Information Security is an entire universe in itself and there is always new to learn every day. As I have made a promise with myself to document my learning, this article is a continuous effort towards that. In today’s article, I will go through the basics of server hardening and will try to establish a basic understanding of the core components of this concept.In the later part of this article,we will discuss about how you can automate the process of Server Hardening and create a pipeline which automatically scan,audit new operating system images,patch them , install necessarry logging systems and bake Golden AMIs.
Let’s start with the term “Hardening”, what exactly we mean by it, in generic terms, Hardening is something where we take the soft material/components and then made few changes in it in such a way that the end product of material/component is more stronger and more resistant to the damages. That’s exactly what server hardening is! In simple technical terms, we take a base/vanilla operating system/software/configuration component then make changes to its configurations in such a way that the end product is more resistant to the attacks and has better detection/mitigation capabilities in it.
Now equip the definition of hardening, let’s establish what exactly we are going to harden when we say server hardening. Server hardening in itself is a vague term, right?
A typical server hardening consists of below core components:
1. Patch Management.
2. Turning off unnecessary services.
3. Disabling unnecessary user accounts and setting password policies.
4. Configuring and installing the detection components.
5. Setting up pipelines to send logs generated by the system, IDS, AVs to a centralized location.
6. Defining the roles and responsibilities for security maintenance of servers.
Now as we have established the “What” part of the article,lets move to the second part which is “Why” it is necessary and why companies,governments pay close attention to Server Hardening?
As the “Why” part is pretty self-evident,to keep your interest in the article, let cut it to the short. The main idea of server hardening is to reduce the attack surface and fix the blind spots. Another reason why server hardening is important is that default is usually bad when we talk in terms of security, be it passwords, policies or accounts. Although with time, companies are improving it but let’s face it, a company will keep things in default as it defines their product’s features and reduces the usefulness. In short, a company’s primary focus is its product usability and features. Additionally, your requirement could be different from the other company due to the difference in the nature of business. For example,an e-commerce company may focus on protecting its Internet-facing web apps, while a hospital may focus on protecting confidential patient information.
But there is one thing common in every requirement i.e. the end goal. The end goal of any company to keep its applications and machines secure. All end goals boil down to the CIA in security.
Now, you might be wondering as my company requirements will be different from your company so I have to manually search, learn, test and develop basic hardening as per my needs. The answer to this is YES to some extent, but the good news is that there are a lot of NON-Profit organizations whose mission is to prepare, validate and promote best practice solutions for cyber defense.
Few of these NON-Profit organizations,we will discuss here in brief:
Center for Internet Security (CIS)
It is a Non-Profit organization that leverages the vast global community of IT professionals to develop, promote security best practices to safeguard the public and private establishments. They research the various operating system settings and then prepare a security baseline/standard for that piece of software which is known as CIS Benchmarks. There are two levels of CIS benchmarks i.e. Level 1 and Level 2. Level 1 is the set of essential security guidelines and Level 2 is for information systems that require a great level of security and are classified as sensitive.
DoD Cyber Exchange
The DoD Cyber Exchange is a US government initiative to offer tools, resources for government establishments as well as for the general public. The DoD Cyber Exchange is mainly known for Security Technical Implementation Guides commonly known as STIGS. The STIGs are similar to CIS benchmarks, where they recommend the security best practices in the XML format which can be consumed by many Open Source tools such as OpenSCAP and INSPEC.
We will use both of these later in this article to audit Windows Server 2016.
The mind map above will help you to navigate through this article in a more clear way.
Now, in this, we will work on the “How” part of the equation which is divided into 2 parts. Part one is where we will audit/scan a machine using OpenScap Tool or Chef’s Inspec using DoD STIG for Windows Server 2016. In the 2nd part, we will remediate the issues found. As manual remediation is tedious, we will be using some automation with the help of Powershell DSC for windows machine and OpenSCAP for Linux.
Auditing Systems/Machines using Open Source Tools:
OpenSCAP:
The OpenSCAP tool is based on the DoD Security Content Automation Protocol which in simple words automates the vulnerability, compliance requirements in an organization. It can also be used for risk management. SCAP Compliance Checker is available for the US Government and its related agencies only, it is not available for the general audience. OpenScap tool is an open-source extension to the SCAP compliance checker. OpenSCAP tools can be used for both scanning(checking for compliance ) as well as for fixing the gaps.
I will not be covering the OpenSCAP in detail as it is a huge topic in itself. I will try to provide the links at the end of this article for further reading and deep dive.
The OpenSCAP has three main tools under its umbrella i.e. OpenSCAP Base, SCAP Workbench and SSG(SCAP Security Guides). Think of OpenSCAP base as the scanner which scans a particular machine using SSGs. Don’t like the CLI version?? OpenSCAP has a GUI version of it which is known as SCAP Workbench. SCAP workbench combines the OpenSCAP and SSGs and provides a nice interface to scan the machines.
The key terms that you need to look for are:
XCCDF which are like checklists (think of a human having a CSV sheet, marking tick every time the test is passed). They are truly a set of document checklist. In technical terms, these are security guides in XML language which has a series of rules against which a machine/operating system is evaluated.
OVAL This is the next important term in OpenSCAP ecosystem which is declarative a query language, as we have mentioned earlier , an XCCDF formatted file consists of the checklists, a single line(instruction) in a checklist can be queried using OVAL. In simple words it is a medium using which a line in checklist queries the system and gets the response. An oval file is also provided as input to the OpenSCAP for scanning a machine.
CPE is a standard using which OpenSCAP comes to know about the packages related to a specific system. For example, there will be different CPE for RHEL, Ubuntu, Fedora and so on.
SSG is a SCAP Security Guide. Think of SSG as a system that takes input from various sources and then generates the output in many formats such as OVAL, XCCDF. SSG also generates the Bash Scripts and Ansible Playbooks for remediation purposes.
Data Stream is a collection of different types of documents and these documents are nothing but CPE, XCCDF, OVAL files which are interlinked with remediation bash scripts and ansible playbooks. As per the Ubuntu man page, there are 2 types of data streams, SDS(source data stream) and RDS(Result Data Stream) which is commonly known as ARF. The nomenclature around DS is pretty messy.
OpenSCAP walkthrough
We will be using auditing Microsoft Windows Server 2016 to explain the working of OpenSCAP. The first step is to install the OpenSCAP, I would recommend starting with scanning the localhost first,i.e. install OpenSCAP on the machine which you want to audit and then progress towards the remote auditing. However, if your setup doesn’t allow such an environment, then you can use the SCAP workbench to connect with the machine remotely.
While auditing a Linux system,I faced a problem where I need to login to Linux remotely but AWS Linux was not allowing setting up the password for high privilege account. After reading a few articles, I came to know that it is possible to add the SSH key in the ssh_config file for your hostname as below:
Host <hostname>
IdentityFile ~/Downloads/<key>.pemThe binary for windows can be found here. For other operating systems it is quite straight forward except Ubuntu. Assuming you have successfully installed OpenSCAP, follow the below steps:
-
Download the STIG for Microsoft Windows Server 2016 from DoD website using link
-
Run the following command:
oscap xccdf eval --results res.xml --oval-results --report C:\<path>\rep.html C:\<path where you have downloaded stig file>\U_MS_Windows_Server_2016_V1R12_STIG_SCAP_1-2_Benchmark.xml
- Running this command will generate the auditing results in xml as well as html format which can be easily viewed.
As you can see,running the OpenSCAP is not a big deal ,it is pretty simple and straightforward.
Inspec:
Inspec is another open source tool which can be used to scan a machine against the desired standards such as STIG,CIS benchmarks. Since it has pretty decent documentation,I will provide extra links to in the end to grasp it fully. The underlying idea remains the same,we provide STIG file as input to the tool and it will generate the output this time in JSON format. The installation part of Inspec is very easy. Continuing our previous example,we will run the inspec against the DoD Stig baseline. Run the below command and it will generate the results in JSON format.
inspec exec https://github.com/mitre/stig-microsoft-windows-server-2016-v1r4-baseline/archive/master.tar.gz --reporter cli json:win.json
I hope you might have got the fair idea about the Server Hardening by now.We will remediate the same Server using PowerShell DSC and we will also discuss how you can automate the entire process in next article. In the later part of that,I will provide some idea which you can adopt to your DevOps environment and bake the Golden AMIs.
I have tried my best to provide the correct information,please feel free to reach me in case you feel something is not right. Obviously all of the knowledge I presented here is over simplified versions of various blogs,official documents and videos present over the internet.All the credit goes to the original writers. My aim was to help a person who is just starting with Server Hardening or trying to create Golden AMIs. Think of this article as the starting point for the same.