For hardening you should use the best practice in form of the Center for Internet Security (CIS) benchmarks. Each benchmark contains a number of single atomar tests that are well described and discussed in the CIS expert community. Before a benchmark is finally published it runs through a defined quality assurance process which is kind of a guarantee, that no essential aspects are overseen. In practice CIS benchmarks are often seen as to challenging, to expensive in terms of the amount of work for the system engineers. But exactly this effort makes environments more sustainable against new attack methods, new vulnerabilities and zero days which you can’t avoid if your business is visible in public. To access the CIS Assessor you need a CIS membership which is around 3.630$/year for a consultant.
You start in a management network. The CIS Assessor is the test driver. It needs access in some way to the test objects – your network components, your servers, your containers, your clients. You can and probably should have multiple Assessors for different purposes in large environments.
The Assessor is placed in the managment subnet, see figure 1. The management subnet is owned by the engineering department whereas the machine itself is owned by the security staff. The tests on linux images are done via ssh (port 22), the tests of windows is done via winrm over https (port 5986). The CIS Assessor is an independent java application and CIS provides the “dashboard” which is a separate Tomcat WebApp with a database. It is recommended to split the dashboard up in WebApp and database layer for security reasons. Here we have the WebServer (called cisdb as apache) -see figure 1 in 10.0.21.228- and the jump server -10.0.21.64- in the shared WebApp subnet and the Assessor with tomcat _and_ MySQL database on a single node. The reasoning for this design is that we do not expose the WebServer (cisdb) to the public and we can secure both standard components by themselves, by subnet ACLs and security groups, so this is “ok” for short. The Assessor is based on a t2.medium instance, which means 2 vCPUs, 8GB RAM. This is sufficient for doing the tests, one after the other. Nevertheless 8 GB RAM is a lower limit, as sometimes you will get OutOfMemory Exceptions when the Assessor pushes the test result to the dashboard (Tomcat WebApp).
The installation starts with java. Generally you should not try to use newer versions than mentioned in the docs -it will simply not work- for now you should use MySQL 5.7, java 1.8, Tomcat 8.
First update the image to the current patch level with
$ sudo yum update
next you install java:
$ sudo yum install java-1.8.0-openjdk.x86_64
which should give you:
Next step is to download the Assessor from the CIS Workbench. As the Assessor image has no public IP address you download it on the jump server and use your favorite scp to put it into /home/ec2-user on the Assessor image.
figure 5: downloaded CIS modules
This creates all the infrastructure, missing is still the license which you download from your CIS Workbench profile. Via the jump server you put it in the license folder.
Unzip the license there and then test it from the Assessor folder:
Now you can use it interactively, just to try out the set of options
$ /home/ec2-user/Assessor-CLI/Assessor-CLI.sh -i
which shows the huge amount of benchmarks (currently 88) which are available for automatic testing. But good to know, not all benchmarks are available.
The usual way is now to create configuration files to specify the tests. There is a friendly sample configuration file:
which we can adopt to a first Level 1 test of the local linux2 image and start with:
This takes a little time and should come to
As we see, the fresh Linux2 earned 57,89% of the possible points, there is room for improvement 🙂
Whenever there is a problem with tests we can use the log levels (Error) option -v up to (All) with -vvvvv. The log is as expected in the logs folder.
Part of the CIS offering is the dashboard. Installation requires the Tomcat and…
$ sudo amazon-linux-extras install epel -y
$ sudo wget https://dev.mysql.com/get/mysql57-community-release-el7-11.noarch.rpm
$ sudo yum localinstall mysql57-community-release-el7-11.noarch.rpm
$ sudo yum install mysql-community-server
Now we secure the MySQL installation
$ sudo mysql_secure_installation
This requires setting a new password and answering the questions below:
Then we create the tomcat database user for later usage:
$ mysql -h localhost -u root -p
mysql> create user 'tomcat'@'localhost' identified by 'ComplexPassword';
Query OK, 0 rows affected (0.00 sec)
mysql> CREATE DATABASE ccpd CHARACTER SET utf8 COLLATE utf8_general_ci;
Query OK, 1 row affected (0.00 sec)
mysql> GRANT ALL PRIVILEGES ON 'CCPD.*' TO 'tomcat'@'localhost' identified by 'AnotherComplexPassword';
The typical tomcat installation:
$ sudo groupadd tomcat
$ sudo useradd -M -s /bin/nologin -g tomcat -d /opt/tomcat tomcat
and install the latest tomcat 8 available..
$ wget https://mirror.ibcp.fr/pub/apache/tomcat/tomcat-8/v8.5.61/bin/apache- tomcat-8.5.61.tar.gz
$ sudo chmod -R g+r conf
$ sudo chmod g+x conf
$ sudo chown -R tomcat webapps/ work/ temp/ logs/
$ sudo systemctl daemon-reload
Create the service file
$ sudo vi /etc/systemd/system/tomcat.service
Description=Apache Tomcat Web Application Container
Environment='CATALINA_OPTS=-Xms512M -Xmx1024M -server -XX:+UseParallelGC'
ExecStop=/bin/kill -15 $MAINPID
and start the service:
To secure the access to the manager web app we edit the
$ sudo vi /opt/tomcat/conf/tomcat-users.xml
restrict access to the manager app further to the jump host
$ sudo vi /opt/tomcat/webapps/manager/META-INF/context.xml
sudo vi /opt/tomcat/webapps/host-manager/META-INF/context.xml
figure 15: limit access to the host manager
add some specific variables to the catalina startup file
$ sudo vi /opt/tomcat/bin/catalina.sh
and remove the sample webapps from tomcat standard installation
$ sudo rm -r /opt/tomcat/webapps/docs
$ sudo rm -r /opt/tomcat/webapps/examples
$ sudo mv CIS-CAT_Pro_Dashboard_v1.1.13-unix.zip /opt/tomcat/
finally we configure the tomcat connector in
to accept uploads with a bigger size as default to allow the Assessor to push the results to the dashboard.
<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" maxPostSize="35728640"/>
$ cd /opt/tomcat
$ sudo unzip CIS-CAT_Pro_Dashboard_v1.1.13-unix.zip
$ cd CIS-CAT_Pro_Dashboard_v1.1.13-unix/
$ sudo chmod 744 CIS-CAT_Pro_Dashboard_Installer.sh
and answer the questions of the installer:
$ sudo ./CIS-CAT_Pro_Dashboard_Installer.sh
After the installer is completed you may test the deployment of the CCPD WebApp
As we have the apache webserver in the shared subnet bound to the name cisdb (not shown here) we can direct the browser to https://cisdb.uneedsecurity.com to see the new blank Dashboard. We restrict this dashboard to the security department.
This is the base for all subsequent test efforts. The Assessor is installed in the management subnet. It performs the tests via ssh for linux systems and winrm for Windows systems. It will publish its benchmark-results to the Dashboard.