CCSS Compliance Notes: Debian

Initial Setup

All the commands prefixed with sudo in this document assume that an entry like the following was added to /etc/sudoers using visudo:

%wheel ALL=(ALL) ALL

Add users who should have sudo access to the wheel group, or run the commands as root without the sudo. If the initial installation was done from a CDROM, remove the CDROM entries from the APT sources list: go to Desktop ⇒ System ⇒ Software Preferences and clear the check mark beside each entry that begins with cdrom: in the Debian Software and Third-Party Software tabs.

Alternatively, you can comment out any lines in /etc/apt/sources.list that start with deb cdrom: by prefixing them with a #.

Whether installing from scratch or working with an already installed device, first run the following commands:

sudo apt-get clean
sudo apt-get update
sudo apt-get -y --purge dist-upgrade

This will clean the cache, resynchronize the package index files, and update the system software before moving to the CCSS specific configuration steps. If the update notification icon indicates a reboot is required, reboot the device. The dist-upgrade step may ask you to answer some prompts.

It is possible that some of the package installs described in the sections below won't be necessary. Running the install commands anyway does no harm, but you can check whether a package is already installed with the dpkg -s <package_name> command.

Sometimes software updates can cause currently running applications to behave strangely. Firefox and Thunderbird experience this quite frequently when updated. This can be solved by restarting the applications or logging out and logging in again.

Firewall

Install the ufw package (detailed instructions can be found here: https://wiki.ubuntu.com/UncomplicatedFirewall), then allow SSH and enable the firewall:

sudo ufw allow ssh/tcp
sudo ufw enable

Current OS/Software

Open Desktop ⇒ System ⇒ Software Sources. Under the Updates tab, ensure that "Check for updates:" is set to Daily, and "Install security updates without confirmation" is selected.

All other settings should be left at their defaults. Click the Close button when done. Changes to any other settings should be discussed with the CSE Computing Staff to ensure that the device complies with the Current OS/Software aspect of the CCSS.

Keep in mind that you may still be prompted to install updates. When this happens, install the updates to ensure system security. If a reboot is necessary, do so as soon as possible.

Anti-Malware and SSH Brute Force Protection

Install ClamAV with these commands:

sudo apt-get install clamav
sudo apt-get install clamav-docs

Install Fail2ban and the CCSS jail configuration using these commands:

sudo apt-get install fail2ban
sudo wget -P /etc/fail2ban/ http://www.cse.ohio-state.edu/cs/security/ccss/resources/jail.local

Then start both services:

sudo service fail2ban start
sudo service clamav-freshclam start

Authentication Controls

Install libpam-cracklib ignoring any warning messages:

sudo apt-get -y install libpam-cracklib

This should be fine by default, but do not:

  • Create an account with no password
  • Create an account with a weak password
    • Example: username guest with password guest
    • See man passwd for more information
  • Configure the graphical login screen to automatically login any account.
  • Use the root account as a regular login account. Instead, create a normal user account for general use (this is the default).

Install CCSS Software

The CSE Computing Staff are required to make CCSS compliance automated and auditable. This script meets that requirement, therefore these steps are required. Any changes or problems must be discussed with CSE Computing Staff before proceeding with CCSS certification.

First, download the necessary programs and configuration files. Save the .tar.gz file to your normal user account's home directory. If your home directory is mounted over NFS or another network file system, do these steps in /tmp instead. Once downloaded, extract the contents and change into the source directory with these commands:

tar -vxzf debian-mcss-1.1.tar.gz
cd debian-mcss-1.1

Then, run the install script:

sudo ./install.sh

If the device is a server that doesn't usually have a single user logged into it, use the -s switch (sudo ./install.sh -s). The -s switch is only for servers; do not use the server install switch on a desktop system.

The CCSS script does several things:

  • Creates the /root/mcss installation directory structure
  • Installs the CCSS software
  • Sets up log rotation for /var/log/mcss.log and /var/log/anti-malware.log.
  • Updates the PAM configuration to meet the CCSS appropriate authentication controls requirement.
  • Schedules an anti-malware scan to run daily at 4:30am.
  • Schedules the ccss check command to run every 6 hours.

The anti-malware configuration only detects malware. It doesn't modify, move, or copy suspected malware files. False positives are possible. The /root/mcss/malware-exclude file contains a list of full paths to files and directories that are excluded from the anti-malware scan. There are notes in the file that explain in more detail; in particular, users should read the last two sections regarding /home and other network file system mounts. Paths to confirmed false positives may be added to this file, but blanket directory exclusions are discouraged. If you are unsure whether or not to exclude a path, contact the CSE Computing Staff.

Network file system mounts should be excluded from anti-malware scanning, as this will create unnecessary network traffic. If /home is mounted over NFS, its entry should be uncommented. The full path to any other network file system mounts, excluding the trailing slash, should be added at the bottom of /root/mcss/malware-exclude as well. See the comments in /root/mcss/malware-exclude for details. Do not forget this step!
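The following check, added here as an example and not part of the CCSS/MCSS software, compares the mount table against a malware-exclude file and lists the NFS/CIFS mount points that are not yet excluded. The function name missing_excludes and the sample data are constructed; on a live system you would pass /proc/mounts and /root/mcss/malware-exclude.

```shell
#!/bin/sh
# Added example, not part of the CCSS/MCSS software: list network file system
# mounts that have no entry in a malware-exclude file. Both inputs are file
# paths, so the check runs on constructed data as well as on /proc/mounts.

# Usage: missing_excludes MOUNTS_FILE EXCLUDE_FILE
# Prints each nfs/nfs4/cifs/smbfs mount point that is not excluded.
# Returns 1 if anything is missing, 0 if every network mount is excluded.
missing_excludes() {
    mounts=$1
    exclude=$2
    missing=0
    # In /proc/mounts field 2 is the mount point and field 3 the file system type.
    for mp in $(awk '$3 ~ /^(nfs|nfs4|cifs|smbfs)$/ { print $2 }' "$mounts"); do
        # Drop comments and trailing whitespace, and strip a trailing slash so
        # "/mnt/proj/" counts as excluding "/mnt/proj". A commented-out
        # "#/home" therefore does not count as an exclusion.
        if ! sed -e 's/#.*//' -e 's/[[:space:]]*$//' -e 's:/$::' "$exclude" \
                | grep -qxF -- "$mp"; then
            echo "$mp"
            missing=1
        fi
    done
    return "$missing"
}

# Constructed sample data (not captured from a real host): two NFS mounts and one
# CIFS mount; /home is still commented out and /mnt/share is absent entirely.
demo_missing_excludes() {
    tmp=$(mktemp -d)
    cat > "$tmp/mounts" <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
fileserver:/export/home /home nfs rw,vers=3 0 0
fileserver:/export/proj /mnt/proj nfs4 rw 0 0
//smbhost/share /mnt/share cifs rw 0 0
EOF
    cat > "$tmp/malware-exclude" <<'EOF'
# Paths excluded from the anti-malware scan, one per line
/proc
/sys
#/home
/mnt/proj/
EOF
    missing_excludes "$tmp/mounts" "$tmp/malware-exclude" && status=0 || status=$?
    rm -rf "$tmp"
    return "$status"
}
# On the sample data this prints /home and /mnt/share and exits 1.
demo_missing_excludes || echo "Add the paths above to /root/mcss/malware-exclude"
```

Run it from cron or before each CCSS check; a non-zero exit status means a network mount is about to be scanned over the network.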

When malware is detected or the CCSS compliance check fails, a warning message is broadcast to all logged-in users with wall and added to /etc/bash.bashrc for display on login. If a CCSS compliance failure is not fixed within 7 days, the system will schedule a halt every time the CCSS compliance check fails. Once the problem is resolved and the CCSS check passes, both the warning and the halt countdown are removed. The server install switch disables the notification and the halt countdown; these systems are, however, closely monitored for compliance.
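To make the escalation above concrete, here is an added illustration of the warn-then-halt countdown; it is not the CCSS/MCSS script. The function escalate, the state file and the timestamps are constructed, and the chosen action is printed instead of executed.

```shell
#!/bin/sh
# Added illustration of the warning/halt escalation described above; this is
# not the CCSS/MCSS script. The first failure time is kept in a state file and
# the chosen action is printed instead of executed (no wall, no shutdown).

GRACE_DAYS=7

# Usage: escalate STATE_FILE RESULT NOW_EPOCH
#   RESULT is "pass" or "fail"; NOW_EPOCH is the current time in seconds.
# Prints "clear", "warn <days left>" or "halt".
escalate() {
    state=$1
    result=$2
    now=$3
    if [ "$result" = pass ]; then
        # A passing check ends the countdown and lifts the login warning.
        rm -f "$state"
        echo clear
        return 0
    fi
    # The first failure starts the countdown; later failures reuse its timestamp.
    if [ -s "$state" ]; then
        first=$(cat "$state")
    else
        first=$now
        echo "$now" > "$state"
    fi
    elapsed=$(( (now - first) / 86400 ))
    if [ "$elapsed" -ge "$GRACE_DAYS" ]; then
        echo halt                              # the real script schedules a halt here
    else
        echo "warn $((GRACE_DAYS - elapsed))"  # wall message plus /etc/bash.bashrc notice
    fi
}

# Constructed walk-through: fail on day 0, day 3 and day 7, then pass on day 8.
# Prints: warn 7, warn 4, halt, clear.
demo_escalate() {
    s=$(mktemp)
    rm -f "$s"
    for day in 0 3 7; do
        escalate "$s" fail $((1200000000 + day * 86400))
    done
    escalate "$s" pass $((1200000000 + 8 * 86400))
}

demo_escalate
```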

After installation, run the CCSS script interactively to ensure compliance:

sudo ./mcss -i
MCSS Check:Sun Jan 13 23:04:05 2008
Firewall:pass
Software:pass
Malware:pass
Authentication:pass

If any portion of the CCSS script fails, the system may be out of compliance. If you are unable to resolve the compliance issue yourself, contact the CSE Computing Staff for further assistance. If installation was successful and there are no error messages or failures in the output of the CCSS check script, the source files for the CCSS software may be removed. Do not remove the installed files in /root/mcss.

CSE Staff Account

All research devices are required to have a CSE staff account with full sudo access. A staff member will create this account during CCSS compliance certification.

CCSS Compliance Certification

After the steps in this document have been completed, send an e-mail to help@cse.ohio-state.edu to request a certification appointment. A staff member will coordinate with you to verify that your device meets CCSS standards.