These guides take the user through the tasks required to provide additional Linux security for NMIS9 and its modules.

Linux Hardening Guide - VM distribution

Linux Hardening Guide - Ubuntu/RHEL

This guide will go over a few settings that will help to make your Linux environment with NMIS9 more secure and stable.

Set the OMK NMIS9 VM to run services and scripts as a user, with omkadmin being the owner:group of /usr/local/omk

These steps allow omkadmin, both as a user and as a group, to execute OMK scripts. To do this, follow the steps below:

To begin, find files and directories in /data/omk with the setUID bit set:

Code Block
sudo find /data/omk -perm /4000

Set Cronjobs to run as omkadmin

Be sure to set all OMK cronjobs to run as the user omkadmin and not as the root user.

General settings to ensure omkadmin is the user running commands:

Code Block
# stop services while we make this change:
sudo /usr/local/omk/bin/checkomkdaemons.sh stop;

# Add approved users, such as nmis, to omkadmin group as needed:
sudo usermod -a -G omkadmin nmis;

# this directory exists on the OMK NMIS9 VM:
OMK_DIR=/data/omk

# Set OMK directory structure writable by group:
sudo chown -R omkadmin:omkadmin "${OMK_DIR:-FAIL_HERE}";
sudo find "${OMK_DIR:-FAIL_HERE}" -type d -exec chmod 0770 {} \;;

# Set user and group able to write files:
sudo find "${OMK_DIR:-FAIL_HERE}" -type f -exec chmod 0660 {} \;;

# Set scripts executable by user and group:
# This command is purely precautionary: this directory is not likely to exist
sudo find "${OMK_DIR:-FAIL_HERE}/script" -type f -exec chmod 0770 {} \;;

# This command is purely precautionary: this directory is not likely to exist
sudo find "${OMK_DIR:-FAIL_HERE}/bin" -type f -exec chmod 0770 {} \;;

OMK_DIR=/usr/local/omk

# These commands are exactly as for /data/omk:
# Set OMK directory structure writable by group:
sudo chown -R omkadmin:omkadmin "${OMK_DIR:-FAIL_HERE}";
sudo find "${OMK_DIR:-FAIL_HERE}" -type d -exec chmod 0770 {} \;;

# Set user and group able to write files:
sudo find "${OMK_DIR:-FAIL_HERE}" -type f -exec chmod 0660 {} \;;

# Set scripts executable by user and group:
# This command should succeed: this directory is likely to exist
sudo find "${OMK_DIR:-FAIL_HERE}/script" -type f -exec chmod 0770 {} \;;

# This command should succeed: this directory is likely to exist
sudo find "${OMK_DIR:-FAIL_HERE}/bin" -type f -exec chmod 0770 {} \;;

# The following commands should be executed after any of the above commands
# to ensure the PAR directory structure is re-created with PAR's own permissions set:
# Set sticky bit on $PAR_GLOBAL_TMPDIR directory and only executable by root.
# This is a more secure implementation of the linux /tmp/ directory implementation, which also uses
# the sticky bit, but with chmod 1777:
sudo chmod 1700 "${PAR_GLOBAL_TMPDIR:-FAIL_HERE}";

# Delete existing PAR subdirectories, as we may have set incorrect permissions on this directory
# structure when executing the previous commands.
# The PAR subdirectories are re-created automatically by PAR upon being deleted (at execution of any PAR
# script exe by that user).
# The glob is expanded by a root shell: after chmod 1700 a non-owner caller cannot list the directory,
# so an unprivileged shell would pass a literal '*' to rm and delete nothing:
sudo sh -c 'rm -rf -- "$1"/*' sh "${PAR_GLOBAL_TMPDIR:-FAIL_HERE}";
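
To confirm that the ownership and mode changes above took effect, the following read-only audit can be run against each tree. It is an added example, not part of the original guide or of OMK's own tooling; the function name audit_omk_tree and its finding labels are hypothetical, and it assumes GNU find as shipped with Ubuntu and RHEL.

```shell
#!/bin/sh
# Added example, not from the original guide: read-only audit of an OMK tree.
# Usage: audit_omk_tree DIR [OWNER] [GROUP]   (OWNER/GROUP default to omkadmin)
# Prints one "FINDING<TAB>path" line per problem.
# Returns 0 if clean, 1 if there are findings, 2 if DIR is not a directory.
# Assumes GNU find (-perm /MODE). Numeric user and group IDs are accepted.

audit_omk_tree() {
    local dir="${1:?directory required}"
    local owner="${2:-omkadmin}"
    local group="${3:-omkadmin}"
    local findings
    dir="${dir%/}"    # drop a trailing slash so the -path patterns below match

    [ -d "$dir" ] || { printf 'NOT_A_DIRECTORY\t%s\n' "$dir"; return 2; }

    findings=$(
        # setuid or setgid bit on anything (the guide's first check, plus setgid)
        find "$dir" -perm /6000 -exec printf 'SETID\t%s\n' {} +
        # any permission bit for "other": the guide sets 0770 and 0660 only
        find "$dir" ! -type l -perm /0007 -exec printf 'WORLD_ACCESS\t%s\n' {} +
        # not owned by the expected user and group
        find "$dir" \( ! -user "$owner" -o ! -group "$group" \) \
            -exec printf 'OWNERSHIP\t%s\n' {} +
        # executable regular files outside bin/ and script/
        find "$dir" -type f -perm /0111 \
            ! -path "$dir/bin/*" ! -path "$dir/script/*" \
            -exec printf 'UNEXPECTED_EXEC\t%s\n' {} +
    )

    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}
```

Source the file and run `audit_omk_tree /data/omk` and `audit_omk_tree /usr/local/omk` from a root shell, since directories set to 0770 cannot be traversed by users outside the omkadmin group.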

...