CCSS Compliance Notes: Fedora
All the commands prefixed with sudo in this document assume that an entry like the following was added to /etc/sudoers using visudo:
%wheel ALL=(ALL) ALL
Add users that should have sudo access to the wheel group, or run the commands as root without the sudo.
Whether installing from scratch or working with an already installed device, first run:
sudo yum update
This will update the system software before moving to the CCSS specific configuration steps. Answer yes to any prompt if required (there should be one to import the Fedora GPG key if updates haven't been run before, and there are prompts to download and install the packages). If yum complains that it cannot download a required file, wait a few minutes and run the command again. If the update process indicates a reboot is required, reboot the device. If there are a lot of updates, it is advisable to reboot the device regardless of whether or not you are prompted. Alternatively, use the update notification icon (a brown box) at the top right of the screen.
If the update process in Fedora is particularly slow, edit these files:
Uncomment the baseurl= lines and comment out the mirrorlist= lines directly below them.
Sometimes software updates can cause currently running applications to behave strangely. Firefox and Thunderbird experience this quite frequently when updated. This can be solved by restarting the application or logging out and back in.
Fedora systems come with a firewall already installed. The firewall settings can be verified by clicking Activities and typing firewall.
CCSS policy requires CSE Computing Staff be able to check device compliance at any time. Therefore, the SSH port must be open, which can be verified in the firewall configuration window by scrolling down to the services list. Ping should also be enabled. Do not enable any Masquerading settings.
Specific ports or port ranges may be opened as necessary for research, but the firewall should be operated in such a way that all incoming connections other than those specified as an exception are blocked. In cases where research requires an alternate configuration, contact the CSE Computing Staff for further assistance.
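The firewall requirements above (SSH open, ping allowed, no masquerading, everything else blocked) can also be checked from the command line rather than by scrolling through the graphical tool. The script below is an added example, not part of the CCSS notes or the CCSS check script; it assumes a Fedora release that uses firewalld, whose firewall-cmd --list-all output has the "key: value" layout shown. Both zone dumps in it are constructed samples so that the check runs offline.

```shell
#!/bin/sh
# Added example, not part of the CCSS notes: check a firewalld zone dump
# against the requirements above (SSH open, ping allowed, no masquerading,
# everything else blocked). Assumes a Fedora release that uses firewalld,
# whose `firewall-cmd --list-all` output has the "key: value" layout below.

# Constructed sample of a compliant zone dump.
SAMPLE_OK='FedoraWorkstation (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp0s3
  sources:
  services: dhcpv6-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

# Constructed sample of a non-compliant zone: ssh removed, ping blocked,
# masquerading switched on.
SAMPLE_BAD='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp0s3
  sources:
  services: dhcpv6-client
  ports:
  protocols:
  masquerade: yes
  forward-ports:
  source-ports:
  icmp-blocks: echo-request
  rich rules:'

# field NAME DUMP: print the value of the "NAME: value" line in DUMP.
field() {
    printf '%s\n' "$2" | sed -n "s/^[[:space:]]*$1:[[:space:]]*//p"
}

# check_zone DUMP: print one line per requirement; return 0 only if all pass.
check_zone() {
    rc=0
    case " $(field services "$1") " in
        *' ssh '*) echo "SSH service allowed:    pass" ;;
        *)         echo "SSH service allowed:    FAIL"; rc=1 ;;
    esac
    case " $(field icmp-blocks "$1") " in
        *' echo-request '*) echo "Ping not blocked:       FAIL"; rc=1 ;;
        *)                  echo "Ping not blocked:       pass" ;;
    esac
    if [ "$(field masquerade "$1")" = no ]; then
        echo "Masquerading disabled:  pass"
    else
        echo "Masquerading disabled:  FAIL"; rc=1
    fi
    # A zone target of default, DROP or REJECT refuses unlisted traffic;
    # ACCEPT would let every incoming connection through.
    case "$(field target "$1")" in
        ACCEPT) echo "Unlisted ports blocked: FAIL"; rc=1 ;;
        *)      echo "Unlisted ports blocked: pass" ;;
    esac
    return $rc
}

echo "== compliant sample =="
check_zone "$SAMPLE_OK"
echo "== non-compliant sample =="
check_zone "$SAMPLE_BAD" || echo "zone needs attention"
# On a live device: check_zone "$(sudo firewall-cmd --list-all)"
```

Ports opened for research appear on the ports: line of the same dump; the check deliberately does not list them, since which ones are acceptable is agreed with the CSE Computing Staff rather than fixed by the script.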
The update notification icon mentioned in the Initial Setup section will indicate anytime updates are required. If prompted to install updates or notified by the CCSS check script, install the updates to ensure system security. If a reboot is required, reboot the device as soon as possible.
It may be necessary to remove the install media repository before the update notification icon can be used to update the system. If any errors are displayed when using the update notification icon, there will be an option to edit the repository settings. Click the option and remove the install media from the repository list; it is typically the first entry.
Install ClamAV with these commands:
sudo yum install clamav
sudo yum install clamav-update
- Edit /etc/sysconfig/freshclam and remove or comment out the last line.
- Edit /etc/freshclam.conf and remove or comment out the bare "Example" line near the beginning of the file.
- Run sudo freshclam one time by hand to get the initial definitions update.
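The two configuration edits above can be scripted, which is useful when several devices are set up the same way. The script below is an added example, not from the CCSS notes or the CCSS software; the file contents it edits are constructed copies of what Fedora's clamav-update package ships (an assumption about that package, including that the last line of /etc/sysconfig/freshclam is the FRESHCLAM_DELAY line), so it runs offline. On a real device the functions would be run as root against /etc/freshclam.conf and /etc/sysconfig/freshclam.

```shell
#!/bin/sh
# Added example, not from the CCSS notes: apply the two freshclam edits
# listed above with sed. The file contents below are constructed copies of
# what Fedora's clamav-update package ships (an assumption about that
# package's files); on a real device run the functions as root against
# /etc/freshclam.conf and /etc/sysconfig/freshclam.

# make_sample_files: write the constructed copies; sets FRESHCLAM_CONF and SYSCONFIG.
make_sample_files() {
    FRESHCLAM_CONF=$(mktemp)
    cat > "$FRESHCLAM_CONF" <<'EOF'
##
## Example config file for freshclam
##
# Comment or remove the line below.
Example
# Path to the database directory.
DatabaseDirectory /var/lib/clamav
UpdateLogFile /var/log/freshclam.log
EOF
    SYSCONFIG=$(mktemp)
    cat > "$SYSCONFIG" <<'EOF'
## When changing the periodicity of freshclam runs in the crontab,
## this should be changed as well.
FRESHCLAM_MOD=
FRESHCLAM_DELAY=disabled-warn   # REMOVE ME
EOF
}

# comment_out FILE SED_ADDRESS: prefix every line selected by SED_ADDRESS
# with "#" unless it is already a comment. Portable (no sed -i).
comment_out() {
    tmp=$(mktemp)
    sed "$2 s/^\([^#]\)/#\1/" "$1" > "$tmp" && mv "$tmp" "$1"
}

# prepare_freshclam CONF SYSCONFIG: the two CCSS edits.
prepare_freshclam() {
    comment_out "$1" '/^Example[[:space:]]*$/'   # bare "Example" marker
    comment_out "$2" '$'                          # last line of sysconfig file
}

# bare_example_lines FILE: how many uncommented "Example" lines remain
# (freshclam refuses to run while the count is not 0).
bare_example_lines() {
    grep -c '^Example[[:space:]]*$' "$1" || true
}

make_sample_files
echo "before: $(bare_example_lines "$FRESHCLAM_CONF") bare Example line(s)"
prepare_freshclam "$FRESHCLAM_CONF" "$SYSCONFIG"
echo "after:  $(bare_example_lines "$FRESHCLAM_CONF") bare Example line(s)"
tail -n 1 "$SYSCONFIG"
rm -f "$FRESHCLAM_CONF" "$SYSCONFIG"
```

After the edits, bare_example_lines reports 0 and the last line of the sysconfig file starts with "#"; sudo freshclam can then be run once by hand as the notes describe.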
This should be fine by default, but do not:
- Create an account with no password
- Create an account with a weak password
- Example: username guest with password guest
- See man passwd for more information
- Configure the graphical login screen to automatically log in any account.
- Use the root account as a regular login account. Instead, create a normal user account for general use (this is the default).
Install CCSS Software
The CSE Computing Staff are required to make CCSS compliance automated and auditable. This script meets that requirement, therefore these steps are required. Any changes or problems must be discussed with CSE Computing Staff before proceeding with CCSS certification.
First, download the necessary programs and configuration files. Save the .tar.gz file to your normal user account's home directory. If your home directory is mounted over NFS or another networked file system, do these steps in /tmp instead. Once downloaded, extract the contents and change into the source directory with these commands:
tar -vxzf fedora-mcss-1.1.tar.gz
cd fedora-mcss-1.1
Then, run the install script:
sudo ./install.sh
If the device is a server that doesn't usually have a single user logged into it, use the -s switch. (sudo ./install.sh -s) The -s switch is only for servers. Do not use the server install switch on a desktop system.
The CCSS script does several things:
- Creates the /root/mcss installation directory structure
- Installs the CCSS software
- Sets up log rotation for /var/log/mcss.log and /var/log/anti-malware.log.
- Updates the PAM configuration to meet the CCSS appropriate authentication controls requirement.
- Schedules an anti-malware scan to run daily at 4:30am.
- Schedules the ccss check command to run every 6 hours.
The anti-malware configuration only detects malware. It doesn't modify, move, or copy suspected malware files. False positives are possible. The /root/mcss/malware-exclude file contains a list of full paths to files and directories that are excluded from the anti-malware scan. There are notes in the file that explain in more detail; in particular, users should read the last two sections regarding /home and other network file system mounts. Paths to confirmed false positives may be included in this file, but blanket directory exclusions are discouraged. If you are unsure whether or not to exclude a path, contact the CSE Computing Staff.
Network file system mounts should be excluded from anti-malware scanning, as this will create unnecessary network traffic. If /home is mounted over NFS, its entry should be uncommented. The full path to any other network file system mounts, excluding the trailing slash, should be added at the bottom of /root/mcss/malware-exclude as well. See the comments in /root/mcss/malware-exclude for details. Do not forget this step!
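The script below is an added example, not part of the CCSS notes or the CCSS software, showing how an exclude list in the shape described above (one full path per line, "#" comments, no trailing slash) turns into clamscan exclusion options, and how to catch the step the notes warn about: a network mount that is not yet excluded. The exclude list and the mounts table are constructed samples; the layout of the real /root/mcss/malware-exclude is an assumption here, and that file's own notes take precedence.

```shell
#!/bin/sh
# Added example, not part of the CCSS notes or its script: read an exclude
# list in the shape described above (one full path per line, "#" comments,
# no trailing slash) and turn it into clamscan exclusion options, then warn
# about network mounts that are not yet excluded. The list and the mounts
# table are constructed samples; the real /root/mcss/malware-exclude carries
# its own notes and its own layout, which this example only assumes.

# make_sample_files: write the constructed inputs; sets EXCLUDE_LIST and MOUNTS.
make_sample_files() {
    EXCLUDE_LIST=$(mktemp)
    cat > "$EXCLUDE_LIST" <<'EOF'
# Constructed exclude list: full paths, one per line, "#" starts a comment.
/proc
/sys
# Confirmed false positive (constructed path for this example)
/usr/share/doc/example-pkg/testfile
# Uncomment if /home is mounted over NFS
#/home
/mnt/research-data/
EOF
    MOUNTS=$(mktemp)
    cat > "$MOUNTS" <<'EOF'
/dev/sda2 / ext4 rw,relatime 0 0
fileserver:/export/home /home nfs4 rw,relatime,vers=4.1 0 0
fileserver:/export/research /mnt/research-data nfs rw,relatime 0 0
EOF
}

# exclusions FILE: active paths with comments, blank lines and trailing
# slashes removed.
exclusions() {
    sed -e 's/[[:space:]]*#.*$//' -e '/^[[:space:]]*$/d' -e 's,/$,,' "$1"
}

# clamscan_args FILE: one --exclude-dir and one --exclude option per path
# (directories and single files respectively); clamscan takes a regex, so
# each path is anchored at its start.
clamscan_args() {
    exclusions "$1" | sed 's,^\(.*\)$,--exclude-dir=^\1 --exclude=^\1,'
}

# unexcluded_network_mounts EXCLUDE_FILE MOUNTS_FILE: print each NFS or CIFS
# mount point missing from the exclude list; return 1 if any is missing.
# (Mount points are assumed not to contain spaces.)
unexcluded_network_mounts() {
    active=$(exclusions "$1")
    missing=0
    for mnt in $(awk '$3 ~ /^(nfs|nfs4|cifs)$/ { print $2 }' "$2"); do
        if ! printf '%s\n' "$active" | grep -qxF -- "$mnt"; then
            echo "$mnt"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

make_sample_files
echo "clamscan options:"
clamscan_args "$EXCLUDE_LIST"
echo "network mounts not excluded:"
unexcluded_network_mounts "$EXCLUDE_LIST" "$MOUNTS" \
    || echo "-> add the path(s) above to the exclude list (no trailing slash)"
# On a live device use /proc/mounts as the second argument.
rm -f "$EXCLUDE_LIST" "$MOUNTS"
```

With the constructed inputs, /mnt/research-data is covered (its trailing slash is stripped) while /home is reported as an NFS mount still missing from the list, which is exactly the case the commented-out /home entry exists for.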
When malware is detected or the CCSS compliance check fails, a warning message is broadcast to all logged-in users with wall and added to /etc/bash.bashrc for display on login. If a CCSS compliance failure is not fixed within 7 days, the system will schedule a halt every time the CCSS compliance check fails. Once the problem is resolved and the CCSS check passes, the warning and the halt countdown are removed. The server install switch disables the notification and halt countdown; however, these systems are closely monitored for compliance.
After installation, run the CCSS script interactively to ensure compliance:
sudo ./mcss -i
MCSS Check: Sun Jan 13 23:04:05 2008
Firewall: pass
Software: pass
Malware: pass
Authentication: pass
If any portion of the CCSS script fails, the system may be out of compliance. If you are unable to resolve the compliance issue yourself, contact the CSE Computing Staff for further assistance. If installation was successful and there are no error messages or failures in the output of the CCSS check script, the source files for the CCSS software may be removed. Do not remove the installed files in /root/mcss.
CSE Staff Account
All research devices are required to have a CSE staff account with full sudo access. A staff member will create this account during CCSS compliance certification.
CCSS Compliance Certification
After the steps in this document have been completed, send an e-mail to firstname.lastname@example.org to request a certification appointment. A staff member will coordinate with you to verify that your device meets CCSS standards.