => '<UID>',
  gid   => '<GID>',
  shell => '<Path to SFTP Server>'
}
On a SIMP system, shell would be /usr/libexec/openssh/sftp-server.
Modify /etc/shells: To modify /etc/shells to include the shell information provided in the previous user account example, add common::shells in Hiera and add /usr/libexec/openssh/sftp-server to the list.

3.14.11 SSH Authorized Keys Setup
This section provides guidance on managing SSH keys within the SIMP environment.
LDAP Enabled: When enabled, SSH keys are both stored in and retrieved directly from LDAP. See also: Managing Users with LDAP.
Without LDAP: If not using LDAP, or in addition to LDAP, SSH authorized keys can be placed in /etc/ssh/local_keys/<USERNAME>. This location can be changed by setting the ssh::server::conf::authorizedkeysfile parameter i
server (vserv). The table below lists the steps to set up the tunnel.

Table: Set Up SSH Tunnel Procedure

1. On the workstation, type: ssh -l vuser -L 590<Port Number>:localhost:590<Port Number> proxy.your.domain
   Note: This command takes the user to the proxy.
2. On the proxy, type: ssh -l vuser -L 590<Port Number>:localhost:590<Port Number> vserv.your.domain
   Note: This command takes the user to the VNC server.

Note: The port number in 590<Port Number> is the same port number as previously described. For example, if the <Port Number> was 6, then all references below to 590<Port Number> become 5906.

Set Up Clients

On vclnt.your.domain, type vncviewer localhost:590<Port Number> to open the Remote Desktop viewer.

Troubleshooting VNC Issues

If nothing appears in the terminal window, X may have crashed. To determine if this is the case, type ps -ef | grep XKeepsCrashing. If any matches result, stop the process associated with the command and try to restart vncviewer on vclnt.your.domain.

3.10 Upgrading SIMP

This chapter provides information on how to upgrade a running instance to the latest codebase.

3.10.1 Pre-Upgrade Recommendations

The following process should be followed before upgrade:

1. Run puppet agent --disable to disable Puppet.
   Note: If you think you
suit the necessary environment. Make sure the following is done in dhcpd.conf:

• The next-server setting in the pxeclients class block points to the IP address of the TFTP server.
• Create a subnet block and edit the following:
  - Make sure the router and netmask are correct for your environment.
  - Enter the hardware ethernet and fixed-address for each client that will be kickstarted. SIMP environments should not allow clients to pick a random IP address in a subnet; each MAC address must be associated with an IP address here. You can add additional ones as needed.
  - Enter the domain name for option domain-name.
  - Enter the IP address of the DNS server for option domain-name-servers.
• Save and close the file.
• Run puppet agent -t on the Puppet Master to apply the changes.

2.3.5 Configure PXE Boot

Sample kickstart templates have been provided in the /var/www/ks directory on the SIMP server and on the SIMP DVD under ks. Pre-boot images are located on the DVD under images/pxeboot. If you have an existing Preboot Execution Environment (PXE) setup, you can use these to PXE boot a SIMP client; follow your own site's procedures for this. In this section we describe how to configure the Kickstart and TFTP servers to PXE boot a SIMP client. The DHCP server setup, also required for PXE booting, is discussed in an earlier chapter.

Note: This example sets up a PXE boot for a system that is the same OS as the SIMP Server. If you are setting up a
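The dhcpd.conf rules above (correct router and netmask, one hardware ethernet/fixed-address pair per client, no client free to pick an address) are easy to get subtly wrong by hand. The following script is an added example, not part of the SIMP documentation or the SIMP project: it renders a subnet block in which every PXE client is pinned to a fixed address and refuses malformed MACs, duplicate MACs or IPs, and addresses outside the subnet before anything reaches dhcpd. The hostnames, MACs and addresses are constructed sample data; the pxeclients class block with its next-server setting is left to the existing configuration.

```python
"""Render an ISC dhcpd subnet block where every PXE client is pinned to a
fixed address, as the SIMP DHCP setup requires (no dynamic 'range')."""
import ipaddress
import re
from typing import Dict, List

# Lower-case, colon-separated MAC in the form dhcpd expects
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def validate_hosts(hosts: Dict[str, Dict[str, str]], subnet: str) -> None:
    """Raise ValueError on a malformed MAC, a duplicate MAC or IP, or an IP
    outside the subnet. Catching these before dhcpd reloads avoids two
    clients silently fighting over one address."""
    net = ipaddress.ip_network(subnet, strict=True)
    seen_macs: Dict[str, str] = {}
    seen_ips: Dict[str, str] = {}
    for name, spec in hosts.items():
        mac = spec["mac"].lower()
        if not MAC_RE.match(mac):
            raise ValueError(f"{name}: malformed MAC {spec['mac']!r}")
        ip = ipaddress.ip_address(spec["ip"])
        if ip not in net:
            raise ValueError(f"{name}: {ip} is not inside {net}")
        if ip in (net.network_address, net.broadcast_address):
            raise ValueError(f"{name}: {ip} is the network or broadcast address")
        if mac in seen_macs:
            raise ValueError(f"{name}: MAC {mac} already used by {seen_macs[mac]}")
        if str(ip) in seen_ips:
            raise ValueError(f"{name}: IP {ip} already used by {seen_ips[str(ip)]}")
        seen_macs[mac] = name
        seen_ips[str(ip)] = name


def render_subnet(subnet: str, router: str, domain: str, dns: List[str],
                  hosts: Dict[str, Dict[str, str]]) -> str:
    """Subnet block with the options the SIMP procedure lists, host entries
    for every known client, and deliberately no 'range' statement."""
    validate_hosts(hosts, subnet)
    net = ipaddress.ip_network(subnet, strict=True)
    lines = [
        f"subnet {net.network_address} netmask {net.netmask} {{",
        f"  option routers {router};",
        f'  option domain-name "{domain}";',
        f"  option domain-name-servers {', '.join(dns)};",
        "  # No 'range' statement and unknown MACs are refused outright,",
        "  # so a client cannot obtain an address it was not assigned.",
        "  deny unknown-clients;",
    ]
    for name in sorted(hosts):
        spec = hosts[name]
        lines += [
            f"  host {name} {{",
            f"    hardware ethernet {spec['mac'].lower()};",
            f"    fixed-address {spec['ip']};",
            "  }",
        ]
    lines.append("}")
    return "\n".join(lines) + "\n"


# Constructed sample inventory (assumed names and addresses, not from SIMP)
SAMPLE_HOSTS = {
    "client1": {"mac": "52:54:00:12:34:56", "ip": "10.0.0.11"},
    "client2": {"mac": "52:54:00:AB:CD:EF", "ip": "10.0.0.12"},
}

if __name__ == "__main__":
    print(render_subnet("10.0.0.0/24", "10.0.0.1", "your.domain",
                        ["10.0.0.2"], SAMPLE_HOSTS))
```

Feed the rendered block into dhcpd.conf (or a template managed by Puppet) and run dhcpd -t before applying; the script catches inventory mistakes, dhcpd -t catches syntax.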
t_pupsrvs join t_pupsrvs >

Run puppet agent -t on the client to receive the appropriately mapped NAT address of the Puppet server. If the user cannot connect to the NAT'd Puppet server, change the values in the /etc/hosts file to the correct values and try running puppet agent -t again.

3.14.9 Redundant LDAP

This section describes how to set up redundant OpenLDAP servers in SIMP. The version of OpenLDAP in RHEL only supports syncrepl. Multi-master replication has been added in a more recent version of OpenLDAP but is not currently supported in SIMP. Syncrepl is optimal for Wide Area Network (WAN) situations and is the SIMP default.

Set up the Master

If the standard puppet_servers.pp file in SIMP is being used, the user has a working master server. If not, the following example demonstrates how to use the SIMP openldap module to create a server using the puppet_servers.pp file.

Source Code for Using an OpenLDAP Server

  # openldap
  # These are some common variables. See /etc/puppet/manifests/vars.pp for the stock version.
  $ldap_master = "ldap://ldapmaster.your.domain"

  class ldap_common {
    include 'openldap::slapd_pki'

    openldap::slapd::conf { 'default':
      suffix                => 'dc=your,dc=domain',
      rootdn                => 'cn=LDAPAdmin,ou=People,dc=your,dc=domain',
      rootpw                => '{SSHA}klskfSasoghaagasgasgaggawawg',
      tlsCertificateFile    => '/etc/pki/public/<fqdn>.pub',
      tlsCertificateKeyFile => '/etc/pki/private/fqd
that they were supplied by Red Hat, Inc. See also: RHEL.

RHEL: Red Hat Enterprise Linux. A commercial Linux operating system produced by Red Hat, Inc. RHEL is designed to provide an enterprise-ready Linux distribution suitable to multiple target applications.

RPM: RPM Package Manager. A package management system. The name RPM is associated with the .rpm file format, files in this format, software packaged in such files, and the package manager itself. RPM was developed primarily for GNU/Linux distributions; the file format is the baseline package format of the Linux Standard Base.

RSA: An algorithm for public-key cryptography that is based on the presumed difficulty of factoring large integers (the factoring problem). RSA stands for Ron Rivest, Adi Shamir and Leonard Adleman, who first publicly described it in 1977.

Ruby: A dynamic, reflective, general-purpose, object-oriented programming language that combines syntax inspired by Perl with Smalltalk-like features. Ruby originated in Japan during the mid-1990s and was first developed and designed by Yukihiro "Matz" Matsumoto. It was influenced primarily by Perl, Smalltalk, Eiffel and Lisp. Ruby supports multiple programming paradigms, including functional, object-oriented, imperative and reflective. It also has a dynamic type system and automatic memory management; it is therefore similar in varying respects to Smalltalk, Python,
the Security Concepts document.
SC-13 (3) | Use of Cryptography Control Enhancement | System and Communications Protection |
SC-13 (4) | Use of Cryptography Control Enhancement | System and Communications Protection |
SC-14 | Public Access Protections | System and Communications Protection |
SC-15 | Collaborative Computing Devices | System and Communications Protection |

Table 4.3 (continued from previous page)

Control ID | Control Name | Control Family | SIMP Implementation Method
SC-15 (1) | Collaborative Computing Devices Control Enhancement | System and Communications Protection |
SC-15 (2) | Collaborative Computing Devices Control Enhancement | System and Communications Protection |
SC-15 (3) | Collaborative Computing Devices Control Enhancement | System and Communications Protection |
SC-16 | Transmission of Security Attributes | System and Communications Protection |
SC-16 (1) | Transmission of Security Attributes Control Enhancement | System and Communications Protection |
SC-17 | Public Key Infrastructure Certificates | System and Communications Protection | In an operational setting SIMP does not establish keys. It does come with the ability to create server keys using a custom application known as FakeCA. SSH keys can also be established using standard Unix command-line
the targets of unpack_dvd.
• pupmod-xinetd: Fixed. The default log_type should be SYSLOG authpriv instead of SYSLOG daemon info.
• pupmod-vnc: Removed banners that broke some VNC clients.
• simp-cli:
  - simp config -a ANSWERFILE fails when an item has no answer.
  - simp config -A ANSWERFILE prompts when an item has no answer.
  - The misleading help documentation for ff has been removed.
  - The Config Item use_fips now echoes its command unless silent.
  - The simp doc command path to the documentation has been corrected.
  - General usability improvements.
• DVD:
  - A default IP is no longer provided when booting from the ISO; simp config will set the network properly.
  - The default kickstart no longer attempts to chkconfig any services in the %post section.

New Features

• pupmod-auditd: Completely overhauled the module with a focus on better acceptance testing and format compliance.
• pupmod-augeasproviders: This was updated to 2.1.3. The update to 2.1.3 caused the addition of all of the pupmod-augeasproviders modules below.
  - augeasproviders_apache: Imported 2.1.3 to support the Augeasproviders stack.
  - augeasproviders_base: Imported 2.1.3 to support the Augeasproviders stack.
  - augeasproviders_core: Imported 2.1.3 to support the Augeasproviders stack.
  - augeasproviders_grub: Imported 2.1.3 to support the Augeasproviders stack.
  - augeas
this, you should add the following to a file like /etc/puppet/manifests/nodegroups.pp:

  if $trusted['certname'] =~ /es\d+\.your\.domain/ {
    $hostgroup = 'elasticsearch'
  }

Then ensure that a file called elasticsearch.yaml is present in the /etc/puppet/environments/simp/hieradata/hostgroups directory (on a layout without the simp environment, /etc/puppet/hieradata/hostgroups) and contains the following content:

  # All nodes running elasticsearch in your cluster should use these settings
  elasticsearch::simp::cluster_name : 'a_unique_hard_to_guess_name'
  # This can be no more than the total number of ES nodes that you have in your cluster
  # (in practice fewer: a replica shard is never placed on the node that holds its primary,
  # so with N nodes at most N-1 replicas can actually be allocated)
  elasticsearch::simp::replicas : 2
  elasticsearch::simp::java_install : true
  classes :
    - 'elasticsearch::simp'

Make sure you point your clients to the Logstash server by setting the log_server variable in Hiera to the FQDN of the Logstash server. This is further covered in Using LogStash and ElasticSearch.

With the default settings applied, you should be able to connect to port 443 on your Kibana host. If connecting from localhost, you will not be prompted for a password. If you are connecting from an external host, a valid LDAP account is needed, with that user defined in the Kibana class. The page is SSL protected, so use https://<hostname>/kibana. With the web interface
Application | Direction | Protocol | Transport | Port | Notes
Puppet | Out | HTTPS | TCP | 8140 | Communications to the Puppet server
rsyslog | Out | syslog | TCP/UDP | 6514 | This is encrypted when communicating with a SIMP syslog server
DNS | Out | DNS | TCP/UDP | 53 | Normal name resolution
NTPD (client) | Out | NTP | TCP/UDP | 123 | Only connects to an external time source by default
SSHD | In | SSH | TCP | 22 | SSH is allowed from any source IP by default
LDAP | Out | LDAP | TCP | 389 | Connections are protected by bi-directional authenticated encryption (on the plain LDAP port, i.e. STARTTLS rather than LDAPS on 636)

4.2.10 Separation of Duties

SIMP enforces separation of duties using account groups. Groups are created with each implementation to separate roles or duties properly. The SIMP team recommends that this management be done using posixGroups in LDAP for full operating system support. (AC-5)

4.2.11 Least Privilege

SIMP does not allow root to directly SSH into a system. The root user must be at a console, or at a virtual instance of the physical console, to log on. Otherwise, users must log on as themselves and perform privileged commands using sudo or sudosh. (AC-6)

NIST 800-53 least privilege security controls give people access to objects only as needed. SIMP provides only the needed software, services and ports to allow the system to be functional and scalable. The system then relies on a given implementation to perform proper account management and user role assignmen
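The port table above doubles as a baseline: the only inbound service a stock SIMP client is supposed to expose is sshd on TCP 22. The following script is an added example (not from the SIMP documentation or project) that compares what a host actually listens on against that baseline. It parses output in the column layout of `ss -Hlntu`; the lines it parses here are constructed, not captured from a SIMP host, and it ignores sockets bound only to loopback since those are unreachable from the network.

```python
"""Flag network-reachable listeners that SIMP's baseline does not expect.
Baseline from the port table: the only inbound service is SSH on TCP 22."""
from typing import List, Optional, Tuple

ALLOWED_INBOUND = {("tcp", 22)}
# Sockets bound to these addresses are not reachable from the network
LOOPBACK_PREFIXES = ("127.", "[::1]", "::1")

# Constructed sample in the column layout of `ss -Hlntu`:
# netid, state, recv-q, send-q, local address:port, peer address:port
SAMPLE_SS_OUTPUT = """\
tcp   LISTEN   0   128   0.0.0.0:22        0.0.0.0:*
tcp   LISTEN   0   128   [::]:22           [::]:*
tcp   LISTEN   0   128   127.0.0.1:8140    0.0.0.0:*
udp   UNCONN   0   0     0.0.0.0:123       0.0.0.0:*
tcp   LISTEN   0   50    0.0.0.0:5906      0.0.0.0:*
"""

Listener = Tuple[str, int, str]  # (protocol, port, bound address)


def parse_ss_line(line: str) -> Optional[Listener]:
    """One ss line -> (proto, port, addr), or None for headers/junk."""
    fields = line.split()
    if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
        return None
    # rpartition keeps IPv6 literals such as [::] intact
    addr, _, port = fields[4].rpartition(":")
    if not port.isdigit():
        return None
    return fields[0], int(port), addr


def unexpected_listeners(ss_output: str) -> List[Listener]:
    """Listeners reachable from the network that are not in the baseline,
    sorted for stable reporting. Loopback-only sockets (for example a Puppet
    server bound to 127.0.0.1:8140) are skipped."""
    found: List[Listener] = []
    for line in ss_output.splitlines():
        parsed = parse_ss_line(line)
        if parsed is None:
            continue
        proto, port, addr = parsed
        if addr.startswith(LOOPBACK_PREFIXES) or (proto, port) in ALLOWED_INBOUND:
            continue
        found.append(parsed)
    return sorted(found)


if __name__ == "__main__":
    for proto, port, addr in unexpected_listeners(SAMPLE_SS_OUTPUT):
        # Each hit needs either an IPtables rule through the module or the
        # service removed from the host; svckill.rb stops services that are
        # not in the Puppet catalogue, but it does not close ports that are.
        print(f"{proto}/{port} bound on {addr}: not in baseline")
```

On a real host, pipe `ss -Hlntu` into unexpected_listeners; a hit on a port the table lists as outbound-only (the NTP socket in the sample) is expected and is what the default deny-all IPtables policy is there to cover, while a hit like 5906 is a service somebody started that the catalogue does not know about.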
to change the expiration time from one year (the default) to five years for any newly created certificate:

  for file in $(grep -rl 365 /etc/puppet/Config/FakeCA); do
    sed -i 's/365/1825/' "$file"
  done

Note: This substitution is not scoped. It rewrites the first occurrence of 365 on every line of every file under that directory, whatever that number means, so review the matches (grep -rn 365 /etc/puppet/Config/FakeCA) before running it.

3.6.6 Puppet Certificates

Puppet certificates are issued and maintained strictly within Puppet. They are different from the server certificates and should be managed with the puppet cert tool. For the complete documentation on the puppet cert tool, visit the Puppet Labs cert manual detailing its capabilities. On a SIMP system these certificates are located in the /var/lib/puppet/ssl directory and are set to expire every five years.

3.6.7 Applications

This section describes how to add services to the servers. To perform this action, it is important to understand how to use IPtables and what the svckill.rb script does on the system.

3.6.8 IPTables

By default, the SIMP system locks down all incoming connections to the server save port 22. Port 22 is allowed from all external sources since it is expected that the user will want to be able to SSH into the systems from the outside at all times. The default alteration for the IPtables start-up script is such that it will fail safe. This means that if the IPtables rules are incorrect, the system will not open up the IPtables rule set completely. Instead, the system will deny access to all ports except port 22 to allow for recovery via SSH. There are many examples of how to use the I
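As an added example (not from the SIMP documentation or the FakeCA scripts themselves), the script below shows the difference between the blunt per-line substitution above and a replacement scoped to places where the number is actually a certificate lifetime. It assumes the lifetime appears either as an openssl "-days N" argument or as a "default_days = N" setting in an OpenSSL configuration; the script fragment it runs against is constructed for the demonstration, not copied from FakeCA.

```python
"""Rewrite a certificate lifetime only where it is one, and show what the
unscoped sed substitution would have done to the same text."""
import re
from typing import Tuple

# Assumed forms of a lifetime: an openssl '-days N' argument or an
# openssl.cnf 'default_days = N' setting. \b stops 365 matching inside 3650.
DAYS_RE = re.compile(r"(?P<prefix>-days\s+|default_days\s*=\s*)(?P<days>\d+)\b")


def rescope_days(text: str, old_days: int, new_days: int) -> Tuple[str, int]:
    """Replace lifetimes equal to old_days with new_days; return the new
    text and how many lifetimes were changed (so a zero can be noticed)."""
    count = 0

    def swap(match: "re.Match[str]") -> str:
        nonlocal count
        if int(match.group("days")) != old_days:
            return match.group(0)
        count += 1
        return f"{match.group('prefix')}{new_days}"

    return DAYS_RE.sub(swap, text), count


def blunt_first_per_line(text: str, old: str, new: str) -> str:
    """What `sed -i 's/365/1825/'` does: first occurrence on each line,
    regardless of what the digits mean."""
    return "\n".join(line.replace(old, new, 1) for line in text.split("\n"))


# Constructed script fragment (hypothetical, not FakeCA's real contents)
SAMPLE = """\
#!/bin/sh
SERIAL_START=365    # unrelated number that must not change
openssl req -x509 -days 365 -newkey rsa:2048 -keyout ca.key -out ca.crt
openssl ca -config openssl.cnf -days 365 -in host.csr -out host.crt
default_days = 365
default_days = 3650
"""

if __name__ == "__main__":
    new_text, n = rescope_days(SAMPLE, 365, 1825)
    print(f"{n} lifetime(s) rewritten")
    print(new_text)
    print("--- unscoped sed would have produced ---")
    print(blunt_first_per_line(SAMPLE, "365", "1825"))
```

The scoped version leaves SERIAL_START and the already-longer 3650 alone; the sed emulation turns the former into 1825 and the latter into 18250, which is exactly the kind of collateral change the note above warns about.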
tools. In an operational setting, both sets of keys should be obtained from valid key infrastructures. There is also a CA that Puppet uses to generate and manage keys for Puppet only.
SC-18 | Mobile Code | System and Communications Protection |
SC-18 (1) | Mobile Code Control Enhancement | System and Communications Protection |
SC-18 (2) | Mobile Code Control Enhancement | System and Communications Protection |
SC-18 (3) | Mobile Code Control Enhancement | System and Communications Protection |
SC-18 (4) | Mobile Code Control Enhancement | System and Communications Protection |
SC-19 | Voice Over Internet Protocol | System and Communications Protection |
SC-20 | Secure Name/Address Resolution Service (Authoritative Source) | System and Communications Protection |
SC-20 (1) | Secure Name/Address Resolution Service (Authoritative Source) Control Enhancement | System and Communications Protection |

Table 4.3 (continued from previous page)

Control ID | Control Name | Control Family | SIMP Implementation Method
SC-21 | Secure Name/Address Resolution Service (Recursive or Caching Resolver) | System and Communications Protection |
SC-21 (1) | Secure Name/Address Resolution Service (Recursive or Caching Resolver) Control Enhancement | System and Communications Protection |
SC-22 | Arc
up a PXE boot for a system that is the same OS as the SIMP Server. If you are setting up a PXE boot for a different OS, then you must make sure that the OS packages are available through YUM for all systems you are trying to PXE boot. There are notes throughout the instructions to help in setting up multiple OSes, but they are not comprehensive. You should understand the DHCP, Kickstart (KS), YUM and TFTP relationships for PXE booting before attempting this.

Setting Up Kickstart

This section describes how to configure the kickstart server.

1. Locate the following files in the /var/www/ks directory:
   a. pupclient_x86_64.cfg
   b. diskdetect.sh
2. Open each of the files and follow the instructions provided within them to replace the variables. You need to know the IP
   a. pupclient_x86_64.cfg
      1. Note: KSSERVER should be replaced with the Kickstart server IP, not the YUM IP. They are the same if you used the defaults.
      2. In the URL line, use the YUM server IP, not the Kickstart server IP. On a default SIMP system the YUM and Kickstart server are the same server, so this is not a problem.
      3. Use the commands in the comments section at the top of the file to generate the password hashes.
   b. diskdetect.sh
      The diskdetect.sh script is responsible for detecting the first active disk and applying a disk configuration. Edit this file to meet any necessary requirements, or use this file as a starting p
want to set it yourself.
• The URI for your LDAP server.
• The directory that will hold files used to sync operational directories.
• The server that remote syncs.
• Maximum rsync timeout in seconds.

2.8.2 Configuration

This briefly describes what is being configured in the different sections indicated in the table above.

You may make changes to the default settings in $(puppet config print environmentpath)/simp/hieradata/simp_def.yaml or one of the other YAML files in the hieradata directory. These Hiera files can be used after initial set-up to change settings. The Hiera Overview section gives an introduction to using Hiera in SIMP.

FIPS
• Turning FIPS mode on and off sets kernel parameters and system environment variables to ensure the system is FIPS 140-2 compliant.
• FIPS is on by default. If you ever want your system to be FIPS compliant, you will want to ensure that the system is built with this enabled. It may easily be disabled once the system is built.

GRUB
• GRUB password in /etc/grub.conf.

DNS
• /etc/resolv.conf.
• The DNS server capabilities are not configured by this.

SYSTEM
• Basic network setup.
• Startup files in /etc/init.d.
• Configuration files under /etc/sysconfig.
• Rsyslog settings.

PUPPET
• Autosign
will need more than 4 hours to complete this task, also disable Puppet in root's crontab.
2. You may wish to block all communications with agents while updating the server. This is not required, but could spare you some headaches if something doesn't work properly. The simplest way to do this is to restrict the catalog retrieval capability to 127.0.0.1 in /etc/puppet/auth.conf as shown below:

  path ~ ^/catalog/([^/]+)$
  method find
  # Uncomment this when complete and delete the other entries
  #allow $1
  allow 127.0.0.1

Using the syntax above, you can add fully qualified domain names one at a time to the allow list, and only those hosts will be able to retrieve their catalog from the running server. 127.0.0.1 serves as a placeholder so that no host can actually retrieve its catalog.

3.10.2 Migrating To Environments

SIMP 4.1 and 5.0 used the traditional Rack-based Puppet Master. Starting with 4.2 and 5.1, SIMP uses the Clojure-based Puppet Server. Unfortunately, there are some conflicts with directly upgrading from the Puppet Master to the Puppet Server, since some of the RPM package prerequisites conflict.

This new Puppet Server can properly utilize Puppet Environments. To provide our users with this capability, and to facilitate more dynamic workflows in the future, the SIMP team has migrated all existing material to a native simp environment. To help facilitate your migration, the SIMP team has created two migration
  ...3.14.3-22.el6_6.x86_64.rpm  http://mirror.ash.fastserv.com/pub/linux/centos/6.7/os/x86_64/Pac
  nss-softokn-freebl-3.14.3-22.el6_6.x86_64.rpm  http://mirror.ash.fastserv.com/pub/linux/centos/6.7/os/x86_64/Pac
  nss-sysinit-3.19.1-3.el6_6.x86_64.rpm  http://mirror.cs.vt.edu/pub/CentOS/6.7/updates/x86_64/Packages
  nss-tools-3.19.1-3.el6_6.x86_64.rpm  http://mirror.cs.vt.edu/pub/CentOS/6.7/updates/x86_64/Packages
  nss-util-3.19.1-1.el6_6.x86_64.rpm  http://mirror.cs.vt.edu/pub/CentOS/6.7/updates/x86_64/Packages
  openssl-1.0.1e-42.el6.x86_64.rpm  http://mirror.ash.fastserv.com/pub/linux/centos/6.7/os/x86_64/Pac
  openssl-devel-1.0.1e-42.el6.x86_64.rpm  http://mirror.ash.fastserv.com/pub/linux/centos/6.7/os/x86_64/Pac
  pdsh-2.28-0.x86_64.rpm  https://dl.bintray.com/simp/4.2.X-Ext/pdsh-2.28-0.x86_64.rpm
  pdsh-mod-dshgroup-2.28-0.x86_64.rpm  https://dl.bintray.com/simp/4.2.X-Ext/pdsh-mod-dshgroup-2.28-0
  pdsh-mod-machines-2.28-0.x86_64.rpm  https://dl.bintray.com/simp/4.2.X-Ext/pdsh-mod-machines-2.28-0
  pdsh-mod-netgroup-2.28-0.x86_64.rpm  https://dl.bintray.com/simp/4.2.X-Ext/pdsh-mod-netgroup-2.28-0
  pdsh-rcmd-exec-2.28-0.x86_64.rpm  https://dl.bintray.com/simp/4.2.X-Ext/pdsh-rcmd-exec-2.28-0.x86
  pdsh-rcmd-ssh-2.28-0.x86_64.rpm  https://dl.bintray.com/simp/4.2.X-Ext/pdsh-rcmd-ssh-2.28-0.x86_
  perl-Archive-Zip-1.30-2.el6.noarch.rpm  http://mirror.ash.fastserv.com/pub/linux/centos/6.7
3. Type exec /usr/bin/ssh-agent /bin/bash to ensure that ssh-agent has a shell running.
4. Type /usr/bin/ssh-add to attach the user's certificates.
5. (Optional) Type /usr/bin/ssh-add -l to double-check that the user's certificates were added successfully.
6. Type ssh <HOST> -x to SSH to a target machine that has the template code configuration applied.

If successful, the user should be authenticated and gain access to the target machine without entering a password. If the user is prompted for a password, check that the permissions are set up properly and that the certificate keys are in the correct locations. In addition, check the /etc/security/access.conf file to ensure that it contains the user, or the user's group, in an allow statement. See access.conf(5) for details.

3.3 Client Management

This chapter provides guidance to install and configure SIMP clients based on the standard SIMP system installed using the SIMP DVD.

3.3.1 System Requirements

Before installing clients, the system should meet the following minimum requirements:

• Hardware/Virtual Machine (VM): Capable of running RHEL 6 or 7, 64-bit compatible
• RAM: 512 MB
• HDD: 5 GB

3.3.2 Configuring the Puppet Master

Perform the following actions as root on the Puppet Master system prior to attempting to install a client.

3.3.3 Configure DNS

Most static files are pulled over rsync by Puppet in this implementation for network efficiency. Specific director
  ...6_64
  rlwrap-0.37
  rrdtool-1.4.4-0.20.el6.x86_64.rpm  https://dl.bintray.com/simp/4.2.X-Ext/rrdtool-1.4.4-0.20.el6.x86_
  ruby-augeas-0.4.1-3.el6.x86_64.rpm  http://yum.puppetlabs.com/el/6/dependencies/x86_64/ruby-augeas
  ruby-json-1.5.5-3.el6.x86_64.rpm  http://yum.puppetlabs.com/el/6/dependencies/x86_64/ruby-json
  ruby-ldap-0.9.7-10.el6.x86_64.rpm  http://mirror.symnds.com/distributions/fedora-epel/6/x86_64/ruby
  ruby-mysql-2.8.2-1.el6.x86_64.rpm  http://mirror.symnds.com/distributions/fedora-epel/6/x86_64/ruby
  ruby-rgen-0.6.5-2.el6.noarch.rpm  http://yum.puppetlabs.com/el/6/dependencies/x86_64/ruby-rgen-0
  ruby-shadow-2.2.0-2.el6.x86_64.rpm  http://yum.puppetlabs.com/el/6/dependencies/x86_64/ruby-shado
  rubygem-activerecord-2.3.16-1.el6.noarch.rpm  http://yum.puppetlabs.com/el/6/dependencies/x86_64/rubygem-ac
  rubygem-activesupport-2.3.16-1.el6.noarch.rpm  http://yum.puppetlabs.com/el/6/dependencies/x86_64/rubygem-ac
  rubygem-deep_merge-1.0.0-2.el6.noarch.rpm  http://yum.puppetlabs.com/el/6/dependencies/x86_64/rubygem-de
  rubygem-fastthread-1.0.7-1.el6.x86_64.rpm  http://yum.puppetlabs.com/el/6/dependencies/x86_64/rubygem-fa
  rubygem-ffi-1.4.0-2.el6.x86_64.rpm  http://yum.puppetlabs.com/el/6/dependencies/x86_64/rubygem-ffi
  rubygem-highline-1.6.11-1.noarch.rpm  https://dl.bintray.com/simp/4.2.X-Ext/rubygem-highline-1.6.11-1
  rubygem-hpricot-0.8.6-1.el6.x86_64.rpm  ht
Control | Configuration Management |
CM-3 (1) | Configuration Change Control Control Enhancement | Configuration Management |
CM-3 (2) | Configuration Change Control Control Enhancement | Configuration Management |
CM-3 (3) | Configuration Change Control Control Enhancement | Configuration Management | Configuration changes in SIMP are automated using a combination of Puppet, YUM and rsync. While not all files on an operating system are managed by those mechanisms, many are. Changes to critical files that are managed by Puppet revert back to their original state. These mechanisms were not meant to defeat an attack by a malicious insider.
CM-3 (4) | Configuration Change Control Control Enhancement | Configuration Management |
CM-4 | Security Impact Analysis | Configuration Management | All features or bugs in SIMP are vetted through the development process by being placed on the product backlog and discussed with the entire team. There is a security representative on the SIMP team who is part of that vetting process.
CM-4 (1) | Security Impact Analysis Control Enhancement | Configuration Management |
CM-4 (2) | Security Impact Analysis Control Enhancement | Configuration Management |

Table 4.4 (continued from previous page)

Control ID | Con
Table 4.5 (continued from previous page)

Control ID | Control Name | Control Family | SIMP Implementation Method
CM-7 (1) | Least Functionality Control Enhancement | Configuration Management |
CM-7 (2) | Least Functionality Control Enhancement | Configuration Management | Applications can be installed, but new services will not run unless first registered with Puppet. Additionally, Puppet modules must be modified to ensure that IPtables opens up the necessary services. Minimally, for a service to remain active it must be registered with Puppet, or the svckill.rb script will stop it. To be clear, there is nothing in SIMP that prevents the installation of RPMs from the command line or YUM.
CM-7 (3) | Least Functionality Control Enhancement | Configuration Management | The registration process for ports, protocols and services is handled via Puppet.
CM-8 | Information System Component Inventory | Configuration Management |
CM-8 (1) | Information System Component Inventory Control Enhancement | Configuration Management |
CM-8 (2) | Information System Component Inventory Control Enhancement | Configuration Management | To the extent possible, Puppet tracks clients that are within its control. It is not meant to be a true inventory mechanism.
CM-8 (3) | Information System Component Inventory Control Enhancement | Configuration Manageme
Handling Control Enhancement | Incident Response |
IR-5 | Incident Monitoring | Incident Response |
IR-5 (1) | Incident Monitoring Control Enhancement | Incident Response |
IR-6 | Incident Reporting | Incident Response |
IR-6 (1) | Incident Reporting Control Enhancement | Incident Response |
IR-6 (2) | Incident Reporting Control Enhancement | Incident Response |
IR-7 | Incident Response Assistance | Incident Response |
IR-7 (1) | Incident Response Assistance Control Enhancement | Incident Response |
IR-8 | Incident Response Plan | Incident Response |
MA-1 | System Maintenance Policy and Procedures | Maintenance |
MA-2 | Controlled Maintenance | Maintenance |
MA-2 (1) | Controlled Maintenance Control Enhancement | Maintenance |
MA-2 (2) | Controlled Maintenance Control Enhancement | Maintenance |
MA-3 | Maintenance Tools | Maintenance |
MA-3 (1) | Maintenance Tools Control Enhancement | Maintenance |
MA-3 (2) | Maintenance Tools Control Enhancement | Maintenance |
MA-3 (3) | Maintenance Tools Control Enhancement | Maintenance |
MA-3 (4) | Maintenance Tools Control Enhancement | Maintenance |

Table 4.4 (continued from previous page)

Control ID | Control Name | Control Family | SIMP Implementation Method
MA-4 | Non-Local Maintenance | Maintenance | Remote maintenance can be performed on SIMP using SSH or direct console access. SSH sessions ar
SIMP requires 14-character passwords with at least one character from three of the four designated categories (i.e. upper-case letters, lower-case letters, numbers, or special characters) and no more than three consecutive characters from each category. (IA-5, IA-5 (1), IA-5 (4))

Password ageing and history is enforced through a combination of PAM and LDAP. By default, the previous 24 passwords cannot be reused. (IA-5 (1) e)

There are a number of default passwords in SIMP that are required for installation. Each implementation requires the user to change the default passwords and protect the new passwords. In addition, there are embedded passwords within the SIMP system that are used due to a lack of software-supported alternatives.

4.2.6 Access Control

This section describes the various levels of access control, including account management, access enforcement, information flow enforcement, separation of duties, least privilege, session controls, permitted actions without identification and authentication, security attributes, and remote access.

4.2.7 Account Management

Account management procedures should be created and maintained for each implementation of SIMP. The procedures should include the information listed in NIST 800-53 control AC-2. SIMP has the mechanisms in place to enforce most account management policies. The mechanisms for account management have severa
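The password rules stated above (14 characters, three of four categories, no more than three consecutive characters from one category, no reuse of the last 24) are enforced on a SIMP system by PAM and LDAP; the following is an added example, not SIMP's own code, that expresses the same policy as a standalone checker so the rules can be tested against candidate passwords before they are pushed to users. History is kept as salted PBKDF2 digests rather than plaintext, in the spirit of how pam_pwhistory keeps /etc/security/opasswd; the iteration count and the sample passwords are assumptions for the demonstration.

```python
"""Standalone checker for the SIMP password policy: length, category mix,
category runs, and a 24-entry reuse history held as salted digests."""
import hashlib
import os
from typing import List, Sequence

MIN_LENGTH = 14
MIN_CATEGORIES = 3
MAX_RUN = 3
HISTORY_DEPTH = 24
PBKDF2_ROUNDS = 50_000  # assumed; real history uses the system crypt hash


def category(ch: str) -> str:
    """The four SIMP categories: upper, lower, digit, special."""
    if ch.isupper():
        return "upper"
    if ch.islower():
        return "lower"
    if ch.isdigit():
        return "digit"
    return "special"


def longest_category_run(password: str) -> int:
    """Length of the longest stretch of consecutive same-category characters."""
    longest = run = 0
    previous = None
    for ch in password:
        cat = category(ch)
        run = run + 1 if cat == previous else 1
        longest = max(longest, run)
        previous = cat
    return longest


def _digest(password: str, salt: bytes) -> str:
    """'salthex$hash' so each entry carries its own salt."""
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + key.hex()


def in_history(password: str, history: Sequence[str]) -> bool:
    """Recompute with each stored salt; only the newest 24 entries count."""
    for entry in history[:HISTORY_DEPTH]:
        salt_hex, _, _ = entry.partition("$")
        if _digest(password, bytes.fromhex(salt_hex)) == entry:
            return True
    return False


def remember(history: Sequence[str], password: str) -> List[str]:
    """Return a new history, newest first, trimmed to the 24 SIMP retains."""
    return ([_digest(password, os.urandom(16))] + list(history))[:HISTORY_DEPTH]


def check_password(candidate: str, history: Sequence[str] = ()) -> List[str]:
    """Every rule the candidate violates; an empty list means it is acceptable."""
    problems: List[str] = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    categories = {category(ch) for ch in candidate}
    if len(categories) < MIN_CATEGORIES:
        problems.append(f"uses {len(categories)} of 4 character categories, need {MIN_CATEGORIES}")
    run = longest_category_run(candidate)
    if run > MAX_RUN:
        problems.append(f"{run} consecutive characters from one category, max {MAX_RUN}")
    if in_history(candidate, history):
        problems.append(f"matches one of the previous {HISTORY_DEPTH} passwords")
    return problems


if __name__ == "__main__":
    # Constructed sample passwords; none are real credentials.
    history: List[str] = []
    for pw in ("Correct-Horse9", "Ab1!Cd2@Ef3#Gh4$", "Ab1!Cd2@Ef3#Gh4$"):
        result = check_password(pw, history)
        print(pw, "->", "ok" if not result else "; ".join(result))
        if not result:
            history = remember(history, pw)
```

Note that the run rule is the one that trips ordinary passphrases: "Correct-Horse9" satisfies length and category mix but has six lower-case letters in a row, which is why the example rejects it.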
Control ID | Control Name | Control Family | SIMP Implementation Method
SI-4 | Information System Monitoring Tools and Techniques | System and Information Integrity |
SI-4 (1) | Information System Monitoring Tools and Techniques Control Enhancement | System and Information Integrity |
SI-4 (2) | Information System Monitoring Tools and Techniques Control Enhancement | System and Information Integrity |
SI-4 (3) | Information System Monitoring Tools and Techniques Control Enhancement | System and Information Integrity |
SI-4 (4) | Information System Monitoring Tools and Techniques Control Enhancement | System and Information Integrity |
SI-4 (5) | Information System Monitoring Tools and Techniques Control Enhancement | System and Information Integrity |
SI-4 (6) | Information System Monitoring Tools and Techniques Control Enhancement | System and Information Integrity |
SI-4 (7) | Information System Monitoring Tools and Techniques Control Enhancement | System and Information Integrity |
SI-4 (8) | Information System Monitoring Tools and Techniques Control Enhancement | System and Information Integrity |
SI-4 (9) | Information System Monitoring Tools and Techniques Control Enhancement | System and Information Integrity |
SI-4 (10) | Information System Monitoring Tools and Techniques Control Enhancement | System and Information Integrity |
SI-4 (11) | Information System Monitoring Tools and Techniques Control Enhancement | System and Information Integrity |
OS 6.7 x86_64

Warning: The default system passwords have changed. Please see the User's Guide for details.

2.6.1 Manual Changes Required

• Bugs in the simplib::secure_mountpoints class (formerly common::secure_mountpoints).
  Note: This only affects you if you did not have a separate partition for /tmp.
  - There were issues in the secure_mountpoints class that caused /tmp and /var/tmp to be mounted against the root filesystem. While the new code addresses this, it cannot determine if your system has been modified incorrectly in the past.
  - To fix the issue, you need to do the following:
    1. Unmount /var/tmp (may take multiple unmounts).
    2. Unmount /tmp (may take multiple unmounts).
    3. Remove the bind entries for /tmp and /var/tmp from /etc/fstab.
    4. Run Puppet with the new code in place.

2.6.2 Deprecations

• simp-hiera
  The simp-hiera RPM has been replaced by the upstream hiera package from Puppet Labs. The original simp-hiera fork had been maintained due to a need that the alias function now serves. Please run the hiera_upgrade script to convert your existing SIMP environment. You may also set the environment variable HIERA_UPGRADE to a path of your choice to update any other hieradata that you may have on your system.
• pupmod-simp-common
  The common namespace has been deprecated in favor of the new simplib namespace. This removes a commonl
SIMP Hiera File Structure

/etc/puppet/hiera.yaml: Hiera's config file, used to control the hierarchy of your backends.
/etc/puppet/hieradata: Default location of the YAML files which contain your node data.
/etc/puppet/hieradata/simp_classes.yaml: The list of default classes to include on any SIMP system.
/etc/puppet/hieradata/simp_def.yaml: Contains the variables needed to configure a working SIMP system. Modified by simp config.
/etc/puppet/hieradata/hosts: By populating this directory with a some.host.name.yaml file, you can assign parameters to some.host.name.
/etc/puppet/hieradata/domains: Same principle as hosts, but for domain names.
/etc/puppet/manifests: Contains site.pp and all other node manifests. BE CAREFUL when modifying this directory. site.pp contains your globals. This directory can be used to supplement, or even REPLACE, Hiera with nodes. Note that Hiera cannot regex hostnames to apply manifests, so a node manifest will have to be created here if you wish to have that ability.

SIMP 4.2.0-1

2.6 Changelog

Contents
• Changelog
  - Manual Changes Required
  - Deprecations
  - Significant Updates
  - Upgrade Guidance
  - Expectations
  - Security Announcements
    * CVEs Addressed
  - RPM Updates
  - Fixed Bugs
  - New Features
  - Known Bugs

SIMP 4.2.0-1

Package: 4.2.0-1

This release is known to work with:
• RHEL 6.7 x86_64
• Cent
PXE boot for a different OS, then you must make sure that the OS packages are available through YUM for all systems you are trying to PXE boot. There are notes throughout the instructions to help in setting up multiple OSes, but they are not comprehensive. You should understand the DHCP, Kickstart (KS), YUM and TFTP relationships for PXE booting before attempting this.

Setting Up Kickstart

This section describes how to configure the kickstart server.

1. Locate the following files in the /var/www/ks directory:
   a. pupclient_x86_64.cfg
   b. diskdetect.sh
2. Open each of the files and follow the instructions provided within them to replace the variables. You need to know the IP
   a. pupclient_x86_64.cfg
      1. Note: KSSERVER should be replaced with the Kickstart server IP, not the YUM IP. They are the same if you used the defaults.
      2. In the URL line, use the YUM server IP, not the Kickstart server IP. On a default SIMP system the YUM and Kickstart server are the same server, so this is not a problem.
      3. Use the commands in the comments section at the top of the file to generate the password hashes.
   b. diskdetect.sh
      The diskdetect.sh script is responsible for detecting the first active disk and applying a disk configuration. Edit this file to meet any necessary requirements, or use this file as a starting point for further work. It will work as-is for most systems as long as your disk device na
99. Perl, Lisp, Dylan, Pike, and CLU.
Service Account: An account that is not for use by a human user, but which still requires login access to a host.
SFTP (SSH File Transfer Protocol): A network protocol that provides file access, file transfer, and file management functionalities over any reliable data stream. It was designed by the Internet Engineering Task Force (IETF) as an extension of the Secure Shell protocol (SSH) version 2.0 to provide secure file transfer capability, but is also intended to be usable with other protocols.
SIMP (System Integrity Management Platform): A security framework that sits on top of RHEL or CentOS.
SSH (Secure Shell): An application for secure data communication, remote shell services, or command execution between networked computers. SSH utilizes a server/client model for point-to-point secure communication.
SSL (Secure Sockets Layer): The standard security technology for using PK keys to provide a secure channel between two servers. See also TLS.
Sudosh: An application that acts as an echo logger to enhance the auditing of privileged activities at the command line of the operating system. Utilities are available for playing back sudosh sessions in real time.
TFTP (Trivial File Transfer Protocol): A file transfer protocol generally used for automated transfer of configuration or boot files between machines in a local environment.
TLS (Transport Layer Security): A cryptographic protocol that provides network communicatio
100. Ptables module in the source code; the Apache module at /etc/puppet/modules/apache is a particularly good example. In addition, look at the definitions in the IPtables module to understand their purpose and choose the best option. Refer to the IPtables page of the Developers Guide for a good summary and example code (HTML version only).

3.6.9 svckill.rb
To ensure that the system does not run more services than are required, the svckill.rb script has been implemented to stop any service that is not properly defined in the Puppet catalogue. To prevent services from stopping, refer to the instructions in the My Services Are Dying FAQ section.

3.6.10 GUI
SIMP was designed as a minimized system, but it is likely that the user will want to have a GUI on some of the systems. Refer to the Infrastructure Setup section for information on setting up GUIs for the systems.

3.7 Backing up the Puppet Master
This section details all of the steps required for backing up the Puppet Master.
Note: SIMP by default provides two ways to back up data. They are BackupPC and Git. If there is a different preferred method, the user may install it and configure it first.
Warning: BackupPC may or may not work properly for you on RHEL7 systems. The SIMP team is currently evaluating other options for an inbuilt backup system.
1. Backup /var/lib/puppet/ssl
2. Backup /etc/puppe
101. RRELEASE-ARCH for consistency.

    class site::tftpboot {
      include 'tftpboot'

      tftpboot::linux_model { 'MODEL_NAME':
        kernel => 'OSTYPE-MAJORRELEASE-ARCH/vmlinuz',
        initrd => 'OSTYPE-MAJORRELEASE-ARCH/initrd.img',
        ks     => "http://KSSERVER/ks/pupclient_x86_64.cfg",
        extra  => "ksdevice=bootif\nipappend 2"
      }

      tftpboot::assign_host { 'default':
        model => 'MODEL_NAME'
      }
    }

2. Add the tftpboot site manifest on your puppet server node via Hiera. Create the file (or edit it if it exists) /etc/puppet/environments/simp/hieradata/hosts/<tftp.server.fqdn>.yaml. By default, the TFTP server is the same as your puppet server, so in the default case it will exist. Add the following example code to that yaml file:

    classes:
      - 'site::tftpboot'

3. After updating the above file, type puppet agent -t --tags tftpboot on the Puppet server.
Note: To PXE boot more OSs, create in the tftpboot.pp file a tftpboot::linux_model block for each OS type, using the extra directories and kickstart files created using the notes in previous sections. Point individual systems to them by adding assign_host lines with their MAC pointing to the appropriate model name.

3.3.6 Setting Up the Client
The following lists the steps to PXE boot the system and set up the client.
1. Set up your client's BIOS or virtual settings to boot off the network.
102. SE_ARCH directory, where OSTYPE and MAJORRELEASE under linux-install are the OS type and OS major version of the systems you will be PXE booting. Under this directory you should find a directory named OSTYPE-MAJORRELEASE.MINORRELEASE-ARCH and a link to this directory named OSTYPE-MAJORRELEASE-ARCH. Under OSTYPE-MAJORRELEASE.MINORRELEASE-ARCH you should find the files:
- initrd.img
- vmlinuz
If these are not there, then you must create the directories as needed and copy the files from /var/www/yum/OSTYPE/MAJORRELEASE/ARCH/images/pxeboot or from the images directory on the SIMP DVD.
Important: The link is what is used in the TFTP configuration files.
Note: If you want to be able to PXE boot different OSs, then add a directory for each one, obtain the pxeboot images, and copy them under the linux-install directory. SIMP only provides images for the OS of the SIMP server.

Manifest
Create a site manifest for the TFTP server on the Puppet server.
1. Create the file /etc/puppet/environment/simp/modules/site/manifests/tftpboot.pp. Use the source code below.
   a. Replace KSSERVER with the IP address of the Kickstart server, or the code to look up the IP address using Hiera.
   b. Replace OSTYPE, MAJORRELEASE, and ARCH with the correct values for the systems you will be PXE booting.
   c. MODEL NAME is usually of the form OSTYPE-MAJO
103. Control ID | Control Name | Control Family | SIMP Implementation Method
SI-4.1 | Information System Monitoring Tools and Techniques Control Enhancement | System and Information Integrity |
SI-4.2 | Information System Monitoring Tools and Techniques Control Enhancement | System and Information Integrity |
SI-4.3 | Information System Monitoring Tools and Techniques Control Enhancement | System and Information Integrity |
SI-4.4 | Information System Monitoring Tools and Techniques Control Enhancement | System and Information Integrity |
SI-4.5 | Information System Monitoring Tools and Techniques Control Enhancement | System and Information Integrity |
SI-4.6 | Information System Monitoring Tools and Techniques Control Enhancement | System and Information Integrity |
SI-4.7 | Information System Monitoring Tools and Techniques Control Enhancement | System and Information Integrity |
SI-4.8 | Information System Monitoring Tools and Techniques Control Enhancement | System and Information Integrity |
SI-4.9 | Information System Monitoring Tools and Techniques Control Enhan
104. SIMP Documentation, Release 0.0
THE SIMP TEAM
December 17, 2015

Contents
1 Changelog 3
  1.1 Manual Changes Required 3
  1.2 Deprecations 4
  1.3 Significant Updates 4
  1.4 Upgrade Guidance 5
  1.5 Security Announcements 6
  1.6 RPM Updates 6
  1.7 Fixed Bugs 6
  1.8 New Features 9
  1.9 Known Bugs 12
2 SIMP Installation Guide 13
  2.1 Introduction 13
  2.2 SIMP Server Installation 14
  2.3 Client Management 16
  2.4 Apply Certificates 20
  2.5 Hiera Overview 22
  2.6 Changelog 24
  2.7 Glossary of Terms 33
  2.8 Installation Miscellany 37
  2.9 Appendices and Tables
105. SSD is used by default on EL7 systems, since nscd and nslcd have functionality issues.
- Removed all reliance on the lsb facts, since some users do not wish to install the prerequisite RPMs for LSB compliance.
pupmod-ssh
- Modernized the Ciphers, MACs, and Kex. Added explicit cases for FIPS and non-FIPS mode, as well as reasonable default cases for RHEL7 and below.
- Updated to use the new augeasproviders module dependencies.
- Added a function, ssh_format_host_entry_for_sorting, that will properly sort SSH Host entries for inclusion with concat.
pupmod-stunnel
- Had a variable $options in stunnel.erb that should have been scoped as @options.
pupmod-sudo
- Removed all reliance on the lsb facts, since some users do not wish to install the prerequisite RPMs for LSB compliance.
pupmod-sudosh
- Changed the call to the rsyslog init script to the service command, to seamlessly support both RHEL6 and RHEL7.
pupmod-sysctl
- Removed support for the old parsed file provider and moved to using the new Augeas-based provider.
pupmod-tftpboot
- Purging of non-Puppet-managed items in pxelinux.cfg is now optional.
pupmod-simp-tpm
- IMA is disabled by default.
simp-gpgkeys
- Ensure that the keys are set in the correct locations for the target SIMP distribution.
simp-rsync
- Removed spurious install messages.
simp-util
- Fixed
106. ...tem Services | System and Service Acquisition |
SA-9.1 | External Information System Services Control Enhancement | System and Service Acquisition |
SA-10 | Developer Configuration Management | System and Service Acquisition |
SA-10.1 | Developer Configuration Management Control Enhancement | System and Service Acquisition |
SA-10.2 | Developer Configuration Management Control Enhancement | System and Service Acquisition |
SA-11 | Developer Security Testing | System and Service Acquisition |
SA-11.1 | Developer Security Testing Control Enhancement | System and Service Acquisition |
SA-11.2 | Developer Security Testing Control Enhancement | System and Service Acquisition |
SA-11.3 | Developer Security Testing Control Enhancement | System and Service Acquisition |
SA-12 | Supply Chain Protection | System and Service Acquisition |
SA-12.1 | Supply Chain Protection Control Enhancement | System and Service Acquisition |
SA-12.2 | Supply Chain Protection Control Enhancement | System and Service Acquisition |
SA-12.3 | Supply Chain Protection Control Enhancement | System and Service Acquisition |
SA-12.4 | Supply Chain Protection Control Enhancement | System and Service Acquisition |
...Components Control Enhancement | ...sition
Control ID | Control Name | Contr
107. ...Techniques Control Enhancement | System and Communications Protection |
SC-31 | Covert Channel Analysis | System and Communications Protection |
SC-31.1 | Covert Channel Analysis Control Enhancement | System and Communications Protection |
SC-32 | Information System Partitioning | System and Communications Protection |
SC-33 | Transmission Preparation Integrity | System and Communications Protection |
SC-34 | Non-modifiable Executable Programs | System and Communications Protection |
SC-34.1 | Non-modifiable Executable Programs Control Enhancement | System and Communications Protection |
SC-34.2 | Non-modifiable Executable Programs Control Enhancement | System and Communications Protection |

Table: SIMP SCTM, SIMP SCTM Operational Controls
Control ID | Control Name | Control Family | SIMP Implementation Method
AT-1 | Security Awareness and Training Policy and Procedures | Awareness and Training |
AT-2.1 | Security Awareness Control Enhancement | Awareness and Training |
AT-3 | Security Training | Awareness and Training |
AT-3.1 | Security Training Control Enhancement | Awareness and Training |
AT-3.2 | Security Training Control Enhancement | Awareness and Training |
108. The simp-hiera RPM has been replaced by the upstream hiera package from Puppet Labs. The original simp-hiera fork had been maintained due to a need that the alias() function now serves. Please run the hiera_upgrade script to convert your existing SIMP environment. You may also set the environment variable HIERA_UPGRADE to a path of your choice to update any other hieradata that you may have on your system.
pupmod-simp-common
The common namespace has been deprecated in favor of the new simplib namespace. This removes a commonly conflicting module name from the SIMP ecosystem. You will need to run the migrate_to_simplib script to update all of the relevant files. This script will only migrate items in the existing SIMP environment. You may also set the environment variable UPGRADE_PATHS to run the script on multiple external paths. All code was migrated.
pupmod-simp-functions
The functions namespace has been deprecated in favor of the new simplib namespace. This removes a commonly conflicting module name from the SIMP ecosystem. You will need to run the migrate_to_simplib script to update all of the relevant files. This script will only migrate items in the existing SIMP environment. You may also set the environment variable UPGRADE_PATHS to run the script on multiple external paths. The following items were not migrated:
- append_if_no_such_line -> Use simp_file_line
- delete_lines -> Use augeas
- init_mo
109. VNC Standard Setup
Note: You must have the pupmod-vnc RPM installed to use VNC on your system.
To enable remote access via VNC on the system, include vnc::server in Hiera for the node. The default VNC setup that comes with SIMP can only be used over SSH and includes three default settings:
Setting Type | Setting Details
Standard | Port: 5901, Resolution: 1024x768@16
Low Resolution | Port: 5902, Resolution: 800x600@16
High Resolution | Port: 5903, Resolution: 1280x1024@16
Table: VNC Default Settings
To connect to any of these settings, SSH into the system running the VNC server and provide a tunnel to 127.0.0.1:<VNC Port>. Refer to the SSH client's documentation for specific instructions. To set up additional VNC port settings, refer to the code in /etc/puppet/modules/vnc/manifests/server.pp for examples.
Important: Multiple users can log on to the same system at the same time with no adverse effects; however, none of these sessions are persistent. To maintain a persistent VNC session, use the vncserver application on the remote host. Type man vncserver to reference the manual for additional details.

3.9.2 VNC Through a Proxy
This section describes the process to VNC through a proxy. This setup provides the user with a persistent VNC session.
Important: In order for this setup to work, the system must have a VNC server
110. _64/globus-gss-as
globus-gssapi-gsi-11.22-1.el6.x86_64.rpm  http://mirror.cogentco.com/pub/linux/epel/6/x86_64/globus-gssap
globus-openssl-module-4.6-2.el6.x86_64.rpm  http://mirror.cogentco.com/pub/linux/epel/6/x86_64/globus-opens
gpxe-bootimgs-0.9.7-6.14.el6.noarch.rpm  http://mirror.ash.fastserv.com/pub/linux/centos/6.7/os/x86_64/Pac
gpxe-roms-qemu-0.9.7-6.14.el6.noarch.rpm  http://mirror.ash.fastserv.com/pub/linux/centos/6.7/os/x86_64/Pac
gweb-2.1.8-1.noarch.rpm  https://dl.bintray.com/simp/4.2.X-Ext/gweb-2.1.8-1.noarch.rpm
haveged-1.9.1-2.el6.x86_64.rpm  http://lug.mtu.edu/epel/6/x86_64/haveged-1.9.1-2.el6.x86_64.rpm
hiera-3.0.2-1.el6.noarch.rpm  https://dl.bintray.com/simp/4.2.X/hiera-3.0.2-1.el6.noarch.rpm
hmaccalc-0.9.12-2.el6.x86_64.rpm  http://mirror.ash.fastserv.com/pub/linux/centos/6.7/os/x86_64/Pac
incron-0.5.9-1.el6.x86_64.rpm  http://mirror.cogentco.com/pub/linux/epel/6/x86_64/incron-0.5.9
java-1.7.0-openjdk-1.7.0.85-2.6.1.3.el6_7.x86_64.rpm  http://mirror.cs.vt.edu/pub/CentOS/6.7/updates/x86_64/Packages
java-1.7.0-openjdk-demo-1.7.0.85-2.6.1.3.el6_7.x86_64.rpm  http://mirror.cs.vt.edu/pub/CentOS/6.7/updates/x86_64/Packages
java-1.7.0-openjdk-devel-1.7.0.85-2.6.1.3.el6_7.x86_64.rpm  http://mirror.cs.vt.edu/pub/CentOS/6.7/updates/x86_64/Packages
java-1.7.0-openjdk-src-1.7.0.85-2.6.1.3.el6_7.x86_64.rpm  http://mirror.cs.vt.edu/pub/CentOS/6.7/update
111. _group,
        home       => $_svc_account_homedir,
        managehome => true,
        shell      => '/bin/bash'
      }

      file { "${_svc_account_homedir}/.ssh":
        ensure => 'directory',
        owner  => $_svc_account_user,
        group  => $_svc_account_group,
        mode   => '0700'
      }

      ssh_authorized_key { $_svc_account_user:
        type    => 'ssh-rsa',
        key     => $_svc_account_ssh_public_key,
        target  => "${_svc_account_homedir}/.ssh/authorized_keys",
        require => [
          File["${_svc_account_homedir}/.ssh"],
          User[$_svc_account_user]
        ]
      }

      file { "${_svc_account_homedir}/.ssh/id_rsa":
        mode    => '0600',
        owner   => $_svc_account_user,
        group   => $_svc_account_group,
        content => $_svc_account_ssh_private_key
      }

      file { "/etc/ssh/local_keys/${_svc_account_user}":
        owner  => 'root',
        group  => $_svc_account_group,
        mode   => '0644',
        source => "puppet:///site/ssh_autokeys/${_svc_account_user}.pub"
      }

      sudo::user_specification { $_svc_account_user:
        user_list => $_svc_account_group,
        host_list => $::fqdn,
        runas     => 'root',
        cmnd      => '/bin/cat /var/log/app.log',
        passwd    => false
      }

      # Allow this service account from everywhere
      pam::access::manage { "Allow ${_svc_account_user}":
        users   => $_svc_account_user,
        origins => ['ALL']
      }
    }

Local User Account

    class site::service_account {
      include 'ssh'

      $_local_account_user = 'localuser'
      $_local_accou
112. ...al and Environmental Control Enhancement | Physical and Environmental Protection |
Control ID | Control Name | Control Family | SIMP Implementation Method
PE-3.5 | Physical Access Control Control Enhancement | Physical and Environmental Protection |
PE-3.6 | Physical Access Control Control Enhancement | Physical and Environmental Protection |
PE-4 | Access Control for Transmission Medium | Physical and Environmental Protection |
PE-5 | Access Control for Output Devices | Physical and Environmental Protection |
PE-6 | Monitoring Physical Access | Physical and Environmental Protection |
PE-6.1 | Monitoring Physical Access Control Enhancement | Physical and Environmental Protection |
PE-6.2 | Monitoring Physical Access Control Enhancement | Physical and Environmental Protection |
PE-7 | Visitor Control | Physical and Environmental Protection |
PE-7.1 | Visitor Control Control Enhancement | Physical and Environmental Protection |
PE-7.2 | Visitor Control Control Enhancement | Physical and Environmental Protection |
PE-8 | Access Records | Physical and Environmental Protection |
PE-8.1 | Access Records Control Enhancement | Physical and Environmental Protection |
PE-8.2 | Access Records Control Enhancement | Physical and Environmental Protection |
PE-9 | Power E
113. ...al services or modules that do not use SSH or SSL. The SIMP Security Concepts document details the default allowed protocols and the mechanisms in place to protect them. It's also worth noting that the SIMP team has taken every measure possible to remove encryption ciphers available to operating system applications. In the event this breaks an application, implementations might have to add those ciphers back.
SC-8.1 | Transmission Integrity Control Enhancement | System and Communications Protection | With the exception of the services needed for kickstart, most communications within SIMP are protected by SSH or SSL. Implementations can add additional services or modules that do not use SSH or SSL. The SIMP Security Concepts document details the default allowed protocols and the mechanisms in place to protect them. It's also worth noting that the SIMP team has taken every measure possible to remove encryption ciphers available to operating system applications. In the event this breaks an application, implementations might have to add those ciphers back.
SC-8.2 | Transmission Integrity Control Enhancement | System and Communications Protection |
Control ID | Control Name | Control Family | SIMP Implement
114. ...ancement | Configuration Management |
CM-5.5 | Access Restrictions for Change Control Enhancement | Configuration Management |
Control ID | Control Name | Control Family | SIMP Implementation Method
CM-5.6 | Access Restrictions for Change Control Enhancement | Configuration Management |
CM-5.7 | Access Restrictions for Change Control Enhancement | Configuration Management | Most of the critical files that are managed by puppet cannot be permanently changed on a puppet client without disabling puppet and rsync. If they are changed, puppet will revert them back to their original state.
CM-6 | Configuration Settings | Configuration Management | Part d of this control is met by SIMP. The others are not. SIMP uses puppet to monitor changes to configuration settings. If changes to puppet-controlled settings are manually made, they revert back to their original state.
CM-6.1 | Configuration Settings Control Enhancement | Configuration Management | The puppet master is the central point of management for a SIMP system. While not required, the puppet master usually hosts a kickstart server so that clients are built the same every time.
CM-6.2 | Configuration Settings Control En
115. ...and more repeatable.
Important: Correct time across all systems is important to the proper functioning of SIMP and Puppet in general. If a user has trouble connecting to the Puppet server and errors regarding certificate validation appear, check the Puppet server and client times to ensure they are synchronized.
Warning: Keep in mind as the installation process begins that Puppet does not work well with capital letters in host names. Therefore, they should not be used.

2.2.3 SIMP Default Passwords and Settings
Below is a table containing the default passwords found on a basic SIMP server.
Important: All default passwords should be changed during the initial configuration process.
Table: SIMP Default Passwords
Utility | Password
Grub | GrubPassword
Root User | RootPassword
Simp User | UserPassword
A table of settings that can be changed/defined during installation is located in Appendix B, List of Installation Variables. Review this if you are unfamiliar with SIMP.

2.2.4 Preparing the SIMP Server Environment
1. Boot the system and ensure the SIMP ISO is selected. Press Enter to run the standard SIMP install, or choose from the customized options list. When the installation is complete, the system will restart automatically. Log on as root and type the default password shown in Table 2.1. Type the defa
116. ...and will allow logins via SSH even if your password has expired. This has been noted by Red Hat and is in the pipeline.
- If you are running libvirtd when svckill runs, it will always attempt to kill dnsmasq unless you are deliberately trying to run the dnsmasq service. This does not actually kill the service, but is instead an error of the startup script and causes no damage to your system.

2.7 Glossary of Terms
Note: Many terms here have been reproduced from various locations across the Internet and are governed by the licenses surrounding the source material. Please see the reference links for specifics on usage and reproducibility.
ACL (Access Control List): A list of permissions attached to an object. An ACL specifies which users or system processes are granted access to objects, as well as what operations are allowed on given objects. Each entry in a typical ACL specifies a subject and an operation.
AIDE (Advanced Intrusion Detection Environment): An intrusion detection system for checking the integrity of files under Linux. AIDE can be used to help track file integrity by comparing a snapshot of the system's files prior to and after a suspected incident. It is maintained by Rami Lehti and Pablo Virolainen.
Auditd: The userspace component to the Linux Auditing System. It is responsible for writing audit records to the disk. Viewing the logs is done with the ausearch or aureport utilities. Configuring the audit rules is done with the audit
117. ...as been corrected.
- General usability improvements.
DVD
- A default IP is no longer provided when booting from the ISO; simp config will set the network properly.
- The default kickstart no longer attempts to chkconfig any services in the %post section.

2.6.8 New Features
- pupmod-auditd: Completely overhauled the module with a focus on better acceptance testing and format compliance.
- pupmod-augeasproviders: This was updated to 2.1.3. The update to 2.1.3 caused the addition of all of the pupmod-augeasproviders modules below.
- augeasproviders_apache: Imported 2.1.3 to support the Augeasproviders stack.
- augeasproviders_base: Imported 2.1.3 to support the Augeasproviders stack.
- augeasproviders_core: Imported 2.1.3 to support the Augeasproviders stack.
- augeasproviders_grub: Imported 2.1.3 to support the Augeasproviders stack.
- augeasproviders_mounttab: Imported 2.1.3 to support the Augeasproviders stack.
- augeasproviders_nagios: Imported 2.1.3 to support the Augeasproviders stack.
- augeasproviders_pam: Imported 2.1.3 to support the Augeasproviders stack.
- augeasproviders_postgresql: Imported 2.1.3 to support the Augeasproviders stack.
- augeasproviders_puppet: Imported 2.1.3 to support the Augeasproviders stack.
- augeasproviders_shellvar: Imported 2.1.3 to support the Augeasprovid
118. ...ash from slappasswd>
Type ldapadd -Z -x -W -D "cn=LDAPAdmin,ou=People,dc=your,dc=domain" -f /root/ldifs/adduser.ldif
Ensure that an administrative account is created as soon as the SIMP system has been properly configured. Administrative accounts should belong to the administrators LDAP group (gidNumber 700). Members of this LDAP group can utilize sudo sudosh for privilege escalation.
Note: The pwdReset: TRUE command causes the user to change the assigned password at the next login. This command is useful to pre-generate the password first and change it at a later time. This command appears to be broken in some versions of nss_ldap. Therefore, to avoid future issues, set shadowLastChange to a value around 10000.

Adding Users Without a Password
Create a /root/ldifs directory and add the following information to the /root/ldifs/adduser.ldif file. Replace the information within <> with the installed system's information.
Example ldif example to add a user:

    dn: uid=<User UID>,ou=People,dc=your,dc=domain
    uid: <User UID>
    cn: <User UID>
    objectClass: account
    objectClass: posixAccount
    objectClass: top
    objectClass: shadowAccount
    objectClass: ldapPublicKey
    sshPublicKey: <User SSH Public Key>
    loginShell: /bin/bash
    uidNumber: <User UID Number>
    gidNumber: <User Prima
119. ...ates/x86_64/Packages
glibc-static-2.12-1.166.el6_7.1.i686.rpm  http://mirror.cs.vt.edu/pub/CentOS/6.7/updates/x86_64/Packages
glibc-utils-2.12-1.166.el6_7.1.x86_64.rpm  http://mirror.cs.vt.edu/pub/CentOS/6.7/updates/x86_64/Packages
glibc-2.12-1.166.el6_7.1.i686.rpm  http://mirror.cs.vt.edu/pub/CentOS/6.7/updates/x86_64/Packages
globus-callout-3.13-2.el6.x86_64.rpm  http://mirror.cogentco.com/pub/linux/epel/6/x86_64/globus-callou
globus-common-15.30-1.el6.x86_64.rpm  http://mirror.cogentco.com/pub/linux/epel/6/x86_64/globus-comm
globus-gsi-callback-5.8-1.el6.x86_64.rpm  http://mirror.cogentco.com/pub/linux/epel/6/x86_64/globus-gsi-ca
globus-gsi-cert-utils-9.11-1.el6.x86_64.rpm  http://mirror.cogentco.com/pub/linux/epel/6/x86_64/globus-gsi-ce
globus-gsi-credential-7.9-1.el6.x86_64.rpm  http://mirror.cogentco.com/pub/linux/epel/6/x86_64/globus-gsi-cr
globus-gsi-openssl-error-3.5-2.el6.x86_64.rpm  http://mirror.cogentco.com/pub/linux/epel/6/x86_64/globus-gsi-op
globus-gsi-proxy-core-7.7-2.el6.x86_64.rpm  http://mirror.cogentco.com/pub/linux/epel/6/x86_64/globus-gsi-pr
globus-gsi-proxy-ssl-5.7-2.el6.x86_64.rpm  http://mirror.cogentco.com/pub/linux/epel/6/x86_64/globus-gsi-pr
globus-gsi-sysconfig-6.8-2.el6.x86_64.rpm  http://mirror.cogentco.com/pub/linux/epel/6/x86_64/globus-gsi-sy
globus-gss-assist-10.15-1.el6.x86_64.rpm  http://mirror.cogentco.com/pub/linux/epel/6/x86
120. ...ation Method
SC-9 | Transmission Confidentiality | System and Communications Protection | With the exception of the services needed for kickstart, most communications within SIMP are protected by SSH or SSL. Implementations can add additional services or modules that do not use SSH or SSL. The SIMP Security Concepts document details the default allowed protocols and the mechanisms in place to protect them. It's also worth noting that the SIMP team has taken every measure possible to remove encryption ciphers available to operating system applications. In the event this breaks an application, implementations might have to add those ciphers back.
SC-9.1 | Transmission Confidentiality Control Enhancement | System and Communications Protection | With the exception of the services needed for kickstart, most communications within SIMP are protected by SSH or SSL. Implementations can add additional services or modules that do not use SSH or SSL. The SIMP Security Concepts document details the default allowed protocols and the mechanisms in place to protect them. It's also worth noting that the SIMP team has taken every measure possible to remove encryption ciphers available to operating system applications. In the event this breaks an application, implementations might have to add those ciphers back.
SC-9.2 | Transmission Confidentiality Control Enhancement | System an
121. ...ation mechanisms used within SIMP are all resistant to replay attacks by default. Known vulnerabilities can occur in the protocols. As they are known, vendors release patches which must then be applied by the implementation. Privileged accounts use the same protocols as unprivileged accounts.
Control ID | Control Name | Control Family | SIMP Implementation Method
IA-2.9 | User Identification and Authentication (Organizational Users) Control Enhancement | Identification and Authentication | The authentication mechanisms used within SIMP are all resistant to replay attacks by default. Known vulnerabilities can occur in the protocols. As they are known, vendors release patches which must then be applied by the implementation.
IA-3 | Device Identification and Authentication | Identification and Authentication | Identification of each puppet client occurs before an IP address can be assigned. This is controlled using DHCP; each client must have an address bound by MAC address. Device identification and authentication with puppet occurs using SSL certificates. The clients must each have an SSL certificate installed to establish a valid session with the puppet master.
IA-3.1 | Device Identification and
122. ...ator must register principals with the KDC.

Create the Admin Principal
The first principal to be registered is an admin principal that manages the environment, since it is in the admin group. This principal must be created on the KDC system. Before creating the admin principal, the user must first create an Access Control List (ACL). To accomplish this, add the following Puppet code to the site manifest for the KDC system. If a custom implementation of Kerberos is being used, changes may need to be made to the code.
Code for Creating an Admin Principal:

    kerberos::krb5_acl { "${::domain}_admin":
      principal      => "*/admin@${::domain}",
      operation_mask => '*'
    }

The table below lists the steps to create an admin principal that is appropriate for common organizations. These steps should be accomplished after creating the ACL by using the code provided in the previous example.
1. After using the code from the previous example, run puppet agent -t to allow the changes to take effect.
2. To finish creating the principal, type /usr/bin/kadmin.local -r <Your Domain> -q "addprinc <User Name>/admin".
   Note: By following this step, all features of the admin principal can be used remotely.
3. To load the principal, type /usr/bin/kinit <User Name>/admin.
Table: Creating the Admin Principal Procedure

Create the Host Principa
- augeasproviders_ssh: Imported 2.1.3 to support the Augeasproviders stack.
- augeasproviders_sysctl: Imported 2.1.3 to support the Augeasproviders stack.
- pupmod-augeasproviders: This was updated to 2.1.3. The update to 2.1.3 caused the addition of all of the pupmod-augeasproviders modules below.
- pupmod-cgroups: Added acceptance tests.
- pupmod-common: Deprecated. Replaced by pupmod-simplib.
- pupmod-simplib: Created the parse_hosts function. Added full tests for evaluating the ability to toggle FIPS mode.
- pupmod-kibana: Add Kibana dashboards to the Kibana module. Allows users to apply default SIMP Kibana Dashboards.
- pupmod-logstash: Integrated the SIMP and Electrical Logstash modules. Changes the existing Logstash module to allow users to apply default SIMP filters.
- pupmod-richardc-datacat: Incorporated the richardc/datacat module into the core for user convenience.
- pupmod-freeradius: Split the Freeradius module based on version so that it can be properly selected against the installed version of Freeradius. This may take two runs to coalesce.
- pupmod-puppetlabs-inifile: Updated to version 1.2.0.
- pupmod-puppetlabs-puppetdb: Updated to version 5.0.0.0.
- pupmod-simp-kibana: Add Kibana dashboards to the Kibana module. Allows users to apply default SIMP Kibana Dashboards.
- pupmod-simp-logstash
be more readable. Updated documentation relating to user management and user key management using SSH. Rebranded the documentation and updated the color scheme. Updated the default system passwords.
- pupmod-vsftpd: Completely refactored to meet the new module layout guidance. The user and group are now able to be modified from the defaults. Added a full suite of Beaker tests.
- simp-utils: simp config was rewritten to allow for new features and flexibility. Now provided as a Ruby gem (simp-cli).
- simp-doc: Removed several obsolete sections and cleaned up a great deal of the language.
- simp-rsync: Content has been restructured to eliminate licensing conflicts. ClamAV has been refactored into a separate GPL package.
- pupmod-simp-rsyslog: Module has been rewritten to support rsyslog 7.4.

Facter 2.4

Facter now returns the following facts as their actual boolean or integer values instead of converting them into strings: activeprocessorcount, is_virtual, mtu_<INTERFACE>, physicalprocessorcount, processorcount, selinux_enforced, selinux, sp_number_processors, sp_packages.

Mcollective

Mcollective is now available to be installed and used with SIMP. It uses SSL/TLS along with user certificates for proper encryption and authentication.

PuppetDB

PuppetDB is now supported by SIMP and installed by default. P
ble lists the steps for a local setup.

1. Navigate to /srv/rsync/bind_dns.
2. Modify the named files to correctly reflect the environment. At a minimum, the following files under /srv/rsync/bind_dns/default should be edited:
   - named/etc/named.conf
   - named/etc/zones/your.domain
   - named/var/named/forward/your.domain.db
   - named/var/named/reverse/0.0.10.db
   Important: For the named/var/named/forward/your.domain.db and named/var/named/reverse/0.0.10.db files, add clients as needed. Make sure to rename both of these files to more appropriately match your system configuration.
   - At a minimum, review named/etc/named.conf and check/update the following:
     - Update the IP for allow-query and allow-recursion.
     - Delete any unnecessary zone stanzas (i.e. forwarding) if not necessary.
     - Substitute in the FQDN of your domain for all occurrences of your.domain.
3. Type `puppet agent -t --tags named` on the Puppet Master to apply the changes. Validate DNS and ensure that /etc/resolv.conf is updated appropriately.
4. If an error about the rndc.key appears when starting bind, copy the rndc.key to /etc, then re-run the puppet command:

    cp -p /var/named/chroot/etc/rndc.key /etc/rndc.key

2.3.4 Configure DHCP

Perform the following actions as root on the Puppet Master system prior to attempting to install a client. Open the /srv/rsync/dhcpd/dhcpd.conf file and edit it to
boot

    tftpboot::linux_model { 'MODEL NAME':
      kernel => 'OSTYPE-MAJORRELEASE-ARCH/vmlinuz',
      initrd => 'OSTYPE-MAJORRELEASE-ARCH/initrd.img',
      ks     => "http://KSSERVER/ks/pupclient_x86_64.cfg",
      extra  => "ksdevice=bootif\nipappend 2"
    }

    tftpboot::assign_host { 'default': model => 'MODEL NAME' }

2. Add the tftpboot site manifest on your puppet server node via Hiera. Create the file (or edit it if it exists) /etc/puppet/environments/simp/hieradata/hosts/<tftp.server.fqdn>.yaml. By default the TFTP server is the same as your puppet server, so in the default case it will exist. Add the following example code to that yaml file:

    classes:
      - 'site::tftpboot'

3. After updating the above file, type `puppet agent -t --tags tftpboot` on the Puppet server.

Note: To PXE boot more OSs, create in the tftpboot.pp file a tftpboot::linux_model block for each OS type, using the extra directories and kickstart files created using the notes in previous sections. Point individual systems to them by adding assign_host lines with their MAC pointing to the appropriate model name.

2.3.6 Setting Up the Client

The following lists the steps to PXE boot the system and set up the client.

1. Set up your client's BIOS or virtual settings to boot off the network. Make sure the MAC address of the client is set up in DHCP (see Config
c/hosts (LSPP), /etc/sysconfig (LSPP), /etc/inittab (LSPP), /etc/grub (LSPP), /etc/rc.d (LSPP), /etc/ld.so.conf (LSPP), /etc/localtime (LSPP), /etc/sysctl.conf (LSPP), /etc/modprobe.d/00_simp_blacklist.conf (LSPP), /etc/pam.d (LSPP), /etc/security (LSPP), /etc/aliases (LSPP), /etc/postfix (LSPP), /etc/ssh/sshd_config (LSPP), /etc/ssh/ssh_config (LSPP), /etc/stunnel (LSPP), /etc/vsftpd/ftpusers (LSPP), /etc/vsftpd (LSPP), /etc/issue (LSPP), /etc/issue.net (LSPP), /etc/cups (LSPP), /var/log and httpd.

4.5.2 Audit Rules

For audit 1.6.5 and higher:

    # Ignore errors. This may sound counterintuitive, but we'd rather skip
    # bad rules and load the rest than miss half the file. Warnings are
    # still logged in the daemon restart output.
    -i

    # Remove any existing rules
    -D

    # Continue loading rules on failure. Particularly with the automatically
    # generated nature of these rules in Puppet, it is possible that one or
    # more may fail to load. We want to continue in that case so that we
    # audit as much as possible.
    -c

    # Increase buffer size to handle the increased number of messages.
    # Feel free to increase this if the machine panics.
    # Default: 8192
    -b 16394

    # Set failure mode to panic
    # Default: 2
    -f 2

    # Rate limit messages
    # Default: 0
    # If you set this to non-zero you almost definitely want to set -f to 1 above.
    -r 0

    # Get rid of all anonymous
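As an added example (not part of the SIMP documentation), the following Python script checks the control-option header of an auditd rules file of the kind shown above against the guidance in its own comments: the loading flags (-i, -D, -c) are present, the buffer is not below the stated default, and a non-zero rate limit (-r) is not combined with the panic failure mode (-f 2). The rules text is constructed here for the demonstration.

```python
"""Lint the auditctl control options at the top of an audit.rules file.

The header discussed above pairs -f 2 (panic on failure) with -r 0 and
warns that a non-zero -r should instead be paired with -f 1: when the
rate limit is exceeded the kernel counts the event as lost and applies
the failure action, so panic mode would take the host down.
"""
import shlex

# Constructed sample modelled on the header shown in the section above.
SAMPLE_RULES = """\
# Ignore errors
-i
# Remove any existing rules
-D
# Continue loading rules on failure
-c
# Increase buffer size
-b 16394
# Set failure mode to panic
-f 2
# Rate limit messages
-r 0
# A watch rule: not a control option, so the linter ignores it
-w /etc/ssh/sshd_config -p wa -k LSPP
"""

# auditctl control options (as opposed to -w watch and -a/-A syscall rules).
CONTROL_FLAGS = {"-i", "-D", "-c", "-b", "-f", "-r", "-e"}

# Kernel defaults used when an option is absent from the file:
# backlog buffer 8192 (as the header states), failure mode 1 (printk).
DEFAULT_BACKLOG = 8192
DEFAULT_FAILURE_MODE = 1


def parse_control_options(text):
    """Return {flag: value-or-None} for every control option in the file.

    Comments and blank lines are dropped; watch and syscall rules are skipped.
    """
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = shlex.split(line)
        if tokens[0] in CONTROL_FLAGS:
            opts[tokens[0]] = tokens[1] if len(tokens) > 1 else None
    return opts


def lint_control_options(opts):
    """Return a list of findings; an empty list means the header is consistent."""
    findings = []
    # Without -i/-c a single bad generated rule stops the whole load;
    # without -D stale rules from a previous load survive.
    for flag in ("-i", "-D", "-c"):
        if flag not in opts:
            findings.append(f"{flag} missing: rule loading is not resilient")
    backlog = int(opts.get("-b") or DEFAULT_BACKLOG)
    if backlog < DEFAULT_BACKLOG:
        findings.append(f"-b {backlog} is below the default of {DEFAULT_BACKLOG}")
    failure_mode = int(opts.get("-f") or DEFAULT_FAILURE_MODE)
    if failure_mode not in (0, 1, 2):
        findings.append(f"-f {failure_mode} is not a valid failure mode (0, 1 or 2)")
    rate_limit = int(opts.get("-r") or 0)
    if rate_limit != 0 and failure_mode == 2:
        findings.append(
            f"-r {rate_limit} with -f 2: rate-limited events count as lost and "
            "trigger a panic; set -f 1 as the header advises"
        )
    return findings


if __name__ == "__main__":
    for finding in lint_control_options(parse_control_options(SAMPLE_RULES)) or ["ok"]:
        print(finding)
```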
cation (AC-14).

Service/Application | Rationale
TFTP | TFTP is a simple file transfer application that, in the SIMP environment, does not allow for writing to the files being accessed. This application is primarily used to support the Preboot Execution Environment (PXE) booting of hosts and the updating of network devices. There is no option to authenticate systems at this level by protocol design. TFTP is limited to a user's local subnet using IPTables and is enforced additionally with TCPWrappers.
DHCP | By default, system IP addresses are not pooled but are rather statically assigned to a client, which is identified by the MAC address. DHCP is limited to the local subnet.
Apache/YUM | RPMs are stored in a directory for systems to use for both kickstart and package updating. Sensitive information should never be stored here. Apache/YUM is limited to the local subnet.
DNS | The DNS protocol does not require identification nor authentication. DNS is limited to the local subnet.
Table: Actions Without Identification and Authentication

4.2.14 Security Attributes

SELinux is now available in SIMP. SELinux is an implementation of mandatory access control. It can be set to enforcing mode during the SIMP configuration or turned on at a later time. All of the SIMP packaged modules have been designed to work with SELinux set to enforcing (AC-16).

4.2.15 Remot
cations can be installed, but new services will not run unless first registered with puppet. Additionally, puppet modules must be modified to ensure that IPTables opens up the necessary services. Minimally, for a service to remain active it must be registered with puppet or the svckill.rb script will stop it. To be clear, there is nothing in SIMP that prevents the installation of RPMs from the command line or YUM.
CM-7(3) | Least Functionality Control Enhancement | Configuration Management | The registration process for ports, protocols and services is handled via puppet.
CM-8 | Information System Component Inventory | Configuration Management |
CM-8(1) | Information System Component Inventory Control Enhancement | Configuration Management |
CM-8(2) | Information System Component Inventory Control Enhancement | Configuration Management | To the extent possible, puppet tracks clients that are within its control. It's not meant to be a true inventory mechanism.

Table 4.4 (continued from previous page)
Control ID | Control Name | Control Family | SIMP Implementation Method
CM-8(3) | Information System Component Inventory Control Enhanc
cement
SI-4(10) | Information System Monitoring Tools and Techniques Control Enhancement | System and Information Integrity |
SI-4(11) | Information System Monitoring Tools and Techniques Control Enhancement | System and Information Integrity |
SI-4(12) | Information System Monitoring Tools and Techniques Control Enhancement | System and Information Integrity |
SI-4(13) | Information System Monitoring Tools and Techniques Control Enhancement | System and Information Integrity |
SI-4(14) | Information System Monitoring Tools and Techniques Control Enhancement | System and Information Integrity |

Table 4.5 (continued from previous page)
Control ID | Control Name | Control Family | SIMP Implementation Method
SI-4(15) | Information System Monitoring Tools and Techniques Control Enhancement | System and Information Integrity |
SI-4(16) | Information System Monitoring Tools and Techniques Control Enhancement | System and Information Integrity |
SI-4(17) | Information System Monitoring Tools and Techniques Control Enhancement | System and Information Integrity |
SI-5 | System Alerts, Advisories and Directives | System and Information Integrity | The only part of the control (a) that is met by SIMP is the tracking of security alerts for products that are part of the code base. The devel
cess at key internal boundary points. Since SIMP implements IPTables on all hosts by default, each node might be considered an internal boundary. Note: internal boundaries are more likely implemented via VLANs or internal layer 3 devices.
SC-7(1) | Boundary Protection Control Enhancement | System and Communications Protection |
SC-7(2) | Boundary Protection Control Enhancement | System and Communications Protection |
SC-7(3) | Boundary Protection Control Enhancement | System and Communications Protection |
SC-7(4) | Boundary Protection Control Enhancement | System and Communications Protection |

Table 4.3 (continued from previous page)
Control ID | Control Name | Control Family | SIMP Implementation Method
SC-7(5) | Boundary Protection Control Enhancement | System and Communications Protection | Iptables as configured by default blocks all incoming traffic except for what is explicitly allowed.
SC-7(6) | Boundary Protection Control Enhancement | System and Communications Protection |
SC-7(7) | Boundary Protection Control Enhancement | System and Communications Protection |
SC-7(8) | Boundary Protection Control Enhancement | System and Communications Protecti
ck to their original state.
CM-6(1) | Configuration Settings Control Enhancement | Configuration Management | The puppet master is the central point of management for a SIMP system. While not required, the puppet master usually hosts a kickstart server so that clients are built the same every time.
CM-6(2) | Configuration Settings Control Enhancement | Configuration Management | Puppet is not intended to be a security mechanism to prevent unauthorized changes to files. Files that are managed by puppet and that have changed will revert back to their original state. This control is really about protecting from unauthorized changes, so access control to the puppet master should suffice to meet it. Changes to files are audited using auditd. Puppet changes are also audited. It's up to the implementation to perform alerting on those changes.
CM-6(3) | Configuration Settings Control Enhancement | Configuration Management | This control is not fully met by SIMP. It's important to point out that SIMP does provide logging of events to syslog. It's currently up to the implementation to alert on those events.
CM-7 | Least Functionality | Configuration Management | There isn't an explicit list of services that SIMP denies. Instead, it was built to provide only the essential functionality. Additional services get added only as needed.
ctl utility. During startup, the rules in /etc/audit/audit.rules are read by auditctl. The audit daemon itself has some configuration options that the admin may wish to customize. They are found in the auditd.conf file.

BIOS: Basic Input/Output System. A type of firmware used to perform hardware initialization during the booting process (power-on startup) on IBM PC compatible computers. Source: Wikipedia: BIOS

CA: Certificate Authority. An entity that issues X.509 digital certificates.

CentOS: Community Enterprise Operating System. An enterprise-grade operating system that is mostly compatible with a prominent Linux distribution.

CLI: Command Line Interface. A means of interacting with a computer program where the user (or client) issues commands to the program in the form of successive lines of text (command lines). Source: Wikipedia: Command-Line Interface

CPU: Central Processing Unit. A central processing unit (CPU) is the electronic circuitry within a computer that carries out the instructions of a computer program by performing the basic arithmetic, logical, control and input/output (I/O) operations specified by the instructions. Source: Wikipedia: Central Processing Unit

DHCP: Dynamic Host Configuration Protocol. A network protocol that enables a server to automatically assign an IP address to a computer.

DNS: Domain Name System. A database system that translates a compu
curity Assessment and Authorization Policies | ...Authorization |
CA-2 | Security Assessments | Security Assessment and Authorization |
CA-2(1) | Security Assessments Control Enhancement | Security Assessment and Authorization |
CA-2(2) | Security Assessments Control Enhancement | Security Assessment and Authorization |
CA-3 | Information System Connections | Security Assessment and Authorization |
CA-3(1) | Information System Connections Control Enhancement | Security Assessment and Authorization |
CA-3(2) | Information System Connections Control Enhancement | Security Assessment and Authorization |
CA-5 | Plan of Action and Milestones | Security Assessment and Authorization |

Table 4.5 (continued from previous page)
Control ID | Control Name | Control Family | SIMP Implementation Method
CA-5(1) | Plan of Action and Milestones Control Enhancement | Security Assessment and Authorization |
CA-6 | Security Authorization | Security Assessment and Authorization |
CA-7 | Continuous Monitoring | Security Assessment and Authorization |
CA-7(1) | Continuous Monitoring Control Enhancement | Security Assessment and Authorization |
CA-7(2) | Continuous Monitoring Control Enhancement | Security Assessment and Authorization |
PL-1 | Security Planning Policy and Procedure | Planning | The SIMP installation man
dules are provided for the ELK stack.

Table 4.3 (continued from previous page)
Control ID | Control Name | Control Family | SIMP Implementation Method
AU-4 | Audit Storage Capacity | Audit and Accountability | The audit partition is configured as a separate partition from the system files, reducing the likelihood of audit interfering with system operations. Implementations can change this, but it's highly discouraged.
AU-5 | Response to Audit Processing Failures | Audit and Accountability | 1. Implementation Specific. b. The auditd.conf file configures the system to log to syslog when disk space becomes low. If the disk becomes full, the audit daemon will be suspended but the system will remain active. This is contrary to some industry guidance to put the system into single user mode when disk space becomes an issue. Implementations may wish to change the default behaviour, at the risk of stopping the system from functioning.
AU-5(1) | Response to Audit Processing Failures Control Enhancement | Audit and Accountability | SIMP provides a warning to syslog when the disk has 75MB free. Each log file can be up to 30MB.
AU-5(2) | Response to Audit Processing Failures Control Enhancement | Audit and Accountability |
AU-5(3) | Re
d Communications Protection
SC-10 | Network Disconnect | System and Communications Protection |

Table 4.3 (continued from previous page)
Control ID | Control Name | Control Family | SIMP Implementation Method
SC-11 | Trusted Path | System and Communications Protection |
SC-12 | Cryptographic Key Establishment and Management | System and Communications Protection | In an operational setting, SIMP does not establish keys. It does come with the ability to create server keys using a custom application known as FakeCA. SSH keys can also be established using standard Unix command line tools. In an operational setting, both sets of keys should be obtained from valid key infrastructures. There is also a CA that puppet uses to generate and manage keys for puppet only.
SC-12(1) | Cryptographic Key Establishment and Management Control Enhancement | System and Communications Protection |
SC-12(2) | Cryptographic Key Establishment and Management Control Enhancement | System and Communications Protection |
SC-12(3) | Cryptographic Key Establishment and Management Control Enhancement | System and Communications Protection |
SC-12(4) | Cryptographic Key Establishment and Management Control Enhancement | System and Communications
d to the user's account as described in the Add Users with a Password section.

3.2.2 Managing Local Service Users

Though the SIMP team highly recommends using LDAP to centrally manage your users, you may occasionally need to set up a service account or specific local users on your systems. This section walks you through doing this in a way that is compatible with SIMP. The following examples assume that you are using the site module to set up your users. The examples may easily be extrapolated into defined types if you wish, but are presented as classes for simplicity. If you are not familiar with setting up SSH keys, you may want to follow the relevant GitHub documentation.

Service Account

    class site::service_account {
      include 'ssh'

      $_svc_account_user    = 'svcuser'
      $_svc_account_group   = 'svcgroup'
      # Numeric UID/GID for the account; the value is unreadable in the source.
      $_svc_account_id      = '<UID/GID>'
      $_svc_account_homedir = "/var/local/${_svc_account_user}"

      # Since this is a service account, automatically generate an SSH key
      # for the user and store it on the Puppet master for distribution.
      $_svc_account_ssh_private_key = ssh_keygen($_svc_account_user, 2048, true)
      $_svc_account_ssh_public_key  = ssh_keygen($_svc_account_user, 2048)

      group { $_svc_account_group:
        gid       => $_svc_account_id,
        allowdupe => false
      }

      user { $_svc_account_user:
        uid       => $_svc_account_id,
        allowdupe => false,
        gid       => $_svc_account
d_nice: Use init_ulimit
- init_mod_open_files: Use init_ulimit
- line: Use augeas
- prepend_if_no_such_line: Use simp_file_line
- renice: No replacement (was not correct)
- replace_line: Use augeas

1.3 Significant Updates

- FIPS Mode is now enabled by default. This is a SIGNIFICANT change and may impact many of your running applications that use encryption. If you are upgrading, do NOT enable FIPS mode without extensive testing, as it may cause various applications to not function properly any longer.
- The rsyslog module has been completely rewritten to support rsyslog 7.4. This is a breaking change from previous releases and will require active updates to existing systems.
  Critical Variable Changes:
  - The global rsyslog::log_server_list variable is now set to send to all of the servers in the Array by default. This variable defaults to the global log_servers Array in Hiera.
  - There is a new variable, rsyslog::failover_log_servers, which is an Array of failover log servers to be used for your system. These will be tried in order until messages can be sent successfully.
  Updated Modules: aide, apache, auditd, dhcp, logstash, openldap, rsync, simp, sudosh
- In RHEL6, we updated the OpenLDAP password policy overlay to not conflict with the 6.7 updat
date at the time a system is initially installed, if using the SIMP DVD. Implementations should obtain the latest RPMs and apply them in a reasonable manner. All SIMP systems will, by default, attempt to update all packages using YUM nightly. Therefore, having an updated repository will ensure that the systems are updated on a regular basis.
Poor Account Management | SIMP security access control is based on users being created and managed over time. Giving shell access to unnecessary users allows them the opportunity to escalate privileges. Use the default LDIFs and local user modules to ensure that account settings remain restrictive. Ensure the system has policies and procedures in place to manage accounts. Finally, ensure that users are in appropriate groups with limited privileges.
Table: SIMP Risk

4.4.3 Vulnerability Scanning

The SIMP development and security team performs regular vulnerability scanning of the product using commercial and open source tools. Results and mitigations for findings from those tools can be provided upon request (CA-2, RA-5).

4.4.4 Security Assessment and Authorization

Assessment and authorization varies by implementation. Implementations are encouraged to use documentation artifacts provided by the SIMP team to assist with assessment and authorization (CA-2).

4.5 Security Concepts Appendices

4.5.1
ditable events.

4.2.27 Auditable Events

Auditd and rsyslog provide the foundation for SIMP auditing. Auditd performs the majority of the security related events; however, other Linux logs also have security information in them, which are captured using rsyslog. The default auditable events for SIMP were developed based on several industry best practices, including those from the SCAP Security Guide and several government configuration guides. The suggested rules by those guides were fine tuned so the audit daemon would not fill logs with useless records or reduce performance. These guides should be referenced for a detailed explanation of why rules are applied. Additional justification can be found in the comments of the SIMP audit rules found in the appendix of this guide (AU-2).

The SIMP development team reviews every release of the major security guides for updated auditable events suggestions. Each of those suggestions is reviewed and applied if deemed applicable (AU-2(3)).

Privileged commands are audited as part of the SIMP auditing configuration. This is accomplished by monitoring sudo commands with auditd. Keystrokes for administrators that use sudosh are also logged. Each session can be replayed using sudosh-replay (AU-2(4)).

4.2.28 Content of Audit Records

Audit records capture the following information (AU-3):
- Date and Time
- UID and GID of the user performing t
ditional testing by implementations as patches are released from vendors. It's also important to note that SIMP is packaged and delivered decoupled from the operating system source files. It's up to the implementation to test vendor specific patches that are not part of the SIMP code base. Flaws are tracked using the software project management tool Redmine.
SI-2(2) | Flaw Remediation Control Enhancement | System and Information Integrity |
SI-2(3) | Flaw Remediation Control Enhancement | System and Information Integrity |

Table 4.4 (continued from previous page)
Control ID | Control Name | Control Family | SIMP Implementation Method
SI-2(4) | Flaw Remediation Control Enhancement | System and Information Integrity | SIMP uses the yellowdog update manager (YUM) to deliver software patches to clients. Each installation usually has at least one YUM repository. There is also a cronjob that runs once per day. It's the responsibility of the implementation to get patches to the yum server. Once they are there, the cron job will perform a yum update and the patches will be applied.
SI-3 | Malicious Code Protection | System and Information Integrity | SIMP has modules available for mcafee and ClamAV. The ClamAV Implementations need to provide their own version of the mcafee so
dog Updater Modified. A software installation tool for Linux. It is a complete software management system that works with RPM files. YUM is designed to be used over a network or the Internet. See also RPM.

2.8 Installation Miscellany

This section provides a list of variables that are configurable during the install.

2.8.1 List of Installation Variables

Description:
- Enable FIPS 140-2 compliance
- Do you want to set up network interface
- Use DHCP or Static for NIC
- Hostname of server
- IP Address of server
- Netmask Defau
- Your DNS server
- The search domain for DNS
- Subnet used for clients managed by the puppet server
- NTP servers
- IP addr of primary log server (rsyslog)
- IP address of failover log server
- Yum server for simp modules
- Turn on the audit daemon
- Turn on iptables daemon
- The default system run level
- Do you want to set SELINUX to enforcing
- Set a grub password on the puppet server
- Make puppet server the master yum server
- The FQDN of the puppet server
- Puppet server's IP address
- FQDN of Puppet Certificate Authority (CA)
- The port Puppet CA will listen on
- The DNS name of puppet database server
- The port used by the puppet database server
- Do you want to use LDAP
- LDAP Server
- Base Distinguished Name (DN)
- The LDAP Bind Distinguished name
- LDAP Bind password
- LDAP Sync Distinguished name
- LDAP Sync password
- The LDAP root DN
- LDAP root password. This password is used for manually updating LDAP; you will
dule to allow users to apply default SIMP filters.
- pupmod-pki: Now generate a system RSA public key against the passed private key.
- pupmod-puppetlabs-postgresql: Initial import of the Puppet Labs PostgreSQL module. Modifications were made to support the SIMP concat.
- pupmod-puppetlabs-puppetdb: New import of the Puppet Labs PuppetDB module.
- pupmod-puppetlabs-stdlib: Updated to version 4.5.1.
- pupmod-rsyslog: Migrated to Rsyslog 7 and the new RainerScript. Added acceptance tests.
- pupmod-simp: Now set the SELinux Boolean use_nfs_home_dirs when using NFS for home directories. fixfiles is now run prior to the final runpuppet client script runs, due to various issues with autorelabel over time.
- pupmod-tftpboot: Updated to use native packages and pull as much as possible.
- simp-doc: Updated tables across the board to be more readable. Updated documentation relating to user management and user key management using SSH. Rebranded the documentation and updated the color scheme. Updated the default system passwords.
- pupmod-vsftpd: Completely refactored to meet the new module layout guidance. The user and group are now able to be modified from the defaults. Added a full suite of Beaker tests.
- simp-utils: simp config was rewritten to allow for new features and flexibility. Now provided as a Ruby gem (simp-cl
e. This requires a manual update on existing systems using the following LDIF:

    dn: cn=default,ou=pwpolicies,dc=your,dc=domain
    changetype: modify
    replace: pwdCheckModule
    pwdCheckModule: simp_check_password.so

    dn: cn=noExpire_noLockout,ou=pwpolicies,dc=your,dc=domain
    changetype: modify
    replace: pwdCheckModule
    pwdCheckModule: simp_check_password.so

- The Electrical and SIMP modules for elasticsearch have been combined.

1.4 Upgrade Guidance

Fully detailed upgrade guidance can be found in the Upgrading SIMP portion of the User's Guide.

Warning: You must have at least 2.2GB of free RAM on your system to upgrade to this release, due to the migration to the Clojure-based Puppet Server.

Note: Upgrading from releases older than 4.0 is not supported.

1.4.1 Expectations

Before you begin, please be aware that the following actions will take place as a result of the migration script, as referenced in the SIMP Upgrade section of the User Guide:
- The puppet-server RPM will be removed.
- The puppetserver RPM will be installed (no, that's not a typo).
- ALL SIMP Puppet code will be migrated into a new simp environment. This will be located at /etc/puppet/environments/simp.
- A backup of your running environment will be made available at /etc/puppet/environments/pre_migration.simp. You will find timestamped directories under the pre_migration.simp directory
147. ...the file.

5. Type `gencerts_nopass.sh auto`.

Note: To avoid using the default Fake CA values, remove the `auto` argument from the gencerts_nopass.sh command.

Table: Generating Fake CAs Procedure

Warning: If the clean.sh command is run after the certificates have been generated, the running system will break. To troubleshoot certificate problems, see the section at the end of this chapter.

If issues arise while generating keys, type `cd /etc/puppet/Config/FakeCA` to navigate to the /etc/puppet/Config/FakeCA directory, then type `./clean.sh` to start over. After running the clean.sh script, type `./gencerts_nopass.sh` to run the script again using the previous procedure table.

2.5 Hiera Overview

SIMP now uses Hiera natively instead of Extdata. From the Puppet Labs website: "Hiera is a key/value lookup tool for configuration data, built to set node-specific data without repeating yourself." It is an attempt to make SIMP more configurable to you, the end user. It configures Puppet in two ways: automatic parameter lookup (and the hiera lookup functions), and assigning classes to nodes. The former allows you to generate reusable code and concentrates parameter assignment in one directory. The latter is a supplement to the failed inheritance model.

2.5.1 Setting Parameters: Automatic Lookup

You can now safely declare any class on any node with `include`, even if the class is para
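The automatic parameter lookup described above, as an added example that is not code from the SIMP documentation or the SIMP project: a parameterized class that is declared with a plain `include`, with its parameters supplied from hieradata. The class name `site::banner`, its parameter names, the hieradata file paths in the comments and the `site::admin_nets` key are all assumptions made for illustration; the syntax targets the Puppet 3 parser and puppetlabs-stdlib 4.5 that this release uses.

```puppet
# Added example, not from the SIMP docs. Assumed names: site::banner and
# the hieradata paths in the comments below.
#
# --- modules/site/manifests/banner.pp ---
# Because of Hiera automatic parameter lookup, `include site::banner` is safe
# even though the class is parameterized: before using the defaults below,
# Puppet looks up the keys site::banner::text, site::banner::mode and
# site::banner::path in the Hiera hierarchy.
class site::banner (
  $text = 'Authorized use only.',
  $mode = '0644',
  $path = '/etc/issue.net'
) {
  # Refuse anything that is not a plain octal file mode (puppetlabs-stdlib).
  validate_re($mode, '^0[0-7]{3}$')

  file { $path:
    ensure  => 'file',
    owner   => 'root',
    group   => 'root',
    mode    => $mode,
    content => "${text}\n",
  }
}

# --- hieradata/default.yaml (assumed path; applies to every node) ---
# site::banner::text: "This system is monitored. Unauthorized use is prohibited."
#
# --- hieradata/hosts/bastion.your.domain.yaml (assumed path; one node) ---
# site::banner::text: "Bastion host: all sessions are recorded."
# site::banner::mode: "0444"

# --- node manifest ---
# A plain include picks up the values above. A resource-like declaration
# (class { 'site::banner': text => '...' }) would bypass Hiera and also fail
# on a second declaration, so prefer include for reusable classes.
include site::banner

# The hiera lookup functions remain available for values that are not class
# parameters. hiera_array merges the key from every level of the hierarchy,
# so per-host additions extend, rather than replace, the site-wide list.
$admin_nets = hiera_array('site::admin_nets', ['127.0.0.1'])
notify { "admin networks: ${admin_nets}": }
```

Run it on a test node with `puppet apply` after placing the YAML snippets in the node's hieradata; changing only the YAML, not the manifest, is the point of the mechanism.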
148. ...tracked and logged using the security features built into SIMP. Console access requires someone to have access to the physical or virtual console along with the root password. Auditing of those actions also occurs in accordance with the configured audit policy. It's up to the implementation to decide how to distribute authentication information for remote maintenance.

MA-4(1) | Non-Local Maintenance Control Enhancement | Maintenance | Remote maintenance can be performed on SIMP using SSH or direct console access. SSH sessions are tracked and logged using the security features built into SIMP. Console access requires someone to have access to the physical or virtual console along with the root password. Auditing of those actions also occurs in accordance with the configured audit policy. It's up to the implementation to decide how to distribute authentication information for remote maintenance.
MA-4(2) | Non-Local Maintenance Control Enhancement | Maintenance |
MA-4(3) | Non-Local Maintenance Control Enhancement | Maintenance |
MA-4(4) | Non-Local Maintenance Control Enhancement | Maintenance |
MA-4(5) | Non-Local Maintenance Control Enhancement | Maintenance |
MA-4(6) | Non-Local Maintenance Control Enhancement | Maintenance | Remote maintenance is performed using SSH. SSH inherently provides confidentiality and integrity of data while in tran
149. [Remote] Access: Remote access in SIMP is performed over SSH, specifically using the OpenSSH software. OpenSSH provides both confidentiality and integrity of remote access sessions. The SSH IPtables rules allow connections from any host. SSH relies on other Linux mechanisms to provide identification and authentication of a user. As discussed in the auditing section, user actions are audited with the audit daemon and sudosh. (AC-17)

4.2.16 Systems and Communications Protection

The following sections provide information regarding application partitioning, shared resources, and various levels of protection for systems and communications.

4.2.17 User and Administration Application Separation (Application Partitioning)

SIMP can be used in a variety of ways. The most common is as a platform for hosting other services or applications; in that case, only administrative users are present, and users with accounts are considered a type of privileged user. SIMP can also be used as a platform for workstations or general users performing non-administrative activities. In both cases, general users with accounts on an individual host are allowed access to the host through the pam_access module, so long as they have an account on the target host. No user may perform or have access to administrative functions unless given sudo or sudosh privileges via Puppet.

4.2.18 Shared Resources

There are several layers of access control that prevent the unauthorized sharing
150. (table of contents, continued)
3 SIMP User Guide 41
3.1 Introduction 41
3.2 User Management 42
3.3 Client Management 50
3.4 Apply Certificates 54
3.5 Maximum Number of Nodes 56
3.6 SIMP Administration 57
3.7 Backing up the Puppet Master 60
3.8 Managing Workstation Infrastructures 60
3.9 VNC 64
3.10 Upgrading SIMP 66
3.11 Logstash 69
3.12 Using Kerberos in SIMP 73
3.13 Troubleshooting Common Issues 75
3.14 SIMP FAQs 78
3.15 SIMP RPMs 87
3.16 Changelog 89
3.17 Glossary of Terms
3.18 Indices and tables
4 SIMP Security Concepts
4.1 Introduction
151. ...access mask settings using the umask command that allow only the owner to read and write the file. Implementations may further extend access control in UNIX by restricting access to application files or by using the file Access Control List (ACL) commands getfacl and setfacl. Users of SIMP should not change file permissions on operating system files, as doing so may decrease the overall security of the system. If a group needs access to a particular file or directory, use the setfacl command to grant the necessary access without loosening the permissions on the system. (AC-3)

4.2.9 Information Flow Enforcement

IPtables on each SIMP system is controlled by the IPtables Puppet module. When developing a new module, the IPtables rules needed for an application should be included with the module by calling the appropriate defined types from the IPtables module. The end result should be a running IPtables rule set that includes the default SIMP rules plus any rules needed for applications. The default communications allowed are listed in Default Server Ports and Default Client Ports. (AC-4)

4.2 Technical Security

Default Server Ports

Application | Direction | Protocol | Transport | Ports | Comment
Puppet | Local host | HTTP | TCP | 8140 | The port upon which the Puppet master listens for client connections via Apache.
Puppet | In | HTTPS | TCP | 8141 | This is used to ensure that Apache can veri
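The rule above, that a module should carry its own IPtables rules rather than leaving them to the operator, shown as an added example that is not code from the SIMP documentation or the SIMP project. It uses `iptables::add_rules`, the defined type this documentation shows elsewhere for NAT rules, with the same `table`/`content` parameters. Everything else is assumed for illustration: the class name `site::metrics`, the `node_exporter` package and service, the `client_nets` Hiera key, TCP port 9100, and the `LOCAL-INPUT` chain name (the chain the SIMP IPtables module's own rules use; check the generated /etc/sysconfig/iptables on a SIMP host before relying on it).

```puppet
# Added example, not from the SIMP docs. Assumed: class name, package/service
# name, the client_nets Hiera key, port 9100 and the LOCAL-INPUT chain.
class site::metrics (
  # The networks allowed to scrape the service; defaults to localhost only,
  # so a node with no Hiera data fails closed rather than open.
  $client_nets = hiera('client_nets', ['127.0.0.1']),
  $port        = '9100'
) {
  validate_array($client_nets)          # puppetlabs-stdlib
  validate_re($port, '^[0-9]+$')        # refuse anything that is not a port

  package { 'node_exporter': ensure => 'present' }   # hypothetical package

  service { 'node_exporter':
    ensure  => 'running',
    enable  => true,
    require => Package['node_exporter'],
  }

  # Build one stateful ACCEPT rule per allowed source network. Puppet 3 has
  # no loop construct, so prefix/suffix/join from stdlib do the expansion:
  #   -A LOCAL-INPUT -s 10.0.0.0/8 -p tcp -m state --state NEW -m tcp --dport 9100 -j ACCEPT
  $rule_lines = suffix(
    prefix($client_nets, '-A LOCAL-INPUT -s '),
    " -p tcp -m state --state NEW -m tcp --dport ${port} -j ACCEPT"
  )

  # The rules are appended to the filter table alongside the default SIMP
  # rules, not in place of them; traffic that matches none of these lines
  # falls through to whatever the default SIMP rule set does with it.
  # The resource title must be unique across the catalog.
  iptables::add_rules { 'site_metrics_scrape':
    table   => 'filter',
    content => join($rule_lines, "\n"),
  }
}
```

Because the rules live in the same class that installs the daemon, removing the class from a node removes the listening port and its firewall exception together, which is the property the section is after.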
152. ...first time. Errors will appear for DHCP; these can be safely ignored at this stage. Type `puppet agent -t`.

3. Copy the CentOS/RHEL_MAJOR_MINOR_VERSION ISO(s) to the server and unpack them using the unpack_dvd utility. This creates a new tree under /srv/www/yum/CentOS. Execute: `unpack_dvd CentOS-RHEL_MAJOR_MINOR_VERSION-x86_64-Everything.iso`
4. Update your system using yum. The updates applied will depend on which ISO you initially used. Execute: `yum clean all; yum makecache`
5. Run puppet, ignoring the same DHCP errors: `puppet agent -t`
6. Type `reboot`.

2.3 Client Management

This chapter provides guidance to install and configure SIMP clients based on the standard SIMP system installed using the SIMP DVD.

2.3.1 System Requirements

Before installing clients, the system should meet the following minimum requirements:
- Hardware/Virtual Machine (VM): capable of running RHEL 6 or 7, 64-bit compatible
- RAM: 512 MB
- HDD: 5 GB

2.3.2 Configuring the Puppet Master

Perform the following actions as root on the Puppet Master system prior to attempting to install a client.

2.3.3 Configure DNS

Most static files are pulled over rsync by Puppet in this implementation, for network efficiency. Specific directories of interest are noted in this section. It is possible to use an existing DNS setup; however, the following ta
153. (RPM updates, continued; package | source)
...el6.x86_64.rpm | Red Hat Updates Repository
kernel-doc-2.6.32-573.3.1.el6.noarch.rpm | Red Hat Updates Repository
kernel-firmware-2.6.32-573.3.1.el6.noarch.rpm | Red Hat Updates Repository
kernel-headers-2.6.32-573.3.1.el6.x86_64.rpm | Red Hat Updates Repository
kibana-3.1.0-SIMP.0.noarch.rpm | https://dl.bintray.com/simp/4.2.X-Ext/kibana-3.1.0-SIMP.0.noarc
lcgdm-libs-1.8.10-1.el6.x86_64.rpm | http://mirror.symnds.com/distributions/fedora-epel/6/x86_64/lcgd
leiningen-2.0.0-0.2preview10.el6.noarch.rpm | http://yum.puppetlabs.com/el/6/dependencies/x86_64/leiningen
lfc-libs-1.8.10-1.el6.x86_64.rpm | http://mirror.symnds.com/distributions/fedora-epel/6/x86_64/lfc-li
lfc-python-1.8.10-1.el6.x86_64.rpm | http://mirror.symnds.com/distributions/fedora-epel/6/x86_64/lfc-p
libarchive-devel-2.8.3-4.el6_2.x86_64.rpm | Red Hat Optional Repository
libconfuse-2.7-4.el6.x86_64.rpm | http://mirror.symnds.com/distributions/fedora-epel/6/x86_64/libco
libconfuse-devel-2.7-4.el6.x86_64.rpm | http://mirror.symnds.com/distributions/fedora-epel/6/x86_64/libco
libev-4.03-3.el6.x86_64.rpm | http://mirror.symnds.com/distributions/fedora-epel/6/x86_64/libev
libselinux-ruby-2.0.94-5.8.el6.x86_64.rpm | Red Hat Base Repository
libyaml-0.1.4-2.el6.x86_64.rpm | https://dl.bintray.com/simp/4.2.X-Ext/libyaml-0.1.4-2.el6.x86_64
libyaml-devel-0.1.4-2.el6.x86_64.rpm | https://dl.bintray.com/simp/4
154. ...[Tel]ecommunications Services | Contingency Planning |
CP-8(1) | Telecommunications Services Control Enhancement | Contingency Planning |
CP-8(2) | Telecommunications Services Control Enhancement | Contingency Planning |
CP-8(3) | Telecommunications Services Control Enhancement | Contingency Planning |
CP-8(4) | Telecommunications Services Control Enhancement | Contingency Planning |
CP-9 | Information System Backup | Contingency Planning | The BackupPC module is not currently available in SIMP 5.0.
CP-9(1) | Information System Backup Control Enhancement | Contingency Planning |
CP-9(2) | Information System Backup Control Enhancement | Contingency Planning |
CP-9(3) | Information System Backup Control Enhancement | Contingency Planning |
CP-9(5) | Information System Backup Control Enhancement | Contingency Planning |
CP-9(6) | Information System Backup Control Enhancement | Contingency Planning |
CP-10 | Information System Recovery and Reconstitution | Contingency Planning | The BackupPC module is not currently available in SIMP 5.0.
CP-10(1) | Information System Recovery and Reconstitution Control Enhancement | Contingency Planning |
CP-10(2) | Information System Recovery and Reconstitution Control Enhancement | Contingency Planning |
CP-10(3) | Information System Recovery and Reconstitution Control Enhancement | Contingency Planning |

Chapter 4 SIMP Security Concepts

Table 4.5
155. (Index, continued; entry: pages)
R: Red Hat 35, 101; Red Hat Enterprise Linux 35, 101; Red Hat Inc. 35, 101; RHEL 35, 101; RPM 36, 101; RPM Package Manager 36, 101; RSA 36, 101; Ruby 36, 101
S: Secure Shell 36, 101; Secure Sockets Layer 36, 101; Service Account 36, 101; SFTP 36, 101; SIMP 36, 101; SSH 36, 101; SSH File Transfer Protocol 36, 101; SSL 36, 101; Sudosh 36, 102; System Integrity Management Platform 36, 101
T: TFTP 36, 102; TLS 36, 102; Transport Layer Security 36, 102; Trivial File Transfer Protocol 36, 102; TTY 36, 102
V: Virtual Machine 36, 102; Virtual Network Computing 36, 102; VM 36, 102; VNC 36, 102
W: WAN 36, 102; Wide Area Network 36, 102
X: X.509 36, 102
Y: Yellowdog Updater Modified 37, 102; YUM 37, 102
156. (table of contents, continued)
4.1 Introduction 42
4.2 Technical Security 43
4.3 Operational Security 44
4.4 Information System Management 45
4.5 Security Concepts Appendices 46
4.6 Indices and tables
5 License 211
5.1 Legal Notice
6 Contact/Help 213
7 Indices and tables 215

This is the 4.2.0.0 release of SIMP, compatible with the 6.7 release of CentOS and Red Hat Enterprise Linux (RHEL).

The System Integrity Management Platform (SIMP) is a framework designed around the concept that individuals and organizations should not need to repeat the work of automating the basic components of their operating system infrastructure. Expanding upon this philosophy, SIMP also aims to take care of routine policy compliance, including NIST 800-53, FIPS 140-2, the DISA STIG and the SCAP Security Guides. By using the Puppet automation stack, SIMP is working toward the concept of a self-healing infrastructure that, when used with a consistent configuration management process, will allow users to have confidence that their systems not only start in compliance but remain in compliance over time. Finally, SIMP has a goal of remaining flexible enough to properly maintain your operat
157. ...[Enhanc]ement | System and Communications Protection |

4.5 Security Concepts Appendices

Table 4.3 (continued from previous page)
Control ID | Control Name | Control Family | SIMP Implementation Method
SC-4 | Information in Shared Resources | System and Communications Protection | While difficult for the SIMP team to prove, object reuse has been part of previous versions of Red Hat Common Criteria testing. That testing focused on file system objects, IPC objects and memory objects. Any issues discovered within the platform that cause object reuse problems are likely to be addressed in security patches provided by the vendor.
SC-4(1) | Information in Shared Resources Control Enhancement | System and Communications Protection |
SC-5 | Denial of Service Protection | System and Communications Protection |
SC-5(1) | Denial of Service Protection Control Enhancement | System and Communications Protection |
SC-5(2) | Denial of Service Protection Control Enhancement | System and Communications Protection |
SC-6 | Resource Priority | System and Communications Protection |
SC-7 | Boundary Protection | System and Communications Protection | Most of this control deals with a separate boundary interface (firewall, etc.). There is a part of this control that deals with controlling network ac
158. ...[Enhanc]ement |
CM-8(4) | Information System Component Inventory Control Enhancement | Configuration Management |
CM-8(5) | Information System Component Inventory Control Enhancement | Configuration Management |
CM-8(6) | Information System Component Inventory Control Enhancement | Configuration Management |
CM-9 | Configuration Management Plan | Configuration Management |
CM-9(1) | Configuration Management Plan Control Enhancement | Configuration Management |
CP-1 | Contingency Planning Policy and Procedures | Contingency Planning |
CP-2 | Contingency Plan | Contingency Planning |
CP-2(1) | Contingency Plan Control Enhancement | Contingency Planning |
CP-2(2) | Contingency Plan Control Enhancement | Contingency Planning |
CP-2(3) | Contingency Plan Control Enhancement | Contingency Planning |
CP-2(4) | Contingency Plan Control Enhancement | Contingency Planning |
CP-2(5) | Contingency Plan Control Enhancement | Contingency Planning |
CP-2(6) | Contingency Plan Control Enhancement | Contingency Planning |
CP-3 | Contingency Training | Contingency Planning |
CP-3(1) | Contingency Training Control Enhancement | Contingency Planning |
CP-3(2) | Contingency Training Control Enhancement | Contingency Planning |
CP-4 | Contingency Plan Testing and Exercises | Contingency Planning |
CP-4(1) | Contingency Plan Testing and Exercises Control Enhancement | Contingency Planning |
CP-4(2) | Contingency Plan Testing and Exercises Control Enhancement | Contingency Planning |
159. ...[Security Announc]ements; CVEs Addressed; RPM Updates; Fixed Bugs; New Features; Known Bugs

SIMP 4.2.0.1

Package: 4.2.0.1

This release is known to work with:
- RHEL 6.7 x86_64
- CentOS 6.7 x86_64

3.16 Changelog

3.16.1 Manual Changes Required

- Bugs in the simplib::secure_mountpoints class (formerly common::secure_mountpoints).
  Note: This only affects you if you did not have a separate partition for /tmp.
- There were issues in the secure_mountpoints class that caused /tmp and /var/tmp to be mounted against the root filesystem. While the new code addresses this, it cannot determine whether your system was modified incorrectly in the past.
- To fix the issue you need to do the following:
  - Unmount /var/tmp (may take multiple unmounts)
  - Unmount /tmp (may take multiple unmounts)
  - Remove the bind entries for /tmp and /var/tmp from /etc/fstab
  - Run puppet with the new code in place

3.16.2 Deprecations

- simp-hiera: The simp-hiera RPM has been replaced by the upstream hiera package from Puppet Labs. The original simp-hiera fork had been maintained due to a need that the alias function now serves. Please run the hiera_upgrade script to convert your existing SIMP environment. You may also set the environment variable HIERA_UPGRADE to a path of your choice to update any other hieradata that you may have on your system.
- pupmod-simp-common: The common names
160. (RPM updates, continued; package | source)
... | .../epel/6/x86_64/glob
globus-gss-assist-10.15-1.el6.x86_64.rpm | http://mirror.cogentco.com/pub/linux/epel/6/x86_64/globus-gss-as
globus-gssapi-gsi-11.20-1.el6.x86_64.rpm | http://mirror.cogentco.com/pub/linux/epel/6/x86_64/globus-gssap
globus-openssl-module-4.6-2.el6.x86_64.rpm | http://mirror.symnds.com/distributions/fedora-epel/6/x86_64/glob
gpxe-bootimgs-0.9.7-6.14.el6.noarch.rpm | Red Hat Base Repository
gpxe-roms-qemu-0.9.7-6.14.el6.noarch.rpm | Red Hat Base Repository
gweb-2.1.8-1.noarch.rpm | https://dl.bintray.com/simp/4.2.X-Ext/gweb-2.1.8-1.noarch.rpm
hmaccalc-0.9.12-2.el6.x86_64.rpm | Red Hat Base Repository
incron-0.5.9-1.el6.x86_64.rpm | http://mirror.symnds.com/distributions/fedora-epel/6/x86_64/incr
java-1.7.0-openjdk-1.7.0.85-2.6.1.3.el6_7.x86_64.rpm | Red Hat Updates Repository
java-1.7.0-openjdk-demo-1.7.0.85-2.6.1.3.el6_7.x86_64.rpm | Red Hat Updates Repository
java-1.7.0-openjdk-devel-1.7.0.85-2.6.1.3.el6_7.x86_64.rpm | Red Hat Updates Repository
java-1.7.0-openjdk-src-1.7.0.85-2.6.1.3.el6_7.x86_64.rpm | Red Hat Updates Repository
kernel-2.6.32-573.3.1.el6.x86_64.rpm | Red Hat Updates Repository
kernel-abi-whitelists-2.6.32-573.3.1.el6.noarch.rpm | Red Hat Updates Repository
kernel-debug-2.6.32-573.3.1.el6.x86_64.rpm | Red Hat Updates Repository
kernel-debug-devel-2.6.32-573.3.1.el6.x86_64.rpm | Red Hat Updates Repository
kernel-devel-2.6.32-573.3.1
161. ...[r]epositories from nightly YUM updates.

Methodology: The common::yum_schedule::repos and common::yum_schedule::disable variables in the pupmod-common module control which repositories are enabled for nightly updating. Both variables must be specified in array format.
- common::yum_schedule::repos specifies an array of repositories from which updates are provided; no other repositories will be used.
- common::yum_schedule::disable specifies an array of repositories from which updates are not provided; all other repositories will be used.

3.14.5 IPtables NAT Rules

See the IPtables Module Reference for notes on using the basic IPtables module.

Add NAT Rules: The user may be required to add Network Address Translation (NAT) rules to the IPtables ruleset. To achieve this using the IPtables module, SIMP 1.1.3 or later is required and the iptables::add_rules input statement should be used to effect the appropriate changes. The example below shows an IPtables NAT rule.

Example of an IPtables NAT Rule:

```puppet
# Install the NAT table's chain policies first and as-is (first/absolute),
# without the module's usual header.
iptables::add_rules { 'nat_global':
  table    => 'nat',
  first    => true,
  absolute => true,
  header   => false,
  content  => ':PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]'
}

# A rule appended to the NAT table. The rule body is cut off in the source
# after the physdev match; complete it with the target you need.
iptables::add_rules { 'nat_test':
  table   => 'nat',
  header  => false,
  content => '-A PREROUTING -m physdev --physdev-in eth1'
}
```
162. ...[augeasprovid]ers stack.
- augeasproviders_ssh: Imported 2.1.3 to support the Augeasproviders stack.
- augeasproviders_sysctl: Imported 2.1.3 to support the Augeasproviders stack.
- pupmod-augeasproviders: Updated to 2.1.3. The update to 2.1.3 caused the addition of all of the pupmod-augeasproviders modules below.
- pupmod-cgroups: Added acceptance tests.
- pupmod-common: Deprecated. Replaced by pupmod-simplib.
- pupmod-simplib: Created the parse_hosts function. Added full tests for evaluating the ability to toggle FIPS mode.
- pupmod-kibana: Add Kibana dashboards to the Kibana module. Allows users to apply the default SIMP Kibana dashboards.
- pupmod-logstash: Integrated the SIMP and Electrical Logstash modules. Changes the existing Logstash module to allow users to apply the default SIMP filters.
- pupmod-richardc-datacat: Incorporated the richardc/datacat module into the core for user convenience.
- pupmod-freeradius: Split the FreeRADIUS module based on version so that it can be properly selected against the installed version of FreeRADIUS. This may take two runs to coalesce.
- pupmod-puppetlabs-inifile: Updated to version 1.2.0.
- pupmod-puppetlabs-puppetdb: Updated to version 5.0.0.
- pupmod-simp-kibana: Add Kibana dashboards to the Kibana module. Allows users to apply the default SIMP Kibana dashboards.
- pupmod-simp-logstash: Integrated the SIMP and Electrical Logstash modules. Changes the existing Logstash mo
163. ...[certificat]es used in a SIMP system and how to manage them. For information on initial certificate setup, refer to the Apply Certificates section of the Client Management chapter.

3.6.5 Server Certificates

Server certificates are the standard PKI certificates, assigned either by an official CA or generated using the FakeCA utility offered by SIMP. They can be found in the /etc/pki directory of both the client and server systems. These certificates are set to expire annually. To change this, edit the following files with the number of days for the desired lifespan of the certificates.

Note: This assumes that the user has generated certificates with the FakeCA provided by SIMP. If official certificates are being used, these settings must be changed within the official CA, not on the SIMP system.

- /etc/puppet/Config/FakeCA/CA
- /etc/puppet/Config/FakeCA/ca.cnf
- /etc/puppet/Config/FakeCA/default_altnames.cnf
- /etc/puppet/Config/FakeCA/default.cnf
- /etc/puppet/Config/FakeCA/user.cnf

In addition, any certificates that have already been created and signed will have a config file containing all of their details in /etc/puppet/Config/FakeCA/output/conf.

Important: Editing any entries in the above-mentioned config files will not affect the existing certificates. To make changes to an existing certificate, it must be re-created and signed.

Chapter 3 SIMP User Guide

Below is an example of how
164. ...[MAC Addr]ess: A unique identifier assigned to network interfaces for communications on the physical network segment. Source: Wikipedia, MAC address.

NAT (Network Address Translation): The process of modifying IP address information in IP packet headers while in transit across a traffic routing device.

NFS (Network File System): A distributed file system protocol that allows a user on a client computer to access files over a network in a manner similar to how local storage is accessed.

PAM (Pluggable Authentication Modules): A mechanism to integrate multiple low-level authentication schemes into a high-level application programming interface (API). It allows programs that rely on authentication to be written independently of the underlying authentication scheme.

PEM (Privacy Enhanced Mail): An early standard for securing electronic mail. This is the public key of a specific certificate. This is also the format used for Certificate Authority certificates.

PERL (Practical Extraction and Report Language): A high-level, general-purpose, interpreted, dynamic programming language. PERL was originally developed by Larry Wall in 1987 as a general-purpose Unix scripting language to make report processing easier.

PKI (Public Key Infrastructure): A security architecture that has been introduced to provide an increased level of confidence for exchanging information over an increasingly insecure Interne
165. ...[Intern]et, to securely authenticate to systems and exchange data. The exchange of data is done by using a combination of cryptographically bound public and private keys.

PSSH (Parallel Secure Shell): A tool that provides parallel versions of OpenSSH and other related tools.

Puppet: An open source configuration management tool written and maintained by Puppet Labs. Written as a Ruby DSL, Puppet provides a declarative language that allows system administrators to provide a consistently applied management infrastructure. Users describe system resources and resource state in the Puppet language. Puppet discovers system-specific information via facter and compiles Puppet manifests into a system-specific catalog containing resources and resource dependencies, which are applied to each client system.

PXE (Preboot Execution Environment): An environment to boot computers using a network interface, independently of data storage devices like hard disks or installed operating systems.

RAM (Random Access Memory): A form of computer data storage. A random access device allows stored data to be accessed in nearly the same amount of time for any storage location, so data can be accessed quickly in any random order.

Red Hat, Red Hat Inc.: A collection of many different software programs developed by Red Hat Inc. and other members of the open source community. All software programs included in Red Hat Enterprise Linux are GPG-signed by Red Hat Inc. to indicate
166. ...[Fully d]etailed upgrade guidance can be found in the Upgrading SIMP portion of the User's Guide.

3.16 Changelog

Warning: You must have at least 2.2 GB of free RAM on your system to upgrade to this release, due to the migration to the Clojure-based Puppet Server.

Note: Upgrading from releases older than 4.0 is not supported.

Expectations: Before you begin, please be aware that the following actions will take place as a result of the migration script (as referenced in the SIMP Upgrade section of the User Guide):
- The puppet-server RPM will be removed.
- The puppetserver RPM will be installed (no, that's not a typo: the old package is puppet-server, the new one is puppetserver).
- ALL SIMP Puppet code will be migrated into a new simp environment. This will be located at /etc/puppet/environments/simp.
- A backup of your running environment will be made available at /etc/puppet/environments/pre_migration.simp. You will find timestamped directories under the pre_migration.simp directory that correspond to runs of the migration script. Your old files will be in a backup_data directory and will be linked to a local bare Git repository in the same space.

3.16.5 Security Announcements

CVEs Addressed

3.16.6 RPM Updates

Numerous RPMs were updated in the creation of this release. Several were included due to our use of repoclosure to ensure that RPM dependencies are met when releasing a DVD.
- This version includes the latest RedHat 7.1 and CentOS 7.0
167. ...[S]etting up a printing environment.

Setting up a Print Client

Below is an example manifest, called /etc/puppet/modules/site/manifests/print_client.pp, for setting up a print client:

```puppet
class site::print_client inherits site::print_server {
  # Grant print-management rights through PolicyKit. The identity value is
  # elided in the source; it names the unix group that may manage printers.
  polkit::local_authority { 'print_support':
    identity           => 'unix_group',
    action             => 'org.opensuse.cupskhelper.mechanism.*',
    section_name       => 'Allow all print management permissions',
    result_any         => 'yes',
    result_interactive => 'yes',
    result_active      => 'yes'
  }

  package { 'cups-pdf':              ensure => 'latest' }
  package { 'cups-pk-helper':        ensure => 'latest' }
  package { 'system-config-printer': ensure => 'present' }
}
```

Setting up a Print Server

Below is an example manifest, called /etc/puppet/modules/site/manifests/print_server.pp, for setting up a print server:

```puppet
class site::print_server {
  # Note: this is not set up for being a central print server. You'll need
  # to add the appropriate IPTables rules for that to work.
  package { 'cups': ensure => 'latest' }

  service { 'cups':
    enable     => true,
    ensure     => 'running',
    hasrestart => true,
    hasstatus  => true,
    require    => Package['cups']
  }
}
```

3.8 Managing Workstation Infrastructures

3.9 VNC

Virtual Network Computing (VNC) is a tool that is used to manage desktops and workstations remotely, through the standard setup or a proxy.

3.9.1
168. ...[r]ewritten to allow for new features and flexibility. Now provided as a Ruby gem, simp-cli.
- simp-doc: Removed several obsolete sections and cleaned up a great deal of the language.
- simp-rsync: Content has been restructured to eliminate licensing conflicts. ClamAV has been refactored into a separate GPL package.
- pupmod-simp-rsyslog: Module has been rewritten to support rsyslog 7.4.

Facter 2.4: Facter now returns the following facts as their actual boolean or integer values instead of converting them into strings: activeprocessorcount, is_virtual, mtu_<INTERFACE>, physicalprocessorcount, processorcount, selinux_enforced, selinux, sp_number_processors, sp_packages.

Mcollective: Mcollective is now available to be installed and used with SIMP. It uses SSL/TLS along with user certificates for proper encryption and authentication.

PuppetDB: PuppetDB is now supported by SIMP and installed by default.

Puppetserver: The puppetmaster service has been replaced by the puppetserver service. This is a major rewrite by Puppet Labs. Puppetserver scales better for larger agent deployments with a single puppet master. It uses environments by default, which allows for tools such as r10k; the production environment is a link to simp by default.

3.16.9 Known Bugs
- There is a symlink created at /etc/puppet/environments/simp/simp which should not be in place. This is being tracked as SIMP-661.
- SSSD is cur
169. ...[all o]f the settings in every file. Instead, critical operating system files, or files that need to be controlled centrally, are managed. Implementations can manage additional files if they are deemed necessary. (CM-6)

Security Verification and Flaw Remediation

SIMP cannot detect flaws automatically; each implementation is responsible for tracking flaws. However, SIMP provides a way for flaws to be fixed across all clients. One or all of the following can help automate flaw remediation (CM-6, SI-2, SI-2(1), SI-2(4)):

4.3 Operational Security

- Puppet: Apply a configuration change to files that are managed by Puppet.
- rsync: Use this mechanism to deliver a file to a client. This can be used with or without Puppet to synchronize files.
- YUM: Update packages nightly with YUM. Placing an updated package in YUM and either running a YUM update manually or allowing time for the cron job to run will ensure packages on all clients are updated. Otherwise, a cron job performs a daily update of packages with YUM.
- PSSH: Run commands across a set of nodes with the PSSH utility. Through the use of keys, this becomes a powerful way to run a one-time operation against a large number of nodes.

The extent of security verification that is performed currently is based on changes to files that Puppet or the Advanced Intrusion Detection Environment (AIDE) detects. There are also Security Content Automation Protocol (SCAP) p
170. ...for inclusion with concat.
- pupmod-stunnel: Had a variable `options` in stunnel.erb that should have been scoped as `@options`.
- pupmod-sudo: Removed all reliance on the lsb facts, since some users do not wish to install the prerequisite RPMs for LSB compliance.
- pupmod-sudosh: Changed the call to the rsyslog init script to the service command, to seamlessly support both RHEL 6 and RHEL 7.
- pupmod-sysctl: Removed support for the old parsed-file provider and moved to using the new Augeas-based provider.
- pupmod-tftpboot: Purging of non-Puppet-managed items in pxelinux.cfg is now optional.
- pupmod-simp-tpm: IMA is disabled by default.
- simp-gpgkeys: Ensure that the keys are set in the correct locations for the target SIMP distribution.
- simp-rsync: Removed spurious install messages.
- simp-util: Fixed the targets of unpack_dvd.
- pupmod-xinetd: Fixed: the default log_type should be "SYSLOG authpriv" instead of "SYSLOG daemon info".
- pupmod-vnc: Removed banners that broke some VNC clients.

2.6 Changelog

- simp-cli:
  - `simp config -a ANSWERFILE` fails when an item has no answer.
  - `simp config -A ANSWERFILE` prompts when an item has no answer.
  - The misleading help documentation for `-ff` has been removed.
  - The config item use_fips now echoes its command unless silent.
  - The `simp doc` command path to the documentation h
171. forced using pam_cracklib.so. This works for user-defined passwords on local and LDAP accounts. E. It is up to the implementation to change the values for the various passwords. F. Password history is set to 24 by default in SIMP and enforced with PAM. G. For local accounts, password aging is set to 180 days. It is set to the same in LDAP, but enforced at the time of account creation using LDIFs; LDAP subsequently uses PAM to enforce the aging. Key-based passwordless logins do not enforce aging. Upon generation, server and Puppet certificates can also be set to expire. H. Authenticators for local and LDAP accounts are protected using operating system access controls. The server certificates are also protected using operating system controls.

Control ID | Control Name | Control Family | SIMP Implementation Method
IA-5(1) | Authenticator Management Control Enhancement | Identification and Authentication | 1. Authenticator strength is enforced using pam_cracklib.so. This works for user-defined passwords on local and LDAP accounts. Administrators can bypass PAM and set weak passwords in LDAP. Under normal circumstances users would be forced to change their password at login, at which point PAM-enforced complexit
172. ftware for the module to work. That module comes with the ability to sync DAT updates to clients via rsync. The module does NOT specify how often and which file systems should be scanned. SIMP also implements the open source tool chkrootkit, which comes installed by default.
SI-3(1) | Malicious Code Protection Control Enhancement | System and Information Integrity | The provided anti-virus modules are installed via Puppet modules. Those modules include the ability to sync data file updates via rsync. Therefore all management of malicious code detection is done centrally.
SI-3(2) | Malicious Code Protection Control Enhancement | System and Information Integrity |
SI-3(3) | Malicious Code Protection Control Enhancement | System and Information Integrity |
SI-3(4) | Malicious Code Protection Control Enhancement | System and Information Integrity |
SI-3(5) | Malicious Code Protection Control Enhancement | System and Information Integrity |
SI-3(6) | Malicious Code Protection Control Enhancement | System and Information Integrity |
...itoring Tools and Techniques Control Enhancement | ...tegrity
Control ID | Control Name | Control Family | SIMP Implementation
173. fy all certificates from external CA systems properly prior to allowing access to Puppet.

Application | Direction | Protocol | Transport | Ports | Comment
Apache (YUM) | In | HTTP | TCP | 80 | This is used for YUM and is unencrypted, since YUM will not work otherwise.
DHCPD | In | DHCP/BOOTP | UDP | 67/68 | DHCP pooling is disabled by default and should only be used if the implementation requires the use of this protocol.
TFTP | In | TFTP | TCP/UDP | 69 | This is used for kickstart. It could also be used to update network devices. TFTP does not support encryption.
rsyslog | Out | syslog | TCP/UDP | 514 | This is encrypted when communicating with a SIMP syslog server (not installed by default).
named | In/Out | DNS | TCP/UDP | 53 | Inbound connections happen to the locally managed hosts. Outbound connections happen to other domains per the normal operations of DNS.
NTPD | Out | NTP | TCP/UDP | 123 | Only connects to an external time source by default.
SSHD | In | SSH | TCP | 22 | SSH is always allowed from any source IP by default.
stunnel | In | TLS | TCP | 8730 | Stunnel is a protected connection for rsyncing configuration files to Puppet clients.
rsync | Local | RSYNC | TCP | 873 | This accepts connections to the localhost only and forwards through Stunnel.
LDAP | In | LDAP | TCP | 389 | Connections are protected by bi-directional authenticated encryption.
LDAPS | In | LDAPS | TCP | 636 | Used for LDAP over SSL.

Default Client Ports
Application | Direction | Protocol | Transport | Ports | Comment
174. g can be customized to include logs from any application. They would then be in a central place for viewing and aggregation by users of the Kibana interface.
AU-6(6) | Audit Review, Analysis and Reporting Control Enhancement | Audit and Accountability |
AU-6(7) | Audit Review, Analysis and Reporting Control Enhancement | Audit and Accountability |
AU-6(9) | Audit Review, Analysis and Reporting Control Enhancement | Audit and Accountability |
AU-7 | Audit Reduction and Report Generation | Audit and Accountability |
Control ID | Control Name | Control Family | SIMP Implementation Method
AU-7(1) | Audit Reduction and Report Generation Control Enhancement | Audit and Accountability | While not true audit reduction, Red Hat does allow someone with access to the audit logs to filter them using journald. If audit logs are forwarded to a syslog server, it is not difficult for an administrator or security officer to run batch filters against all of the audit records. As of SIMP 4.0.5, optional Logstash, Kibana and Elasticsearch modules can be applied. If applied, they provide centralized and indexed logs. An implementation can then perform searches against the logs or provide alerts to other parts of the
175. g systems. The core applications that make up SIMP and require prerequisite knowledge are:
- Puppet 3.7 or later
- Domain Name System (DNS): BIND 9
- Dynamic Host Configuration Protocol (DHCP): Internet Systems Consortium (ISC) DHCP
- Lightweight Directory Access Protocol (LDAP): OpenLDAP
- Red Hat Kickstart, including all tools behind it: Trivial File Transfer Protocol (TFTP), PXELinux, etc.
- Apache
- Yellowdog Updater, Modified (YUM)
- Rsyslog version 3
- Internet Protocol Tables (IPtables): basic knowledge of the rules
- Auditd: basic knowledge of how the daemon works
- Advanced Intrusion Detection Environment (AIDE): basic knowledge of the rules
- Basic X.509-based PKI key management

SIMP does as much initial setup and configuration of these tools as possible. However, without at least some understanding of them you will be unable to tailor a SIMP system to fit the desired environment. A general understanding of how to control and manipulate these tools from the command line interface (CLI) will be necessary, as SIMP does not come stock with a graphical user interface (GUI). Knowledge of scripting and Ruby programming will also help to further customize a SIMP install, but is not required for routine use.

2.1.2 SIMP Defined
The System Integrity Management Platform (SIMP) is a framework designed around the concept that individuals and organizations should not need to repeat the work of automating t
176. g to strip out inappropriate characters:

sed i s sgraph lsspace Ll graph i lsspace J 1 2 N file ldif

Note: Use the and characters to scroll right when using ELinks.

Add Users
Users can be added with or without a password. Follow the instructions in the following sections.
Warning: This process should not be used to create users or groups for daemon processes unless the user has experience.

Adding Users With a Password
To add a user to the system, Secure Shell (SSH) to the LDAP server and use the slappasswd command to generate a password hash for the user.
Create a /root/ldifs directory and add the following information to the /root/ldifs/adduser.ldif file. Replace the information within < > with the installed system's information.

Example LDIF to add a user:
dn: uid=<User UID>,ou=People,dc=your,dc=domain
uid: <User UID>
cn: <User UID>
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
objectClass: ldapPublicKey
shadowMax: 90
shadowMin: 1
shadowWarning: 7
shadowLastChange: 10167
pwdReset: TRUE
sshPublicKey: <User SSH Public Key>
loginShell: /bin/bash
uidNumber: <User UID Number>
gidNumber: <User Primary GID>
homeDirectory: /home/<User UID>
userPassword: <Password H
177. gency Planning Services Control Enhancement
CP-9 | Information System Backup | Contingency Planning | The BackupPC module is not currently available in SIMP 5.0.
CP-9(1) | Information System Backup Control Enhancement | Contingency Planning |
CP-9(2) | Information System Backup Control Enhancement | Contingency Planning |
CP-9(3) | Information System Backup Control Enhancement | Contingency Planning |
CP-9(5) | Information System Backup Control Enhancement | Contingency Planning |
CP-9(6) | Information System Backup Control Enhancement | Contingency Planning |
Control ID | Control Name | Control Family | SIMP Implementation Method
CP-10 | Information System Recovery and Reconstitution | Contingency Planning | The BackupPC module is not currently available in SIMP 5.0.
CP-10(1) | Information System Recovery and Reconstitution Control Enhancement | Contingency Planning |
CP-10(2) | Information System Recovery and Reconstitution Control Enhancement | Contingency Planning |
CP-10(3) | Information System Recovery and Reconstitution Control Enhancement | Contingency Planning |
CP-10(4) | Information System Recovery and Reconstitution Control Enhancement | Contingency Planning |
CP-10(5) | Information System Recovery and Reconstitution Control Enhancement | Contingency
178. h the ausearch or aureport utilities. Configuring the audit rules is done with the auditctl utility. During startup, the rules in /etc/audit/audit.rules are read by auditctl. The audit daemon itself has some configuration options that the admin may wish to customize; they are found in the auditd.conf file.
BIOS: Basic Input/Output System. A type of firmware used to perform hardware initialization during the booting process (power-on startup) on IBM PC compatible computers. Source: Wikipedia, BIOS.
CA: Certificate Authority. An entity that issues X.509 digital certificates.
CentOS: Community Enterprise Operating System. An enterprise-grade operating system that is mostly compatible with a prominent Linux distribution.
CLI: Command Line Interface. A means of interacting with a computer program where the user or client issues commands to the program in the form of successive lines of text (command lines). Source: Wikipedia, Command Line Interface.
CPU: Central Processing Unit. The electronic circuitry within a computer that carries out the instructions of a computer program by performing the basic arithmetic, logical, control and input/output (I/O) operations specified by the instructions. Source: Wikipedia, Central Processing Unit.
DHCP: Dynamic Host Configuration Protocol. A network protocol that enables a server to automatically assign an IP address to a computer.
DNS: Domain Name System. A database system that t
179. hancement | Configuration Management | Puppet is not intended to be a security mechanism to prevent unauthorized changes to files. Files that are managed by Puppet and that have been changed will revert to their original state. This control is really about protecting from unauthorized changes, so access control to the Puppet master should suffice to meet it. Changes to files are audited using auditd; Puppet changes are also audited. It is up to the implementation to perform alerting on those changes.
Control ID | Control Name | Control Family | SIMP Implementation Method
CM-6(3) | Configuration Settings Control Enhancement | Configuration Management | This control is not fully met by SIMP. It is important to point out that SIMP does provide logging of events to syslog; it is currently up to the implementation to alert on those events.
CM-7 | Least Functionality | Configuration Management | There is not an explicit list of services that SIMP denies. Instead, it was built to provide only the essential functionality; additional services get added only as needed.
CM-7(1) | Least Functionality Control Enhancement | Configuration Management |
CM-7(2) | Least Functionality Control Enhancement | Configuration Management | Appli
180. he National Institute of Standards and Technology (NIST) Special Publication 800-53 Revision 3 controls that SIMP currently meets. Empty contents means SIMP does not meet that control. Implementations are free to take these tables and use them as a starting point for any accreditation activities that follow NIST 800-53.

SIMP SCTM Technical Controls
Control ID | Control Name | Control Family | SIMP Implementation Method
AC-1 | Access Control Policy and Procedures | Access Control |
AC-2(1) | Account Management Control Enhancement | Access Control | LDAP is used to centrally manage accounts. Local accounts can optionally be added and managed by Puppet.
AC-2(2) | Account Management Control Enhancement | Access Control |
AC-2(3) | Account Management Control Enhancement | Access Control | Inactive local accounts expire 35 days after password expiration. LDAP accounts can be set to expire in LDAP and using PAM. There is no automated method included with SIMP to check inactive LDAP accounts. Implementations should address inactive LDAP accounts with automated or administrative measures.
AC-2(4) | Account Management Control Enhancement | Access Control
181. he action
- Command
- Event ID
- Key
- Node (Hostname / IP Address)
- Login Session ID
- Executable

4.2.29 Audit Storage
Audit logs are stored locally on a separate partition in the /var/log directory. The size of this partition is configurable. Other default audit storage configurations include:
- A syslog message is written when the audit partition has 75 MB free. This can be changed to e-mail if e-mail infrastructure is in place (AU-5(a), AU-5(1)).
- The log file rotates once it reaches 30 MB.

4.2.30 Audit Reduction and Response
SIMP provides a means to capture the proper information for audit records and stores them centrally. Each implementation must decide and document how it reduces, analyzes and responds to audit events (AU-5).
Auditd, like all services in SIMP, is controlled by Puppet. Stopping the service without disabling Puppet means the service will always be started again during the next Puppet run. The files that control the audit configuration will also revert to their original state if changed manually on a client node.
In the event auditd fails, the system will continue to operate. Several security guides have suggested that the system should shut down if auditd fails for any reason. However, SIMP will not shut down, but will provide an alert via syslog when this happens (AU-5(1)).
SIMP also comes with an optional module for the Elasticsearch, Logstash, Kibana (ELK) stack. These three open source tools can be combined to
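The storage behaviour described above (warn through syslog before the audit partition fills, rotate at a size cap, keep the host running and alert rather than halting) lives in auditd.conf, and a node whose file has drifted from it fails silently. The following is an added example, not SIMP's own code: a checker that reads an auditd.conf and reports settings that diverge from those defaults. The two sample configurations are constructed for the demonstration; the keys (space_left, space_left_action, max_log_file, max_log_file_action, disk_full_action) are the ones auditd actually uses.

```shell
#!/bin/sh
# Added example, not SIMP's own code: check an auditd.conf against the
# storage behaviour described in "Audit Storage" and "Audit Reduction
# and Response". The sample files written by write_sample_conf are
# constructed for the demo; the keys are real auditd.conf keys.

# auditd_conf_get FILE KEY: value of KEY in FILE ("key = value" lines,
# last one wins, '#' comments ignored); prints nothing if unset.
auditd_conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^#]*\).*/\1/p" "$1" \
        | tail -n 1 | sed 's/[[:space:]]*$//'
}

# check_auditd_conf FILE: print one finding per line; return 0 if none.
check_auditd_conf() {
    f=$1; rc=0
    v=$(auditd_conf_get "$f" space_left)
    case "$v" in
        ""|*[!0-9]*) echo "space_left='$v': no numeric low-space threshold"; rc=1 ;;
        *) [ "$v" -ge 75 ] || { echo "space_left=$v: below the 75 MB threshold"; rc=1; } ;;
    esac
    v=$(auditd_conf_get "$f" space_left_action)
    case "$v" in
        syslog|email|exec) ;;
        *) echo "space_left_action='$v': low space would not be reported"; rc=1 ;;
    esac
    v=$(auditd_conf_get "$f" max_log_file)
    case "$v" in
        ""|*[!0-9]*|0) echo "max_log_file='$v': no size cap on the audit log"; rc=1 ;;
    esac
    v=$(auditd_conf_get "$f" max_log_file_action)
    case "$v" in
        rotate|keep_logs) ;;
        *) echo "max_log_file_action='$v': log is not rotated at the cap"; rc=1 ;;
    esac
    v=$(auditd_conf_get "$f" disk_full_action)
    case "$v" in
        syslog|exec) ;;
        halt|single) echo "disk_full_action=$v: would take the host down; SIMP's default is to stay up and alert"; rc=1 ;;
        *) echo "disk_full_action='$v': a full audit partition would not be reported"; rc=1 ;;
    esac
    return $rc
}

# write_sample_conf FILE simp|silent: constructed sample configurations
# (not copied from any system), one matching the defaults described
# above and one that fills the partition without telling anyone.
write_sample_conf() {
    if [ "$2" = simp ]; then
        cat > "$1" <<'EOF'
log_file = /var/log/audit/audit.log
max_log_file = 30
max_log_file_action = rotate
space_left = 75
space_left_action = syslog
disk_full_action = syslog
EOF
    else
        cat > "$1" <<'EOF'
log_file = /var/log/audit/audit.log
max_log_file = 0
max_log_file_action = ignore
space_left = 75
space_left_action = ignore
disk_full_action = halt
EOF
    fi
}

# Usage on a real node: sh auditd_check.sh /etc/audit/auditd.conf
if [ -n "${1:-}" ]; then
    check_auditd_conf "$1"
fi
```

Because Puppet reverts auditd.conf on every run, a finding on a SIMP-managed node normally means the Puppet-managed copy itself was changed, which is the case this check is meant to surface.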
182. he basic components of their operating system infrastructure. Expanding upon this philosophy, SIMP also aims to take care of routine policy compliance, to include NIST 800-53, FIPS 140-2, the DISA STIG and the SCAP Security Guides. By using the Puppet automation stack, SIMP is working toward the concept of a self-healing infrastructure that, when used with a consistent configuration management process, will allow users to have confidence that their systems not only start in compliance but remain in compliance over time. Finally, SIMP has a goal of remaining flexible enough to properly maintain your operational infrastructure. To this end, where possible, the SIMP components are written to allow all security-related capabilities to be easily adjusted to meet the needs of individual applications.

2.2 SIMP Server Installation
This chapter provides guidance on installing and configuring SIMP using the simp config utility.

2.2.1 System Requirements
SIMP scales well, but how much depends on a number of factors, including the number of nodes, the processor speed, the total memory and the complexity of the manifests. The following minimal system requirements are recommended:
- Central Processing Unit (CPU): 2 cores
- Random Access Memory (RAM): 2.2 GB
- Hard Disk Drive (HDD): 50 GB

2.2.2 Using the SIMP Utility
The SIMP utility does not assist users through the entire configuration process; however, it does make the initial configuration easier
183. hitecture and Provisioning for Name/Address Resolution Service | System and Communications Protection |
SC-23 | Session Authenticity | System and Communications Protection | The forms of cryptography used are applied through SSH, SSL and TLS. There are several unencrypted protocols used on the Puppet server (Apache/YUM, DHCPD, TFTP and DNS) that are documented in the Security Concepts document.
SC-23(1) | Session Authenticity Control Enhancement | System and Communications Protection | The forms of cryptography used are applied through SSH, SSL and TLS. There are several unencrypted protocols used on the Puppet server (Apache/YUM, DHCPD, TFTP and DNS) that are documented in the Security Concepts document.
SC-23(2) | Session Authenticity Control Enhancement | System and Communications Protection |
SC-23(3) | Session Authenticity Control Enhancement | System and Communications Protection | The forms of cryptography used are applied through SSH, SSL and TLS. There are several unencrypted protocols used on the Puppet server (Apache/YUM, DHCPD, TFTP and DNS) that are documented in the Security Concepts document.
SC-23(4) | Session Authenticity Control Enhancement | System and Communications Protection |
184. house and unpack the ISO (around 10G). Starting from the directory with the ISO, complete the steps outlined below. These steps are based on an example ISO of rhel-server-6.7-x86_64-dvd.iso.

1. Type:
   for file in $(isoinfo -Rf -i rhel-server-6.7-x86_64-dvd.iso | tac); do mkdir -p RHEL6.7-x86_64/$(dirname $file); isoinfo -R -x $file -i rhel-server-6.7-x86_64-dvd.iso > RHEL6.7-x86_64$file; done
2. Type:
   tar -C RHEL6.7-x86_64 -xzf <SIMP tarball>
3. Type:
   mkisofs -o SIMP-6.7-<SIMP Version>-x86_64.iso -b isolinux/isolinux.bin -c boot.cat -no-emul-boot -boot-load-size 4 -boot-info-table -R -m TRANS.TBL -uid 0 -gid 0 RHEL6.7-x86_64

Table: Build a SIMP DVD Procedure

The fully bootable SIMP DVD is ready to install on a new system. Replace the RHEL version and architecture to fit the user's needs. See the Changelog for compatible RHEL versions.

Use the Alternative Method
If the Ruby rake utility is installed, use the Rakefile provided in the Docs/examples directory of the tar file.

3.14.4 Excluding Repositories
By default, SIMP applies updates from all available repositories on a nightly basis. This ensures that bug fixes and security updates are applied to all systems without minute management in Puppet manifests. This section provides guidance on how to include or exclude specific r
185. i simp-doc: Removed several obsolete sections and cleaned up a great deal of the language.
- simp-rsync: Content has been restructured to eliminate licensing conflicts. ClamAV has been refactored into a separate GPL package.
- pupmod-simp-rsyslog: Module has been rewritten to support rsyslog 7.4.
- Facter 2.4: Facter now returns the following facts as their actual boolean or integer values instead of converting them into strings: activeprocessorcount, is_virtual, mtu_<INTERFACE>, physicalprocessorcount, processorcount, selinux_enforced, selinux, sp_number_processors, sp_packages.
- Mcollective: Mcollective is now available to be installed and used with SIMP. It uses SSL/TLS along with user certificates for proper encryption and authentication.
- PuppetDB: PuppetDB is now supported by SIMP and installed by default.
- Puppetserver: The puppet master service has been replaced by the puppetserver service. This is a major rewrite by Puppet Labs. Puppetserver scales better for larger agent deployments with a single Puppet master. It uses environments by default, which allows for tools such as r10k. The production environment is a link to simp by default.

2.6.9 Known Bugs
- There is a symlink created at /etc/puppet/environments/simp/simp which should not be in place. This is being tracked as SIMP-661.
- SSSD is currently broken
186. ies of interest are noted in this section. It is possible to use an existing DNS setup; however, the following table lists the steps for a local setup.

1. Navigate to /srv/rsync/bind_dns.
2. Modify the named files to correctly reflect the environment. At a minimum, the following files under /srv/rsync/bind_dns/default should be edited:
   - named/etc/named.conf
   - named/etc/zones/your.domain
   - named/var/named/forward/your.domain.db
   - named/var/named/reverse/0.0.10.db
   Important: For the named/var/named/forward/your.domain.db and named/var/named/reverse/0.0.10.db files, add clients as needed. Make sure to rename both of these files to more appropriately match your system configuration.
   At a minimum, review named/etc/named.conf and check/update the following:
   - Update the IP for allow-query and allow-recursion.
   - Delete any unnecessary zone stanzas (i.e. forwarding) if not necessary.
   - Substitute the FQDN of your domain for all occurrences of your.domain.
3. Type puppet agent -t --tags named on the Puppet Master to apply the changes. Validate DNS and ensure /etc/resolv.conf is updated appropriately.
4. If an error about the rndc.key appears when starting bind, copy the rndc.key to /etc, then re-run the puppet command:
   cp -p /var/named/chroot/etc/rndc.key /etc/rndc.key

3.3.4 Configure DHCP
Perform the following actions as root on the Puppet Master system. p
187. ifs/<ldif File> file. Replace the information below within < > with the installed system's information.

Example LDIF to add a group:
dn: cn=<Group Name>,ou=Group,dc=your,dc=domain
objectClass: posixGroup
objectClass: top
cn: <Group Name>
gidNumber: <GID>
description: Some Descriptive Text

Type: ldapadd -Z -x -W -D "cn=LDAPAdmin,ou=People,dc=your,dc=domain" -f <ldif_file>

Removing a Group
To remove a group, add the following information to the /root/ldifs/<ldif File> file. Replace the information below within < > with the installed system's information.

Example LDIF to remove a group:
dn: cn=<Group Name>,ou=Group,dc=your,dc=domain
changetype: delete

Type: ldapmodify -Z -x -W -D "cn=LDAPAdmin,ou=People,dc=your,dc=domain" -f <ldif_file>

Adding Users to a Group
To add users to a group, add the following information to the /root/ldifs/<ldif File> file. Replace the information below within < > with the installed system's information.

Example LDIF to add users to a group:
dn: cn=<Group Name>,ou=Group,dc=your,dc=domain
changetype: modify
add: memberUid
memberUid: <UID1>
memberUid: <UID2>
memberUid: <UIDX>

Type: ldapmodify -Z -x -W
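The user LDIF in "Adding Users With a Password" and the group LDIFs in this section are normally produced by editing the < > placeholders, which is how a stray placeholder, a cleartext userPassword, or a comma in a uid (which changes the DN) ends up in /root/ldifs. The following is an added example and not code from the SIMP project: POSIX sh functions that emit the same records from arguments and refuse those mistakes. The function names, the base DN dc=example,dc=com in the tests and the values in the usage comments are assumptions for illustration; the attribute set is the one the LDIF examples above use.

```shell
#!/bin/sh
# Added example, not SIMP's own code: build the user and group LDIFs
# shown above from arguments instead of editing the <...> placeholders
# by hand. Function names and sample values are assumptions.

# shadowLastChange is a count of days since the Unix epoch, not a date.
days_since_epoch() {
    echo $(( $(date +%s) / 86400 ))
}

# A name is spliced unquoted into a DN, so allow only plain POSIX
# account/group names (no commas, equals signs, spaces or leading '-').
valid_name() {
    case "$1" in
        ""|-*|*[!a-z0-9_.-]*) return 1 ;;
    esac
    return 0
}

is_number() {
    case "$1" in
        ""|*[!0-9]*) return 1 ;;
    esac
    return 0
}

# gen_user_ldif UID UIDNUMBER GIDNUMBER PASSWORD_HASH SSH_PUBKEY [BASE_DN] [LASTCHANGE]
# PASSWORD_HASH is the slappasswd output ({SSHA}...); a value without a
# {scheme} prefix is refused so a cleartext password never lands in
# /root/ldifs. pwdReset TRUE forces a change at first login.
gen_user_ldif() {
    u_uid=$1; u_uidnum=$2; u_gidnum=$3; u_hash=$4; u_key=$5
    u_base=${6:-dc=your,dc=domain}
    u_last=${7:-$(days_since_epoch)}
    valid_name "$u_uid" || { echo "gen_user_ldif: bad uid '$u_uid'" >&2; return 1; }
    is_number "$u_uidnum" && is_number "$u_gidnum" \
        || { echo "gen_user_ldif: uidNumber/gidNumber must be numeric" >&2; return 1; }
    case "$u_hash" in
        {*}*) ;;
        *) echo "gen_user_ldif: userPassword must be a slappasswd hash, not cleartext" >&2; return 1 ;;
    esac
    cat <<EOF
dn: uid=$u_uid,ou=People,$u_base
uid: $u_uid
cn: $u_uid
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
objectClass: ldapPublicKey
shadowMax: 90
shadowMin: 1
shadowWarning: 7
shadowLastChange: $u_last
pwdReset: TRUE
sshPublicKey: $u_key
loginShell: /bin/bash
uidNumber: $u_uidnum
gidNumber: $u_gidnum
homeDirectory: /home/$u_uid
userPassword: $u_hash
EOF
}

# gen_group_ldif NAME GID [BASE_DN] [DESCRIPTION]
gen_group_ldif() {
    valid_name "$1" && is_number "$2" \
        || { echo "gen_group_ldif: bad group name or gid" >&2; return 1; }
    cat <<EOF
dn: cn=$1,ou=Group,${3:-dc=your,dc=domain}
objectClass: posixGroup
objectClass: top
cn: $1
gidNumber: $2
description: ${4:-Some Descriptive Text}
EOF
}

# gen_group_members_ldif NAME BASE_DN MEMBER...: the "changetype: modify"
# record that appends memberUid values to an existing group; load it
# with ldapmodify, not ldapadd.
gen_group_members_ldif() {
    g_name=$1; g_base=$2; shift 2
    valid_name "$g_name" || { echo "gen_group_members_ldif: bad group name" >&2; return 1; }
    [ $# -ge 1 ] || { echo "gen_group_members_ldif: no members given" >&2; return 1; }
    for m in "$@"; do
        valid_name "$m" || { echo "gen_group_members_ldif: bad member '$m'" >&2; return 1; }
    done
    printf 'dn: cn=%s,ou=Group,%s\nchangetype: modify\nadd: memberUid\n' "$g_name" "$g_base"
    for m in "$@"; do
        printf 'memberUid: %s\n' "$m"
    done
}

# Usage (example values):
#   sh ldifgen.sh user bob 10001 10001 "$(slappasswd)" "$(cat bob.pub)" > /root/ldifs/adduser.ldif
#   ldapadd -Z -x -W -D "cn=LDAPAdmin,ou=People,dc=your,dc=domain" -f /root/ldifs/adduser.ldif
case "${1:-}" in
    user)    shift; gen_user_ldif "$@" ;;
    group)   shift; gen_group_ldif "$@" ;;
    members) shift; gen_group_members_ldif "$@" ;;
esac
```

The base DN is passed in rather than hard-coded because the records are rejected by the server if it does not match the configured suffix; the ldapadd and ldapmodify invocations are the ones given in the procedure above.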
188. in two ways. First, per the Bob example above, you may be using an FQDN to identify a host on your network. If DNS is not properly configured, then there is no way for the host to understand that you should have access from this remote system. Second, the default PKI settings in SIMP ensure that all connections are validated against the FQDN of the client system. In the case of an LDAP connection, a misconfiguration in DNS may result in an inability to authenticate against the LDAP service.

In the following sections we will assume that we have a host named system.my.domain with the IP address 1.2.3.4.

Testing a Forward Lookup
The following should return the expected IP address for your system:
$ nslookup system.my.domain

Testing a Reverse Lookup
The following should return the expected hostname for your system. This hostname must be either the primary name in the PKI certificate or a valid alternate name:
$ nslookup 1.2.3.4

PKI Issues
If both PAM and DNS appear to be correct, you should next validate that your PKI certificates are both valid and functional. See Checking Your SIMP PKI Communication for additional guidance.

3.13.3 Checking Your SIMP PKI Communication
SIMP comes with a fully functional Public Key Infrastructure in the guise of an aptly named Fake CA. The Fake CA can be very useful for getting y
189. ing in /etc/puppet/autosign.conf
- File serving in /etc/puppet/fileserver.conf
- Puppet server and Certificate Authority (CA) information in /etc/puppet/puppet.conf
- Server certificates for the puppet host (Fake CA)

LDAP
- If you select use_ldap and set this server as your LDAP server (OpenLDAP), Puppet will enable the LDAP service on this server and all clients will be set to reference it for authentication.
- If you select use_ldap and set another server as your LDAP server, then the clients (including this server) will use the specified server instead.
- If you choose not to use LDAP, the system is set up to use traditional local authentication only.

RSYNC
- The puppet server is configured to rsync data directories for services like DNS, DHCP or TFTP.

YUM
- Base YUM repositories for RPM updates.

2.9 Indices and tables
- genindex
- search

CHAPTER 3: SIMP User Guide

3.1 Introduction
This guide will walk a user through the process of managing a SIMP system. This system includes, at a minimum, a SIMP server with properly configured networking information and a working Puppet server. Additionally, this document outlines the process of managing clients and users associated with the SIMP system.

3.1.1 Level of Kno
190. ional infrastructure. To this end, where possible, the SIMP components are written to allow all security-related capabilities to be easily adjusted to meet the needs of individual applications.

Contents
SIMP 4.2.0-1

CHAPTER 1: Changelog
Contents:
- Changelog: Manual Changes Required; Deprecations; Significant Updates; Upgrade Guidance (Expectations); Security Announcements (CVEs Addressed); RPM Updates; Fixed Bugs; New Features; Known Bugs

SIMP 4.2.0-1
Package 4.2.0-1. This release is known to work with:
- RHEL 6.7 x86_64
- CentOS 6.7 x86_64

1.1 Manual Changes Required
- Bugs in the simplib::secure_mountpoints class (formerly common::secure_mountpoints). Note: This only affects you if you did not have a separate partition for /tmp.
  - There were issues in the secure_mountpoints class that caused /tmp and /var/tmp to be mounted against the root filesystem. While the new code addresses this, it cannot determine if your system has been modified incorrectly in the past.
  - To fix the issue you need to do the following:
    - Unmount /var/tmp (may take multiple unmounts)
    - Unmount /tmp (may take multiple unmounts)
    - Remove the bind entries for /tmp and /var/tmp from /etc/fstab
    - Run puppet with the new code in place

1.2 Deprecations
- simp-hiera
191. ir infrastructure.
AU-8 | Time Stamps | Audit and Accountability | Auditd uses the system clock to time-stamp audit events.
AU-8(1) | Time Stamps Control Enhancement | Audit and Accountability | Time is an essential component of Puppet. Therefore NTPD is used to synchronize Puppet clients with the Puppet server. That default configuration can be changed to synchronize each server/client with another time source.
AU-9 | Protection of Audit Information | Audit and Accountability | File system permissions and SELinux protect the content of /var/log/audit and /etc/audit.
AU-9(1) | Protection of Audit Information Control Enhancement | Audit and Accountability |
AU-9(2) | Protection of Audit Information Control Enhancement | Audit and Accountability |
AU-9(3) | Protection of Audit Information Control Enhancement | Audit and Accountability |
AU-9(4) | Protection of Audit Information Control Enhancement | Audit and Accountability |
Control ID | Control Name | Control Family | SIMP Implementation Method
AU-10 | Non-repudiation | Audit and Accountability |
AU-10(1) | Non-repudiation Control Enhancement | Audit and Accountability |
AU-10(2)
192. iscount-1.6.8-1.el6.x86_64.rpm  http://yum.puppetlabs.com/el/6/dependencies/x86_64/rubygem-rd
rubygem-ronn-0.7.3-1.el6.noarch.rpm  http://yum.puppetlabs.com/el/6/dependencies/x86_64/rubygem-ro
rubygem-stomp-1.3.2-1.el6.noarch.rpm  http://yum.puppetlabs.com/el/6/dependencies/x86_64/rubygem-st
rubygem-stomp-doc-1.3.2-1.el6.noarch.rpm  http://yum.puppetlabs.com/el/6/dependencies/x86_64/rubygem-st
scap-security-guide-0.1.21-3.el6.noarch.rpm  http://mirror.ash.fastserv.com/pub/linux/centos/6.7/os/x86_64/Pac
sendmail-milter-8.14.4-9.el6.x86_64.rpm  http://mirror.netdepot.com/centos/6.7/os/x86_64/Packages/sendm
simp-lastbind-2.4.23-0.x86_64.rpm  https://dl.bintray.com/simp/4.2.X-Ext/simp-lastbind-2.4.23-0.x86_
simp-ppolicy-check-password-2.4.39-0.el6.x86_64.rpm  https://dl.bintray.com/simp/4.2.X-Ext/simp-ppolicy-check-passwo
sudosh2-1.0.2-2.el6.x86_64.rpm  https://dl.bintray.com/simp/4.2.X-Ext/sudosh2-1.0.2-2.el6.x86_64
syslinux-tftpboot-4.04-3.el6.noarch.rpm  http://mirror.ash.fastserv.com/pub/linux/centos/6.7/os/x86_64/Pac
tanukiwrapper-3.5.9-1.el6.x86_64.rpm  http://yum.puppetlabs.com/el/6/dependencies/x86_64/tanukiwrap
trousers-0.3.13-2.el6.x86_64.rpm  http://mirror.ash.fastserv.com/pub/linux/centos/6.7/os/x86_64/Pac
voms-2.0.12-3.el6.x86_64.rpm  http://mirror.cogentco.com/pub/linux/epel/6/x86_64/voms-2.0.12-

4.5.5 SIMP SCTM
This SCTM was developed based on t
193. ith an optional module to install and perform regular runs of the SCAP Security Guide. Doing so will report, at a user-defined frequency, OVAL results of the security settings of a host against SSG recommendations.
SI-6(3) | Security Functionality Verification Control Enhancement | System and Information Integrity | SIMP comes with an optional module to install and perform regular runs of the SCAP Security Guide. Doing so will report, at a user-defined frequency, OVAL results of the security settings of a host against SSG recommendations.
SI-7 | Software and Information Integrity | System and Information Integrity | SIMP comes with AIDE installed. Puppet also serves the purpose of checking the integrity of files. During each client run, a change in file integrity means the file is restored to its original state.
SI-7(1) | Software and Information Integrity Control Enhancement | System and Information Integrity | AIDE baselines are not performed beyond the initial install unless otherwise configured. Implementations can re-baseline the database.
SI-7(2) | Software and Information Integrity Control Enhancement | System and Information Integrity |
SI-7(3) | Software and Information Integrity Control Enhancement | System and Information Integrity | AIDE is managed by Puppet and is therefore centrally managed.
194. ity Control Enhancement | ...tegrity | ...pet and is therefore centrally managed.
SI-7(4) | Software and Information Integrity Control Enhancement | System and Information Integrity |
SI-8 | Spam Protection | System and Information Integrity |
SI-8(1) | Spam Protection Control Enhancement | System and Information Integrity |
SI-8(2) | Spam Protection Control Enhancement | System and Information Integrity |
SI-9 | Information Input Restrictions | System and Information Integrity |
SI-10 | Information Input Validation | System and Information Integrity |
SI-11 | Error Handling | System and Information Integrity |
SI-13 | Predictable Failure Prevention | System and Information Integrity |
SI-13(1) | Predictable Failure Prevention Control Enhancement | System and Information Integrity |
SI-13(2) | Predictable Failure Prevention Control Enhancement | System and Information Integrity |
SI-13(3) | Predictable Failure Prevention Control Enhancement | System and Information Integrity |
SI-13(4) | Predictable Failure Prevention Control Enhancement | System and Information Integrity |
Table: SIMP SCTM

SIMP SCTM Management Controls
Control ID | Control Name | Control Family | SIMP Implementation Method
AT-1 | Security Awareness and Training Policy and Procedures | Awareness and Training |
Table 4.5
195. k, Python, Perl, Lisp, Dylan, Pike and CLU.
Service Account: An account that is not for use by a human user, but which still requires login access to a host.
SFTP: SSH File Transfer Protocol. A network protocol that provides file access, file transfer and file management functionality over any reliable data stream. It was designed by the Internet Engineering Task Force (IETF) as an extension of the Secure Shell protocol (SSH) version 2.0 to provide secure file transfer capability, but is also intended to be usable with other protocols.
SIMP: System Integrity Management Platform. A security framework that sits on top of RHEL or CentOS.
SSH: Secure Shell. An application for secure data communication, remote shell services or command execution between networked computers. SSH utilizes a server/client model for point-to-point secure communication.
SSL: Secure Sockets Layer. The standard security technology for using PKI keys to provide a secure channel between two servers. See also TLS.
Sudosh: An application that acts as an echo logger to enhance the auditing of privileged activities at the command line of the operating system. Utilities are available for playing back sudosh sessions in real time.
TFTP: Trivial File Transfer Protocol. A file transfer protocol generally used for automated transfer of configuration or boot files between machines in a local environment.
TLS: T
…keydist/<FQDN>/ …
3. Type chown -R root:puppet /etc/puppet/keydist
4. Type chmod -R u=rwX,g=rX,o-rwx /etc/puppet/keydist

Table: Official Certificates Procedure

The table below lists the steps to create and populate the /etc/puppet/keydist/cacerts directory.

1. Type cd /etc/puppet/keydist
2. Type mkdir cacerts and copy the root CA public certificates into cacerts in Privacy Enhanced Mail (PEM) format, one per file.
3. Type cd cacerts
4. Type for file in *.pem; do ln -s $file $(openssl x509 -in $file -hash -noout).0; done

Table: /etc/puppet/keydist/cacerts Directory Creation Procedure

3.4.2 Generating Fake CAs

If server certificates have not or could not be obtained at the time of client installation, the SIMP team provides a way to create them for the system so that it will work until proper certificates are provided.

Note: This option should not be used for any operational system that can use proper enterprise PKI certificates.

The table below lists the steps to generate the Fake CAs.

1. Type cd /etc/puppet/Config/FakeCA
2. Type vi togen
3. Remove old entries from the file and add the Fully Qualified Domain Name (FQDN) of the systems, one per line, for which certificates will be created.
   Note: To use alternate DNS names for the same system, separate the names with commas and without spaces. For example: name,alt.name1,alt.name2
4. Type wc cacertkey
   Note: Ensure that the cacertkey file is…
…l default settings, including:

Central account management using OpenLDAP (AC-2(1)).

Password expiration: local accounts expire 35 days after password expiration (AC-2(3)). LDAP accounts do not expire automatically due to inactivity; implementations should audit LDAP accounts regularly. Auditing of administrative actions to capture local account creation and modifications to LDAP accounts is done via the /var/log/slapd_audit.log file for LDAP accounts and /var/log/audit/audit.log for local accounts (AC-2(4)).

Shell session timeouts after 15 minutes of inactivity (AC-2(5)). This can be circumvented by running a command that opens an endless pipe, such as /bin/cat. However, this timeout cannot be enforced more heavily due to the high likelihood of breaking system applications. If the optional gnome module is used, the GNOME screen saver will lock the screen after 15 minutes of inactivity.

Assignment of users into groups, locally or centrally via LDAP (AC-2(7)). By default, SIMP will have an administrators group that has the ability to run sudosh. Implementations should further define administrators or user groups and limit them with the Puppet sudo class.

4.2.8 Access Enforcement

SIMP uses the implementation of Discretionary Access Control (DAC) that is native to Linux. Specific file permissions have been assigned based on published security guidance for Red Hat, CentOS and UNIX. Default permissions on files created by users are enforced with user fil…
…ls. Once the admin principal has been created, host principals for each host can be made. The table below lists the steps to complete this action.

1. On the KDC, generate a principal for each host in the environment by typing:
   /usr/sbin/kadmin.local -r <Your Domain> -q "addprinc -randkey host/<FQDN>"
   Note: To use much of the functionality of the host, the user must first ensure that each host has a keytab. SIMP uses the /etc/puppet/keydist directory for each host to distribute keytabs securely to the clients.
2. To create a keytab file for each of the above hosts, type:
   /usr/sbin/kadmin.local -r <Your Domain> -q "ktadd -k <FQDN>.keytab host/<FQDN>"
3. Propagate all keytabs to the Puppet server by moving all of the resulting keytab files securely to the /etc/puppet/keydist/<FQDN>/keytabs directory on the Puppet server, as appropriate for each file.
4. Update the node declarations to include krb::keytab.
   Note: Ensure that all keytab directories are readable by the group puppet but not globally.

Table: Creating Host Principals Procedure

Once the Puppet Agent runs on the clients, the keytabs are copied to the /etc/krb5_keytabs directory. The keytab matching the FQDN is set in place as the default keytab, /etc/krb5.keytab.

3.13 Troubleshooting Common Issues

How to troubleshoot common problem…
…llow the instructions in the Client Management section for additional assistance.

3.14.7 Performing One-shot Operations

This section introduces the options provided for performing one-shot commands on all Puppet managed systems without using Puppet. This is useful when the user needs to perform an action one time in every location but does not want to enforce that action over time.

Use the PSSH Utility

Parallel Secure Shell (PSSH) has been included in SIMP for some time but has not been installed by default. The table below lists the steps to use PSSH.

Table: Use PSSH Procedure

Note: There is no manual page provided with PSSH; type pssh --help for further explanation.

Other SSH Options

Using the -f option forces a TTY for SSH, which allows the user to run sudo commands via PSSH. Using the -OStrictHostKeyChecking=no option connects the user to the target servers via SSH even if there is an issue with ssh known_hosts.

3.14.8 Puppet Server Behind a NAT

This section provides guidance for when the Puppet server is behind a NAT but is managing hosts outside the NAT. To resolve this issue, open the /etc/puppet/manifests/vars.pp file and rename the $puppet_servers variable to $puppet_server_hosts_mod. Then create a new $puppet_servers variable and point it to template('site/nat_ip_switch.erb'). The entries in vars.pp should look like the following exa…
…low.

On the Client

Enter the following changes into the /etc/puppet/puppet.conf file.

Code: Changes on Client to Switch Puppet Masters

    server = new.puppet.master.fqdn
    ca_server = new.puppet.master.fqdn
    ca_port = 8141

To remove all files and sub-directories in the /var/lib/puppet/ssl directory, type cd /var/lib/puppet/ssl. Then type rm -rf *. Assuming the new Puppet Master has been set up to properly accept the client, type puppet agent --test to run a full Puppet run while pointing to the new server. If all goes well, the client will now be synchronized with the new Puppet Master. If not, refer to the SIMP Server Installation section of the SIMP Install Guide and ensure that the new Puppet Master was set up properly.

On the Old Puppet Master

Remove or comment out all items for the client node in the /etc/puppet/hieradata/hosts space. To run puppet agent in noop mode to ensure that there are no inadvertent errors, type puppet agent --test --noop.

3.14.3 Building a Bootable DVD from the SIMP tarball

SIMP is an overlay on top of RHEL, not a complete distribution. As such, the user must build a bootable DVD if provided with the SIMP source code or tar file. To build a bootable SIMP DVD if provided a RHEL DVD and the SIMP tar file, follow the steps in the sections below.

Build the DVD

The table below lists the steps to build a SIMP DVD, assuming that the user has copied the DVD to a location with enough space to…
…low demonstrates this action, assuming that the keepmealive service is added to the chkconfig.

Preventing a service from being killed by svckill.rb:

    service keepmealive

3.13.2 Why Can't I Login?

If you've reached this page, you're having issues logging into your system with a newly created account. In almost all cases this is because either your user has not been placed in a group allowed to access the system, your DNS is set up incorrectly, or your PKI certificates are invalid.

PAM Access Restrictions

By default, SIMP uses the pam_access.so PAM module to restrict access on each individual host. While this may not seem as flexible as some methods, it is the most failsafe method for ensuring that you don't accidentally interrupt services due to network issues connecting to your LDAP server.

To allow a user to access a particular system, you need to use the pam::access::manage define as shown below.

    pam::access::manage { 'Allow the security group into the system':
      users   => 'security',
      origins => ['ALL'],
      comment => 'The core security team'
    }

    pam::access::manage { 'Allow bob into the system from the proxy only':
      users   => 'bob',
      origins => ['proxy.domain'],
      comment => 'Bob the proxied'
    }

Troubleshooting DNS

If PAM is not the issue, you may be having DNS issues. This can evidence itself…
…management of various configurations within SIMP.

Baseline Configurations

SIMP baselines include configuration settings and Puppet modules. Currently, baselines are maintained for both Red Hat/CentOS 6.x and Red Hat/CentOS 7.x. Each configuration item that is managed by a Puppet module has an RPM installed on the Puppet Master in the form of pupmod-name-x.x.x-x. This process allows for one main SIMP baseline to be maintained and modules to be upgraded easily. An overall SIMP RPM is also installed on the Puppet Master, which denotes the version number of SIMP that is installed. (CM-2, CM-2(2), CM-2(3), CM-6)

SIMP installs a minimal set of RPMs, which can be found in RPMs. Services and IPtables rules all use a deny-all-but-allow-by-exception model. Additional RPMs must be installed by each implementation. Services must be declared explicitly or they will be disabled by Puppet. IPtables rules must allow a service explicitly. (CM-2(5))

Managing Configuration Changes

Configuration change approvals are managed by each implementation; SIMP only provides the mechanisms to apply changes on clients. A combination of Puppet, rsync and YUM is used to apply those changes across all or selected Puppet clients. All changes made are audited with auditd or are logged to other files via syslog. (CM-3(a), CM-3(3))

UNIX systems are made up of hundreds of configuration files that can contain dozens of settings. SIMP does not make an attempt to manage all o…
…mand path to the documentation has been corrected.

General usability improvements

- DVD: A default IP is no longer provided when booting from the ISO; simp config will set the network properly. The default kickstart no longer attempts to chkconfig any services in the %post section.

3.16.8 New Features

- pupmod-auditd: Completely overhauled the module with a focus on better acceptance testing and format compliance.
- pupmod-augeasproviders: This was updated to 2.1.3. The update to 2.1.3 caused the addition of all of the pupmod-augeasproviders modules below:
  - augeasproviders_apache: Imported 2.1.3 to support the Augeasproviders stack
  - augeasproviders_base: Imported 2.1.3 to support the Augeasproviders stack
  - augeasproviders_core: Imported 2.1.3 to support the Augeasproviders stack
  - augeasproviders_grub: Imported 2.1.3 to support the Augeasproviders stack
  - augeasproviders_mounttab: Imported 2.1.3 to support the Augeasproviders stack
  - augeasproviders_nagios: Imported 2.1.3 to support the Augeasproviders stack
  - augeasproviders_pam: Imported 2.1.3 to support the Augeasproviders stack
  - augeasproviders_postgresql: Imported 2.1.3 to support the Augeasproviders stack
  - augeasproviders_puppet: Imported 2.1.3 to support the Augeasproviders stack
  - augeasproviders_shellvar: Imported 2.1.3 to support the Augeasproviders stack
…mes are in the list.
3. Type chown root:apache /var/www/ks/* to ensure that all files are owned by root and in the apache group.
4. Type chmod 640 /var/www/ks/* to change the permissions so the owner can read and write the file and the apache group can only read.

Note: The URLs and locations in the file are set up for a default SIMP install. That means the same OS and version as the SIMP server, all servers in one location (on the SIMP server) and in specific directories. If you have installed these servers in a different location than the defaults, you may need to edit URLs or directories.

Note: If you want to PXE boot more than this operating system, make a copy of these files, name them appropriately, and update URLs and links inside and anything else you may need. You must know what you are doing before attempting this. If you are booting more than one OS, you must also make sure your YUM server has the OS packages for the other OSs. By default, the YUM server on SIMP has the packages only for the version of OS installed on the SIMP server.

Setting up TFTP

This section describes the process of setting up static files and manifests for TFTP.

Static Files

Verify the static files are in the correct location. Type cd /srv/rsync/tftpboot and then type ls to check for the existence of the /srv/rsync/tftpboot/linux-install/OSTYPE-MAJORRELEASE-ARCH directory, where OSTYPE and MAJORRELEASE under linux-install are the OS type a…
…metized. Before Hiera, this was not possible. Puppet will automatically retrieve class parameters from Hiera using keys. Add a key with a value pair to an appropriate yaml file, say default.yaml, as such:

Adding a Key/Value Pair to Hiera Examples

    classfoo::parameter_bar: 'Woo'
    classfoo::parameter_baz: 'Hoo'

You can then include classfoo on any node, with parameter_bar and parameter_baz defaulting to 'Woo' and 'Hoo' respectively.

Lookup Functions

You are not required to set up your hierarchy for automatic variable lookup. Using three functions, you can query Hiera for any key.

The first is hiera. This uses standard priority lookup and can retrieve values of any data type from Hiera. If no key is found, a default should be included:

    $myvar = hiera('parameter_bar', 'Woo')

The second is hiera_array. This uses an array merge lookup. It retrieves all array values for a given key throughout the entire hierarchy and flattens them into a single array.

The third is hiera_hash. This uses a hash merge lookup. It retrieves all hash values for a given key throughout the entire hierarchy and merges them into a single hash.

2.5.2 Assigning Classes to Nodes

Assigning classes to nodes is done with the hiera_include function. Hiera does an array merge lookup on tags to retrieve classes which should be included on a node. In SIMP, we place hiera_include('classes') in…
…ml file called bar.yaml:

    extdata2hiera -i foo.csv -o bar.yaml

The second example shows how to convert an Extdata csv simp_def file called simp_def.csv into a Hiera yaml file called simp_def.yaml:

    simpdef2hiera --in simp_def.csv --out simp_def.yaml

Puppet will automatically retrieve class parameters from Hiera using lookup keys like myclass::parameter_one. Puppet classes can optionally include parameters in their definition. This lets the class ask for data to be passed in at the time that it's declared, and it can use that data as normal variables throughout its definition.

There are two main ways to reference Hiera data in puppet manifests. The first and preferred way is to use the automatic class variable lookup capability. For each class that you create, the variables will be automatically discovered in hiera should they exist. This is quite powerful in that you no longer need to provide class parameters in your manifests and can finally properly separate your data from your code.

Note: For more information on the lookup functions, see the puppet documentation on Hiera.

    # Some class file in scope
    class foo (
      $param1 = 'default1',
      $param2 = 'default2'
    ) {
    }

    # /etc/puppet/hieradata/default.yaml
    foo::param1: 'custom1'

The second is similar to the old Extdata way and looks like the following:

    $var = hiera('some_hiera_variable', 'default_value')

The following is f…
…mple.

Example: Sample Entries in vars.pp

    $puppet_server_hosts_mod = 'puppet.dns_domain:1.2.3.4 puppet2.dns_domain:2.3.4.5'
    $puppet_servers = template('site/nat_ip_switch.erb')

Create a /etc/puppet/modules/site/templates/nat_ip_switch.erb file with the content shown in the next example. Change the appropriate portions of the content to meet the needs of the user environment.

Important: Ensure that the erb file is owned by root:puppet and mode 640.

Source: Create the nat_ip_switch.erb

    <%
      # Edit this variable to provide the IP address mappings.
      # The left hand side should contain the internal addresses.
      # The right hand side should contain the external addresses.
      t_ipmap = {
        '1.2.3.4' => '<EXTERNAL_ADDRESS_1>',
        '2.3.4.5' => '<EXTERNAL_ADDRESS_2>'
      }

      # Edit this regex to match the hosts. This is done with a Regexp; the user
      # can use whichever is preferred. Pure IP matching would be faster using
      # the IPAddr class.
      t_inside_nets = Regexp.new('<INTERNAL_NETWORK_REGEX>')

      t_pupsrvs = @puppet_server_hosts_mod.split(/\s+/)

      # Change the ipaddress variable to the host that the regexp above is matching.
      if not t_inside_nets.match(@ipaddress) then
        t_pupsrvs.each_index do |t_i|
          t_vals = t_pupsrvs[t_i].split(':')
          if t_ipmap.include?(t_vals.last) then
            t_vals[-1] = t_ipmap[t_vals.last]
            t_pupsrvs[t_i] = t_vals.join(':')
          end
        end
      end
    %>
    <%= t_pupsrvs…
…n.pem',
      client_nets => ['1.2.3.4/16']
    }

    class ldap_master inherits ldap_common {
      include 'openldap::slapo::syncprov'
      openldap::slapo::syncprov::conf { 'default': }
    }

    node 'ldapmaster' {
      include 'ldap_master'
    }

Set up the Replicated Servers

Once the master is ready, LDAP slave nodes must be configured to replicate data from the master. The example below shows the code that should be added to the slave node in Puppet. The actual order of which gets done first is irrelevant; the replicated servers will attempt to contact the master until they are successful.

Source: Code to Configure an LDAP Slave Node (replication)

    class ldap_repl inherits ldap_common {
      include 'openldap::slapd::syncrepl'
      openldap::slapd::syncrepl::conf { '111':
        provider       => $ldap_master,
        syncrepl_retry => '60 10 600',
        searchbase     => 'dc=your,dc=domain',
        starttls       => 'critical',
        bindmethod     => 'simple',
        binddn         => 'cn=LDAPSync,ou=People,dc=your,dc=domain',
        credentials    => '<plain text password>',
        updateref      => $ldap_master
      }
    }

    node 'ldaprepl1' {
      include 'ldap_repl'
    }

    node 'ldaprepl2' {
      include 'ldap_repl'
    }

Promote a Slave Node

Slave nodes can be promoted to act as the LDAP master node. To do this, change the node classifications of the relevant hosts. The following example shows the promotion of the ldaprepl1 server to the master server.
…n Hiera or your ENC.

See Also: Managing Local Service Users

3.15 SIMP RPMs

This provides a comprehensive list of all SIMP RPMs and related metadata. Most importantly, it provides a list of which modules are installed by default and which are simply available in the repository.

Name | Version | Default
pupmod-acpid | 0.0.1-1 | true
pupmod-aide | 4.1.0-7 | true
pupmod-apache | 4.1.0-16 | true
pupmod-auditd | 5.0.0-0 | false
pupmod-auditd | 4.1.0-13 | false
pupmod-augeasproviders | 2.1.3-0 | true
pupmod-augeasproviders_apache | 2.0.1-0 | false
pupmod-augeasproviders_base | 2.0.1-0 | true
pupmod-augeasproviders_core | 2.0.1-0 | true
pupmod-augeasproviders_grub | 2.0.1-0 | true
pupmod-augeasproviders_mounttab | 2.0.1-0 | false
pupmod-augeasproviders_nagios | 2.0.1-0 | false
pupmod-augeasproviders_pam | 2.0.1-0 | false
pupmod-augeasproviders_postgresql | 2.0.1-0 | false
pupmod-augeasproviders_puppet | 2.0.1-0 | false
pupmod-augeasproviders_shellvar | 2.0.1-0 | false
pupmod-augeasproviders_ssh | 2.5.0-0 | true
pupmod-augeasproviders_sysctl | 2.0.1-0 | false
pupmod-autofs | 4.1.0-6 | false
pupmod-backuppc | 4.1.0-5 | false
pupmod-cgroups | 1.0.0-7 | false
pupmod-clamav | 4.1.0-6 | true
pupmod-concat | 4.0.0-3 | true
pupmod-dhcp | 4.1.0-4 | true
pupmod-freeradius | 4.2.0-4 | false
pupmod-ganglia | 4.1.0-6 | false
pupmod-gfs2 | 4.1.0-2 | false
pupmod-iptables | 4.1.0-13 | true
pupmod-jenkins | 4.1.0-6 | false
pupmod-krb5 | 4.1.0-3 | false
…nality if this value were set lower. It can be tailored to a lower value if the implementation determines that number will not impact functionality.

4.5 Security Concepts Appendices

Table 4.3 continued from previous page

Control ID | Control Name | Control Family | SIMP Implementation Method
AC-11 | Session Lock | Access Control | Terminal sessions do not enforce a session lock, so this control is technically not implemented. However, it's mitigated by forcing inactive sessions to log out. If the gnome module is applied, SIMP locks a gnome session after 5 minutes.
AC-14 | Permitted Actions without Identification or Authentication | Access Control | SIMP provides several services that do not require authentication. Most require some form of identification. These are documented in the SIMP Security Concepts and are kept current for that version. Individual modules are not yet documented.
AC-14 | Permitted Actions without Identification or Authentication Control Enhancement | Access Control | Justifications for those services that do not require Identification and Authentication can be found in the SIMP Security Concepts document.
AC-16 | Security Attributes | Access Control | New in SIMP 5.0 is the usage of MAC via SELinux. This is optional for each implementation and can be…
…nd OS major version of the systems you will be PXE booting. Under this directory you should find a directory named OSTYPE-MAJORRELEASE.MINORRELEASE-ARCH and a link to this directory named OSTYPE-MAJORRELEASE-ARCH. Under OSTYPE-MAJORRELEASE.MINORRELEASE-ARCH you should find the files:

- initrd.img
- vmlinuz

If these are not there, then you must create the directories as needed and copy the files from /var/www/yum/OSTYPE/MAJORRELEASE/ARCH/images/pxeboot or from the images directory on the SIMP DVD.

Important: The link is what is used in the TFTP configuration files.

Note: If you want to be able to PXE boot a different OS, then add a directory for each one, obtain the pxeboot images and copy them under the linux-install directory. SIMP only provides images for the OS of the SIMP server.

Manifest

Create a site manifest for the TFTP server on the Puppet server.

1. Create the file /etc/puppet/environment/simp/modules/site/manifests/tftpboot.pp. Use the source code below.
   a. Replace KSSERVER with the IP address of the Kickstart server or the code to look up the IP address using Hiera.
   b. Replace OSTYPE, MAJORRELEASE and ARCH with the correct values for the systems you will be PXE booting.
   c. MODEL NAME is usually of the form OSTYPE-MAJORRELEASE-ARCH for consistency.

    class site::tftpboot {
      include 'tftp'
      …
…network_modification
    -w /etc/issue -p wa -k audit_network_modifications
    -w /etc/issue.net -p wa -k audit_network_modifications
    -w /etc/hosts -p wa -k audit_network_modifications
    -w /etc/sysconfig/network -p wa -k audit_network_modifications

    # Mount options (CCE-26573-6)
    -a always,exit -F arch=b32 -S mount -S umount -S umount2 -k mount
    -a always,exit -F arch=b64 -S mount -S umount2 -k mount

    # audit umask changes. This is uselessly noisy.
    -a exit,always -S umask -k umask

    # CCE-26664-3
    -w /etc/group -p wa -k audit_account_changes
    -w /etc/passwd -p wa -k audit_account_changes
    -w /etc/gshadow -p wa -k audit_account_changes
    -w /etc/shadow -p wa -k audit_account_changes
    -w /etc/security/opasswd -p wa -k audit_account_changes

    # CCE-26657-7
    -w /etc/selinux/ -p wa -k MAC-policy

    # CCE-26691-6
    -w /var/log/faillog -p wa -k logins
    -w /var/log/lastlog -p wa -k logins

    # CCE-26610-6
    -w /var/run/utmp -p wa -k session
    -w /var/run/btmp -p wa -k session
    -w /var/run/wtmp -p wa -k session

    # CCE-26662…
…new certificates for one or more of your hosts.

3.13.4 Puppet Certificate Issues

Puppet Client Certificate Issues

Most of the time, clients will have certificate issues due to the system clock not being properly set. Before taking any other measures, make sure that your system clock is correct on both the master and the clients.

If you need to fix client certificate issues outside of time, first make sure that you don't have a certificate already in place on your Puppet server:

    # puppet cert list --all

If you do have a certificate in place and need to register a client with the same name, remove that client's certificate from the system:

    # puppet cert clean <fqdn of the client>

Warning: If you delete the Puppet server's certificate, you will need to re-deploy Puppet certificates to all of your nodes.

Warning: NEVER RUN puppet cert clean --all

Puppet Client Re-Registration

If for some reason you need to re-register your client with a new server, simply run the following on your client once the server is ready:

    # rm -rf $(puppet config print ssldir)
    # puppet agent -t

Puppet Server Certificate Issues

Warning: This is destructive to your Puppet communications. This should only be used if you have no other options.

If the Puppet server has certificate issues, regene…
…nfiguration data built to make Puppet better and let you set node-specific data without repeating yourself. (Source: Hiera Overview)

IP / IP Address (Internet Protocol Address): A numerical label assigned to each device (e.g. computer, printer) participating in a computer network that uses the Internet Protocol for communication. (Source: Wikipedia, IP Address)

IP6Tables (Internet Protocol 6 Tables): A user space application that provides an interface to the IPv6 firewall rules on modern Linux systems.

IPTables (Internet Protocol Tables): A user space application that provides an interface to the IPv4 firewall rules on modern Linux systems.

Kerberos: A computer network authentication protocol that works on the basis of tickets to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner.

Key Distribution Center: Part of a cryptosystem intended to reduce the risks inherent in exchanging keys. KDCs often operate in systems within which some users may have permission to use certain services at some times and not at others.

LDAP (Lightweight Directory Access Protocol): A protocol for querying and modifying LDAP directory services, including information such as names, addresses, email, phone numbers and other information from an online directory.

MAC / MAC Address (Media Access Control / Media Access Control Address): A…
…ng the yumrepo Puppet type. Any common packages can be symlinked or hard linked between repositories for maximum space utilization.

3.6.2 Sudosh

By default, a SIMP system uses Sudosh to enable logging of sudo sessions to Rsyslog. To open a sudo session as root (or any other user), type su as simp, or sudo sudosh as anyone else, instead of sudo su. The logs are stored in /var/log/sudosh.log. Sessions can be replayed by typing sudosh-syslog-replay.

3.6.3 User Accounts

By default, users can add local users to a system or use LDAP to administer users. It is recommended that LDAP is used for adding all regular users so that there is no conflict with multiple system updates and synchronization. For more information on managing LDAP users, refer to the User Management chapter.

It is also possible that there will be users that are local to the system. To have these users follow the normal password expiration conventions set on the system, use the native Puppet user and group types. To have a user that does not expire, look at the /etc/puppet/localusers file to enable these users across the systems. The comments in the file provide instructions on generating entries for the desired systems. It is hoped that future versions of Puppet will support the modification of password expiration values via the native types and that the localusers file will be retired.

3.6.4 Certificate Management

This section describes the two different types of certificat…
…not empty. If it is, enter text into the file, then save and close the file.

5. Type ./gencerts_nopass.sh auto
   Note: To avoid using the default Fake CA values, remove the auto statement from the ./gencerts_nopass.sh command.

Table: Generating Fake CAs Procedure

Warning: If the clean.sh command is run after the certificates have been generated, the running system will break. To troubleshoot certificate problems, see the section at the end of this chapter.

If issues arise while generating keys, type cd /etc/puppet/Config/FakeCA to navigate to the /etc/puppet/Config/FakeCA directory, then type ./clean.sh to start over. After running the clean.sh script, type ./gencerts_nopass.sh to run the script again using the previous procedure table.

3.5 Maximum Number of Nodes

The maximum number of clients reasonable per each system is dependent on many variables, including number of processors and size of memory. Although it is impossible to predict exactly how many clients a specific server may be able to handle, a simple algorithm can give the user an estimate.

Servers with different hardware have been tested at worst case scenario. This means that all of the server's clients will run Puppet at the exact same time. The most important information collected during these runs was the compile time, which shows the increase in seconds that it takes for each node to com…
…ns security. TLS and SSL encrypt the segments of network connections above the Transport Layer, using asymmetric cryptography for privacy and a keyed message authentication code for message reliability. See also SSL.

TTY: A Unix command that prints to standard output the name of the terminal connected to standard input. The name of the program comes from teletypewriter, abbreviated TTY.

VM (Virtual Machine): An isolated guest operating system installation running within a host operating system.

VNC (Virtual Network Computing): A graphical desktop sharing system that uses the remote framebuffer (RFB) protocol to control another computer remotely. It transmits the keyboard and mouse events from one computer to another, relaying the graphical screen updates back in the other direction over a network.

WAN (Wide Area Network): A computer networking technology used to transmit data over long distances and between different Local Area Networks (LANs), Metropolitan Area Networks (MANs) and other localized computer networking architectures.

X.509: An ITU-T standard for a public key infrastructure (PKI) and Privilege Management Infrastructure (PMI). X.509 specifies, amongst other things, standard formats for public key certificates, certificate revocation lists, attribute certificates, and a certification path validation algorithm. (Source: Wikipedia, X.509)

YUM (Yellow…
220. nt
Control ID | Control Name | Control Family | SIMP Implementation Method
... | ...ponent Inventory Control Enhancement | Configuration Management |
CM-8(4) | Information System Component Inventory Control Enhancement | Configuration Management |
CM-8(5) | Information System Component Inventory Control Enhancement | Configuration Management |
CM-8(6) | Information System Component Inventory Control Enhancement | Configuration Management |
CM-9 | Configuration Management Plan | Configuration Management |
Table 4.5 (continued from previous page)
Control ID | Control Name | Control Family | SIMP Implementation Method
CM-9(1) | Configuration Management Plan Control Enhancement | Configuration Management |
CP-1 | Contingency Planning Policy and Procedures | Contingency Planning |
CP-2 | Contingency Plan | Contingency Planning |
CP-2(1) | Contingency Plan Control Enhancement | Contingency Planning |
CP-2(2) | Contingency Plan Control Enhancement | Contingency Planning |
CP-2(3) | Contingency Plan Control Enhancement | Contingency Planning |
CP-2(4) | Contingency Plan Control Enhancement | Contingency Planning |
CP-2(5) | Contingency Plan Control Enhancement | Contingency Planning |
CP-2(6) | Contingency Plan Control Enhancement | Contingency Planning |
CP-3 | Contingency Training | Contingency Planning |
CP-3(1) | Contingency Training Control Enhancement | Contingency Planning |
CP
221. nt_group = 'localgroup'
    $_local_account_id = '1778'
    # You'll probably want this in /home unless you're using NFS
    $_local_account_homedir = "/home/${_local_account_user}"
    # You'll need to get this from the user as it is their public key
    $_local_account_ssh_public_key = 'AAA...'

    group { $_local_account_group:
      gid       => $_local_account_id,
      allowdupe => false
    }

    user { $_local_account_user:
      uid        => $_local_account_id,
      allowdupe  => false,
      gid        => $_local_account_group,
      home       => $_local_account_homedir,
      managehome => true,
      shell      => '/bin/bash'
    }

    file { "/etc/ssh/local_keys/${_local_account_user}":
      owner  => 'root',
      group  => $_local_account_group,
      mode   => '0644',
      source => "puppet:///site/ssh_autokeys/${_local_account_user}.pub"
    }

    sudo::user_specification { $_local_account_user:
      user_list => $_local_account_group,
      host_list => $::fqdn,
      runas     => 'root',
      cmnd      => '/bin/cat /var/log/app.log',
      passwd    => false
    }

    # Allow this account from everywhere
    pam::access::manage { "Allow ${_local_account_user}":
      users   => $_local_account_user,
      origins => ['ALL']
    }

Testing
The table below lists the steps to test that the configuration was applied correctly.
1. Log on to a server that has the template code configuration applied.
2. Type su <USERNAME>.
222. ntray.com/simp/4.2.X-Ext
Name | Source
mcollective-filemgr-agent-1.0.1-1.noarch.rpm | http://yum.puppetlabs.com/el/6/products/x86_64/mcollective-filen
mcollective-filemgr-client-1.0.1-1.noarch.rpm | http://yum.puppetlabs.com/el/6/products/x86_64/mcollective-filen
mcollective-filemgr-common-1.0.1-1.noarch.rpm | http://yum.puppetlabs.com/el/6/products/x86_64/mcollective-filen
mcollective-iptables-agent-3.0.1-1.noarch.rpm | http://yum.puppetlabs.com/el/6/products/x86_64/mcollective-iptal
mcollective-iptables-client-3.0.1-1.noarch.rpm | http://yum.puppetlabs.com/el/6/products/x86_64/mcollective-iptal
mcollective-iptables-common-3.0.1-1.noarch.rpm | http://yum.puppetlabs.com/el/6/products/x86_64/mcollective-iptal
mcollective-logstash-audit-2.0.0-1.noarch.rpm | http://yum.puppetlabs.com/el/6/products/x86_64/mcollective-logs
mcollective-nrpe-agent-3.0.2-1.noarch.rpm | http://yum.puppetlabs.com/el/6/products/x86_64/mcollective-nrpe
mcollective-nrpe-client-3.0.2-1.noarch.rpm | http://yum.puppetlabs.com/el/6/products/x86_64/mcollective-nrpe
mcollective-nrpe-common-3.0.2-1.noarch.rpm | http://yum.puppetlabs.com/el/6/products/x86_64/mcollective-nrpe
mcollective-package-agent-4.3.0-1.el6.noarch.rpm | http://yum.puppetlabs.com/el/6/products/x86_64/mcollective-pack
mcollective-package-client-4.3.0-1.el6.noarch.rpm | http://yum.puppetlabs.com/el/6/products/x86_64/mcollective-pack
mcollective
223. o /etc/sysconfig/iptables is rewritten with the rules from the manifest. The rules can and should be tailored per implementation.
Control ID | Control Name | Control Family | SIMP Implementation Method
AC-4(2) | Information Flow Enforcement Control Enhancement | Access Control |
AC-4(3) | Information Flow Enforcement Control Enhancement | Access Control |
AC-4(4) | Information Flow Enforcement Control Enhancement | Access Control |
AC-4(5) | Information Flow Enforcement Control Enhancement | Access Control |
AC-4(6) | Information Flow Enforcement Control Enhancement | Access Control |
AC-4(7) | Information Flow Enforcement Control Enhancement | Access Control |
AC-4(8) | Information Flow Enforcement Control Enhancement | Access Control |
AC-4(9) | Information Flow Enforcement Control Enhancement | Access Control |
AC-4(10) | Information Flow Enforcement Control Enhancement | Access Control |
AC-4(11) | Information Flow Enforcement Control Enhancement | Access Control |
AC-4(12) | Information Flow Enforcement Control Enhancement | Access Control |
Table 4.3 (continued from previous page)
Control ID | Control Name | Control Family | SIMP Implementation Method
AC-4(13) | Information Flow Enforcement Control Enhancement | Access Control |
AC-4(14) | Information Flow Enforcement Control Enhancement | Access Control |
AC-4(15) | Information
224. of resources in SIMP. Account access, operating system DAC settings and the use of PKI collectively prevent resources from being shared in ways that were not intended. (SC-4)
4.2.19 Denial of Service Protection
SIMP has limited ability to prevent or limit the effects of Denial of Service (DoS) attacks. The primary measures in place are to drop improperly formatted packets using IPTables and kernel configurations such as syncookies. (SC-5)
4.2.20 Boundary Protection
SIMP does not provide boundary protection. (SC-7)
4.2.21 Transmission Security
SIMP traffic is protected with protocols that provide confidentiality and integrity of data while in transit. The tables in Information Flow Enforcement describe the protocols used to encrypt traffic and explain the protocols that cannot be protected at the transmission layer. SSH, SSL and TLS all provide data transmission integrity and confidentiality. The software that controls them on Red Hat and CentOS is OpenSSH and OpenSSL. The SIMP team takes industry guidance into consideration when configuring these services. For example, the list of cryptographic ciphers available is limited to the highest ciphers that SIMP needs; all others are removed. (SC-8, SC-9, SC-23, SC-7)
4.2.22 Single User Mode
SIMP systems have a password requirement for single user mode. In the event maintenance needs to be performed at a system cons
225. of security settings of a host against SSG recommendations.
Control ID | Control Name | Control Family | SIMP Implementation Method
SI-6(3) | Security Functionality Verification Control Enhancement | System and Information Integrity | SIMP comes with an optional module to install and perform regular runs of the SCAP Security Guide. Doing so will report, for a user-defined frequency, OVAL results of security settings of a host against SSG recommendations.
SI-7 | Software and Information Integrity | System and Information Integrity | SIMP comes with AIDE installed. Puppet also serves the purpose of checking the integrity of files. During each client run, a change in file integrity means the file needs to be restored to its original state.
Table 4.4 (continued from previous page)
Control ID | Control Name | Control Family | SIMP Implementation Method
SI-7(1) | Software and Information Integrity Control Enhancement | System and Information Integrity | AIDE baselines are not performed beyond initial install unless otherwise configured. Implementations can re-baseline the database.
SI-7(2) | Software and Information Integrity Control Enhancement | System and Information Integrity |
SI-7(3) | Software and Information Integr | System and Information In | AIDE is managed by pup
226. of your running applications that use encryption. If you are upgrading, do NOT enable FIPS mode without extensive testing, as it may cause various applications to no longer function properly.
- The rsyslog module has been completely rewritten to support rsyslog 7.4. This is a breaking change from previous releases and will require active updates to existing systems.
Critical Variable Changes:
- The global rsyslog::log_server_list variable is now set to send to all of the servers in the Array by default. This variable defaults to the global log_servers Array in Hiera.
- There is a new variable, rsyslog::failover_log_servers, which is an Array of failover log servers to be used for your system. These will be tried in order until messages can be sent successfully.
Updated Modules: aide, apache, auditd, dhcp, logstash, openldap, rsync, simp, sudosh
- In RHEL6 we updated the OpenLDAP password policy overlay to not conflict with the 6.7 update. This requires a manual update on existing systems using the following LDIF:

    dn: cn=default,ou=pwpolicies,dc=your,dc=domain
    changetype: modify
    replace: pwdCheckModule
    pwdCheckModule: simp_check_password.so

    dn: cn=noExpire_noLockout,ou=pwpolicies,dc=your,dc=domain
    changetype: modify
    replace: pwdCheckModule
    pwdCheckModule: simp_check_password.so

- The Elastic and SIMP modules for elasticsearch have been combined.
3.16.4 Upgrade Guidance
Fully d
227. og traffic over Stunnel. This remains the case with Logstash. Unencrypted traffic is also supported for network devices.
Limiting Web Actions
The Kibana module restricts what HTTP commands a user can perform on the Elasticsearch data store. Full POST action must be given to the Logstash nodes, and some nodes may require DELETE capabilities. Logstash hosts should be tightly controlled so that administrative users cannot modify data inside of Elasticsearch with carefully crafted commands. This is one reason that we use syslog on the local hosts.
Important: The Puppet modules for Logstash, Kibana and Elasticsearch contain dozens of variables that may be manipulated. You should read each product's documentation and ensure you understand any setting that is changed from the default SIMP values. Changes can affect both security and functionality of the system.
3.11.5 Logstash Setup
3.11.6 Logstash System Requirements
The storage requirements for Logstash and Elasticsearch vary depending on how long you plan on keeping logs. If you use the settings in then your logs are not being filtered and are being sent to Elasticsearch. When using Elasticsearch, the logs are formatted for Elasticsearch and stored in /var/elasticsearch. You can also configure how many days of data you wish to keep in Elasticsearch (keep_days => 99). Therefore you should ensure you have enough
228. oint for further work. It will work as-is for most systems as long as your disk device names are in the list.
3. Type chown root:apache /var/www/ks to ensure that all files are owned by root and in the apache group.
4. Type chmod 640 /var/www/ks/* to change the permissions so the owner can read and write the file and the apache group can only read.
Note: The URLs and locations in the file are set up for a default SIMP install. That means the same OS and version as the SIMP server, all servers in one location (on the SIMP server) and in specific directories. If you have installed these servers in a different location than the defaults, you may need to edit URLs or directories.
Note: If you want to PXE boot more than this operating system, make a copy of these files, name them appropriately, and update the URLs and links inside and anything else you may need. You must know what you are doing before attempting this. If you are booting more than one OS, you must also make sure your YUM server has the OS packages for the other OSs. By default, the YUM server on SIMP has the packages only for the version of OS installed on the SIMP server.
Setting up TFTP
This section describes the process of setting up static files and manifests for TFTP.
Static Files
Verify the static files are in the correct location. Type cd /srv/rsync/tftpboot and then type ls to check for the existence of the /srv/rsync/tftpboot/linux-install/OSTYPE-MAJORRELEA
229. ol Family | SIMP Implementation Method
SA-12(5) | Supply Chain Protection Control Enhancement | System and Service Acquisition |
SA-12(6) | Supply Chain Protection Control Enhancement | System and Service Acquisition |
SA-12(7) | Supply Chain Protection Control Enhancement | System and Service Acquisition |
SA-13 | Trustworthiness | System and Service Acquisition |
SA-14 | Critical Information System Components | System and Service Acquisition |
SA-14(1) | Critical Information System | System and Service Acqui
Table: Management Controls
4.6 Indices and tables
- genindex
- search
CHAPTER 5: License
5.1 Legal Notice
Per Section 105 of the Copyright Act of 1976, these works are not entitled to domestic copyright protection under US Federal law. The US Government retains the right to pursue copyright protections outside of the United States. The United States Government has unlimited rights in this documentation and all derivatives thereof, pursuant to the contracts under which it was developed and the License under which it falls. Material submitted by entities outside the United States Government may pursue copyright enforcement on those portions to which they hold copyright. These portions are explicitly marked within the source of this documentation. This material may only be distributed subject to the terms and
230. ole users must be in possession of the root password before they can be authenticated. GRUB passwords are also set to prevent unauthorized modifications to boot parameters. (SC-24)
4.2.23 PKI and Cryptography
SIMP has two native certificate authorities. The first is known as Fake CA: a local certificate authority used to create properly formed server certificates if an implementation does not have other means of obtaining them. Many SIMP services require certificates; therefore SIMP provides this tool for testing, or for situations where other certificates are not available. The second certificate authority, Puppet CA, is built into Puppet. Puppet creates, distributes and manages certificates that are specifically for Puppet. More information on the Puppet CA can be found in the Puppet Labs security documentation. (SC-17, SC-13)
Warning: Fake CA certificates should not be used in an operational setting.
4.2.24 Mobile Code
SIMP does not use mobile code; however, there are not any particular tools that will prevent its use. (SC-18)
4.2.25 Protection of Information at Rest
There are no additional protections for information at rest beyond operating system capabilities in SIMP. There are also no measures in place to encrypt or sign data before transmission. Each implementation should determine how to further protect information at rest. (SC-28)
4.2.26 Audit and Accountability
This section discusses the content, storage and protection of au
231. ompile time of the clients when there are Max_Num_Worstcase clients.
[Figure: Compile Time Given Number of Clients. Series: 2 cores/2GB RAM, 2 cores/4GB RAM, 3 cores/2GB RAM, 3 cores/4GB RAM, 4 cores/2GB RAM. Y axis: Compile Time. X axis: Number of Clients (0 to 14).]
3.6 SIMP Administration
This chapter provides basic guidance on how to administer a SIMP environment.
Warning: While working with the system, keep in mind that Puppet does not work well with capital letters in host names. Therefore, they should not be used.
3.6.1 Nightly Updates
All SIMP systems are configured by default to do a YUM update of the entire system on a nightly basis. The configuration pulls updates from all repositories that the system is aware of. To change this behavior, refer to the Excluding Repositories FAQ section. This configuration is also helpful because it is easier to manage symlinks in YUM repositories than it is to manage individual package minutia for every single package on every system. The general technique is to put packages that all systems will receive into the Updates repository provided with SIMP. Any packages that will only go to specific system sets will then be placed into adjunct repositories under /var/www/yum, and the user will point specific systems at those repositories usi
232. on, Release 0.0
/etc/puppet/manifests/site.pp. Since site.pp is outside of any node definition and below all top-scope variables, every node controlled by Puppet will get every class tagged with classes in its hierarchy. Additionally, simp_def.yaml is in the hierarchy of every node, so every node will receive those classes by default.
2.5.3 Assigning Defined Types to Nodes
Defined types do not have the ability to receive parameters via Hiera in the traditional sense. To include a defined type on a node, one could use create_resources, but this is messy and discouraged. Instead, make a site class, /etc/puppet/modules/site/manifests/my_site.pp. For example, to include tftpboot::linux_model and tftpboot::assign_host on your Puppet server, puppet.your.domain:
Adding a Site Manifest: Examples
In /etc/puppet/modules/site/manifests/tftpboot.pp:

    # Set KSSERVER statically or use Hiera for lookup
    class site::tftpboot {
      include 'tftpboot'

      tftpboot::linux_model { 'CentOS_RHEL_MAJOR_VERSION':
        kernel => 'centosRHEL_MAJOR_VERSION_x86_64/vmlinuz',
        initrd => 'centosRHEL_MAJOR_VERSION_x86_64/initrd.img',
        ks     => 'http://KSSERVER/ks/pupclient_x86_64.cfg',
        extra  => 'ipappend 2'
      }

      tftpboot::assign_host { 'default':
        model => 'CentOS_RHEL_MAJOR_VERSION'
      }
    }

Then in /etc/puppet/hieradata/hosts/puppet.your.domain.yaml:
Adding TFTP Site to Hiera: Examples

    classes:
      - 'site::tftpboot'

2.5.4 SIM
233. on SIMP using SSH or direct console access. SSH sessions are tracked and logged using the security features built into SIMP. Console access requires someone to have access to the physical or virtual console along with the root password. Auditing of those actions also occurs in accordance with the configured audit policy. It's up to the implementation to decide how to distribute authentication information for remote maintenance.
Table 4.5 (continued from previous page)
Control ID | Control Name | Control Family | SIMP Implementation Method
MA-4(1) | Non-Local Maintenance Control Enhancement | Maintenance | Remote maintenance can be performed on SIMP using SSH or direct console access. SSH sessions are tracked and logged using the security features built into SIMP. Console access requires someone to have access to the physical or virtual console along with the root password. Auditing of those actions also occurs in accordance with the configured audit policy. It's up to the implementation to decide how to distribute authentication information for remote maintenance.
MA-4(2) | Non-Local Maintenance Control Enhancement | Maintenance |
MA-4(3) | Non-Local Maintenance Control Enhancement | Maintenance |
MA-4(4) | Non-Local Maintenance | Maintenance
234. ons Protection
Control ID | Control Name | Control Family | SIMP Implementation Method
SC-7(9) | Boundary Protection Control Enhancement | System and Communications Protection |
SC-7(10) | Boundary Protection Control Enhancement | System and Communications Protection |
SC-7(11) | Boundary Protection Control Enhancement | System and Communications Protection |
SC-7(12) | Boundary Protection Control Enhancement | System and Communications Protection | IPTables is the host-based firewall implementation on RedHat/CentOS.
SC-7(13) | Boundary Protection Control Enhancement | System and Communications Protection |
SC-7(14) | Boundary Protection Control Enhancement | System and Communications Protection |
SC-7(15) | Boundary Protection Control Enhancement | System and Communications Protection |
SC-7(16) | Boundary Protection Control Enhancement | System and Communications Protection |
SC-7(17) | Boundary Protection Control Enhancement | System and Communications Protection |
SC-7(18) | Boundary Protection Control Enhancement | System and Communica
Table 4.3 (continued from previous page)
Control ID | Control Name | Control Family | SIMP Implementation Method
SC-8 | Transmission Integrity | System and Communications Protection | With the exception of the services needed for kickstart, most communications within SIMP are protected by SSH or SSL. Implementations can add addition
235. opment team subscribes to message boards for the main products (Puppet) that are part of the packaging. Red Hat/CentOS advisories are also tracked out of necessity, but since ALL the OS files are not part of SIMP delivery, patches are not our direct responsibility.
Control ID | Control Name | Control Family | SIMP Implementation Method
SI-5(1) | System Alerts, Advisories and Directives Control Enhancement | System and Information Integrity |
SI-6 | Security Functionality Verification | System and Information Integrity | SIMP comes with an optional module to install and perform regular runs of the SCAP Security Guide (the checks for RHEL 7 are not yet complete/finalized). Doing so will report, for a user-defined frequency, OVAL results of security settings of a host against SSG recommendations.
Table 4.5 (continued from previous page)
Control ID | Control Name | Control Family | SIMP Implementation Method
SI-6(1) | Security Functionality Verification Control Enhancement | System and Information Integrity | SIMP comes with an optional module to install and perform regular runs of the SCAP Security Guide. Doing so will report, for a user-defined frequency, OVAL results of security settings of a host against SSG recommendations.
SI-6(2) | Security Functionality Verification Control Enhancement | System and Information Integrity | SIMP comes w
236. ory
Name | Source
glibc-static-2.12-1.166.el6_7.1.x86_64.rpm | Red Hat Updates Repository
glibc-static-2.12-1.166.el6_7.1.i686.rpm | Red Hat Updates Repository
glibc-utils-2.12-1.166.el6_7.1.x86_64.rpm | Red Hat Updates Repository
glibc-2.12-1.166.el6_7.1.i686.rpm | Red Hat Updates Repository
globus-callout-3.13-2.el6.x86_64.rpm | http://mirror.symnds.com/distributions/fedora-epel/6/x86_64/glob
globus-common-15.30-1.el6.x86_64.rpm | http://mirror.symnds.com/distributions/fedora-epel/6/x86_64/glob
globus-gsi-callback-5.8-1.el6.x86_64.rpm | http://mirror.symnds.com/distributions/fedora-epel/6/x86_64/glob
globus-gsi-cert-utils-9.11-1.el6.x86_64.rpm | http://mirror.symnds.com/distributions/fedora-epel/6/x86_64/glob
globus-gsi-credential-7.9-1.el6.x86_64.rpm | http://mirror.symnds.com/distributions/fedora-epel/6/x86_64/glob
globus-gsi-openssl-error-3.5-2.el6.x86_64.rpm | http://mirror.symnds.com/distributions/fedora-epel/6/x86_64/glob
globus-gsi-proxy-core-7.7-2.el6.x86_64.rpm | http://mirror.symnds.com/distributions/fedora-epel/6/x86_64/glob
globus-gsi-proxy-ssl-5.7-2.el6.x86_64.rpm | http://mirror.symnds.com/distributions/fedora-epel/6/x86_64/glob
Table 4.1 (continued from previous page)
Name | Source
globus-gsi-sysconfig-6.8-2.el6.x86_64.rpm | http://mirror.symnds.com/distributions/fedora
237. ot function properly any longer.
- The rsyslog module has been completely rewritten to support rsyslog 7.4. This is a breaking change from previous releases and will require active updates to existing systems.
Critical Variable Changes:
- The global rsyslog::log_server_list variable is now set to send to all of the servers in the Array by default. This variable defaults to the global log_servers Array in Hiera.
- There is a new variable, rsyslog::failover_log_servers, which is an Array of failover log servers to be used for your system. These will be tried in order until messages can be sent successfully.
Updated Modules: aide, apache, auditd, dhcp, logstash, openldap, rsync, simp, sudosh
- In RHEL6 we updated the OpenLDAP password policy overlay to not conflict with the 6.7 update. This requires a manual update on existing systems using the following LDIF:

    dn: cn=default,ou=pwpolicies,dc=your,dc=domain
    changetype: modify
    replace: pwdCheckModule
    pwdCheckModule: simp_check_password.so

    dn: cn=noExpire_noLockout,ou=pwpolicies,dc=your,dc=domain
    changetype: modify
    replace: pwdCheckModule
    pwdCheckModule: simp_check_password.so

- The Elastic and SIMP modules for elasticsearch have been combined.
2.6.4 Upgrade Guidance
Fully detailed upgrade guidance can be found in the Upgrading SIMP portion of the User's Guide.
Warning: You mu
238. ot part of SIMP delivery, patches are not our direct responsibility.
Control ID | Control Name | Control Family | SIMP Implementation Method
SI-5(1) | System Alerts, Advisories and Directives Control Enhancement | System and Information Integrity |
Table 4.4 (continued from previous page)
Control ID | Control Name | Control Family | SIMP Implementation Method
SI-6 | Security Functionality Verification | System and Information Integrity | SIMP comes with an optional module to install and perform regular runs of the SCAP Security Guide (the checks for RHEL 7 are not yet complete/finalized). Doing so will report, for a user-defined frequency, OVAL results of security settings of a host against SSG recommendations.
SI-6(1) | Security Functionality Verification Control Enhancement | System and Information Integrity | SIMP comes with an optional module to install and perform regular runs of the SCAP Security Guide. Doing so will report, for a user-defined frequency, OVAL results of security settings of a host against SSG recommendations.
SI-6(2) | Security Functionality Verification Control Enhancement | System and Information Integrity | SIMP comes with an optional module to install and perform regular runs of the SCAP Security Guide. Doing so will report, for a user-defined frequency, OVAL results
239. our environment running prior to obtaining proper certificates from an official CA.
Warning: The Fake CA is not hardware backed by default and should not be used for sensitive cryptographic operations unless there is no other alternative.
Each Puppet environment contains its own Fake CA, and therefore you must know which environment is serving the systems that are having issues prior to proceeding. For this section, we will assume that it is the simp environment located at the active environment path.
Note: Just as with Puppet certificates, the time on your system must be correct and your DNS must be fully functional. Check that these are correct before proceeding.
For the remainder of this section, we will assume that the FQDN of the system with issues is system.my.domain and the LDAP server to which it is attempting to connect is ldap.my.domain.
Navigate to the environment keydist directory and validate the system certificates. When validating certificates, you want to make sure that there are no errors regarding your certificate or CA. Ideally, the command will simply return the string OK.

    cd `puppet config print environmentpath`/simp/keydist
    # Validate the client system
    openssl verify -CApath cacerts system.my.domain
    # Validate the LDAP system
    openssl verify -CApath cacerts ldap.my.domain

If there are any issues, you may need to follow the Fake CA README to generate
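The validation step above is easiest to reason about with a throwaway CA you can break on purpose. The script below is an added example, not part of the SIMP documentation or the Fake CA tooling: it builds a scratch CA and a leaf certificate under a temporary directory, hashes the CA directory so that -CApath can find the CA (openssl verify looks CAs up through their subject-hash symlinks, which is what openssl rehash or c_rehash create; a cacerts directory without those links fails even when the CA file is present), and then runs the same openssl verify call against a good certificate and against a certificate the CA never signed. The host names (system.example.test, stray.example.test), the CA name and all paths are constructed for the example; it assumes only that openssl 1.1 or later is on PATH.

```shell
#!/bin/sh
# Added example (not SIMP's own code): exercise "openssl verify -CApath" the
# way the certificate troubleshooting step does, against a throwaway CA.
# Assumptions: openssl (1.1+) on PATH; every name and path below is constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CACERTS="$WORK/cacerts"
mkdir -p "$CACERTS"

# Throwaway CA key and self-signed CA certificate (constructed sample).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -subj "/CN=Example Fake CA" \
  -keyout "$WORK/ca.key" -out "$CACERTS/cacert.pem" >/dev/null 2>&1

# Leaf certificate for a constructed host name, signed by the CA above.
openssl req -newkey rsa:2048 -nodes -subj "/CN=system.example.test" \
  -keyout "$WORK/system.key" -out "$WORK/system.csr" >/dev/null 2>&1
openssl x509 -req -days 1 -in "$WORK/system.csr" \
  -CA "$CACERTS/cacert.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
  -out "$WORK/system.pem" >/dev/null 2>&1

# An unrelated self-signed certificate: this is what a client sees when the
# CA it was issued from is not the one in cacerts (e.g. after a regenerated CA).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -subj "/CN=stray.example.test" \
  -keyout "$WORK/stray.key" -out "$WORK/stray.pem" >/dev/null 2>&1

# -CApath only finds CA certificates through their subject-hash symlinks, so
# the directory must be (re)hashed whenever a CA certificate is added to it.
openssl rehash "$CACERTS" >/dev/null 2>&1 || c_rehash "$CACERTS" >/dev/null 2>&1

# verify_cert CERT: prints openssl's verdict ("<path>: OK" on success, the
# verify error text otherwise) and returns openssl verify's exit status.
verify_cert() {
  openssl verify -CApath "$CACERTS" "$1" 2>&1
}

# Stand-alone demonstration: the first call prints "<path>: OK"; the second
# prints the lookup error and fails, which is the signal to re-check the CA.
verify_cert "$WORK/system.pem"
verify_cert "$WORK/stray.pem" || true
```

Run against a real keydist directory, the only change is pointing CACERTS at that environment's cacerts and passing the certificate file to check; anything other than a plain "OK" means the chain, the clock or the CA directory needs attention before the service is expected to work.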
240. pace has been deprecated in favor of the new simplib namespace. This removes a commonly conflicting module name from the SIMP ecosystem. You will need to run the migrate_to_simplib script to update all of the relevant files. This script will only migrate items in the existing SIMP environment. You may also set the environment variable UPGRADE_PATHS to run the script on multiple external paths. All code was migrated.
- pupmod-simp-functions: The functions namespace has been deprecated in favor of the new simplib namespace. This removes a commonly conflicting module name from the SIMP ecosystem. You will need to run the migrate_to_simplib script to update all of the relevant files. This script will only migrate items in the existing SIMP environment. You may also set the environment variable UPGRADE_PATHS to run the script on multiple external paths. The following items were not migrated:
  - append_if_no_such_line => Use simp_file_line
  - delete_lines => Use augeas
  - init_mod_nice => Use init_ulimit
  - init_mod_open_files => Use init_ulimit
  - line => Use augeas
  - prepend_if_no_such_line => Use simp_file_line
  - renice => No replacement; was not correct
  - replace_line => Use augeas
3.16.3 Significant Updates
- FIPS Mode is now enabled by default. This is a SIGNIFICANT change and may impact many
241. parse, index and visualize logs. There are also SIMP-provided dashboards for the Kibana web interface. Implementations can build their own dashboards to meet local security or functional needs for log reduction and management. (AU-6)
4.2.31 Protection of Audit Information
The primary means of protecting the audit logs is through the use of file permissions. Audit records are stored in the /var/log directory and can only be accessed by root. Audit logs are rotated off daily if the implementation has not developed a way of offloading the logs to another location where they can be backed up. Lastly, if the rsyslog::stock::log_server module is implemented, logs are transmitted to the log server over a TLS-protected link.
4.2.32 Time Synchronization
Each SIMP client, including the Puppet Master, has NTPD enabled by default. Part of the installation directs the clients to a time server. If no servers are available, the SIMP clients can use the Puppet Master as the central time source. Audit logs receive their time stamp from the local server's system clock; therefore the SIMP client must be connected to a central time source for time stamps in audit logs to be accurate.
4.3 Operational Security
This chapter contains SIMP security concepts that are related to the operational security controls in NIST 800-53.
4.3.1 Configuration Management
This section describes the
242. pile when another node is added. After a certain number of nodes, nodes begin to drop to compile times lower than 30 seconds. These nodes are not actually completing their Puppet runs. This data can be seen in the following graph.
3.5.1 Number of Nodes vs Compile Time
The queue size can be found by looking at the maximum number of clients running Puppet at once before any are dropped. According to the SIMP team's data, a server with two cores has a queue size of four, a server with three cores has a queue size of six; however, a server with four cores has a queue size of six. Although it may appear that the queue size is plateauing as cores are increased, the SIMP team predicts that this is due to the limited memory. However, the team is confident that a system with four cores and 4GB of RAM will indeed have a queue size of eight clients. From this it can be concluded that, given enough memory:

    Queue_Size = 2 * Cores

Also using this data, the compile times for other systems can be predicted given the amount of processors, memory and nodes. This is done using ordinary least squares in Octave. In addition, the maximum number of clients can also be predicted with the use of the following equation:

    Max_Num_Of_Total_Clients = (Run_Time_In_Sec / Comp_Time) * Queue_Size

where Run_Time_In_Sec is the number of seconds per half an hour (1800), Queue_Size is the maximum number of clients in the worst-case-scenario queue size, and Comp_Time is the average c
243. pm | http://yum.puppetlabs.com/el/6/dependencies/x86_64/rubygem-js
rubygem-json-doc-1.5.5-3.el6.x86_64.rpm | http://yum.puppetlabs.com/el/6/dependencies/x86_64/rubygem-js
rubygem-mustache-0.99.4-1.el6.noarch.rpm | http://yum.puppetlabs.com/el/6/dependencies/x86_64/rubygem-m
rubygem-net-ldap-0.2.2-4.el6.noarch.rpm | http://yum.puppetlabs.com/el/6/dependencies/x86_64/rubygem-ne
rubygem-net-ldap-doc-0.2.2-4.el6.noarch.rpm | http://yum.puppetlabs.com/el/6/dependencies/x86_64/rubygem-ne
Table 4.2 (continued from previous page)
Name | Source
rubygem-net-ping-1.6.2-1.el6.noarch.rpm | http://yum.puppetlabs.com/el/6/dependencies/x86_64/rubygem-ne
rubygem-net-ping-doc-1.5.3-4.el6.noarch.rpm | http://yum.puppetlabs.com/el/6/dependencies/x86_64/rubygem-ne
rubygem-puppet-lint-1.1.0-1.el6.noarch.rpm | http://mirror.cogentco.com/pub/linux/epel/6/x86_64/rubygem-pup
rubygem-rack-1.0.1-2.el6.noarch.rpm | http://yum.puppetlabs.com/el/6/dependencies/x86_64/rubygem-ra
rubygem-rake-0.8.7.2-1.el6.noarch.rpm | http://mirror.netdepot.com/centos/6.7/os/x86_64/Packages/rubyge
rubygem-rake-compiler-0.9.3-2.el6.noarch.rpm | http://mirror.cogentco.com/pub/linux/epel/6/x86_64/rubygem-rak
rubygem-rake-compiler-doc-0.9.3-2.el6.noarch.rpm | http://mirror.cogentco.com/pub/linux/epel/6/x86_64/rubygem-rak
rubygem-rd
244. pmod-simplib | 1.0.0-0 | true
pupmod-site | 2.0.0-3 | true
pupmod-snmpd | 4.1.0-3 | false
pupmod-ssh | 4.1.0-10 | true
pupmod-ssh-augeas-lenses | 4.1.0-10 | true
pupmod-sssd | 4.1.0-6 | false
pupmod-stunnel | 4.2.0-9 | true
pupmod-sudo | 4.1.0-2 | true
pupmod-sudosh | 4.1.0-3 | true
pupmod-svckill | 1.0.0-4 | true
pupmod-sysctl | 4.1.0-5 | true
pupmod-tcpwrappers | 3.0.0-2 | true

Table 3.1 (continued from previous page): Name | Version | Default
pupmod-tftpboot | 4.1.0-7 | true
pupmod-tpm | 0.0.1-8 | true
pupmod-upstart | 4.1.0-3 | true
pupmod-vnc | 4.1.0-3 | false
pupmod-vsftpd | 5.0.0-0 | false
pupmod-windowmanager | 4.1.0-2 | false
pupmod-xinetd | 2.1.0-3 | false
pupmod-xwindows | 4.1.0-3 | false
puppetlabs-postgresql | 4.1.0-1.SIMP | true
puppetlabs-puppetdb | 5.0.0-0 | true
puppetlabs-stdlib | 4.9.0-0.SIMP | false
rubygem-simp-cli | 1.0.8-0.el6 | true
rubygem-simp-cli-doc | 1.0.8-0.el6 | true
simp | 4.2.0-RC1 | false
simp-bootstrap | 4.2.0-2 | true
simp-doc | 4.2.0-RC1.1446214631 | true
simp-doc | 4.2.0-RC1 | true
simp-gpgkeys | 2.0.0-2.el6 | true
simp-gpgkeys | 2.0.0-3.el6 | true
simp-rsync | 4.2.0-1.el6 | true
simp-rsync-clamav | 4.2.0-1.el6 | true
simp-utils | 4.1.0-12 | true
SIMP | 4.2.0-1 |

3.16 Changelog

Contents:
* Changelog
* Manual Changes Required
* Deprecations
* Significant Updates
* Upgrade Guidance
* Expectations
* Security Announc
245. (continued from previous page) Control ID | Control Name | Control Family | SIMP Implementation Method
SC-24 | Fail in Known State | System and Communications Protection | The forms of cryptography used are applied through SSH, SSL and TLS. There are several unencrypted protocols used on the puppet server (Apache, YUM, DHCPD, TFTP and DNS) that are documented in the Security Concepts document.
SC-25 | Thin Nodes | System and Communications Protection |
SC-26 | Honeypots | System and Communications Protection |
SC-26(1) | Honeypots Control Enhancement | System and Communications Protection |
SC-27 | Operating System Independent Applications | System and Communications Protection |
SC-28 | Protection of Information at Rest | System and Communications Protection | Confidentiality of data at rest is achieved using the operating system access control. Integrity is only checked for critical operating system files. Implementations have the ability to extend the integrity checking of AIDE to include additional files that are not frequently changed.
SC-28 | Protection of Information at Rest Control Enhancement | System and Communications Protection |
SC-29 | Heterogeneity | System and Communications Protection |
SC-30 | Virtualization Techniques | System and Communications Protection |
SC-30(1) | Virtualization Techniques Control Enhancement | System and Communications Protection |
SC-30(2) | Virtualization
246. providers_mounttab: Imported 2.1.3 to support the Augeasproviders stack.
* augeasproviders_nagios: Imported 2.1.3 to support the Augeasproviders stack.
* augeasproviders_pam: Imported 2.1.3 to support the Augeasproviders stack.
* augeasproviders_postgresql: Imported 2.1.3 to support the Augeasproviders stack.
* augeasproviders_puppet: Imported 2.1.3 to support the Augeasproviders stack.
* augeasproviders_shellvar: Imported 2.1.3 to support the Augeasproviders stack.
* augeasproviders_ssh: Imported 2.1.3 to support the Augeasproviders stack.
* augeasproviders_sysctl: Imported 2.1.3 to support the Augeasproviders stack.
* pupmod-augeasproviders: This was updated to 2.1.3. The update to 2.1.3 caused the addition of all of the pupmod-augeasproviders modules below.
* pupmod-cgroups: Added acceptance tests.
* pupmod-common: Deprecated. Replaced by pupmod-simplib.
* pupmod-simplib: Created parse_hosts function. Added full tests for evaluating the ability to toggle FIPS mode.
* pupmod-kibana: Add Kibana dashboards to the Kibana module. Allows users to apply default SIMP Kibana Dashboards.
* pupmod-logstash: Integrated SIMP and Electrical Logstash modules. Changes the existing Logstash module to allow users to apply default SIMP filters.
* pupmod-richardc-datacat: Incorporated the richardc-datacat module into the core for user convenience.
* pupmod-freeradius
248. r LSB compliance.
* pupmod-openscap: Change the call to the rsyslog init script to the service command to seamlessly support both RHEL6 and RHEL7. Changed default ssg base path to /usr/share/xml/scap/ssg/content.
* pupmod-pam: Moved pam_mkhomedir to a higher position in the stack than pam_systemd. This resolves some issues that were occurring due to a missing home directory on initial login.
* pupmod-pam: Removed all reliance on the lsb facts since some users do not wish to install the prerequisite RPMs for LSB compliance.
* pupmod-pki: Now allow directories in the cacerts directories. This previously caused failures that needed to be manually addressed on each node.
* pupmod-rsync: Fixed provider to run with --dry-run when puppet is run with --noop.
* pupmod-simp: Ensure that SSSD is used by default on EL7 systems since nscd and nslcd have functionality issues. Removed all reliance on the lsb facts since some users do not wish to install the prerequisite RPMs for LSB compliance.
* pupmod-ssh: Modernized the Ciphers, MACs and Kex. Added explicit cases for FIPS and non-FIPS mode as well as reasonable default cases for RHEL7 and below. Updated to use the new augeasproviders module dependencies. Added a function ssh_format_host_entry_for_sorting that will properly sort SSH Host entries.
249. ranslates a computer's fully qualified domain name into an IP address, and the reverse.

ENC: External Node Classifier. An arbitrary script or application which can tell Puppet which classes a node should have. It can replace or work in concert with the node definitions in the main site manifest (site.pp). The Puppet Enterprise Console and The Foreman are two examples of External Node Classifiers. Source: External Node Classifiers

FIPS: Federal Information Processing Standard. Federal Information Processing Standards (FIPS) Publications are standards issued by NIST after approval by the Secretary of Commerce pursuant to the Federal Information Security Management Act (FISMA). The particular standard of note in SIMP is FIPS 140-2. Source: FIPS Publications

FQDN: Fully Qualified Domain Name. A domain name that specifies its exact location in the tree hierarchy of the DNS. It specifies all domain levels, including the top-level domain and the root zone. An FQDN is distinguished by its unambiguity; it can only be interpreted one way.

GUI: Graphical User Interface. A type of interface that allows users to interact with electronic devices through graphical icons and visual indicators such as secondary notation, as opposed to text-based interfaces, typed command labels or text navigation. Source: Wikipedia: Graphical User Interface

HDD: Hard Disk Drive. A device for storing and retrievi
250. ransport Layer Security. A cryptographic protocol that provides network communications security. TLS and SSL encrypt the segments of network connections above the Transport Layer, using asymmetric cryptography for privacy and keyed message authentication codes for message reliability. See also SSL.

TTY: A Unix command that prints to standard output the name of the terminal connected to standard input. The name of the program comes from teletypewriter, abbreviated TTY.

VM: Virtual Machine. An isolated guest operating system installation running within a host operating system.

VNC: Virtual Network Computing. A graphical desktop sharing system that uses the remote framebuffer (RFB) protocol to control another computer remotely. It transmits the keyboard and mouse events from one computer to another, relaying the graphical screen updates back in the other direction, over a network.

WAN: Wide Area Network. A computer networking technology used to transmit data over long distances and between different Local Area Networks (LANs), Metropolitan Area Networks (MANs) and other localized computer networking architectures.

X.509: An ITU-T standard for a public key infrastructure (PKI) and Privilege Management Infrastructure (PMI). X.509 specifies, amongst other things, standard formats for public key certificates, certificate revocation lists, attribute certificates and a certification path validation algorithm. Source: Wikipedia: X.509

YUM: Yello
251. rate the server CAs. To do this, remove the contents of the ssl folder and regenerate those pem files. The following table lists the steps to regenerate the server CAs:

    service puppetserver stop
    rm -rf /var/lib/puppet/ssl
    puppet cert list --all
    puppet cert generate <fqdn>
    service puppetserver start
    puppet agent --test

3.14 SIMP FAQs

This chapter answers some of the frequently asked questions (FAQs) about SIMP.

3.14.1 Centralized Logging

SIMP provides a pre-built set of classes within the rsyslog module for enabling centralized logging within the infrastructure. After completing these steps, run Puppet on the server and clients, or wait until after the next run, to see logs start to flow.

Enable the Server

To enable the pre-built log server, add the following example code to the designated logging node.

Code to Enable the Server Logging Examples:

    classes samp irsysloghsstock

Enable the Clients

To have clients send data to the server, make the following changes to the /etc/puppet/hieradata/simp_def.yaml file.

Code to Enable the Client Logging Examples:

    log_server: <fqdn of your log server>

3.14.2 Changing Puppet Masters

It may be necessary to change the Puppet Master. To point a particular client to a new Puppet Master, follow the steps in the sections be
252. re added and, in some cases, removed as information becomes available.
AU-2(4) | Auditable Events Control Enhancement | Audit and Accountability | Privileged user commands are logged using sudosh and auditd (sudo actions). By default, users in the administrators group can run sudosh. All of the keystrokes, except things that are not echoed back to the screen like passwords, are logged to /var/log/sudosh.log and can be sent to syslog. If an implementation sets up specific sudo actions for other groups or users, those actions are logged with auditd.
AU-3 | Content of Audit Records | Audit and Accountability | The linux audit daemon contains event type, date, time, host and outcome of events by default.
AU-3(1) | Content of Audit Records Control Enhancement | Audit and Accountability | There are a number of events that are captured beyond the auditd. The SIMP syslog module captures additional log events from apache, ldap, puppet, messages log and secure log.
AU-3(2) | Content of Audit Records Control Enhancement | Audit and Accountability | By default, the SIMP syslog module logs locally. There is an option to send the syslog events to a central location. Instructions for implementing a syslog server are provided in the User Guide. Lastly, a combination of elasticsearch, logstash and kibana (ELK) can be applied to filter, index and search logs. Puppet mo
253. rently broken and will allow logins via SSH even if your password has expired. This has been noted by Red Hat and is in the pipeline.
* If you are running libvirtd when svckill runs, it will always attempt to kill dnsmasq unless you are deliberately trying to run the dnsmasq service. This does not actually kill the service but is instead an error of the startup script and causes no damage to your system.

3.17 Glossary of Terms

Note: Many terms here have been reproduced from various locations across the Internet and are governed by the licenses surrounding the source material. Please see the reference links for specifics on usage and reproducibility.

ACL: Access Control List. A list of permissions attached to an object. An ACL specifies which users or system processes are granted access to objects, as well as what operations are allowed on given objects. Each entry in a typical ACL specifies a subject and an operation.

AIDE: Advanced Intrusion Detection Environment. An intrusion detection system for checking the integrity of files under Linux. AIDE can be used to help track file integrity by comparing a snapshot of the system's files prior to and after a suspected incident. It is maintained by Rami Lehti and Pablo Virolainen.

Auditd: The userspace component to the Linux Auditing System. It is responsible for writing audit records to the disk. Viewing the logs is done wit
254. rior to attempting to install a client. Open the /srv/rsync/dhcpd/dhcpd.conf file and edit it to suit the necessary environment. Make sure the following is done in the dhcpd.conf:
* The next-server setting in the pxeclients class block points to the IP address of the TFTP server.
* Create a Subnet block and edit the following. Make sure the router and netmask are correct for your environment. Enter the hardware ethernet and fixed-address for each client that will be kickstarted. SIMP environments should not allow clients to pick random IP addresses in a subnet; the MAC address must be associated with an IP address here. You can add additional ones as needed. Enter the domain name for option domain-name. Enter the IP address of the DNS server for option domain-name-servers.
Save and close the file. Run puppet agent -t on the Puppet Master to apply the changes.

3.3.5 Configure PXE Boot

Sample kickstart templates have been provided in the /var/www/ks directory on the SIMP server and on the SIMP DVD under ks. Pre-boot images are located in the DVD under images/pxeboot. If you have an existing Preboot Execution Environment (PXE) setup, you can use these to PXE a SIMP client. Follow your own site's procedures for this. In this section we describe how to configure the Kickstart and TFTP servers to PXE boot a SIMP client. The DHCP server setup, also required for PXE booting, is discussed in an earlier chapter.

Note: This example sets
255. rix (SCTM). When possible, the security control identifier will be found at the end of a concept to provide the reader with a reference to the specific control that is being discussed. The identifier is written as AB-X(Y), where AB is the control family, X is the control section and Y is the control enhancement.

4.2 Technical Security

This chapter contains SIMP security concepts that are related to the technical security controls described in NIST 800-53.

4.2.1 Identification and Authentication

This section addresses the identification and authentication of users and devices.

4.2.2 User Identification and Authentication

Identification and authentication of system and service users can occur at the system level or globally in the SIMP architecture. While local accounts and groups can be created manually, the SIMP team suggests adding users via the /etc/puppet/localusers file or by using the native Puppet user and group types. System users can authenticate their access using Secure Shell (SSH) keys or passwords. For more centralized control, identify and authenticate users by using the Lightweight Directory Access Protocol (LDAP). [IA-2]

The SIMP team recommends using LDAP as the primary source for user management and provides a functional default OpenLDAP configuration for this purpose. LDAP and Pluggable Authentication Modules (PAM) work together closely, and with the default SIMP configuration
256. rofiles available from the SCAP Security Guide project that check security configuration settings. [SI-6]

Malicious Code Protection

For most environments, SIMP will use ClamAV to protect against malicious code. Rsync is used to push out new definitions, which should be updated by the local administrator regularly. SIMP also comes with a mcafee uvscan module that manages an installation of uvscan, if it is preferred. The module can configure dat file updates to occur over rsync. Both the ClamAV and McAfee modules provide a method to run a scan via cron on a customer-scheduled basis. [SI-3]

SIMP also comes with the chkrootkit tool to check for rootkits. The tool runs as a cron job and places its output into syslog. [SI-3]

Software and Information Integrity

Unauthorized changes to a local client can be detected by Puppet or AIDE for any file managed by Puppet. In the event that a managed file is changed locally, Puppet will revert the file back to its original state. It is important to note that this is a function of Puppet and is intended to be more of a configuration management feature rather than a security feature. If a Puppet client has been compromised, the Puppet Master may not have the ability to retake control over that client. However, the Puppet Master can configure all other nodes to deny traffic from the compromised node, if they are configured by the administrator to do so. There are additional configuration files that are checked by
257. rom the Puppet Labs documentation and explains the reason for switching to Hiera:

Automatic parameter lookup is good for writing reusable code because it is regular and predictable. Anyone downloading your module can look at the first line of each manifest and easily see which keys they need to set in their own Hiera data. If you use the Hiera functions in the body of a class instead, you will need to clearly document which keys the user needs to set.

Note: For more information on hiera and puppet in general, see http://docs.puppetlabs.com/hiera/1/complete_example.html

3.10.6 Scope Functions

All scope functions must take arguments in array form. For example, in /etc/puppet/modules/apache/templates/ssl.conf.erb,

    <%= scope.function_bracketize(l) %>

becomes

    <%= scope.function_bracketize([l]) %>

3.10.7 Commands

Deprecated commands mentioned in the Puppet 2.7 upgrade are now completely removed.

3.10.8 Lock File

Puppet agent now uses two lock files instead of one. These are the run-in-progress lockfile (agent_catalog_run_lockfile) and the disabled lockfile (agent_disabled_lockfile). The puppetagent_cron file made by the pupmod module must be edited to suit this change.

3.11 Logstash

This chapter gives instruction for getting a basic configuration of Logstash working in a SIMP environment.

3.11.1 Logstash

Logstash is
260. ry GID>
    homeDirectory: /home/<User UID>

Type ldapadd -Z -x -W -D "cn=LDAPAdmin,ou=People,dc=your,dc=domain" -f /root/ldifs/adduser.ldif

Remove Users

To remove a user, create a /root/ldifs/removeuser.ldif file. Add the information below to the file and replace the text within <> with the installed system's information.

Example ldif to remove a user:

    dn: cn=<User UID>,ou=Group,dc=example,dc=domain
    changeType: delete

    dn: uid=<User UID>,ou=People,dc=example,dc=domain
    changeType: delete

Type ldapmodify -Z -x -W -D "cn=LDAPAdmin,ou=People,dc=your,dc=domain" -f /root/ldifs/removeuser.ldif

Additional ldif File Commands

Other useful commands for ldif files can be found below. Before using these commands, ensure that the /root/ldifs directory has been created.

Changing a Password

To change a password, add the following information to the /root/ldifs/<ldif File> file. Replace the information below within <> with the installed system's information.

Example ldif to change password:

    dn: uid=<User UID>,ou=People,dc=your,dc=domain
    changetype: modify
    replace: userPassword
    userPassword: <Hash from slappasswd>

Type ldapmodify -Z -x -W -D "cn=LDAPAdmin,ou=People,dc=your,dc=domain" -f <ldif_file>

Adding a Group

To add a group, add the following information to the /root/ld
261. s that occur when installing and using SIMP.

3.13.1 My Services Are Dying

The following section describes how to mitigate issues relating to destructive reasoning and avoiding destruction of the SIMP system.

Destructive Reasoning with svckill.rb

Most security guides that have been published on the Internet strongly suggest disabling all services that are not necessary for system operation. However, to list every possible service that may be controlled by the chkconfig type on a given system in a manifest would not be useful and would bloat the memory space of the running Puppet process. As an alternative solution, the SIMP Team implemented the svckill.rb script that runs with every Puppet run. The svckill.rb script:
* Collects a list of all services on the system. These are the same services that the user sees after typing chkconfig --list.
* Ignores certain critical services, including Puppet, IPtables and the network.
* Collects a list of all services that are defined in the manifests and modules.
* Ensures that every service that is defined in the manifests and modules is excluded from the list of services to kill.
* Kills and disables everything else.

Avoiding Destruction

If certain services should not be killed, declare them in the node manifest space.

Note: The key is to declare the services and not set them to any other option. By adding them to the manifest, the svckill.rb script will ignore them. The example be
262. s ual provides instructions for the installation of the product in a manner that is compliant with a multitude of security controls.
PL-2 | System Security Plan | Planning | Security Plans are provided for specific implementations. The SIMP team will continue to develop security documentation that can be used as a resource for implementation-specific System Security Plans.
PL-2(1) | System Security Plan Control Enhancement | Planning | TODO: Develop SIMP-specific SSP.
PL-2(2) | System Security Plan Control Enhancement | Planning |
PL-4 | Rules of Behavior | Planning |
PL-4(1) | Rules of Behavior Control Enhancement | Planning |
PL-5 | Privacy Impact Assessment | Planning |
PL-6 | Security-Related Activity Planning | Planning |
PS-1 | Personnel Security Policy and Procedures | Planning |
PS-2 | Position Categorization | Planning |
PS-3(2) | Personnel Screening Control Enhancement | Planning |
RA-1 | Risk Assessment Policy and Procedures | Risk Assessment |
RA-2 | Security Categorization | Risk Assessment |
RA-3 | Risk Assessment | Risk Assessment |

Table 4.5 (continued from previous page): Control ID | Control Name | Control Family | SIMP Implementation Method
RA-5 | Vulnerability Scanning | Risk Assessment | The SIMP team performs a variety of security testing as part of the development process. Compliance and configuration checking is done using SSG
264. scripts that both upgrade your Puppet Server and migrate your existing data into the new simp environment.

Warning: You must have at least 2.2G of free memory to run the new Puppet Server.

3.10.3 Migration Script Features

The migration script will perform the following actions on your system:
* Remove the puppet server package from your system.
* Install the puppet server package onto your system.
* Update all packages from your repositories.
* Create a backup folder at /etc/puppet/environments/pre_migration.simp.
* Create a Git repository in the backup folder under a timestamped directory.
* Commit all current materials from /etc/puppet into the backup Git repository.
* Checkout the backup Git repository under the timestamped directory as backup_data for ease of use.
* Migrate all existing data into the new simp environment under /etc/puppet/environments/simp.

Note: All future upgrades will only affect the new simp environment. You may create new environments and/or modify the contents of /etc/puppet/modules without fear of the SIMP packages overwriting your work.

3.10.4 Migration Script Execution

1. Copy the new SIMP ISO onto your system. For the purposes of these instructions, we will refer to this as SIMP_Update.iso. Please ensure that you are in the directory with the ISO prior to proceeding.
Extract the new simp-utils package using the following command
265. se locations on the newly built SIMP server.

Note: These steps assume that the SIMP DVD material is copied in its unpacked form to the /srv/SIMP directory and that the version unpacked is RHEL 5.8. Adjust the paths appropriately if the CentOS or 5.7 version is being used.

1. Copy the entire SIMP DVD material to the SIMP server.
2. Type cd /srv
3. Type mkdir -p www/yum/RedHat/5.8/x86_64
4. Type mv /srv/SIMP/SIMP www/yum
5. Type mv /srv/SIMP/ks www
6. Type cd www/yum/RedHat
7. Type ln -s 5.8 6 and then cd 5.8/x86_64 to be able to move to newer versions more easily.
8. Type mkdir Updates
9. Type cd Updates
10. Type find -type f -name '*.rpm' -exec ln -s
11. Type createrepo -p
12. Type cd /var/www/yum/SIMP
13. Type updaterepos
14. Type chown -R root:apache /var/www
15. Type chmod -R u=rwX,g=rX,o-rwx /var/www
16. Enter the following commands into the command line to adjust the file:

    cat << EOF >> /etc/yum.repos.d/filesystem.repo
    [local-x86_64]
    name=Local within the filesystem
    baseurl=file:///var/www/yum/SIMP/x86_64
    enabled=1
    gpgcheck=0
    EOF

17. Enter the following commands into the command line to adjust the file:

    cat << EOF >> /etc/yum.repos.d/filesystem.repo
    [rhbase]
    name=$ostype $rhversion base repo
    baseurl=file:///var/www/yum/RedHat/6/x86_64/Server
    enabled=1
    gpgcheck=0
    EOF

Fo
266. signed around the concept that individuals and organizations should not need to repeat the work of automating the basic components of their operating system infrastructure. Expanding upon this philosophy, SIMP also aims to take care of routine policy compliance, to include NIST 800-53, FIPS 140-2, the DISA STIG and the SCAP Security Guides. By using the Puppet automation stack, SIMP is working toward the concept of a self-healing infrastructure that, when used with a consistent configuration management process, will allow users to have confidence that their systems not only start in compliance but remain in compliance over time. Finally, SIMP has a goal of remaining flexible enough to properly maintain your operational infrastructure. To this end, where possible, the SIMP components are written to allow all security-related capabilities to be easily adjusted to meet the needs of individual applications.

3.2 User Management

This chapter explains how to manage users in the default SIMP environment.

3.2.1 Managing Users with Lightweight Directory Access Protocol (LDAP)

SIMP natively uses OpenLDAP for user and group management. Actionable copies of the LDAP Data Interchange Format (ldif) files can be found on the system in the /usr/share/doc/simp-doc-<Version>/ldifs directory. Users cannot have any extraneous spaces in ldif files. Use :set list in vim to see hidden spaces at the end of lines. Use the followin
267. sit

Table 4.4 (continued from previous page): Control ID | Control Name | Control Family | SIMP Implementation Method
MA-4(7) | Non-Local Maintenance Control Enhancement | Maintenance |
MA-5 | Maintenance Personnel | Maintenance |
MA-5(1) | Maintenance Personnel Control Enhancement | Maintenance |
MA-5(2) | Maintenance Personnel Control Enhancement | Maintenance |
MA-5(3) | Maintenance Personnel Control Enhancement | Maintenance |
MA-5(4) | Maintenance Personnel Control Enhancement | Maintenance |
MA-6 | Timely Maintenance | Maintenance |
MP-1 | Media Protection Policy and Procedures | Media Protection |
MP-2 | Media Access | Media Protection |
MP-2(1) | Media Access Control Enhancement | Media Protection |
MP-2(2) | Media Access Control Enhancement | Media Protection |
MP-4 | Media Storage | Media Protection |
MP-5 | Media Transport | Media Protection |
MP-5(1) | Media Transport Control Enhancement | Media Protection |
MP-5(2) | Media Transport Control Enhancement | Media Protection |
MP-5(3) | Media Transport Control Enhancement | Media Protection |
MP-5(4) | Media Transport Control Enhancement | Media Protection |
MP-6 | Media Sanitization | Media Protection |
MP-6(1) | Media Sanitization Control Enhancement | Media Protection |
MP-6(2) | Media Sanitization Control
268. sitory
perl-XML-RSS-1.45-2.el6.noarch.rpm: Red Hat Base Repository
pssh-2.3.1-5.el6.noarch.rpm: http://mirror.symnds.com/distributions/fedora-epel/6/x86_64/pssh
puppet-3.7.4-1.el6.noarch.rpm: http://yum.puppetlabs.com/el/6/products/x86_64/puppet-3.7.4-1.e
puppet-dashboard-1.2.23-1.el6.noarch.rpm: http://yum.puppetlabs.com/el/6/products/x86_64/puppet-dashboar
puppet-server-3.7.4-1.el6.noarch.rpm: http://yum.puppetlabs.com/el/6/products/x86_64/puppet-server-3
puppetdb-2.3.8-1.el6.noarch.rpm: http://yum.puppetlabs.com/el/6/products/x86_64/puppetdb-2.3.8
puppetdb-terminus-2.3.8-1.el6.noarch.rpm: http://yum.puppetlabs.com/el/6/products/x86_64/puppetdb-termin
puppetlabs-stdlib-4.5.1-2.20150121git7a91f20.el6.noarch.rpm: http://mirror.symnds.com/distributions/fedora-epel/6/x86_64/pupr
puppetserver-1.1.1-1.el6.noarch.rpm: http://yum.puppetlabs.com/el/6/products/x86_64/puppetserver-1.1
python-argparse-1.2.1-2.el6.noarch.rpm: http://mirror.symnds.com/distributions/fedora-epel/6/x86_64/pyth

Table 4.1 (continued): Name, Source.

python-backports-1.0-3.el6.x86_64.rpm: http://mirror.symnds.com/distributions/fedora-epel/6/x86_64/pyth
python-backports-ssl_match_hostname-3.4.0.2-4.el6.noarch.rpm: http://mirror.symnds.com/distributions/fedora-epel/6/x86_64/pyth
python
269. sponse to Audit Processing Failures Control Enhancement (Audit and Accountability)
AU-5(4) Response to Audit Processing Failures Control Enhancement (Audit and Accountability): SIMP will not shut down a system by default. Implementations can configure this option, at their own risk, in the auditd.conf file.

Table 4.3 (continued)

AU-6 Audit Review, Analysis, and Reporting (Audit and Accountability)
AU-6(1) Audit Review, Analysis, and Reporting Control Enhancement (Audit and Accountability)
AU-6(3) Audit Review, Analysis, and Reporting Control Enhancement (Audit and Accountability): The ELK modules provide implementations with one means to centralize, review, and recognize trends in SIMP logs.
AU-6(4) Audit Review, Analysis, and Reporting Control Enhancement (Audit and Accountability): The ELK modules provide implementations with one means to centralize, review, and recognize trends in SIMP logs.
AU-6(5) Audit Review, Analysis, and Reporting Control Enhancement (Audit and Accountability): The ELK modules provide implementations with one means to centralize, review, and recognize trends in SIMP logs. The logs sent to syslo
270. ss
CM-4(1) Security Impact Analysis Control Enhancement (Configuration Management)
CM-4(2) Security Impact Analysis Control Enhancement (Configuration Management)
CM-5 Access Restrictions for Change (Configuration Management): SIMP can only meet the enforcement part of this control. The remainder must be met by the environment that SIMP is implemented in. Changes to SIMP-based systems are enforced with built-in Unix/LDAP groups. Only someone with sudo or sudosh access (usually an admin group) can apply changes to the environment.

Table 4.5 (continued)

CM-5(1) Access Restrictions for Change Control Enhancement (Configuration Management): SIMP can only meet the enforcement part of this control. The remainder must be met by the environment that SIMP is implemented in. Changes to SIMP-based systems are enforced with built-in Unix/LDAP groups. Only someone with sudo or sudosh access (usually an admin group) can apply changes to the environment.
CM-5(2) Access Restrictions for Change Control Enhancement (Configuration Management)
CM-5(3) Access Restrictions for Change Control Enhancement (Configuration Management): Redha
271. ssume their role first, defined in LDAP or locally. There is a local simp user on the puppet master that has a password assigned. That allows for emergency maintenance via SSH. Single-user mode is password protected but will allow direct access before escalation. Protection of the single-user mode and the simp user's password is up to the implementation. Privilege escalation is performed using sudosh or sudo. Most implementations will use sudosh for global admins and sudo for roles that need minimal admin ability. Lastly, serial port access does allow direct root login (/etc/securetty). Implementations may further restrict this at their own risk.
AC-6(3) Least Privilege Control Enhancement (Access Control)
AC-6(4) Least Privilege Control Enhancement (Access Control)
AC-6(5) Least Privilege Control Enhancement (Access Control)
AC-6(6) Least Privilege Control Enhancement (Access Control)
AC-7 Unsuccessful Login Attempts (Access Control): SIMP locks accounts after 5 invalid attempts over a 15-minute span. It then keeps the account locked for 15 minutes. After that the account is unlocked automatically.

Table 4.3 (continued)
272. st have at least 2.2GB of free RAM on your system to upgrade to this release due to the migration to the Clojure-based Puppet Server.

Note: Upgrading from releases older than 4.0 is not supported.

Expectations

Before you begin, please be aware that the following actions will take place as a result of the migration script, as referenced in the SIMP Upgrade section of the User Guide:

- The puppet-server RPM will be removed.
- The puppetserver RPM will be installed (no, that's not a typo).
- ALL SIMP Puppet code will be migrated into a new simp environment. This will be located at /etc/puppet/environments/simp.
- A backup of your running environment will be made available at /etc/puppet/environments/pre_migration.simp. You will find timestamped directories under the pre_migration.simp directory that correspond to runs of the migration script. Your old files will be in a backup_data directory and will be linked to a local bare Git repository in the same space.

2.6.5 Security Announcements

CVEs Addressed

2.6.6 RPM Updates

Numerous RPMs were updated in the creation of this release. Several were included due to our use of repoclosure to ensure that RPM dependencies are met when releasing a DVD.

- This version includes the latest RedHat 7.1 and CentOS 7.0-1503 RPMs.
- Facter upgraded to 2.4.
- PuppetDB upgraded to 2.3.8-1.

2.6.7 Fixed Bugs
273. t
3. Backup /srv/rsync and/or /var/simp/rsync.
4. (Optional) Backup /var/www.

Table: SIMP Upgrade Process

3.8 Managing Workstation Infrastructures

This chapter describes how to manage client workstations with a SIMP system, including GUIs, repositories, virtualization, Network File System (NFS), printing, and Virtual Network Computing (VNC).

3.8.1 Infrastructure Setup

The following sections provide examples for setting up a SIMP workstation environment.

3.8.2 User Workstation Setup

Below is an example class, /etc/puppet/modules/site/manifests/workstation.pp, that could be used to set up a user workstation:

  class site::workstation {
    include 'site::gui'
    include 'site::repos'
    include 'site::virt'
    include 'site::automount'
    include 'site::print::client'

    # Make sure everyone can log into all nodes.
    # If you want to change this, simply remove this line and add
    # individual entries to your nodes as appropriate.
    pam::access::manage { 'Allow Users':
      comment => 'Allow all users in the "users" group to access the system from anywhere.',
      users   => '(users)',
      origins => ['ALL']
    }

    # General Use Packages
    package { [
      'pidgin',
      'git',
      'control-center-extra',
      'gconf-editor',
      'evince',
      'libreoffice-writer',
      'libreoffice-xsltfilter',
      'libreoffice-calc',
      'libreoffice-impress',
      'libreoffice-emailmerge',
      'libreoffice-base',
274. t PKI enables users of a basically insecure public network, such as the Internet, to securely authenticate to systems and exchange data. The exchange of data is done by using a combination of cryptographically bound public and private keys.

PSSH: Parallel Secure Shell. A tool that provides parallel versions of OpenSSH and other related tools.

Puppet: An Open Source configuration management tool written and maintained by Puppet Labs. Written as a Ruby DSL, Puppet provides a declarative language that allows system administrators to provide a consistently applied management infrastructure. Users describe system resources and resource state in the Puppet language. Puppet discovers system-specific information via facter and compiles Puppet manifests into a system-specific catalog containing resources and resource dependencies, which are applied to each client system.

PXE: Preboot Execution Environment. An environment to boot computers using a network interface independently of data storage devices (like hard disks) or installed operating systems.

RAM: Random Access Memory. A form of computer data storage. A random access device allows stored data to be accessed in nearly the same amount of time for any storage location, so data can be accessed quickly in any random order.

Red Hat: Red Hat, Red Hat Inc. A collection of many different software programs developed by Red Hat Inc. and other members of the Open Source community. All software programs incl
275. t Master Kickstart file contains default RPMs.

Replace the following strings in this file:

KSSERVER: The IP address of your YUM server
YUMSERVER: The IP address of your YUM server
LINUXDIST: The LINUX Distribution you are kickstarting (RedHat, CentOS)
BOOTPASS: Your hashed bootloader password
ROOTPASS: Your hashed root password

Use the following Ruby code to generate your password hashes:

  ruby -r 'digest/sha2' -e 'puts "password".crypt("$6$" + rand(36**8).to_s(36))'

Use the following command to generate your grub password hash:

  grub2-mkpasswd-pbkdf2

Current (CASE SENSITIVE) options:

  authconfig --enableshadow --passalgo=sha512
  bootloader --location=mbr --append="console=ttyS1,57600 console=tty1" --iscrypted --password=BOOTPASS
  rootpw --iscrypted ROOTPASS
  zerombr
  firewall --enabled --ssh
  firstboot --disable
  logging --level=info
  network --bootproto=dhcp
  reboot
  selinux --permissive
  timezone --utc GMT
  install
  skipx
  %include /tmp/repo-include
  text
  keyboard us
  lang en_US
  url --url http://KSSERVER/yum/LINUXDIST/7/x86_64
  %include /tmp/part-include

  %packages --nobase
  -sendmail
  -sysklogd
  acl
  aide
  anacron
  audit
  bzip2
  coolkey
  crontabs
  cryptsetup-luks
  dhclient
  git
  gnupg
  iptables
  iptables
276. t SSH Host entries for inclusion with concat.
- pupmod-stunnel: Had a variable "options" in stunnel.erb that should have been scoped as @options.
- pupmod-sudo: Removed all reliance on the lsb facts since some users do not wish to install the prerequisite RPMs for LSB compliance.
- pupmod-sudosh: Change the call to the rsyslog init script to the service command to seamlessly support both RHEL6 and RHEL7.
- pupmod-sysctl: Removed support for the old parsed file provider and moved to using the new Augeas-based provider.
- pupmod-tftpboot: Purging of non-Puppet-managed items in pxelinux.cfg is now optional.
- pupmod-simp-tpm: IMA is disabled by default.
- simp-gpgkeys: Ensure that the keys are set in the correct locations for the target SIMP distribution.
- simp-rsync: Removed spurious install messages.
- simp-util: Fixed the targets of unpack_dvd.
- pupmod-xinetd: Fixed: the default log_type should be "SYSLOG authpriv" instead of "SYSLOG daemon info".
- pupmod-vnc: Removed banners that broke some VNC clients.
- simp-cli: "simp config -a ANSWERFILE" fails when an item has no answer. "simp config -A ANSWERFILE" prompts when an item has no answer. The misleading help documentation for ff has been removed. The Config Item use_fips now echoes its command unless silent. The simp doc com
277. t and CentOS packages are signed with gpg keys. Those keys are vendor specific. Package installation occurs only when those gpgkeys are validated using the installed gpg public keys for the operating system. SIMP-specific RPMs that were developed are signed using keys generated by the development team.
CM-5(4) Access Restrictions for Change Control Enhancement (Configuration Management)
CM-5(5) Access Restrictions for Change Control Enhancement (Configuration Management)
CM-5(6) Access Restrictions for Change Control Enhancement (Configuration Management)
CM-5(7) Access Restrictions for Change Control Enhancement (Configuration Management): Most of the critical files that are managed by puppet cannot be permanently changed on a puppet client without disabling puppet and rsync. If they are changed, puppet will revert them back to their original state.

Table 4.5 (continued)

CM-6 Configuration Settings (Configuration Management): Part d of this control is met by SIMP. The others are not. SIMP uses puppet to monitor changes to configuration settings. If changes to puppet-controlled settings are manually made, they revert ba
278. t to the service command to seamlessly support both RHEL6 and RHEL7.
- pupmod-iptables: Fixed a bug that would cause issues with Ruby 1.8.7. Fixed DNS resolution in IPv6. Prevent IPv6 ::1 spoofed addresses by default.
- pupmod-simp-elasticsearch: Ensured that Elasticsearch works properly with the new version of Apache. Removed our default ES tuning since the default works better for LogStash. Ensure that Puppet manages the Elasticsearch logging file.
- pupmod-functions: Fixed sysv.rb to explicitly require puppet/util/selinux, which caused "puppet describe" to have errors.
- pupmod-simp-logstash: Fix issues with both TCPWrappers and IPTables when used with LogStash.
- pupmod-nfs: Updated the mountd port to be 20048 by default for SELinux issues in RHEL7.
- pupmod-ntp: Updated against NTP Security Vulnerabilities (Red Hat Article 1305723). Ensure that restrict entries use DDQ format.
- pupmod-openldap: The Password Policy overlay was getting loaded into the default ldif even if you didn't want to use it. This has been fixed. Made the password policy overlay align with the latest SIMP build of the plugin. This means that you must have version simp-ppolicy-check-password-2.4.39-0 or later available to the system being configured. Change the call to the rsyslog init script to the service command to seamlessly support both RHEL6 and RHEL7.
279. tant. The screen displays:

  <Host Name>.<Your Domain> <Host Name>.<Your Domain>.pub OK

If anything other than OK appears for each host, analyze the error and ensure that the CA certificates are correct. If the TXT_DB error number 2 appears, revoke the certificate that is being regenerated. The table below lists the steps to revoke the certificate:

1. Navigate to /etc/puppet/environments/simp/keydist.
2. Run OPENSSL_CONF=default.cnf openssl ca -revoke keydist/<Host to Revoke>/<Host to Revoke>.pub

2.4 Apply Certificates

This section provides guidance on obtaining official certificates and generating a Fake CA.

2.4.1 Obtaining Official Certificates

All SIMP systems must have Public Key Infrastructure (PKI) keypairs generated for the server. These keys reside in the /etc/puppet/keydist directory and are served to the clients over the Puppet protocol.

Note: These keypairs are not the keys that the Puppet server uses for its operation. Do not get the two confused.

The table below lists the steps to add any keys for the server that were received from a proper CA to /etc/puppet/keydist:

1. Type mkdir /etc/puppet/keydist/<Client System FQDN>/
2. Type mv <Certificate Directory>/<FQDN>.{pem,pub} /etc/puppet/keydist/<FQDN>/
3. Type chown -R root
280. ted testing that is constantly being extended to test more features. There are times that patches to the base operating system (CentOS or RedHat) are needed to resolve issues in SIMP. Those are also tested at build time but require additional testing by implementations as patches are released from vendors. It's also important to note that SIMP is packaged and delivered decoupled from the operating system source files. It's up to the implementation to test vendor-specific patches that are not part of the SIMP code base. Flaws are tracked using the software project management tool Redmine.
SI-2(2) Flaw Remediation Control Enhancement (System and Information Integrity)
SI-2(3) Flaw Remediation Control Enhancement (System and Information Integrity)
SI-2(4) Flaw Remediation Control Enhancement (System and Information Integrity): SIMP uses the yellowdog update manager (YUM) to deliver software patches to clients. Each installation usually has at least one YUM repository. There is also a cronjob that runs once per day. It's the responsibility of the implementation to get patches to the yum server. Once they are there, the cron job will perform a yum update and the patches will be applied.

Table 4.5 (continued)
281. tem's information.

Example ldif to reset a user's shadowLastChange:

  dn: uid=<User UID>,ou=People,dc=your,dc=domain
  changetype: modify
  replace: pwdReset
  pwdReset: TRUE
  -
  replace: shadowLastChange
  shadowLastChange: 10000

Type ldapmodify -Z -x -W -D cn=LDAPAdmin,ou=People,dc=your,dc=domain -f <ldif_file>

Note: The ldapmodify command is only effective when using the ppolicy overlay. In addition, the user's shadowLastChange must be changed to a value prior to the expiration date to force a PAM reset.

Unlocking an LDAP Account

To unlock an LDAP account, add the following information to the /root/ldifs/<ldif File> file. Replace the information below within <> with the installed system's information.

Example ldif to Unlock LDAP Account:

  dn: uid=<User UID>,ou=People,dc=your,dc=domain
  changetype: modify
  delete: pwdAccountLockedTime

Type ldapmodify -Z -x -W -D cn=LDAPAdmin,ou=People,dc=your,dc=domain -f <ldif_file>

Note: The ldapmodify command is only effective when using the ppolicy overlay.

Troubleshooting Issues

If a user's password is changed in LDAP, or the user changes it shortly after its initial setup, the "Password too young to change" error may appear. In this situation, apply the pwdReset: TRUE comman
282. ter's fully qualified domain name into an IP address, and the reverse.

ENC: External Node Classifier. An arbitrary script or application which can tell Puppet which classes a node should have. It can replace or work in concert with the node definitions in the main site manifest (site.pp). The Puppet Enterprise Console and The Foreman are two examples of External Node Classifiers. Source: External Node Classifiers.

FIPS: Federal Information Processing Standard. Federal Information Processing Standards (FIPS) Publications are standards issued by NIST after approval by the Secretary of Commerce pursuant to the Federal Information Security Management Act (FISMA). The particular standard of note in SIMP is FIPS 140-2. Source: FIPS Publications.

FQDN: Fully Qualified Domain Name. A domain name that specifies its exact location in the tree hierarchy of the DNS. It specifies all domain levels, including the top-level domain and the root zone. An FQDN is distinguished by its unambiguity: it can only be interpreted one way.

GUI: Graphical User Interface. A type of interface that allows users to interact with electronic devices through graphical icons and visual indicators such as secondary notation, as opposed to text-based interfaces, typed command labels or text navigation. Source: Wikipedia, Graphical User Interface.

HDD: Hard Disk Drive. A device for storing and retrieving digital information, primarily computer data.

Hiera: A key/value lookup tool for co
283. ternal Information Systems Control Enhancement (Access Control)
AC-21 User-Based Collaboration and Information Sharing (Access Control)
AC-21(1) User-Based Collaboration and Information Sharing Control Enhancement (Access Control)
AC-22 Publicly Accessible Content (Access Control)
AU-1 Audit and Accountability Policy and Procedures (Audit and Accountability)
AU-2 Auditable Events (Audit and Accountability): a. SIMP audit rules were built by using industry best practices gathered over the years. The heaviest reliance has been on the SCAP Security Guide (SSG). SIMP aims for a balance between performance and operational needs, so the settings are rarely an exact match from these guides. The list of events that are audited by auditd can be found in the appendix of the Security Concepts document. b. Implementation specific. c. Rationale for audit settings is provided in SSG. d. Threat information is specific to the implementation. Auditd and the syslog facility can always be fine-tuned for each implementation.

Table 4.3 (continued)

AU-2(3) Auditable Events Control Enhancement (Audit and Accountability): SIMP is constantly reviewing the audit rules for accuracy, relevance and performance. Rules a
284. that correspond to runs of the migration script. Your old files will be in a backup_data directory and will be linked to a local bare Git repository in the same space.

1.5 Security Announcements

1.5.1 CVEs Addressed

1.6 RPM Updates

Numerous RPMs were updated in the creation of this release. Several were included due to our use of repoclosure to ensure that RPM dependencies are met when releasing a DVD.

- This version includes the latest RedHat 7.1 and CentOS 7.0-1503 RPMs.
- Facter upgraded to 2.4.
- PuppetDB upgraded to 2.3.8-1.

1.7 Fixed Bugs

- pupmod-aide: Change the call to the rsyslog init script to the service command to seamlessly support both RHEL6 and RHEL7.
- pupmod-apache: Remove the apache_version fact and simply use the version controls built into the Apache configuration language. Update all custom functions to properly scope definitions. Ensure that mod_ldap is installed in SIMP > 5.0.
- pupmod-simp-apache: Prevent apache from restarting after downloading a CRL.
- pupmod-clamav: Change the call to the rsyslog init script to the service command to seamlessly support both RHEL6 and RHEL7.
- pupmod-common: Deprecated. Replaced by pupmod-simplib.
- pupmod-simplib: Updated to fix regression with CCE-4241-6. Single user mode is now properly password protected. Fixed the secure_mountpoints code so that it
285. tinued on next page

Table 4.5 (continued)

RA-5(7) Vulnerability Scanning Control Enhancement (Risk Assessment): Only part of this requirement is met. SIMP can detect when any software is installed, via auditd and syslog. Services that are not registered with puppet will not operate without user intervention. Those changes are also audited. SIMP does not provide the ability to alert on those actions; however, Logstash filters or Elasticsearch queries can be applied if needed.
RA-5(8) Vulnerability Scanning Control Enhancement (Risk Assessment)
RA-5(9) Vulnerability Scanning Control Enhancement (Risk Assessment)
SA-1 System and Services Acquisition Policy and Procedures (System and Service Acquisition)
SA-2 Allocation of Resources (System and Service Acquisition)
SA-3 Life Cycle Support (System and Service Acquisition)
SA-4 Acquisitions (System and Service Acquisition)
SA-4(1) Acquisitions Control Enhancement (System and Service Acquisition)
SA-4(2) Acquisitions Control Enhancement (System and Service Acquisition)
SA-4(3) Acquisitions Control Enhancement (System and Service Acquisition)
SA-4(4) Acquisitions Control Enhancement (System and Service Acqui si
286. tion
SA-4(5) Acquisitions Control Enhancement (System and Service Acquisition)
SA-4(6) Acquisitions Control Enhancement (System and Service Acquisition)
SA-4(7) Acquisitions Control Enhancement (System and Service Acquisition)
SA-5 Information System Documentation (System and Service Acquisition)
SA-5(1) Information System Documentation Control Enhancement (System and Service Acquisition)
SA-5(2) Information System Documentation Control Enhancement (System and Service Acquisition)

Table 4.5 (continued)

SA-5(3) Information System Documentation Control Enhancement (System and Service Acquisition)
SA-5(4) Information System Documentation Control Enhancement (System and Service Acquisition)
SA-5(5) Information System Documentation Control Enhancement (System and Service Acquisition)
SA-6 Software Usage Restrictions (System and Service Acquisition)
SA-6(1) Software Usage Restrictions (System and Service Acquisition)
SA-7 User Installed Software (System and Service Acquisition)
SA-8 Security Engineering Principles (System and Service Acquisition)
SA-9 External Information Sys
287. tp://yum.puppetlabs.com/el/6/dependencies/x86_64/rubygem-hr
rubygem-json-1.5.5-3.el6.x86_64.rpm: http://yum.puppetlabs.com/el/6/dependencies/x86_64/rubygem-js
rubygem-json-doc-1.5.5-3.el6.x86_64.rpm: http://yum.puppetlabs.com/el/6/dependencies/x86_64/rubygem-js
rubygem-mustache-0.99.4-1.el6.noarch.rpm: http://yum.puppetlabs.com/el/6/dependencies/x86_64/rubygem-m
rubygem-net-ldap-0.2.2-4.el6.noarch.rpm: http://yum.puppetlabs.com/el/6/dependencies/x86_64/rubygem-ne
rubygem-net-ldap-doc-0.2.2-4.el6.noarch.rpm: http://yum.puppetlabs.com/el/6/dependencies/x86_64/rubygem-ne
rubygem-net-ping-1.6.2-1.el6.noarch.rpm: http://yum.puppetlabs.com/el/6/dependencies/x86_64/rubygem-ne
rubygem-net-ping-doc-1.5.3-4.el6.noarch.rpm: http://yum.puppetlabs.com/el/6/dependencies/x86_64/rubygem-ne
rubygem-puppet-lint-1.1.0-1.el6.noarch.rpm: http://mirror.symnds.com/distributions/fedora-epel/6/x86_64/ruby
rubygem-rack-1.0.1-2.el6.noarch.rpm: http://yum.puppetlabs.com/el/6/dependencies/x86_64/rubygem-ra
rubygem-rake-0.8.7-2.1.el6.noarch.rpm: http://mirror.netdepot.com/centos/6.7/os/x86_64/Packages/rubyge
rubygem-rake-compiler-0.9.3-2.el6.noarch.rpm: http://mirror.symnds.com/distributions/fedora-epel/6/x86_64/ruby
rubygem-rake-compiler-doc-0.9.3-2.el6.noarch.rpm: http://mirror.symnds.com/distributions/fedora-epel/6/x86_64/ruby
rubygem-rdiscount-1.6.8-1.el6.x86_64.rpm: http://yum.puppetlabs.com/el
288. trol Enhancement (Media Protection)
MP-5(4) Media Transport Control Enhancement (Media Protection)
MP-6 Media Sanitization (Media Protection)
MP-6(1) Media Sanitization Control Enhancement (Media Protection)
MP-6(2) Media Sanitization Control Enhancement (Media Protection)
MP-6(3) Media Sanitization Control Enhancement (Media Protection)
MP-6(4) Media Sanitization Control Enhancement (Media Protection)
MP-6(5) Media Sanitization Control Enhancement (Media Protection)
MP-6(6) Media Sanitization Control Enhancement (Media Protection)
PE-1 Physical and Environmental Protection Policy and Procedures (Physical and Environmental Protection)
PE-2 Physical Access Authorizations (Physical and Environmental Protection)
PE-2(1) Physical Access Authorizations Control Enhancement (Physical and Environmental Protection)
PE-2(2) Physical Access Authorizations Control Enhancement (Physical and Environmental Protection)
PE-2(3) Physical Access Authorizations Control Enhancement (Physical and Environmental Protection)
PE-3 Physical Access Control (Physical and Environmental Protection)
PE-3(1) Physical Access Control Control Enhancement (Physical and Environmental Protection)
PE-3(2) Physical Access Control Control Enhancement (Physical and Environmental Protection)
PE-3(3) Physical Access Control Control Enhancement (Physical and Environmental Protection)
PE-3(4) Physical Access Control Control Enhancement (Physic
289. trol Enhancement (Physical and Environmental Protection)
PE-14 Temperature and Humidity Controls (Physical and Environmental Protection)
PE-14(1) Temperature and Humidity Controls Control Enhancement (Physical and Environmental Protection)
PE-14(2) Temperature and Humidity Controls Control Enhancement (Physical and Environmental Protection)
PE-15 Water Damage Protection (Physical and Environmental Protection)
PE-15(1) Water Damage Protection Control Enhancement (Physical and Environmental Protection)
PE-16 Delivery and Removal (Physical and Environmental Protection)
PE-17 Alternate Work Site (Physical and Environmental Protection)
PE-18 Location of Information System Components (Physical and Environmental Protection)
PE-18(1) Location of Information System Components Control Enhancement (Physical and Environmental Protection)
PE-19 Information Leakage (Physical and Environmental Protection)
SI-1 System and Information Integrity Policy and Procedures (System and Information Integrity)

Table 4.5 (continued)

SI-2(1) Flaw Remediation Control Enhancement (System and Information Integrity): Patches that are part of the software base for SIMP are tested within the development environment. There is automa
290. trol Name, Control Family, SIMP Implementation Method.

CM-5 Access Restrictions for Change (Configuration Management): SIMP can only meet the enforcement part of this control. The remainder must be met by the environment that SIMP is implemented in. Changes to SIMP-based systems are enforced with built-in Unix/LDAP groups. Only someone with sudo or sudosh access (usually an admin group) can apply changes to the environment.
CM-5(1) Access Restrictions for Change Control Enhancement (Configuration Management): SIMP can only meet the enforcement part of this control. The remainder must be met by the environment that SIMP is implemented in. Changes to SIMP-based systems are enforced with built-in Unix/LDAP groups. Only someone with sudo or sudosh access (usually an admin group) can apply changes to the environment.
CM-5(2) Access Restrictions for Change Control Enhancement (Configuration Management)
CM-5(3) Access Restrictions for Change Control Enhancement (Configuration Management): Redhat and CentOS packages are signed with gpg keys. Those keys are vendor specific. Package installation occurs only when those gpgkeys are validated using the installed gpg public keys for the operating system. SIMP-specific RPMs that were developed are signed using keys generated by the development team.
CM-5(4) Access Restrictions for Change Control Enh
291. ts (AC-6).

4.2.12 Session Controls

SIMP provides a number of security features for sessions. These features include:

- Accounts are locked after five invalid log-on attempts over a 15-minute period. The account is then locked for 15 minutes. No administrator action is required to unlock an account. (AC-7)
- System banners are presented to a user both before and after logging on. The default banner should be customized for each implementation. (AC-8)
- After a successful log-on, the date, time, and source of the last log-on is presented to the user. The number of failed log-on attempts since the last log-on is also provided. (AC-9 and AC-9(1))
- A limit of 10 concurrent SSH sessions is allowed per user. This can be further limited if an implementation decides it is set too high. Given the way SSH is used in operational settings, this default value is reasonable. (AC-10)
- Session lock only applies if the windowmanager::gnome module is used. Sessions lock automatically after 15 minutes of inactivity. Users must authenticate their access with valid credentials to reestablish a session. (AC-11)

4.2.13 Permitted Actions without Identification and Authentication

SIMP has a number of applications that do not require both identification and authentication. These services are listed below along with an explanation of why these aspects are not required. Implementations should include any additional services that do require identification and/or authenti
292. ts of the remote session are not logged. The keystrokes of users with sudosh shells are all logged.
AC-17 (2) | Remote Access Control Enhancement | Access Control | Remote access is limited to SSH. SSH (OpenSSH on CentOS/RHEL) provides both confidentiality and integrity of the remote session.
AC-17 (3) | Remote Access Control Enhancement | Access Control |
AC-17 (4) | Remote Access Control Enhancement | Access Control | This control is enforced via other access control mechanisms already covered in 800-53, namely AC-6. By default, SSH in SIMP will allow anyone to connect. Once identification and authentication is performed, access control to privileged commands is enforced as usual.
SIMP Documentation, Release 0.0 (4.5 Security Concepts Appendices, page 139; Table 4.3: Control ID | Control Name | Control Family | SIMP Implementation Method)
AC-17 (5) | Remote Access Control Enhancement | Access Control | Auditd provides logging of failed access attempts. It's up to the implementation to perform a level of inspection of these unauthorized events. Auditd does this by default. Other checks will ensure auditd is running and registered with Puppet.
AC-17 (6) | Remote Access Control Enhancement | Access Control |
AC-17 (7) | Remote Access Control Enhancement | Access Control |
AC-17 (8) | Remote Access
293. turned off at any time. All of the stock SIMP modules work with SELinux enabled and have the least restrictive MAC policies enforced. These policies assign each object an SELinux user, role, type and level. These characteristics are used to define a context for each object.
AC-16 (1) | Security Attributes Control Enhancement | Access Control |
AC-16 (2) | Security Attributes Control Enhancement | Access Control |
AC-16 (3) | Security Attributes Control Enhancement | Access Control |
AC-16 (4) | Security Attributes Control Enhancement | Access Control | SELinux user, role, type and level are the security attributes that are associated with each object with SELinux enabled in SIMP.
AC-16 (5) | Security Attributes Control Enhancement | Access Control |
AC-17 | Remote Access | Access Control | By default, external connections are not allowed, with the exception of SSH. This is documented in the SIMP user manual. Implementations have the ability to override this with the understanding that Puppet controls iptables.
AC-17 (1) | Remote Access Control Enhancement | Access Control | The extent of monitoring remote connections is done by auditd and syslog. The conten
294. uded in Red Hat Enterprise Linux are GPG-signed by Red Hat, Inc. to indicate that they were supplied by Red Hat, Inc. See also: RHEL.
RHEL: Red Hat Enterprise Linux. A commercial Linux operating system produced by Red Hat, Inc. RHEL is designed to provide an enterprise-ready Linux distribution suitable for multiple target applications.
RPM: RPM Package Manager. A package management system. The name RPM is associated with the .rpm file format, files in this format, software packaged in such files, and the package manager itself. RPM was developed primarily for GNU/Linux distributions; the file format is the baseline package format of the Linux Standard Base.
RSA: An algorithm for public-key cryptography that is based on the presumed difficulty of factoring large integers (the factoring problem). RSA stands for Ron Rivest, Adi Shamir and Leonard Adleman, who first publicly described it in 1977.
Ruby: A dynamic, reflective, general-purpose, object-oriented programming language that combines syntax inspired by Perl with Smalltalk-like features. Ruby originated in Japan during the mid-1990s and was first developed and designed by Yukihiro "Matz" Matsumoto. It was influenced primarily by Perl, Smalltalk, Eiffel and Lisp. Ruby supports multiple programming paradigms, including functional, object-oriented, imperative and reflective. It also has a dynamic type system and automatic memory management; it is therefore similar in varying respects to Smalltal
295. ult password again when prompted for the current UNIX password. Type a new password when prompted for the New Password. Retype the password when prompted.
2.2.5 Installing the SIMP Server
Warning: Keep in mind as the installation process begins that Puppet does not work well with capital letters in host names. Therefore, they should not be used.
1. Log on as simp and run su to gain root access.
2. Type simp config.
   1. Type simp config -a <Config File> to load a previously generated configuration instead of generating the configuration from the script. This is the option to run for systems that will be rebuilt often.
   2. For a list of additional commands, type simp help. Type simp help <Command> for more information on a specific command.
   3. A list of the variables that are set, and more details, are contained in List of Installation Variables.
   Note: Once simp config has been run, a simp config file with all your settings is saved in /root/.simp/simp_conf.yaml.
3. Configure the system as prompted.
4. Type simp bootstrap.
   Note: If progress bars are of equal length and the bootstrap finishes quickly, a problem has occurred. This is most likely due to an error in SIMP configuration. Refer to the previous step and make sure that all configuration options are correct.
5. Type reboot.
2.2.6 Performing Post-installation Setup on the SIMP Server
1. Log on as root.
2. Run puppet for th
296. unique identifier assigned to network interfaces for communications on the physical network segment. Source: Wikipedia, MAC address.
NAT: Network Address Translation. The process of modifying IP address information in IP packet headers while in transit across a traffic routing device.
NFS: Network File System. A distributed file system protocol that allows a user on a client computer to access files over a network in a manner similar to how local storage is accessed.
PAM: Pluggable Authentication Modules. A mechanism to integrate multiple low-level authentication schemes into a high-level application programming interface (API). It allows programs that rely on authentication to be written independently of the underlying authentication scheme.
PEM: Privacy Enhanced Mail. An early standard for securing electronic mail. This is the public key of a specific certificate. This is also the format used for Certificate Authority certificates.
PERL: Practical Extraction and Report Language. A high-level, general-purpose, interpreted, dynamic programming language. PERL was originally developed by Larry Wall in 1987 as a general-purpose Unix scripting language to make report processing easier.
PKI: Public Key Infrastructure. A security architecture that has been introduced to provide an increased level of confidence for exchanging information over an increasingly insecure Internet. PKI enables users of basically insecure public networks such as the Intern
297. up, you now have the ability to search logs. There are several resources available to help with searching. The Kibana Overview Page and Elasticsearch Guide are a good place to start. You should also visit the main Logstash page to see demonstrations and read their tips for searching logs.
[Figure: log flow diagram. Client -> (TCP 5140 TLS, TCP 514, UDP 514) -> IPTables (TCP 51400, UDP 51400) -> LogStash -> ElasticSearch Node 1]
3.12 Using Kerberos 5 in SIMP
The Kerberos module helps an administrator obtain a working Key Distribution Center (KDC) setup and configure clients to use the KDC.
Important: Given the highly sensitive nature of Kerberos passwords and tokens, this module does not store or use any passwords related to the Kerberos KDC. Remember the passwords chosen for the Kerberos KDC; Puppet does not have the ability to retrieve forgotten passwords. As a result of the nature of Kerberos, an administrator must run /usr/sbin/kdb5_util create -s on the KDC to set the principal administrator password and initialize the database.
The following sections provide instruction on how to get started with Kerberos 5. For more detailed information, review the official Red Hat documentation.
3.12.1 Creating Principals
Once all of the systems using Kerberos are properly configured, either via the krb stock classes or otherwise, the administr
298. uppetserver. The puppet master service has been replaced by the puppetserver service. This is a major rewrite by Puppetlabs. Puppetserver scales better for larger agent deployments with a single puppet master.
Uses Environments by default; this allows for tools such as r10k. The production environment is a link to simp by default.
1.9 Known Bugs
- There is a symlink that is created at /etc/puppet/environments/simp/simp which should not be in place. This is being tracked as SIMP-661.
- SSSD is currently broken and will allow logins via SSH even if your password has expired. This has been noted by Red Hat and is in the pipeline.
- If you are running libvirtd when svckill runs, it will always attempt to kill dnsmasq unless you are deliberately trying to run the dnsmasq service. This does not actually kill the service but is instead an error of the startup script and causes no damage to your system.
CHAPTER 2: SIMP Installation Guide
Contents
2.1 Introduction
This guide will walk a user through the process of managing a SIMP system. This system includes, at a minimum, a SIMP server with properly configured networking information and a working Puppet server. Additionally, this document outlines the process of managing clients and users associated with the SIMP system.
2.1.1 Level of Knowledge
SIMP is designed for use by system administrators or users with a strong background using Linux operatin
299. ure DHCP for more info. Restart the system. Once the client installs, reboots and begins to bootstrap, it will check in for the first time.
Puppet will not autosign puppet certificates by default, and waitforcert is enabled. The client will check in every 30 seconds for a signed cert. Log on to the puppet server and run puppet cert sign <puppet.client.fqdn>.
Upon successful deployment of a new client, it is highly recommended that LDAP administrative accounts be created.
2.3.7 Troubleshooting Issues
If the client has been kickstarted but is not communicating with the Puppet server, try the following options:
- Check the forward and reverse DNS entries on the client and server; both must be correct.
- Check the time on the systems. More than an hour's difference will cause serious issues with certificates.
- Remove /var/lib/puppet/ssl on the client system, run puppet cert clean <Client Host Name> on the Puppet server, and try again.
2.3.8 Troubleshoot Certificate Issues
If host certificates do not appear to be working and the banner is not getting rsync'd to the clients, ensure that all certificates verify against the installed CA certificates. The table below lists the steps to determine which certificates are working and which are not.
1. Navigate to /etc/puppet/environments/simp/keydist.
2. Run find . -name "<Your Domain>*.pub" -exec openssl verify -CApath cacerts {} \;
Impor
300. valuate the status and any relevant settings that need to be applied as a result of this evaluation.
IA-8 | Identification and Authentication (Non-Organizational Users) | Identification and Authentication |
SC-1 | System and Communications Protection Policy and Procedures | System and Communications Protection |
SC-2 | Application Partitioning | System and Communications Protection | The spirit of this control is providing logical separation so that users are not able to access administrative functions. There is no notion of partitioning within SIMP. There are access control enforcements that can be proven through tests on those controls. If this control is allocated to SIMP alone, it's unlikely it can be met. Since SIMP is the infrastructure that applications would use, showing that application users cannot access the SIMP environment is a better way to prove this control is met.
SC-2 (1) | Application Partitioning Control Enhancement | System and Communications Protection | The spirit of this control is providing logical separation so that users are not able to access administrative functions. There is no notion of partitioning within SIMP
301. vided by SIMP might be used to support an implementation's contingency plan.
4.3.5 System Backup
SIMP comes with a module called backuppc. This module provides a base configuration of the BackupPC software and allows Puppet servers and clients to perform backups.
4.4 Information System Management
This chapter contains SIMP security concepts that are related to the management security controls in NIST 800-53.
4.4.1 Risk Assessment
This section describes the process of identifying risks within a system.
4.4.2 SIMP Self Risk Assessment
Risk can be found in any system. The SIMP team is constantly evaluating the system and the settings to minimize inherent risk. Most risks can be mitigated by processes and procedures at the implementation level. The following table describes the known areas in SIMP (RA-1).
Risk | Possible Mitigations
Disabling Puppet | This can cause the clients to be out of sync with the Puppet Master. SIMP attempts to force a break on any locks and restart Puppet on all clients after a time of 4 * runinterval (30 minutes by default). Implementations should ensure that further steps have not been taken to disable Puppet and should monitor their logs. Administrators can use the puppetlast command on the Puppet Master to detect servers that have not checked in within a reasonable time period.
Out of Date Patches | SIMP can be built with the RPMs from CentOS or Red Hat. Those RPMs should be assumed out of
302. vserver.your.domain, a VNC client (vclnt.your.domain) and a proxy (proxy.your.domain). A vuser account must also be set up as the account being used for the VNC. The vuser is a common user that has access to the server, client and proxy.
Modify Puppet
If definitions for the machines involved in the VNC do not already exist in Hiera, create an /etc/puppet/hieradata/hosts/vserv.your.domain.yaml file. In the client hosts file, modify or create the entries shown in the examples below. These additional modules will allow vserv to act as a VNC server and vclnt to act as a client.
VNC Server node (vserv.your.domain.yaml):
classes:
  - windowmanager::gnome
  - mozilla::firefox
  - vnc::server
VNC client node (vclnt.your.domain.yaml):
classes:
  - windowmanager::gnome
  - mozilla::firefox
  - vnc::client
Run the Server
As vuser on vserv.your.domain, type vncserver. The output should mirror the following:
New 'vserv.your.domain:<Port Number> (vuser)' desktop is vserv.your.domain:<Port Number>
Starting applications specified in /home/vuser/.vnc/xstartup
Log file is /home/vuser/.vnc/vserv.your.domain:<Port Number>.log
Note: Remember the port number; it will be needed to set up an SSH tunnel.
Set up an SSH Tunnel
Set up a tunnel from the client (vclnt) through the proxy server (proxy) to the
303. (default audit rules, continued)
-w /etc/security/access.conf -p wa -k CFG_security
-w /etc/security/console.perms -p wa -k CFG_security
-w /etc/security/chroot.conf -p wa -k CFG_security
-w /etc/security/limits.conf -p wa -k CFG_security
-w /etc/security/group.conf -p wa -k CFG_security
-w /etc/security/time.conf -p wa -k CFG_security
-w /etc/security/pam_env.conf -p wa -k CFG_security
-w /etc/grub.conf -p wa -k CFG_grub
-w /etc/xinetd.conf -p wa -k CFG_xinted
-w /etc/services -p wa -k CFG_services
-w /etc/default/nss -p wa -k CFG_defaults
-w /etc/xinetd.d/chargen -p wa -k CFG_xinted.d
-w /etc/xinetd.d/chargen-udp -p wa -k CFG_xinted.d
-w /etc/xinetd.d/cups-lpd -p wa -k CFG_xinted.d
-w /etc/xinetd.d/daytime -p wa -k CFG_xinted.d
-w /etc/xinetd.d/daytime-udp -p wa -k CFG_xinted.d
-w /etc/xinetd.d/echo -p wa -k CFG_xinted.d
-w /etc/xinetd.d/echo-udp -p wa -k CFG_xinted.d
-w /etc/xinetd.d/rsync -p wa -k CFG_xinted.d
-w /etc/xinetd.d/time -p wa -k CFG_xinted.d
-w /etc/xinetd.d/time-udp -p wa -k CFG_xinted.d
-w /usr/share/gdm/defaults.conf -p wa -k CFG_sys
-w /etc/init -p wa -k CFG_upstart
CCE-26612-2 deliberately ignored so that audit rules may be manipulated by Puppet.
4.5.3 Default Kickstart Files
Default Puppe
304. was getting loaded into the default ldif even if you didn't want to use it. This has been fixed.
- Made the password policy overlay align with the latest SIMP build of the plugin. This means that you must have version simp-ppolicy-check-password-2.4.39-0 or later available to the system being configured.
- Change the call to the rsyslog init script to the service command to seamlessly support both RHEL6 and RHEL7.
- Fixed reported bugs in syncrepl.pp.
- Removed all reliance on the lsb facts since some users do not wish to install the prerequisite RPMs for LSB compliance.
pupmod-openscap
- Change the call to the rsyslog init script to the service command to seamlessly support both RHEL6 and RHEL7.
- Changed default ssg base path to /usr/share/xml/scap/ssg/content.
pupmod-pam
- Moved pam_mkhomedir to a higher position in the stack than pam_systemd. This resolves some issues that were occurring due to a missing home directory on initial login.
pupmod-pam
- Removed all reliance on the lsb facts since some users do not wish to install the prerequisite RPMs for LSB compliance.
pupmod-pki
- Now allow directories in the cacerts directories. This previously caused failures that needed to be manually addressed on each node.
pupmod-rsync
- Fixed provider to run with dry-run when puppet is run with --noop.
pupmod-simp
- Ensure that S
305. wdog Updater Modified. A software installation tool for Linux. It is a complete software management system that works with RPM files. YUM is designed to be used over a network or the Internet. See also: RPM.
3.18 Indices and tables
- genindex
- search
CHAPTER 4: SIMP Security Concepts
This is the 4.2.0-0 release of SIMP, compatible with the 6.7 release of CentOS and Red Hat Enterprise Linux (RHEL). This document provides a foundational Security Concept of Operations for the SIMP framework.
Contents
4.1 Introduction
This manual describes the security concepts of the SIMP system. The system was originally designed to meet a specific set of technical security controls using industry best practices, and has been modified recently to meet as many of the security controls provided by the National Institute of Standards and Technology's (NIST) Special Publication 800-53 as possible.
This manual outlines three categories of security:
- Technical Architecture discusses the technical approaches to securing the system.
- Operational Security discusses the security of SIMP in an operational setting.
- Information System Management discusses how SIMP helps achieve security in terms of system management.
A brief discussion of how the SIMP system helps achieve categories of controls is provided; additional technical details regarding each control can be found in the SIMP Security Controls Traceability Mat
306. wledge. SIMP is designed for use by system administrators or users with a strong background using Linux operating systems. The core applications that make up SIMP and require prerequisite knowledge are:
- Puppet 3.7 or later
- Domain Name System (DNS): BIND 9
- Dynamic Host Configuration Protocol (DHCP): Internet Systems Consortium (ISC) DHCP
- Lightweight Directory Access Protocol (LDAP): OpenLDAP
- RedHat Kickstart, including all tools behind it: Trivial File Transfer Protocol (TFTP), PXELinux, etc.
- Apache
- Yellowdog Updater Modified (YUM)
- Rsyslog Version 3
- Internet Protocol Tables (IPtables): basic knowledge of the rules
- Auditd: basic knowledge of how the daemon works
- Advanced Intrusion Detection Environment (AIDE): basic knowledge of the rules
- Basic X.509-based PKI key management
SIMP does as much initial setup and configuration of these tools as possible. However, without at least some understanding, you will be unable to tailor a SIMP system to fit the desired environment. A general understanding of how to control and manipulate these tools from the command line interface (CLI) will be necessary, as SIMP does not come stock with a graphical user interface (GUI). Knowledge of scripting and Ruby programming will also help to further customize a SIMP install, but is not required for routine use.
3.1.2 SIMP Defined
The System Integrity Management Platform (SIMP) is a framework de
307. y. b. Not enforced. c. Hashed passwords are built into Linux (/etc/shadow and /etc/pam.d/system-auth, pam_unix.so). LDAP passwords changed by users are done through PAM before getting placed in LDAP. Manual LDAP passwords are created using the slappasswd command. d. Password minimum and maximum lifetimes are enforced through /etc/login.defs and LDAP. e. By default, the previous 24 passwords cannot be reused.
IA-5 (2) | Authenticator Management Control Enhancement | Identification and Authentication | Puppet comes with a self-contained public key infrastructure. Though just used for Puppet, it operates as a full PKI, so the certificate path is validated. SSL certificates that are used for SSL and TLS also have certificate path validation built into the protocol. Note: SSH keys are not considered PKI.
IA-5 (3) | Authenticator Management Control Enhancement | Identification and Authentication |
IA-5 (4) | Authenticator Management Control Enhancement | Identification and Authentication | pam_cracklib enforces password complexity rules on Redhat and CentOS. Additional tools to check authenticator strength can be used in operational settings.
IA-5 (5)
308. y. Files are packaged and a series of auto tests are performed on the release. Once released, there is a version number associated for distribution. All documentation is also built with source code.
CM-2 (3) | Baseline Configuration Control Enhancement | Configuration Management | All old versions of SIMP remain in the code repository.
CM-2 (4) | Baseline Configuration Control Enhancement | Configuration Management |
CM-2 (5) | Baseline Configuration Control Enhancement | Configuration Management | a. SIMP provides a minimal list of packages and services installed. The minimal list of packages can be found in kickstart files and the appendix of this document. Additional packages are installed by each implementation or as SIMP modules are applied. b. It's not feasible to technically deny additional applications from being installed. There is nothing in SIMP that can stop an RPM from being applied. Applications that require network access to service activation must be registered with Puppet.
CM-2 (6) | Baseline Configuration Control Enhancement | Configuration Management | As a project, SIMP is developmental only. The environments where it is tested are up to the implementation
309. y conflicting module name from the SIMP ecosystem. You will need to run the migrate_to_simplib script to update all of the relevant files. This script will only migrate items in the existing SIMP environment. You may also set the environment variable UPGRADE_PATHS to run the script on multiple external paths. All code was migrated.
pupmod-simp-functions
The functions namespace has been deprecated in favor of the new simplib namespace. This removes a commonly conflicting module name from the SIMP ecosystem. You will need to run the migrate_to_simplib script to update all of the relevant files. This script will only migrate items in the existing SIMP environment. You may also set the environment variable UPGRADE_PATHS to run the script on multiple external paths. The following items were not migrated:
- append_if_no_such_line -> Use simp_file_line
- delete_lines -> Use augeas
- init_mod_nice -> Use init_ulimit
- init_mod_open_files -> Use init_ulimit
- line -> Use augeas
- prepend_if_no_such_line -> Use simp_file_line
- renice -> No replacement; was not correct
- replace_line -> Use augeas
2.6.3 Significant Updates
- FIPS Mode is now enabled by default. This is a SIGNIFICANT change and may impact many of your running applications that use encryption. If you are upgrading, do NOT enable FIPS mode without extensive testing, as it may cause various applications to n