Our TEL team is working with Customer State Bank of India to operationalize one new SSS 3500 that we sold to customer to replace the existing Gen2 GLS2 SSS Storage.
As part of the internal security practices the State Bank of India runs their own scans on all their devices is asking the TEL team to help close the discovered vulnerabilities . For few of the changes sought the DEV team has requested the Tel team to help raise RFE for these so this configs can be tested in dev setup and post which the dev team can confirm if same can be implemented in customers SSS3500 storage.
There are multiple vulnerabilities noted , as per discussion with TEL & Dev team raising at high level 5 RFE where the related vulnerabilities are bunched
Filesystem Related Configuration -
Control Objective - 2.1.1. Ensure mounting of the unused filesystems is disabled and separate partitions are created.
Control Statement- Access to unwanted mounting filesystem and critical directories should be restricted on the server. This provides protection for resource exhaustion and enables the use of mounting options that are applicable to the directory's intended use.
Risk/Impact - Increases the chance of an unauthorized user trying to breach data by mounting unneeded filesystem.
Recommendations/ Implementation Steps
1. Edit or create a file in the /etc/modprobe.d/ directory ending in .conf and add the following line:
install cramfs /bin/true
install vfat /bin/true
install squashfs /bin/true
install udf /bin/true
install usb-storage /bin/true
2. Edit the /etc/fstab file and add nodev, noexec and nosuid to the fourth field (mounting options):
mount -o remount,nodev /tmp
mount -o remount,nosuid /tmp
mount -o remount,noexec /tmp
mount -o remount,nodev /home
mount -o remount,nodev /dev/shm
mount -o remount,nosuid /dev/shm
mount -o remount,noexec /dev/shm
Dev teams Comment - Please open an RFE so that we can investigate the ramifications of changing this
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Control Objective - 2.1.2. Ensure sticky bit is set on all world-writable directories
Control Statement - Setting the sticky bit on world writable directories prevents users from deleting or renaming files in that directory that are not owned by them.
Risk/Impact - This feature prevents the ability to delete or rename files in world writable directories (such as /tmp ) that are owned by another user.
Recommendations/ Implementation Steps
Run the following command to set the sticky bit on all world writable directories:
# df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) 2>/dev/null | xargs -I '{}' chmod a+t '{}'
Dev teams Comment -Please open an RFE so that we can investigate the ramifications of changing this.
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Control Objective - 2.1.3. Disable Automounting and USB Storage
Control Statement - autofs allows automatic mounting of devices, typically including CD/DVDs and USB drives.
Risk/Impact - With automounting enabled anyone with physical access could attach a USB drive or disc and have its contents available in system even if they lacked permissions to mount it themselves.
Recommendations/ Implementation Steps
Run the following command to disable autofs :
# systemctl --now disable autofs
Run the following command to disable USB:
install usb-storage /bin/true
Dev teams Comment - USB is required by the firmware update path. For autofs...Please open an RFE so that we can investigate the ramifications of changing this.
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Control Objective - 2.3.1. Ensure AIDE is installed
Control Statement - AIDE takes a snapshot of filesystem state including modification times, permissions, and file hashes which can then be used to compare against the current state of the filesystem to detect modifications to the system.
Risk/Impact - By monitoring the filesystem state, compromised files can be detected to prevent or limit the exposure of accidental or malicious misconfigurations or modified binaries.
Recommendations/ Implementation Steps
Install AIDE using the appropriate package manager or manual installation:
# dnf install aide
Run the following commands to enable regular integrity check:
# cp ./config/aidecheck.service /etc/systemd/system/aidecheck.service
# cp ./config/aidecheck.timer /etc/systemd/system/aidecheck.timer
# chmod 0644 /etc/systemd/system/aidecheck.*
# systemctl reenable aidecheck.timer
# systemctl restart aidecheck.timer
# systemctl daemon-reload
OR
Run the following command:
# crontab -u root -e
Add the following line to the crontab: 0 5 * * * /usr/sbin/aide --check
Dev teams Comment - Please open an RFE so that we can investigate the ramifications of changing this.
