How to Harden Airwave
How to Harden Airwave using Stigs script?
The 'stig.pl' script was defined as a function to harden the AirWave server. Script essentially implements the following:
- Disables the ability to SSH into the Airwave as 'root', requiring either direct-console access to shell only, or via a created linux local user account (if this is run over SSH, that access will be lost upon reboot, so make sure to create a local user before running. Otherwise, you will have to gain local console access to log in as root to create a local user). From 8.2.4 code default we have shell local user appadmin and root access is blocked.
- Creates a GRUB password that prevents the usual GRUB-based password recovery process, as well as makes it much more difficult to access via LiveCDs to make system changes (this means if you lose the GRUB password, recovery is MUCH more difficult and a complete rebuild will be likely)
- Disables FTP and TFTP (this means if you run the stig.pl, you will not be able to upgrade controllers or hardware using FTP or TFTP)
- Disables some preloaded troubleshooting tools (if these are required later, they will have to be added manually)
- File and folder permissions changes are made
- Password settings and requirements are changed
- Some non-essential services are disabled and/or removed
- Changes to some of the /etc hosts files that may need to be modified to enable more open access (if required)
To run the 'stig.pl' script, one should:
- Run stig.pl from the AirWave CLI as ampadmin (default username, if name is changed during upgrade/installation use that user)
AirWave Management Platform 126.96.36.199 on airwave.airwave-lab.com
1 Upload File
2 Download File
3 Delete File
10 Custom Commands
11 Enter Commands
q >> Quit
1 Reset Web admin Password
2 Change OS User Password
3 Add SSL Certificate
4 Add DTLS Certificates
5 Enable FIPS (requires reboot)
6 Show EngineID
7 Module Key
8 Apply STIGs
9 Set MaxAuthTries value for sshd
10 Make OCSP Optional
b >> Back
Your choice: 8
Running Apply STIGs
Only three consecutive invalid logon attempts by a user during a 15 minute time period. (APSCDV000530)...completed.
When a password is changed, the characters are changed in at least eight of the positions within the password (APSCDV001730)...completed.
Remove unneeded suid programs, and disable shells of application accounts (AW00001)...completed.
Do not use persistent cookies. (AW00002)...completed.
Remove amprecovery user. (AW00003)...completed.
Disabling tftpd service (AW00004)...Reloading configuration[ OK ]
Remove nullok from /etc/pam.d/system-auth (AW00005)...completed.
Setting MaxAuthTries to 3 in sshd_config (AW00006)... already applied.
Password requirements (AW00007)...
Please enter password for ampadmin:
Password must satisfy following criteria :-
1. Must have at least 15 characters.
2. Must have at least one upper case character.
3. Must have at least one lower case character.
4. Must have at least one digit.
5. Must have at least one special character.
6. Must not contain spaces.
Please Enter a new password:
Please verify password:
Password changed successfully..
Configure audit system to audit all attempts to alter system time through adjtimex. (AW00008)...sh: /bin/uname -i: No such file or directory
Stopping auditd: [ OK ]
Starting auditd: [ OK ]
Preventing a DOS by removing mod_proxy_ajp (CVE20100408)...completed.
Setting FAIL_DELAY to 4 in /etc/login.defs (GEN000480)...completed.
Password Changes No More Than Once A Day (GEN000540)...completed.
Password strength and length requirements (GEN000580, GEN000600, GEN000620, GEN000640)...completed.
Accounts will be Disabled After 35 Days of Inactivity (GEN000760)...completed.
Passwords Reuse Within Five Changes (GEN000800)...completed.
60-day password limit (GEN000820)...completed.
Root account home directory permissions (GEN000920)...completed.
Fix missing home directories (GEN001460)...mkdir /var/empty/visualrf
usermod: user visualrf is currently used by process 25818
Fixing permissions on home directories (GEN001480)...completed.
Fixing group permissions on home directories (GEN001520)...mkdir /var/empty/radiusd
Setting permissions on local init files (GEN001880)...completed.
Remove .rhost support from PAM (GEN002100)... already applied.
Changing default umasks (GEN002560)...completed.
Populate /etc/cron.allow and /etc/cron.deny (GEN002960)...completed.
Setting crontab permissions (GEN003080)...completed.
Set permissions on /etc/cron.allow and /etc/cron.deny (GEN003200)...completed.
Adding system users to at.deny (GEN003320)...completed.
Disabling core dumps (GEN003500)...completed.
xinetd permissions (GEN003740)...completed.
Removing tcpdump (GEN003865)...completed.
traceroute permissions (GEN004000)...completed.
Disable sendmail decode command (GEN004640)...completed.
Setting MIB file permissions (GEN005340)...completed.
syslog.conf permissions (GEN005400)...completed.
Remove unnecessary users shutdown/halt/sync (LNX00320)...completed.
Disable unnecessary accounts (operator news games gopher nfsnobody) (LNX00340)...completed.
/etc/security/access.conf permissions (LNX00440)...completed.
sysctl.conf permissions (LNX00520)...completed.
Disable ctrl-alt-del handling (LNX00580)...completed.
Securing Apache's PID file (WA00530)...completed.
Disable TRACE and TRACK for Apache (WA00550)...completed.
Remove symlinks in the DocRoot (WG360)...completed.
Hit enter to continue, 's' to show output, 'r' to show return code.
From next login to ampadmin CLI need to login using new password created during applying stig script
- This effectively makes any kind of OS-based troubleshooting impossible (MIB walks, tcpdumps, etc)
- After you apply STIGs you will no longer be able to use the amprecovery user account. so do not forget password.
- It cannot be converted back. If a customer wishes to go back, they will have to pull a nightly backup from the AMP's GUI, and re-build the server from scratch as if the server had failed completely. The standard restore processes apply here.
- Once the appliance is converted, the installation or update of the VMWare tools is not possible. As such, the use of external NTP is required to maintain time synchronization of the AMP with the rest of the network.