CCSS Compliance Notes: Debian
All the commands prefixed with sudo in this document assume that an entry like the following was added to /etc/sudoer using visudo:
wheel ALL=(ALL) ALL
Add users who should have sudo access to the wheel group, or run the commands as root without the sudo. If the initial installation was done with a CDROM, remove the CDROM entries from the APT sources list. Go to Desktop ⇒ System ⇒ Software Preferences, and remove the check marks beside each entry that begins with cdrom: in the Debian Software and Third-Party Software tabs:
Alternatively, you can comment out any lines in /etc/apt/sources.list that start with deb cdrom: by prefixing them with a #.
Whether installing from scratch or working with an already installed device, first run the following commands:
sudo apt-get clean sudo apt-get update sudo apt-get -y --purge dist-upgrade
This will clean the cache, resynchronize the package index files, and update the system software before moving to the CCSS specific configuration steps. If the update notification icon indicates a reboot is required, reboot the device. It may be necessary to answer some prompt with the dist-upgrade option.
It is possible that the software package installs described in the sections below won't be necessary. It won't cause a problem to run the install commands anyway, but it is possible to check if a package is already installed with the dpkg -s <package_name> command.
Sometimes software updates can cause currently running applications to behave strangely. Firefox and Thunderbird experience this quite frequently when updated. This can be sovled by restarting the applications or logging out and logging in again.
Install the following packages:
sudo apt-get -y install firestarter sudo apt-get -y install openssh-server
If you have already configured firewall rules, Firestarter is not strictly required, but read this section for informational purposes. The openssh-server packages, opening up the SSH port, and enabling ping (which is enabled by default with Firestarter) are required.
Next, configure the firewall:
Running Firestarter for the first time brings up the firewall configuration wizard:
Click the Forward; button to move to the "Network device setup" screen, and choose the network device you use to connect to the Internet. Make sure to choose the Ethernet device that is connected to the CSE network, and leave the other options unchecked:
Click the Forward button. Leave the "Internet connection sharing setup" screen exactly as shown below. Do not enable Internet connection sharing.
Click the Forward button. On the "Ready to start your firewall" screen, ensure that "Start firewall now" is checked, and click Save.
After the settings are saved, a normal Firestarter GUI will open. The Firestarter GUI can be used to check firewall status and events, and set policy. By default, the firewall will be restrictive with inbound traffic, but outbound traffic will be unrestricted. Some policy exceptions may be made without prior approval; it is, for example, acceptable to open individual ports or port ranges for specific applications. More complicated requirements must be discussed with the CSE Computing Staff to ensure CCSS guidelines are met. The main GUI interface is shown below:
This example will show how to add a port exception for SSH. Per CCSS policy, CSE Computing Staff must be able to access devices and check their compliance, so a port exception for SSH access is required. Policy exceptions are managed under the Policy tab in the main GUI interface:
Select "Inbound traffic policy" from the Editing drop-down. Next, click in the white box at the bottom under "Allow service | Port | For". With the white box highlighted, click the Add Rule button at the top of the window. This opens the "Add new inbound rule" dialog:
Common services listed in /etc/services are available in the Name drop-down box. Select SSH, which auto-fills Port with the appropriate port number – 22 in this case. Click Add. The new rule is now displayed in the main GUI:
Once all necessary exceptions are added, click Apply Policy. Once the firewall is configured, click Firewall ⇒ Quit;. Firestarter can be run from the command line, as in this example, or from System ⇒ Administration ⇒ Firestarter Gnome menu.
Open Desktop ⇒ System ⇒ Software Sources. Under the Updates tab, ensure that "Check for updates:" is set to Daily, and "Install security updates without confirmation" is selected.
All other settings should be left at their defaults. Click the Close button when done. Changes to any other settings should be discussed with the CSE Computing Staff to ensure that the device complies with the Current OS/Software aspect of the CCSS.
Keep in mind that you may still be prompted to install updated. When this happens, install the updates to ensure system security. If a reboot is necessary, do so as soon as possible.
Install ClamAV with theses commands:
sudo apt-get install clamav sudo apt-get install clamav-docs
Install libpam-cracklib ignoring any warning messages:
sudo apt-get -y install libpam-cracklib
This should be fine by default, but do not:
- Create an account with no password
- Create an account with a weak password
- Example: Username:guest/Password: guest
- See man passwd for more information
- Configure the graphical login screen to automatically login any account.
- Use the root account as a regular login account. Instead, create a normal user account for general use (this is the default).
Install CCSS Software
The CSE Computing Staff are required to make CCSS compliance automated and auditable. This script meets that requirement, therefore these steps are required. Any changes or problems must be discussed with CSE Computing Staff before proceeding with CCSS certification.
First, download the necessary programs and configuration files. Save the .tar.gz file to your normal user account's home directory. If your home directory is mounted over NFS or a networked file system, do these steps in /temp instead. Once downloaded, extract the contents and change into the source directory with these commands:
tar -vxzf debian-mcss-1.1.tar.gz cd debian-mcss-1.1
Then, run the install script:
If the device is a server that doesn't usually have a single user logged into it, use the -s switch. (sudo ./install.sh -s) The -s switch is only for servers. Do not use the server install switch on a desktop system.
The CCSS script does several things:
- Creates the /root/mcss installation directory structure
- Installs the CCSS software
- Sets up log rotation for /var/log/mcss.log and /var/log/anti-malware.log.
- Updates the PAM configuration to meet the CCSS appropriate authentication controls requirement.
- Schedules an anti-malware scan to run daily at 4:30am.
- Schedules the ccss check command to run every 6 hours.
The anti-malware configuration simply detects malware. It doesn't modify, move, or copy suspected malware files. False positive are possible. The /root/mcss/malware-exclude file contains a list of full paths to files and directories that are excluded from the anti-malware scan. There are notes in the file that explain in more detail; in particular, users should read the last two sections regarding /home and other network file system mounts. Paths to confirmed false positives may be included in this file, but blanket directory exclusions are discouraged. If you are unsure whether or not to exclude a path, contact the CSE Computing Staff.
Network file system mounts should be excluded from anti-malware scanning, as this will create unnecessary network traffic. If /home is mounted over NFS, its entry should be uncommented. The full path to any other network file system mounts, excluding the trailing slash, should be added at the bottom of /root/mcss/malware-exclude as well. See the comments in /root/mcss/malware-exclude for details. Do not forget this step!
When malware is detected or the CCSS compliance check fails, a warning message is walled to all users and added to /etc/bash.bashrc for display on login. If a CCSS compliance failure is not fixed within 7 days the system will schedule a halt every time the CCSS compliance check fails. Once the problem is resolved and the CCSS check passes, the warning will be removed and the halt countdown will be removed. The server install switch disables the notification and halt countdown, however these systems are closely monitored for compliance.
After installation, run the CCSS script interactively to ensure compliance:
sudo ./mcss -i MCSS Check:Sun Jan 13 23:04:05 2008 Firewall:pass Software:pass Malware:pass Authentication:pass
If any portion of the CCSS script fails, the system may be out of compliance. If you are unable to resolve the compliance issue yourself, contact the CSE Computing Staff for further assistance. If installation was successful and there are no error messages or failures in the output of the CCSS check script, the source files for the CCSS software may be removed. Do not remove the installed files in /root/mcss.
CSE Staff Account
All research devices are required to have a CSE staff account with full sudo access. A staff member will create this account during CCSS compliance certification.
CCSS Compliance Certification
After the steps in this document have been completed, send an e-mail to firstname.lastname@example.org to request a certification appointment. A staff member will coordinate with your to verify that your device meets CCSS standards.