CCSS Compliance Notes: Ubuntu
Whether installing from scratch or working with an already installed device, first run the following commands:
sudo apt-get clean sudo apt-get update sudo apt-get -y --purge dist-upgrade
This will clean the cache, resynchronize the package index files, and update the system software before moving to the CCSS specific configuration steps. If the update notification icon indicates a reboot is required, reboot the device. It may be necessary to answer some prompt with the dist-upgrade option.
It is possible that the software package installs described in the sections below won't be necessary. It won't cause a problem to run the install commands anyway, but it is possible to check if a package is already installed with the dpkg -s <package_name> command.
Sometimes software updates can cause currently running applications to behave strangely. Firefox and Thunderbird experience this quite frequently when updated. This can be sovled by restarting the applications or logging out and logging in again.
Install the following packages:
Detailed instructions can be found here: https://wiki.ubuntu.com/UncomplicatedFirewall
sudo ufw allow ssh/tcp sudo ufw enable
From the Gnome menu in the upper right-hand corner of the desktop, select System Settings. In the System Settings window, open Software Sources. Under the Updates tab, ensure that "Automatically check for updates:" is set to Daily, and "When there are security updates:" is set to "Download and install automatically".
All other settings should be left at their defaults. Click the Close button when done. Changes to any other settings should be discussed with the CSE Computing Staff to ensure that the device complies with the Current OS/Software aspect of the CCSS.
Keep in mind that you may still be prompted to install updated. When this happens, install the updates to ensure system security. If a reboot is necessary, do so as soon as possible.
Ubuntu does not by default provide a ssh server, so that the system can be accessed remotely install the openssh server with the following:
sudo apt-get -y install openssh-server
Anti-Malware and SSH Brute Force Protection
Install ClamAV with theses commands:
sudo apt-get install clamav sudo apt-get install clamav-docs
Install Fail 2 ban using these commands:
sudo apt-get install fail2ban sudo wget -P /etc/fail2ban/ http://web.cse.ohio-state.edu/cs/security/ccss/resources/jail.local sudo service fail2ban start sudo service clamav-freshclam start
Install libpam-cracklib ignoring any warning messages:
sudo apt-get -y install libpam-cracklib
This should be fine by default, but do not:
- Create an account with no password
- Create an account with a weak password
- Example: Username:guest/Password: guest
- See man passwd for more information
- Configure the graphical login screen to automatically login any account.
- Use the root account as a regular login account. Instead, create a normal user account for general use (this is the default).
Install CCSS Software
The CSE Computing Staff are required to make CCSS compliance automated and auditable. This script meets that requirement, therefore these steps are required. Any changes or problems must be discussed with CSE Computing Staff before proceeding with CCSS certification.
First, download the necessary programs and configuration files. Save the .tar.gz file to your normal user account's home directory. If your home directory is mounted over NFS or a networked file system, do these steps in /temp instead. Once downloaded, extract the contents and change into the source directory with these commands:
tar -vxzf ubuntu-mcss-1.3.tar.gz cd ubuntu-mcss-1.3
Then, run the install script:
If the device is a server that doesn't usually have a single user logged into it, use the -s switch. (sudo ./install.sh -s) The -s switch is only for servers. Do not use the server install switch on a desktop system.
The CCSS script does several things:
- Creates the /root/mcss installation directory structure
- Installs the CCSS software
- Sets up log rotation for /var/log/mcss.log and /var/log/anti-malware.log.
- Updates the PAM configuration to meet the CCSS appropriate authentication controls requirement.
- Schedules an anti-malware scan to run daily at 4:30am.
- Schedules the ccss check command to run every 6 hours.
The anti-malware configuration simply detects malware. It doesn't modify, move, or copy suspected malware files. False positive are possible. The /root/mcss/malware-exclude file contains a list of full paths to files and directories that are excluded from the anti-malware scan. There are notes in the file that explain in more detail; in particular, users should read the last two sections regarding /home and other network file system mounts. Paths to confirmed false positives may be included in this file, but blanket directory exclusions are discouraged. If you are unsure whether or not to exclude a path, contact the CSE Computing Staff.
Network file system mounts should be excluded from anti-malware scanning, as this will create unnecessary network traffic. If /home is mounted over NFS, its entry should be uncommented. The full path to any other network file system mounts, excluding the trailing slash, should be added at the bottom of /root/mcss/malware-exclude as well. See the comments in /root/mcss/malware-exclude for details. Do not forget this step!
When malware is detected or the CCSS compliance check fails, a warning message is walled to all users and added to /etc/bash.bashrc for display on login. If a CCSS compliance failure is not fixed within 7 days the system will schedule a halt every time the CCSS compliance check fails. Once the problem is resolved and the CCSS check passes, the warning will be removed and the halt countdown will be removed. The server install switch disables the notification and halt countdown, however these systems are closely monitored for compliance.
After installation, run the CCSS script interactively to ensure compliance:
sudo ./mcss -i MCSS Check:Sun Jan 13 23:04:05 2008 Firewall:pass Software:pass Malware:pass Authentication:pass
If any portion of the CCSS script fails, the system may be out of compliance. If you are unable to resolve the compliance issue yourself, contact the CSE Computing Staff for further assistance. If installation was successful and there are no error messages or failures in the output of the CCSS check script, the source files for the CCSS software may be removed. Do not remove the installed files in /root/mcss.
CSE Staff Account
All research devices are required to have a CSE staff account with full sudo access. A staff member will create this account during CCSS compliance certification.
CCSS Compliance Certification
After the steps in this document have been completed, send an e-mail to firstname.lastname@example.org to request a certification appointment. A staff member will coordinate with your to verify that your device meets CCSS standards.