Our TEL team is working with Customer State Bank of India to operationalise one new SSS 3500 that we sold to customer to replace the existing Gen2 GLS2 SSS Storage.
As part of the internal security practices the State Bank of India runs their own scans on all their devices is asking the TEL team to help close the discovered vulnerabilities . For few of the changes sought the DEV team has requested the Tel team to help raise RFE for these so this configs can be tested in dev setup and post which the dev team can confirm if same can be implemented in customers SSS3500 storage.
There are multiple vulnerabilities noted , as per discussion with TEL & Dev team raising at high level 5 RFE where the related vulnerabilities are bunched
Control Objective - 2.6.1. Configure SELinux
Control Statement - Mandatory Access Control (MAC) provides an additional layer of access restrictions to processes on top of the base Discretionary Access Controls. By restricting how processes can access files and resources on a system the potential impact from vulnerabilities in the processes can be reduced.
Note: Apparmor is the default MAC provided with Ubuntu systems.
Risk/Impact - Mandatory Access Control limits the capabilities of applications and daemons on a system, while this can prevent unauthorized access the configuration of MAC can be complex and difficult to implement correctly preventing legitimate access from occurring.
Recommendations/ Implementation Steps -
On systems using SELinux Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules
Example: vi /etc/audit/rules.d/MAC-policy.rules
and add the following lines:
-w /etc/selinux/ -p wa -k MAC-policy
-w /usr/share/selinux/ -p wa -k MAC-policy
Notes: Reloading the auditd config to set active settings may require a system reboot.
Dev teams Comment - SELinux is available today. It is not the default. Please open an RFE so that we can investigate the ramifications of changing this.
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Control Objective - 2.9.2. Check for Unconfined Daemons
Control Statement - Daemons that are not defined in SELinux policy will inherit the security context of their parent process.
Risk/Impact - Since daemons are launched and descend from the init process, they will inherit the security context label initrc_t. This could cause the unintended consequence of giving the process more permission than it requires.
Recommendations/ Implementation Steps -
1. Investigate if any unconfined daemons are found during the audit action. They may need to have an existing security context assigned to them or a policy built for them.
2. If any unconfined daemons found which are not required as per business requirement then kill the daemons or disable the service.
3. If unconfined daemons are available which are required as per business requirement then confine it or assign least level privilege user to run the service.
list of deamon/servives which are not required as per security best practices:
xinetd
x windows system
rsync
avahi
SNMP Server
HTTP Proxy Server
samba
imap
pop3
http server
ftp server
dns server
nfs server
rpc
ldap server
dhcp
cups
nis server
nis client
telnet client
ldap client
Dev teams Comment - Dev to look through the list of daemons to see what is needed and which can be uninstalled
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Control Objective - 2.12.1. Network Parameters (Host and Router)
Control Statement - The following network parameters are intended for use on both host and router systems. A system acts as a router if it has at least two interfaces and is configured to perform routing functions.
Risk/Impact - Setting the flag to 0 ensures that a server with multiple interfaces (for example, a hard proxy), will never be able to forward packets, and therefore, never serve as a router.
Recommendations/ Implementation Steps -
Ensure the below mentioned network parameters should be configured appropriately as per good practice.
Set the following parameter in the /etc/sysctl.conf file:
/sbin/sysctl -w net.ipv4.ip_forward=0
/sbin/sysctl -w net.ipv4.conf.all.send_redirects=0
/sbin/sysctl -w net.ipv4.conf.default.send_redirects=0
/sbin/sysctl -w net.ipv4.conf.all.accept_source_route=0
/sbin/sysctl -w net.ipv4.conf.default.accept_source_route=0
/sbin/sysctl -w net.ipv4.conf.all.accept_redirects=0
/sbin/sysctl -w net.ipv4.conf.default.accept_redirects=0
/sbin/sysctl -w net.ipv4.conf.all.secure_redirects=0
/sbin/sysctl -w net.ipv4.conf.default.secure_redirects=0
/sbin/sysctl -w net.ipv4.conf.all.log_martians=1
/sbin/sysctl -w net.ipv4.conf.default.log_martians=1
/sbin/sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
/sbin/sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1
/sbin/sysctl -w net.ipv4.conf.all.rp_filter=1
/sbin/sysctl -w net.ipv4.conf.default.rp_filter=1
/sbin/sysctl -w net.ipv4.tcp_syncookies=1
Dev teams Comment - Please open an RFE so that we can investigate the ramifications of changing this
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Control Objective - 2.13.1. Modify Network Parameters
Control Statement - The following network parameters determine if the system is to act as a host only. A system is considered host only if the system has a single interface, or has multiple interfaces but will not be configured as a router.
Risk/Impact - Setting the flag to 0 ensures that a server with multiple interfaces (for example, a hard proxy), will never be able to forward packets, and therefore, never serve as a router.
Recommendations/ Implementation Steps -
Ensure the below mentioned network parameters should be configured appropriately as per good practice.
Set the following parameter in the /etc/sysctl.conf file:
/sbin/sysctl -w net.ipv4.ip_forward=0
/sbin/sysctl -w net.ipv4.conf.all.send_redirects=0
/sbin/sysctl -w net.ipv4.conf.default.send_redirects=0
/sbin/sysctl -w net.ipv4.conf.all.accept_source_route=0
/sbin/sysctl -w net.ipv4.conf.default.accept_source_route=0
/sbin/sysctl -w net.ipv4.conf.all.accept_redirects=0
/sbin/sysctl -w net.ipv4.conf.default.accept_redirects=0
/sbin/sysctl -w net.ipv4.conf.all.secure_redirects=0
/sbin/sysctl -w net.ipv4.conf.default.secure_redirects=0
/sbin/sysctl -w net.ipv4.conf.all.log_martians=1
/sbin/sysctl -w net.ipv4.conf.default.log_martians=1
/sbin/sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
/sbin/sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1
/sbin/sysctl -w net.ipv4.conf.all.rp_filter=1
/sbin/sysctl -w net.ipv4.conf.default.rp_filter=1
/sbin/sysctl -w net.ipv4.tcp_syncookies=1
Dev teams Comment - Please open an RFE
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Control Objective - 2.13.2. Ensure IPv6 router advertisements are not accepted
Control Statement - This setting disables the system's ability to accept IPv6 router advertisements.
Risk/Impact - It is recommended that systems do not accept router advertisements as they could be tricked into routing traffic to compromised machines. Setting hard routes within the system (usually a single default route to a trusted router) protects the system from bad routes
Recommendations/ Implementation Steps -
Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file:
net.ipv6.conf.all.accept_ra = 0
net.ipv6.conf.default.accept_ra = 0
Run the following commands to set the active kernel parameters:
# sysctl -w net.ipv6.conf.all.accept_ra=0
# sysctl -w net.ipv6.conf.default.accept_ra=0
# sysctl -w net.ipv6.route.flush=1
Dev teams Comment - Please open an RFE so that we can investigate the ramifications of changing this.
