Versions Compared

Old Version 3

changes.mady.by.user Paul McClendon

Saved on

compared with

New Version Current

changes.mady.by.user Anthony Burow

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

These guides take the user through the tasks required of providing additional Linux security to NMIS9 and it's modules.

Linux Hardening Guide - VM distribution

Linux Hardening Guide - Ubuntu/RHEL

This guide will go over a few settings that will help to make your Linux environment with NMIS9 more secure and stable.

Set the OMK NMIS9 VM to run services & scripts as user with omkadmin being the owner:group of /usr/local/omk

These steps will allow omkadmin as a user and as a group able to execute OMK scripts. To do this, we will follow the steps below:

To begin, we will find files and directories in /data/omk with setUID bit set

Code Block
sudo find /data/omk -perm/+4000

Set Cronjobs

We will be sure to set all OMK cronjobs to run as the user omkadmin and not as the root user.

Code Block
# stop services while we make this change:
sudo /usr/local/omk/bin/checkomkdaemons.sh stop;

# Add approved users, such as nmis, to omkadmin group as needed:
sudo usermod -a -G omkadmin nmis;

# this directory exists on the OMK NMIS9 VM:
OMK_DIR=/data/omk

# Set OMK directory structure writable by group:
sudo chown -R omkadmin:omkadmin "${OMK_DIR:-FAIL_HERE}";
sudo find "${OMK_DIR:-FAIL_HERE}" -type d -exec chmod 0770 {} \;;

# Set user and group able to write files:
sudo find "${OMK_DIR:-FAIL_HERE}" -type f -exec chmod 0660 {} \;;

# Set scripts executable by user and group:
# This command is purely precautionary: this directory is not likely to exist
sudo find "${OMK_DIR:-FAIL_HERE}/script" -type f -exec chmod 0770 {} \;;

# This command is purely precautionary: this directory is not likely to exist
sudo find "${OMK_DIR:-FAIL_HERE}/bin" -type f -exec chmod 0770 {} \;;
OMK_DIR=/usr/local/omk

# These command are exactly as for /data/omk:
# Set OMK directory structure writable by group:
sudo chown -R omkadmin:omkadmin "${OMK_DIR:-FAIL_HERE}";
sudo find "${OMK_DIR:-FAIL_HERE}" -type d -exec chmod 0770 {} \;;

# Set user and group able to write files:
sudo find "${OMK_DIR:-FAIL_HERE}" -type f -exec chmod 0660 {} \;;

# Set scripts executable by user and group:
# This command should succeed: this directory is likely to exist
sudo find "${OMK_DIR:-FAIL_HERE}/script" -type f -exec chmod 0770 {} \;;

# This command should succeed: this directory is likely to exist
sudo find "${OMK_DIR:-FAIL_HERE}/bin" -type f -exec chmod 0770 {} \;;

# The following commands should be executed after any of the the above commands
# to ensure PAR directory structure is re-created with PAR's own permissions set:
# Set sticky bit on $PAR_GLOBAL_TMPDIR directory and only executable by root.
# This is a more secure implementation of the linux /tmp/ directory implementation which also uses
sticky bit, but with chmod 1777:
sudo chmod 1700 "${PAR_GLOBAL_TMPDIR:-FAIL_HERE}";

# Delete existing PAR subdirectories as we may have set incorrect permissions on this directory
structure when executing the previous commands.
# The PAR subdirectories are re-created automatically by PAR upon being deleted (at execution of any PAR
script exe by that user):
sudo rm -rf "${PAR_GLOBAL_TMPDIR:-FAIL_HERE}"/*;

...