The Operating System Lock Down Solution for Linux

The Challenge: Meeting Organizational Security Requirements

Linux Operating System Security

Operating system (OS) security is a priority for System Administrators and most agree that it is not an easy process. It can be a time consuming and difficult process that varies from OS to OS. Security Blanket from Trusted Computer Solutions (TCS) is an easy-to-use, flexible tool that helps System Administrators securely configure Red Hat Enterprise Linux (RHEL), CentOS, and Oracle Enterprise Linux (OEL) versions 4 and 5 operating systems (a process known as system lock down or system hardening) while saving time, money, and frustration.

The Importance of System Lock Down

Research shows that System Administrators agree; staying ahead of the OS security game comes down to three sets of practices that really work: server hygiene, server patching, and access control. Server hygiene is directly related to hardening and standardizing servers using a security policy or guidelines, such as those defined by the Center for Internet Security (CIS), the SANS (SysAdmin, Audit, Network, Security) [1] Institute, and the Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs). In addition to adhering to policy, the server's security configuration must provide the desired up time and stability needed for applications and users. Locking down an OS to ensure security without reducing functionality for users and applications can be time consuming and expensive. As a result, security configuration is often overlooked so that installations and implementations can stay on schedule.

"Many of the vulnerabilities we identify are because the operating systems are not securely configured. Usually, vendors set their operating system configurations in the least secure manner in order to facilitate installation and implementation."
- Q&A: Federal Information Security Isn't Just About FISMA Compliance, Auditor Says, by Jaikumar Vijayan, ComputerWorld, June 14, 2007

The System Lock Down Dilemma

According to Forrester Research, only 45% of IT organizations secure all of their systems and 26% do not secure all of their Internet-facing servers. [2] Additionally, half of the Linux servers in use today are manually locked down, a process that is time consuming and prone to human error. As indicated in the table below, System Administrators are using a variety of costly, time consuming, and inadequate means to lock down their Linux servers.

Server Lock Down Methods

Method | Cost | Productivity | Ease-of-Use
Hire consulting | Expensive | Need to manage the process | Yes
Attend training | Expensive | Manual cross-reference to security policy or guidelines; prone to error; time consuming | No
Manual configuration | Time | Manual cross-reference to security policy or guidelines; prone to error; time consuming | No
Rely on complex lock down scripts | Time | Manual cross-reference to security policy or guidelines; time consuming | No
Open source lock down tools | Free | Partially meets guidelines; tracking updates required | No
Do nothing | Inexpensive | Ineffective and highly vulnerable | Yes

Table: Typical server lock down methods.

[1] http://www.sans.org/top20
[2] Forrester Research, State of Server Operating System Security 2007: Admins Patch an Average of Eight Days Late, June 2007

The Solution: Quick, Automated Lock Down with Security Blanket

An Intuitive Graphical User Interface Makes It Faster and Easier

Security Blanket is a software tool that automatically assesses and locks down your system. It also allows quick undo for actions that compromise system functionality. Security Blanket is easy to use with an intuitive graphical user interface, or a pure command line interface, enabling the System Administrator to perform security assessments and security configurations through scan, apply, and undo activities. Assessment and baseline reporting allow the System Administrator to capture a server's security state and compare an earlier baseline with the current security state, providing valuable compliancy information.

Below are scan results. The failures are related to Security Blanket modules, which comprise multiple guidelines. For example, one Security Blanket module might address four STIG guidelines and two CIS guidelines.

Scan Results (Complete)

Profile | Time (secs) | Pass | N/A [3] | Failed | Total
CIS | 41 | 31 | 15 | 62 | 108
DISA UNIX STIG | 43 | 52 | 24 | 89 | 165

Total Available Modules to Users: 173

Severity Breakdown of Failed Modules

Profile | Medium | High | Severe | Total
CIS | 39 | 15 | 8 | 62
DISA UNIX STIG | 59 | 17 | 13 | 89

These benchmark results were run on a RHEL5 OS installed out of the box, proving that ease of installation is a trade-off with security.

Security Blanket supports a compliancy model that includes both assessment and remediation. The product was designed to meet the challenge of giving System Administrators an automated tool that provides compliancy to the lock down guidelines defined by the DISA UNIX STIGs, CIS, and the SANS [4] Institute's Top 20 guidelines for ensuring certain configurations such as Linux, Apache, MySQL, and PHP (LAMP). Additionally, Security Blanket aids in providing required security controls to support Federal Information Security Management Act (FISMA) guidelines.

[Figure: Security Blanket workflow is flexible and easy to navigate.]

[3] The N/A notation refers to DISA UNIX STIG security requirements that cannot be addressed by a software solution. The Security Blanket User's Guide clearly documents the STIGs that cannot be addressed by this product and why they cannot be addressed.
[4] http://www.sans.org/top20

www.trustedcs.com/securityblanket

Best-of-Breed Industry Guidelines for Security

Security Blanket was designed to adhere to the industry's best-of-breed security lock down guidelines. Security Blanket has undergone evaluation and received certification by CIS for the Red Hat Enterprise Linux benchmark. Security Blanket provides full DISA UNIX STIG compliancy and contains a LAMP profile based on the SANS [5] Institute's defined risks associated with using PHP; the CIS Linux and MySQL benchmarks; and the DISA UNIX STIGs.

System Assessment

A System Administrator can choose a pre-defined profile that meets the security requirements of CIS, DISA UNIX STIGs, and SANS [5] guidelines, or can customize one of these profiles by selecting or deselecting modules. System Administrators can apply actions as an entire profile, a subset of a profile, or individual security modules. Administrators have a choice between a quick scan and a complete scan. The difference is that the complete scan includes file system scans. Performance for both scans is well within reasonable time expectations.

[Figure: The System Administrator can deselect any security module from the scan process.]

"Very interesting product. I utilize open source for a lot of Community Bank's Credit Unions - this tool will certainly help quickly harden the boxes before production use."
- TCS Security Blanket Client

[5] http://www.sans.org/top20

Remediation

The Assessment Report provides conformance indicators that show how the system matches up against the security guidelines in the profile. The Administrator can choose to correct all conformance issues or bypass certain corrections in meeting the needs of the particular system installation or security policy. Modules address specific security requirements found in industry guidelines. Online documentation includes cross-references from a specific requirement in an industry guideline to the applicable Security Blanket module.

[Figure: System Administrators can easily and quickly see how this server complied with the designated security modules.]

Security Blanket Benefits

- Easy to use assessment and remediation tool. Security Blanket offers an intuitive graphical user interface (or pure command line interface) to run system scans (assessments) and then automatically apply actions to configure the OS.
- Easy-to-manage security profiles. Security modules make up a security profile and the intuitive interface allows for loading and managing security profiles. Predefined security profiles are provided in the standard application. If your organization requires specific security policy guidelines, profiles can be customized by enabling modules, disabling modules, or changing module parameters. Clear and concise descriptions and tips are provided for every security module. Additionally, Security Blanket provides a cross-reference from each module to the guidelines it satisfies. This cross-reference can be invaluable when a System Administrator requires data for a security audit.
- Easy-to-manage actions for remediation. Security modules can be selected or deselected within a profile to manage what will be configured during remediation.
- Automatic lock down. The System Administrator can click Apply or execute the apply command to configure the OS with the chosen profile. Additionally, an automated undo capability can be selected for specific modules, or an entire profile, to return to the previous system state.
- Low price point. Security Blanket is priced on a single server license model with a low price point that enables IT shops with only a few Linux servers to take advantage of the product's functionality in an affordable way. IT shops with a larger number of Linux servers can contact TCS for quantity discounts.

Reporting and Logging

An Assessment Report provides pass, fail, and not applicable status for every module in the selected profile. The Assessment Report also indicates the severity level of the module's impact on the security state of the system. Detailed logging of scanning and system changes includes data such as each file's previous permissions and the permissions Security Blanket set when actions were applied.

Baseline reporting captures the state of the system at a point in time. The baseline reporting feature includes the ability to compare current system states to past states and identify changes in hardware, networks, files, and software. The Baseline Report functionality and content was designed to meet the DISA Field Security Office recommendation for routine confirmation of a system baseline. Reports are generated in XML format, allowing System Administrators to create customized reports.

[Figure: Baseline reporting allows for the comparison of the current system state.]

Security Blanket Operational Characteristics

Security Blanket is designed for minimal operational and hardware intrusion, and sensitivity to an administrator's needs when deploying new Linux OS distributions:

- A small disk footprint (<2MB) and lightweight memory usage.
- The only additional software required is the Python bindings to the XSLT system library for reporting.
- Supports Red Hat Enterprise Linux versions 4 and 5 and the open source counterparts, CentOS 4 and 5, as well as Oracle Enterprise Linux 4 and 5.
- Supports both 32 bit and 64 bit architectures.
- No outside connectivity is required.
- Administrator's choice of full GUI or pure command line interface.
- Runs only when initiated. It is not required for Security Blanket to be running all the time. Batch jobs can be run to periodically scan, report, and apply.
- Security Blanket User's Guide and module documentation are integrated with the Red Hat online help system. The documentation is also available in PDF format from the Security Blanket website.

About Trusted Computer Solutions, Inc.

Founded in 1994, Trusted Computer Solutions (TCS) provides commercial and government organizations with solutions for securely sharing and protecting critical information assets. TCS has deep experience in developing solutions to support the Linux community. The company's flagship commercial product, Security Blanket, provides Linux users with an automated software tool that allows users to easily lock down an installed Linux operating system and periodically check the system security. TCS has over thirteen years of experience in building security solutions that meet the most stringent security conformance requirements as mandated by the Federal government. TCS is headquartered in Herndon, VA, with offices in Urbana, IL and San Antonio, TX. For more information, visit www.trustedcs.com.

"Did a brief evaluation of your product and I liked what I saw. The description of the Modules, the ease of use of the tool - I just thought it was very good."
- TCS Security Blanket Client

TCS Corporate Office
2350 Corporate Park Drive, Suite 500
Herndon, VA 20171
1-866-230-1307

TCS Trusted Operating Systems Lab
2021 S. First St, Suite 207
Champaign, IL 61820
217.384.0028

TCS Texas Office
10010 San Pedro, Suite 220
San Antonio, TX 78216
210.340.3151

Security Blanket is a trademark of Trusted Computer Solutions, Inc. Linux is a registered trademark of Linus Torvalds. All other trademarks and registered trademarks are the property of their respective owners.

100249.0308