
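# Setup User Logins and Groups
#
# This block is meant to be run as root: useradd/usermod/systemctl/sed are not
# prefixed with sudo. The chown/chmod/find/rm steps keep the sudo prefix the
# original guide used, so they also work if the block is pasted as a non-root
# user with sudo rights.
#
# Environment: PAR_GLOBAL_TMPDIR must be set (checked before it is used below).
OMK_DIR=/usr/local/omk

# omkadmin gets a locked password (passwd -l): no interactive login, the
# account exists only to own the OMK files and run the OMK daemons.
useradd -m -U omkadmin
passwd -l omkadmin
# nmis and omkadmin are put in each other's primary group so both can use the
# group-writable tree set up below.
usermod -a -G omkadmin nmis
usermod -a -G nmis omkadmin

# NOTE - uncomment the below if also using Open-AudIT
# usermod -a -G omkadmin www-data

# Shutdown all impacting/impacted services
"${OMK_DIR}/bin/checkomkdaemons.sh" stop
systemctl stop nmis9d
systemctl stop cron
sleep 10
# The original guide stops nmis9d a second time after the grace period;
# presumably to catch a worker started in the meantime -- confirm.
systemctl stop nmis9d

# START of standard installer changes

# Everything under OMK_DIR becomes owned by omkadmin and group-writable, so
# membership of the omkadmin group (nmis, optionally www-data) is equivalent
# to write access to the whole install tree.
echo "Set OMK directory structure writable by group:"
sudo chown -R omkadmin:omkadmin "${OMK_DIR}"
sudo find "${OMK_DIR}" -type d -exec chmod 0770 '{}' +

echo "Set user and group able to write files:"
sudo find "${OMK_DIR}" -type f -exec chmod 0660 '{}' +

echo "Set scripts executable by user and group:"
sudo find "${OMK_DIR}/script" -type f -exec chmod 0770 '{}' +

echo "Set scripts executable by user and group:"
sudo find "${OMK_DIR}/bin" -type f -exec chmod 0770 '{}' +

# END of standard installer changes

# PAR_GLOBAL_TMPDIR is expected from the OMK environment. If it were empty the
# rm below would expand to "/par-*", so abort instead of guessing.
: "${PAR_GLOBAL_TMPDIR:?PAR_GLOBAL_TMPDIR must be set before running this block}"

echo "Delete existing PAR subdirectories as we may have set incorrect permissions on this directory"
sudo rm -Rf -- "${PAR_GLOBAL_TMPDIR}"/par-*
sudo rm -Rf -- /tmp/par-*

echo "Set sticky bit on ${PAR_GLOBAL_TMPDIR} directory and only executable by root."
sudo chmod 1700 "${PAR_GLOBAL_TMPDIR}"

echo "Recreate ${PAR_GLOBAL_TMPDIR}/par- directories for root,nmis and omkadmin"
# One run per account so each gets its own par- directory with the new
# permissions. stderr is discarded as in the original guide, so a failure here
# is not reported; check the par- directories afterwards.
sudo "${OMK_DIR}/bin/patch_config.exe" 2> /dev/null
sudo -u nmis "${OMK_DIR}/bin/patch_config.exe" 2> /dev/null
sudo -u omkadmin "${OMK_DIR}/bin/patch_config.exe" 2> /dev/null

echo "Update opCommon.json config with new PID directories"
# Not idempotent: a second run rewrites var/run/omk to var/run/omk/omk. Run once.
sed -i 's/var\/run/var\/run\/omk/g' "${OMK_DIR}/conf/opCommon.json"

#######################################
# Apply the omkadmin hardening edits to one OMK systemd unit file:
#   - run the service as omkadmin:omkadmin
#   - move its runtime files from /var/run to /var/run/omk
#   - create /var/run/omk (owner omkadmin, mode 3700) as root before start
# Not idempotent: each run inserts the lines again after [Service].
# Arguments: $1 - path to the unit file
#######################################
harden_omk_unit() {
  local unit=$1
  echo "${unit##*/}"
  sed -i 's/\[Service\]/\[Service\]\nUser\=omkadmin\nGroup\=omkadmin/g' "${unit}"
  # must run before the ExecStartPre insert below, which itself contains /var/run/omk
  sed -i 's/\/var\/run/\/var\/run\/omk/g' "${unit}"
  sed -i 's/\[Service\]/\[Service\]\nPermissionsStartOnly\=true\nExecStartPre\=\/bin\/sh \-c \"mkdir \-p \/var\/run\/omk\/\"\nExecStartPre\=\/bin\/sh \-c \"chown omkadmin\.omkadmin \/var\/run\/omk\/\"\nExecStartPre\=\/bin\/sh \-c \"chmod 3700 \/var\/run\/omk\/\"/g' "${unit}"
}

echo "Update SYSTEMCTL Server Files"
for svc in omkd opchartsd opconfigd opeventsd; do
  harden_omk_unit "/etc/systemd/system/${svc}.service"
done

echo "Update logrotate config"
sed -i 's/create 0660 nmis nmis/create 0660 omkadmin omkadmin/g' /etc/logrotate.d/omk-rotate.conf
sed -i 's/endscript/endscript\n\tsu omkadmin omkadmin/g' /etc/logrotate.d/omk-rotate.conf

echo "Update all crontab job owners"
# The original guide matches opaddress with three spaces before "root" while
# the other cron.d files are matched with a tab; kept as-is -- confirm against
# the installed /etc/cron.d/opaddress.
sed -i 's/   root\t/\tomkadmin\t/g' /etc/cron.d/opaddress
for job in opconfig opevents opha oplicense opreports; do
  sed -i 's/\troot\t/\tomkadmin\t/g' "/etc/cron.d/${job}"
done

echo "Add an Hourly Rights Check to CRONTAB"
cron_check=/etc/cron.d/omk_check_omkadmin_user_group
# Written with one redirect rather than appended, so a re-run does not
# duplicate the jobs. The quoted heredoc keeps every line literal, matching
# what the original echo lines produced. These jobs only list offending paths
# (ownership/writability/setgid/setuid); the output goes to cron mail and
# nothing is remediated automatically.
cat > "${cron_check}" <<'EOF'
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
40 * * * * root find /usr/local/omk ! -group omkadmin ! -group nmis ! -regex '/usr/local/omk/var/lib/common/par-.+' -exec ls -lAhd '{}' \;;
42 * * * * omkadmin find /usr/local/omk ! -writable -exec ls -lAhd '{}' \;;
44 * * * * root find /usr/local/omk -perm /+2000 -exec ls -lAhd '{}' \;;
46 * * * * root find /usr/local/omk -perm /+4000 -exec ls -lAhd '{}' \;;
EOF
# cron skips /etc/cron.d entries that are group- or world-writable, and the
# original touch left the mode to the caller's umask; pin it.
chmod 0644 "${cron_check}"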

Hardening NMIS


The above guide can also be applied to the nmis user, changing the nmis9d service so that it executes and owns all of its processes rather than having the root process own the nmis workers.

This can be done concurrently with, independently of, or after following the above guide to harden the omk modules and the rest of the NMIS suite.

This has been tested on Ubuntu 20.04 and RHEL 8.8 installations running the default service files and directory settings for the nmis and omk modules from their respective installers. You will need to change some commands in the above script and steps to their RHEL/CentOS counterparts.


SYSTEMCTL Service File changes for NMIS

# nmis9d.service: run the daemon as nmis:nmis and move its runtime/PID files
# to /var/run/nmis9, which the unit creates itself (as root, before start).
nmis_unit=/etc/systemd/system/nmis9d.service
# no /g: only the first /var/run on each line is rewritten, as in the original guide
sudo sed -i 's/\/var\/run/\/var\/run\/nmis9/' "${nmis_unit}"
# insert after [Service]: PermissionsStartOnly plus the ExecStartPre steps that
# mkdir /var/run/nmis9, chown it to nmis and set mode 3700
sudo sed -i 's/\[Service\]/\[Service\]\nPermissionsStartOnly\=true\nExecStartPre\=\/bin\/sh \-c \"mkdir \-p \/var\/run\/nmis9\/\"\nExecStartPre\=\/bin\/sh \-c \"chown nmis\.nmis \/var\/run\/nmis9\/\"\nExecStartPre\=\/bin\/sh \-c \"chmod 3700 \/var\/run\/nmis9\/\"/g' "${nmis_unit}"
# point PIDFile at the new runtime directory
sudo sed -i 's/PIDFile=\/usr\/local\/nmis9\/var\/nmis_system\/nmisd.pid/PIDFile=\/var\/run\/nmis9\/nmis9d.pid/' "${nmis_unit}"
# GNU sed 'a' text: \n is expanded, giving separate User= and Group= lines
sudo sed -i '/\[Service\]/a User=nmis\nGroup=nmis' "${nmis_unit}"
