CCSS Compliance Notes: Red Hat Enterprise Linux 5 Server/Workstation
All the commands prefixed with sudo in this document assume that an entry like the following was added to /etc/sudoers using visudo:
%wheel ALL=(ALL) ALL
Add users that should have sudo access to the wheel group. Commands may also be run as root without sudo.
Register with the CSE Red Hat proxy server
An RHEL5 system installed from CSE provided media may be in any of three registration states:
- Installed, but not registered.
- Installed and registered, but with an out-of-date CSE SSL proxy certificate.
- Installed with current functioning registration.
Registration can be tested by attempting to run
sudo yum check-update
This command normally displays a (possibly empty) list of available updates. If any error messages or configuration prompts are displayed, exit any prompts with CTRL-C, download the current activation setup files and use the following commands to set up the system:
tar -vxzf activation-rhel5.tar.gz
cd activation-rhel5
sudo ./install.sh
The install.sh script updates the system configuration and ensures the proper SSL certificate is installed. This script may be run on an RHEL5 system in any registration state, including properly configured systems. The install.sh script prints out further instructions on completing the registration process, including:
- Contacting CSE computing staff to acquire the proper activation key.
- Activating the system with the activation key.
Activating the system is only necessary if it has not already been activated. Testing with yum check-update is suggested to confirm successful setup. If there are any questions about Red Hat Network CSE proxy server registration, please contact a CSE Computing Staff member for assistance.
Once the system has been registered and activated, install all current updates with the command
sudo yum update
If the yum process displays an error message indicating that it cannot download a required file, wait a few minutes and run the command again. Once all updates have been installed, reboot the device.
Alternatively, the update notification icon may be used to verify the update status of the system. The update notification icon is a brown box that is displayed in the upper right hand corner of the screen when updates are available.
Clicking on this icon will bring up a dialog box that will prompt you to download and install updates.
Some software updates may cause currently running applications to behave strangely, Firefox and Thunderbird in particular. Restarting the application or logging out and back in typically corrects the problem.
RHEL5 systems come with a firewall already installed. The firewall settings can be verified by navigating to System ⇒ Administration ⇒ Security Level, which opens the Security Level dialog.
The CCSS requires that CSE computing staff be able to verify device compliance at any time; therefore, the SSH port must be open. CSE computing staff should also be able to ping the device; this is enabled by default. The following settings are the minimum required:
- Firewall is enabled.
- SSH is a trusted service.
More ports or port ranges may be opened up for research purposes as required, but the firewall should be configured to block incoming connections that aren't on the list of approved exceptions. Other requirements may be necessary for different configurations, and should be discussed with a CSE computing staff member to ensure they meet CCSS guidelines.
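The two minimum settings (firewall enabled with a default deny, SSH trusted) can also be checked from a shell. The following is an added example, not part of the CCSS software: it reads rules in iptables-save format and reports whether inbound SSH is accepted and whether the INPUT path ends in an unconditional REJECT or DROP. The sample rules are constructed to resemble what the Security Level tool writes, and the function names are hypothetical.

```sh
#!/bin/sh
# Added example (not part of the CCSS software): audit rules in
# iptables-save format. On a live system, as root: iptables-save | fw_audit

# Constructed sample resembling the rule set the Security Level tool writes.
sample_rules() {
cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Reads iptables-save text on stdin and prints one line per check.
# Limits: only the filter table INPUT path is considered, and only a
# single unconditional jump from INPUT to a user chain is followed.
fw_audit() {
    awk '
    /^\*/ { t = $0 }  t != "*filter" { next }   # skip other tables
    /^:INPUT DROP/ { deny = 1 }                 # chain policy already denies
    /^-A / {
        chain = $2
        if ($0 ~ / -p tcp / && $0 ~ / --dport 22 / && $0 ~ / -j ACCEPT( |$)/)
            ssh = 1
        # Unconditional rules have the target right after the chain name.
        uncond = ($3 == "-j")
        last_denies[chain] = (uncond && ($4 == "REJECT" || $4 == "DROP"))
        if (chain == "INPUT" && uncond && $4 !~ /^(ACCEPT|REJECT|DROP)$/)
            jump = $4
    }
    END {
        if (last_denies["INPUT"] || (jump != "" && last_denies[jump])) deny = 1
        print "ssh_allowed=" (ssh ? "yes" : "no")
        print "default_deny=" (deny ? "yes" : "no")
    }'
}

sample_rules | fw_audit
```

A result of default_deny=no means connections that match no exception are still accepted, even if the firewall service is running.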
Current Operating System & Software
RHEL5 systems that are registered with the CSE Red Hat Network proxy server will run the update notification icon by default. Additional settings will be maintained on the Red Hat Network proxy server to automatically install security updates for most systems, with exceptions made as necessary by the CSE computing staff. Updates should be installed as soon as possible upon notification by the update icon, or as a result of the CCSS check script failure. This includes any kernel updates.
First, determine your device's architecture by running uname -m. 64-bit systems will have x86_64 in the output of uname -m, 32-bit systems will not. Then download the most recent version of the appropriate set of RPMs from http://pkgs.repoforge.org/clamav. You will need three RPMs to install ClamAV; the filenames use the following format:
If there are no other RPMs in the same directory, install all 3 RPMs with the command sudo rpm -ivh *.rpm. Otherwise, all three filenames will need to be specified on the command line. Other RPMs may be required; if there is an error to this effect during installation, the necessary packages may be installed with the command sudo yum install <package needed>.
Once ClamAV is installed, the test files that come with the RPM will need to be manually deleted with the command sudo rm -r /usr/share/doc/clamav-<version>/test.
In the future, it may be necessary to use a CSE created package to keep the anti-malware software up-to-date. For now, the third party anti-malware software will be used for CCSS compliance.
Red Hat's default authentication controls should be appropriate for CCSS compliance; however, users are not permitted to do any of the following:
- Create an account with no password.
- Create an account with a weak password (dictionary words, account name, guest/guest, etc.). See man passwd for more information.
- Configure the graphical login screen to automatically login any account.
- Use the root account as a regular login account. Normal user accounts should be used for general use.
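Two of the prohibited conditions in this list, accounts with no password and automatic graphical login, can be checked directly from configuration files. The following is an added example, not part of the CCSS software: the function names and sample data are constructed, and it assumes GDM is the login manager with its settings in /etc/gdm/custom.conf.

```sh
#!/bin/sh
# Added example (not part of the CCSS software).
# On a live system, as root:
#   empty_password_accounts < /etc/shadow
#   gdm_autologin < /etc/gdm/custom.conf   (assumed GDM config location)

# Constructed sample data; these are not real accounts or hashes.
sample_shadow() {
cat <<'EOF'
root:$1$constructed$hashvalue:13891:0:99999:7:::
bin:*:13891:0:99999:7:::
alice:$1$constructed$hashvalue:13891:0:99999:7:::
guest::13891:0:99999:7:::
locked:!!:13891:0:99999:7:::
EOF
}

sample_gdm_conf() {
cat <<'EOF'
[daemon]
AutomaticLoginEnable=true
AutomaticLogin=guest
[security]
EOF
}

# Print every account whose password field (second field) is empty.
# "*" and "!!" mean the account cannot log in with a password at all.
empty_password_accounts() {
    awk -F: 'NF >= 2 && $2 == "" { print $1 }'
}

# Print "enabled" if the [daemon] section turns on automatic or timed login.
gdm_autologin() {
    awk -F= '
    /^\[/ { section = $0 }
    section == "[daemon]" && ($1 == "AutomaticLoginEnable" || $1 == "TimedLoginEnable") && tolower($2) == "true" { on = 1 }
    END { print (on ? "enabled" : "disabled") }'
}

echo "empty password: $(sample_shadow | empty_password_accounts)"
echo "graphical autologin: $(sample_gdm_conf | gdm_autologin)"
```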
Install CCSS Software (REQUIRED)
Download the necessary programs and configuration files here. Save the file to your home directory. If your home directory is mounted over NFS or another networked file system, save the file in /tmp instead. Extract the necessary files and run the install script as follows:
tar -vxzf rhel5-mcss-1.1.tar.gz
cd rhel5-mcss-1.1
sudo ./install.sh
If the device is a server and normal user accounts don't usually log in, use the command sudo ./install.sh -s instead. The -s option is only for servers. Do not use the server install argument on a desktop system.
The CCSS script does the following:
- Creates a /root/mcss installation directory structure.
- Installs the CCSS software.
- Configures log rotation for /var/log/mcss.log and /var/log/anti-malware.log.
- Updates the PAM configuration to be compliant with the CCSS appropriate authentication controls requirement.
- Schedules the anti-malware scan (ClamAV) to run at 4:30AM every day.
- Schedules the CCSS check command to run every 6 hours.
The anti-malware scan (ClamAV) only detects malware; it does not modify, move or copy suspected malware files. Files and directories may be excluded from the anti-malware scan (e.g. in the case of a false positive) by including their paths in the /root/mcss/malware-exclude file; see the notes in that file for further details. Particular attention should be paid to the last two sections concerning the /home directory and any network file system mounts. Scanning network file system mounts will generate unnecessary network traffic. If /home is mounted over NFS, its entry should be uncommented. Any other network file system mounts should be added to the end of the /root/mcss/malware-exclude file. Use the full path to the mount point with no trailing slash.
In the case of false positives, the path to the specific file should be included in /root/mcss/malware-exclude, not a blanket exception for the parent directory. Blanket directory exceptions should only be made for specific reasons, such as a directory containing tar archives that are known to be clean. If you aren't sure if an exclusion is appropriate, please contact the CSE computing staff in advance.
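The exclusion rules described here (full paths, no trailing slash, every network mount listed) can be linted before the next scheduled scan. The following is an added example, not part of the CCSS software: it assumes the exclude file holds one path per line with "#" starting a comment, and the function names and sample data are constructed.

```sh
#!/bin/sh
# Added example (not part of the CCSS software).
# Assumed exclude file format: one path per line, "#" starts a comment.
# On a live system: exclude_lint /root/mcss/malware-exclude /proc/mounts

exclude_lint() {
    excl=$1; mounts=$2
    awk -v excl="$excl" '
    FILENAME == excl {
        sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "")
        if ($0 == "") next
        if ($0 !~ /^\//)       print "not-absolute: " $0
        else if ($0 ~ /.\/$/)  print "trailing-slash: " $0
        listed[$0] = 1
        next
    }
    # Mount table fields: device, mount point, file system type, options.
    $3 ~ /^(nfs|nfs4|cifs|smbfs)$/ && !($2 in listed) {
        print "network-mount-not-excluded: " $2
    }' "$excl" "$mounts"
}

# Constructed sample: /home is excluded correctly, /proj is not listed.
demo() {
    d=$(mktemp -d)
    cat > "$d/exclude" <<'EOF'
# constructed sample exclude list
/home
/srv/archive/
data/tmp
EOF
    cat > "$d/mounts" <<'EOF'
/dev/sda1 / ext3 rw 0 0
fs1:/export/home /home nfs rw,addr=192.0.2.10 0 0
fs1:/export/proj /proj nfs rw,addr=192.0.2.10 0 0
EOF
    exclude_lint "$d/exclude" "$d/mounts"
    rm -rf "$d"
}

demo
```

The check matches mount points exactly, so a network mount below an excluded directory is still reported until it is listed by its own full path.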
In case of malware detection or a CCSS compliance check failure, a warning message is written to all terminals with wall and added to /etc/bashrc to be displayed to all users on login. If the failure is not corrected within seven days, the system will schedule a halt every time the compliance check fails. Once the problem is corrected and the compliance check passes, the warning message and halt countdown will be removed. The server install option disables the notification and halt countdown; these systems will be closely monitored to ensure CCSS compliance.
Once the installation is complete, run the CCSS script interactively to verify proper install and device compliance:
sudo ./mcss -i
CCSS Check: Sun Jan 13 23:04:05 EST 2008
Firewall: pass
Software: pass
Malware: pass
Authentication: pass
If the output of the CCSS script displays any failure message, verify that you have correctly followed all the steps in this document. If the script still fails, run the uninstallation script with the command sudo /root/mcss/uninstall.sh and contact the CSE computing staff for further assistance.
The source files for the CCSS software may be removed after successful installation and interactive testing. Do not remove the installed files in /root/mcss.
CSE Staff Account
All research machines are required to have a CSE staff account with full sudo access. A staff member will create this account during CCSS compliance certification.
CCSS Compliance Certification
After all the steps in this document have been completed, send an e-mail to firstname.lastname@example.org to request a certification appointment. A staff member will arrange a time to meet with you and verify that your device meets CCSS compliance standards.