CCSS Compliance Notes: Red Hat Enterprise 7 Server/Workstation
All the commands prefixed with sudo in this document assume that an entry like the following was added to /etc/sudoers using visudo:
%wheel ALL=(ALL) ALL
Add users that should have sudo access to the wheel group. Commands may also be run as root without sudo.
Install CCSS Software (REQUIRED)
Download the necessary programs and configuration files here. Save the file to your home directory. If your home directory is mounted over NFS or another networked file system, save the file in /tmp instead. Extract the necessary files and run the install script as follows:
tar -vxzf rhel7-mcss-1.3.tar.gz cd rhel7-mcss-1.3 sudo ./install.sh
If the device is a server and normal user accounts don't usually log in, use the command sudo ./install.sh -s instead. The -s command is only for servers. Do not use the server install argument on a desktop system.
The CCSS script does the following:
- Registers the RHEL7 system with the Red Hat satellite server
- Installs necessary anti-malware software
- Creates a /root/mcss installation directory structure.
- Installs the CCSS software.
- Configures log rotation for /var/log/mcss.log and /var/log/anti-malware.log.
- Updates the PAM configuration to be compliant with the CCSS appropriate authentication controls requirement.
- Schedules the anti-malware scan (ClamAV) to run at 4:30AM every day.
- Schedules the CCSS check command to run every 6 hours.
The anti-malware scan (ClamAV) only detects malware; it does not modify, move or copy suspected malware files. Files and directories may be excluded from the anti-malware scan (e.g. in the case of a false positive) by including their paths in the /root/mcss/malware-exclude file, see the notes in that file for further details. Particular attention should be paid to the last two sections concerning the /home directory any network file system mounts. Scanning network file system mounts will generate unnecessary network traffic. If /home is mounted over NFS, its entry should be uncommented. Any other network file system mounts should be added to the end of the /root/mcss/malware-exclude file. Use the full path to the mount point with no trailing slash.
In the case of false positives, the path to the specific file should be included in /root/mcss/malware-exclude, not a blanket exception for the parent directory. Blanket directory exceptions should only be made for specific reasons, such as a directory containing tar archives that are known to be clean. If you aren't sure if an exclusion is appropriate, please contact the CSE computing staff in advance.
In case of malware detection or an CCSS compliance check failure, a warning message is written to all terminals with wall and added to /etc/bashrc to be displayed to all users on login. If the failure is not corrected with in seven days, the system will schedule a halt every time the compliance check fails. Once the problem is corrected and the compliance check passes, the warning message and halt countdown will be removed. The server install option disables the notification and halt countdown; these system will be closely monitored to ensure CCSS compliance.
Once the installation is complete, run the CCSS script interactively to verify proper install and device compliance:
sudo ./mcss -i CCSS Check: Sun Jan 13 23:04:05 EST 2008 Firewall: pass Software: pass Malware: pass Authentication: pass
If the output of the CCSS script displays any failure message, verify that you have correctly followed all the steps in this document. If the script still fails, run the uninstallation script with the command sudo /root/mcss/uninstall.sh and contact the CSE computing staff for further assistance.
The source files for the CCSS software may be removed after successful installation and interactive testing. Do not remove the installed files in /root/mcss.
Register with the CSE Red Hat proxy server
An RHEL7 system installed from CSE provided media may be in any of three registration states:
- Installed, but not registered.
- Installed and registered, but with an out-of-date CSE SSL proxy certificate.
- Installed with current functioning registration.
Registration can be tested by attempting to run
sudo yum check-update
This command normally displays a (possibly empty) list of available updates. If any error messages or configuration prompts are displayed, exit any prompts with CTRL-C, reattempt the registration using the dedicated registration scripts located in rhel7-mcss-1.3/registration/
The install.sh will update the system configuration and ensure the proper SSL certificate is installed. This script may be run on an RHEL7 system in any registration state, including properly configured systems. The install.sh script prints out further instructions on completing the registration process, including:
- Contacting CSE computing staff to acquire the proper activation key.
- Activating the system with the activation key.
Activating the system is only necessary if it has not already been activated. Testing with yum check-update is suggested to confirm successful setup. If there are any questions about Red Hat Network CSE proxy server registration, please contact a CSE Computing Staff member for assistance.
Once the system has been registered and activated, install all current updates with the command
sudo yum update
If the yum process displays an error message indicating that it cannot download a required file, wait a few minutes and run the command again. Once all updates have been installed, reboot the device.
Alternatively, the software update application may be used to verify the update status of the system. The software update application is located in Applications->System Tools->Software Update
Some software updates may cause currently running applications to behave strangely, Firefox and Thunderbird in particular. Restarting the application or logging out and back in typically correct the problem.
The CCSS requires that CSE computing staff be able to verify device compliance at any time, therefore the SSH port must be open. CSE compting staff should also be able to ping the device, this is enabled by default. The settings above are the minimum required.
- Firewall is enabled.
- SSH is a trusted service.
More ports or port ranges may be opened up for research purposes as required, but the firewall should be configured to block incoming connections that aren't on the list of approved exceptions. Other requirements may be necessary for different configurations, and should be discussed with a CSE computing staff member to ensure they meet CCSS guidelines.
To ensure that the SSH port is open please run the following commands:
sudo firewall-cmd --zone=public --add-port=22/tcp --permanent sudo firewall-cmd --reload
Current Operating System & Software
RHEL7 systems that are registered with the CSE Red Hat Network proxy server will run the update notification icon by default. Addition settings will be maintained on the Red Hat Network proxy server to automatically install security updates for most systems, with exceptions made as necessary by the CSE computing staff. Updates should be installed as soon as possible upon notification by the update icon, or as a result of the CCSS check script failure. This includes any kernel updates.
The following anti-malware packages should have been installed by the install.sh script. They are all part of the ClamAV antivirus system:
You can verify that these packages were properly installed by checking that the scan daemon is currently running:
sudo systemctl status clamd@scan
If this command lists the clamd@scan status as FAILED please contact the help desk at firstname.lastname@example.org
Red Hat's default authentication controls should be appropriate for CCSS compliance, however users are not permitted to do any of the following:
- Create an account with no password.
- Create an account with a weak password (dictionary words, account name, guest/guest, etc. See man passwd for more information.
- Configure the graphical login screen to automatically login any account.
- Use the root account as a regular login account. Normal user accounts should be used for general use.
CSE Staff Account
All research machines are required to have a CSE staff account with full sudo access. A staff member will create this account during CCSS compliance certification.
CCSS Compliance Certification
After all the steps in this document have been completed, send an e-mail to email@example.com to request a certification appointment. A staff member will arrange a time to meet with you and verify that your device meets CCSS compliance standards.