MCSS Compliance Notes: Debian
The Ohio State University requires all devices connecting to university network resources to be compliant with the Minimum Computer Security Standard (MCSS) document, which can be found at:
http://buckeyesecure.osu.edu/Policy/MCSS
The MCSS consists of four components:
1. The device must be guarded by an up-to-date and active firewall set to protect it from unauthorized network traffic.
2. Current operating system and application software with current security patches must be installed.
3. The device must be protected against malicious or undesired software such as viruses, spyware, or adware.
4. Access to the device must require appropriate authentication controls such as account identifiers and robust passwords.
There are other important aspects of the MCSS policy, so it is important to read the whole document. The CSE computing staff officially supports the Red Hat Enterprise Linux distribution, but these notes can be used with Debian to become MCSS compliant, provided that:
· All the commands execute correctly on any specific installation of Debian.
· All of the steps in this document are followed exactly.
Any deviations from these steps or changes to how the installed software works need to be discussed with CSE staff members before a device can be certified as MCSS compliant. Any attempt to circumvent MCSS compliance checks will result in disconnection from the CSE network until the device in question can be brought back into compliance.
These notes and the associated software included have been tested with the latest Debian 4.0r2 release using the network install (netinst) ISO and performing a basic installation with the Gnome Desktop. The examples here mention Gnome menu paths, but the same utilities should be seen in similar KDE menus that might have slightly different paths. If there are any questions, please ask CSE computing staff for assistance.
All the commands prefixed with “sudo” in this document assume that an entry like the following was added to /etc/sudoers using “visudo”:
<username> ALL=(ALL) ALL
Substitute “<username>” with the normal user account name used when interacting with the system; otherwise, run the commands as root without “sudo”. If the initial installation was done from a CDROM, it will be necessary to remove the CDROM entries from the APT sources list. This can be done by commenting out the lines that start with “deb cdrom:” in the /etc/apt/sources.list file (prefix them with the “#” character), but the easiest way to remove the CDROM sources is to use the Desktop --> Administration --> Software Properties Gnome menu and click on the “Installation Media” tab. Below is a screenshot of this tab with the CDROM sources removed after unchecking the entry that was present:
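The command-line form of the sources.list edit described above, as an added shell example that is not part of the original CSE notes. It comments out every line beginning with “deb cdrom:” and keeps a .bak copy of the original; the sample sources.list it builds is constructed for the demonstration (the cdrom line mimics the form the netinst installer writes, the mirror lines are illustrative), and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the CSE notes: comment out "deb cdrom:" entries in an
# APT sources list so apt-get stops asking for the installation disc.

# Comment out lines that begin with "deb cdrom:" in the file given as $1.
# A copy of the original is kept as "$1.bak" (no GNU-only "sed -i" needed).
disable_cdrom_sources() {
    list="$1"
    cp "$list" "$list.bak"
    sed 's/^deb cdrom:/#deb cdrom:/' "$list.bak" > "$list"
}

# Print the number of still-active (uncommented) cdrom entries in file $1.
count_cdrom_sources() {
    grep -c '^deb cdrom:' "$1" || true
}

# Constructed sample sources.list written to a temp file; prints its path.
make_sample_sources() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
deb cdrom:[Debian GNU/Linux 4.0 r2 _Etch_ - Official i386 NETINST Binary-1]/ etch contrib main
deb http://ftp.us.debian.org/debian/ etch main contrib
deb http://security.debian.org/ etch/updates main contrib
EOF
    printf '%s\n' "$f"
}

# Demo on the constructed sample: the cdrom line comes back prefixed with "#".
sample=$(make_sample_sources)
disable_cdrom_sources "$sample"
cat "$sample"
```

On a real system the function would be run as root against /etc/apt/sources.list, followed by “sudo apt-get update” so the package index no longer references the disc.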

Whether installing from scratch or working with an already installed device, first run the following commands:
sudo apt-get clean
sudo apt-get update
sudo apt-get -y --purge dist-upgrade
This will clean the cache, resynchronize the package index files, and update the system software before moving on to the MCSS-specific configuration steps. If there are a large number of package updates, it is advisable to reboot the device. It might be necessary to answer some prompts during the dist-upgrade.
Some of the package installs in the sections below may not be necessary. It won’t cause a problem to run the install commands anyway, but it is possible to check first whether a package is already installed with the “dpkg -s <package_name>” command.
Sometimes software updates can cause currently running applications to behave strangely. Firefox and Thunderbird experience this quite frequently when updated. This can be solved by restarting the applications or logging out and logging in again.
Install the following packages:
sudo apt-get -y install firestarter
sudo apt-get -y install openssh-server
If you have already configured firewall rules, firestarter is not strictly required, but read this section anyway for informational purposes. The openssh-server package, opening the SSH port, and enabling ping (enabled by default with firestarter) are required, however.
Next configure the firewall:
sudo firestarter
The following screenshots show the proper settings to start with. Running firestarter for the first time brings up the firewall configuration wizard:

Click on the “Forward” button to move to the “Network device setup” screen where you choose the network device used to connect to the Internet. Make sure to choose the Ethernet device that is connected to the CSE network and leave the other options unchecked as shown below:

Click the “Forward” button to move to the “Internet connection sharing setup” screen. Do not enable Internet connection sharing; leave the screen exactly as shown below:

Click the “Forward” button to move on to the “Ready to start your firewall” screen. Make sure “Start firewall now” is checked and click the “Save” button.

Once the settings are saved, the normal firestarter GUI will open. The firestarter GUI can be used to check firewall status, check firewall events, and set policy. The only thing that should be done without prior approval is setting some policy exceptions. By default, the firewall policy will be restrictive with inbound network traffic and unrestrictive with outbound traffic. It is acceptable to open individual ports or port ranges for specific applications. More complicated requirements need to be discussed with CSE computing staff to ensure the firewall MCSS requirement is still met, but it should be possible to configure the firewall as necessary to accomplish any research need. The main GUI interface is shown below:

This example will show how to add a port exception for SSH. The MCSS policy requires that CSE computing staff are able to access machines to check their compliance, therefore a port exception for remote SSH access is required.
Adding a policy exception can be done by clicking on the “Policy” tab in the main GUI interface as shown below:

With “Inbound traffic policy” selected for the “Editing” label, click in the white box area at the bottom under the “Allow service | Port | For” heading. Once the white box is highlighted, click the “Add Rule” button at the top of the main GUI interface. This brings up the “Add new inbound rule” dialog box as shown below:

Common services listed in /etc/services are available from the “Name” drop-down box. Here SSH was selected, which fills in the “Port” textbox with the SSH port number 22. Once this is done, click the “Add” button. Once the rule is added, the main GUI will display the new rule as shown below:

Once all desired exceptions are added, click the “Apply Policy” button. When finished, click the “Firewall” menu option, then click “Quit”. The firestarter application can be run from the command line as in this example, or it can be run from the Applications --> System Tools --> Firestarter Gnome menu selection.
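The firewall section above sets up three properties through the firestarter GUI: inbound traffic is dropped by default, SSH (tcp/22) is allowed in, and ping is answered. Firestarter implements its policy as iptables rules, so a defender can confirm those properties from a saved ruleset rather than from the GUI. The following is an added shell example that is not part of the CSE notes or the debian-mcss package: it checks a file in “iptables-save” format for those three properties and prints a result line in the style of the mcss check. The two rule dumps it builds are constructed and simplified (a real firestarter ruleset uses its own chains, which the patterns also accept); the function names and the “Firewall: pass/fail” wording are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the CSE notes or the debian-mcss package: verify a
# saved iptables ruleset for inbound-DROP policy, SSH allowed, and ping allowed.
# On a live system: sudo iptables-save > /tmp/rules.txt; firewall_check /tmp/rules.txt

# 0 if the filter table's INPUT chain defaults to DROP.
has_drop_input_policy() {
    grep -q '^:INPUT DROP' "$1"
}

# 0 if some rule in any chain accepts inbound TCP to port $2.
allows_inbound_tcp_port() {
    grep -E -- "^-A .* -p tcp .*--dport $2( .*)? -j ACCEPT\$" "$1" >/dev/null
}

# 0 if ICMP echo-request (type 8) is accepted, i.e. the machine answers ping.
allows_ping() {
    grep -E -- '^-A .* -p icmp .*--icmp-type (8|echo-request)( .*)? -j ACCEPT$' "$1" >/dev/null
}

# Print "Firewall: pass" only when all three properties hold, else "Firewall: fail".
firewall_check() {
    status=pass
    has_drop_input_policy "$1"      || status=fail
    allows_inbound_tcp_port "$1" 22 || status=fail
    allows_ping "$1"                || status=fail
    printf 'Firewall: %s\n' "$status"
}

# Constructed iptables-save dumps: "good" has all three properties, anything
# else yields an open INPUT policy with no SSH or ping rule. Prints the file path.
make_sample_dump() {
    f=$(mktemp)
    if [ "$1" = good ]; then
        cat > "$f" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 10/s -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
EOF
    else
        cat > "$f" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
COMMIT
EOF
    fi
    printf '%s\n' "$f"
}

# Demo on the constructed "good" dump: prints "Firewall: pass".
firewall_check "$(make_sample_dump good)"
```

Additional port exceptions added through the “Policy” tab show up in the same dump as further ACCEPT rules, so the same check can be run with a different port number after each policy change to confirm the rule actually took effect.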
If the Gnome desktop is installed, the Desktop --> Administration --> Software Properties Gnome menu item will show the default software update settings when clicking on the “Internet Updates” tab as shown below:

These settings should be left at their defaults or changed to match the above settings. If prompted for updates or notified by the MCSS check script (more in the next section), install the updates to ensure that your system is secure. If a reboot is necessary, do so as soon as possible.
Install the following packages:
sudo apt-get -y install clamav
sudo apt-get -y install clamav-docs
In the future it might be necessary to use a CSE created package to keep the anti-malware software up-to-date. For now, the vendor supported anti-malware software will be utilized to meet MCSS compliance.
Install the following package:
sudo apt-get -y install libpam-cracklib
This should be fine by default, but do not do any of the following:
· Create an account with no password.
· Create an account with a weak password:
o Username: guest / Password: guest
o See “man passwd” for more information.
· Configure the graphical login screen to automatically login any account.
· Use the root account as a regular login account, instead make a normal user account for general use (this is the default anyway).
The CSE computing staff are required to make MCSS compliance automated and auditable. The following additional steps are necessary to meet that requirement and are therefore required as well. Any changes or problems must be discussed with CSE computing staff before proceeding with MCSS certification. The first step is to download the debian-mcss-1.1.tar.gz package containing the necessary programs and configuration files:
http://www.cse.ohio-state.edu/~rowland/mcss/debian-mcss-1.1.tar.gz
Save this file to your normal user account’s home directory. If your home directory is mounted over NFS or a networked filesystem, do these steps in /tmp instead because root can’t normally access files over NFS or a networked filesystem mount, and that will cause problems. Once downloaded, extract the contents and move into the source directory with the following commands:
tar -vxzf debian-mcss-1.1.tar.gz
cd debian-mcss-1.1
Once in the debian-mcss-1.1 directory, run the installation script:
sudo ./install.sh
If the machine is a server that does not usually have a single user logged into it, run the following installation command instead:
sudo ./install.sh -s
The “-s” argument is only for servers. Do not use the server install argument on a desktop system.
The MCSS installation script does the following:
· Creates /root/mcss installation directory structure.
· Installs MCSS software.
· Sets up log rotation for /var/log/mcss.log and /var/log/anti-malware.log.
· Updates the PAM configuration to meet the MCSS appropriate authentication controls requirement.
· Schedules the anti-malware command to run at 4:30am every day.
· Schedules the mcss check command to run every 6 hours.
The anti-malware script runs the ClamAV software every day at 4:30am. The anti-malware configuration simply detects malware. It doesn’t modify, move, or copy suspected malware files. It is possible to get a false positive. It is also possible to put the paths to files and directories in the /root/mcss/malware-exclude file. Files and directories listed in that file will not be scanned, and there are notes in that file that explain this in more detail. If there is a false positive, put the full path to the file in /root/mcss/malware-exclude. Don’t simply put blanket directory exclusions for the parent directory unless there is a specific reason to do so. One example of when a full directory exclusion is appropriate is the case where a directory contains tar archives that are absolutely known not to be malware. If unsure, please ask in advance. In addition, there are some default exclusions that should remain in the file. It is important to check this file for the last two sections concerning the /home directory and any other network filesystem mounts.
It is important that network filesystem mounts are excluded from scanning as this will generate unnecessary network traffic. If /home is mounted over NFS, its entry should be uncommented. Additionally, any other network filesystem mounts should be added at the bottom of the /root/mcss/malware-exclude file using the full path to the mount point with no trailing slash. See the comments in the /root/mcss/malware-exclude file for more details. Do not forget this step!
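The two paragraphs above describe the exclusion list in terms of full paths: a file path for a false positive, a directory path (no trailing slash) for a network mount. The following added shell example, which is not part of the debian-mcss package and does not show that package’s own anti-malware script, turns such a list into clamscan arguments. It assumes the list holds one absolute path per line with “#” comments (the real /root/mcss/malware-exclude format is documented only in the file itself), uses clamscan’s real --exclude-dir and --exclude options, which take regular expressions matched against the full path, and escapes and anchors each path so “/home” cannot also match “/home2”. The sample tree and exclude file are constructed; the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the debian-mcss package: build clamscan exclusion
# arguments from a malware-exclude style list. Directories become anchored
# --exclude-dir regexes (clamscan then does not descend into them); files
# become exact --exclude regexes.

# Escape ERE metacharacters so a literal path is safe to use as a clamscan regex.
regex_escape() {
    printf '%s' "$1" | sed 's/[][\\.*+?(){}|^$]/\\&/g'
}

# Print one clamscan argument per line for each path listed in exclude file $1.
# A path that does not exist at run time is treated as a file, so a network
# mount must be mounted before this runs for it to become a directory exclusion.
clamscan_exclude_args() {
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac   # skip blank and comment lines
        esc=$(regex_escape "$line")
        if [ -d "$line" ]; then
            printf '%s\n' "--exclude-dir=^$esc(/|\$)"
        else
            printf '%s\n' "--exclude=^$esc\$"
        fi
    done < "$1"
}

# Constructed sample: a temp tree with a pretend NFS-mounted "home" directory
# and one known-clean archive that caused a false positive. Prints the exclude
# file path; the exclude file format itself is an assumption of this example.
make_sample_exclude() {
    base=$(mktemp -d)
    mkdir -p "$base/home" "$base/data/archives"
    : > "$base/data/archives/old-backup.tar"
    cat > "$base/malware-exclude" <<EOF
# Network filesystem mounts (full path, no trailing slash)
$base/home
# False positive: archive known to be clean
$base/data/archives/old-backup.tar
EOF
    printf '%s\n' "$base/malware-exclude"
}

# Demo: show the arguments that would be appended to a recursive clamscan run.
clamscan_exclude_args "$(make_sample_exclude)"
```

For paths without whitespace the output can be passed straight to the scanner, for example by piping it to “xargs clamscan -r /”; the anchored form means the archive above is skipped by exact path while everything else under data/archives is still scanned.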
In the case of malware detection or an MCSS compliance check failure, a warning message is sent to all logged-in users with “wall” and added to /etc/bash.bashrc so that it will be seen on login. In addition, if an MCSS compliance failure is not fixed within seven days, the system will schedule a halt every time the MCSS compliance check fails thereafter. Once the problem is fixed and the MCSS compliance check passes again, the warning message and the halt countdown are removed. The server install option disables the notification and halt countdown, but those systems will be monitored more closely to ensure MCSS compliance.
After the installation, run the mcss check script interactively to make sure that it works and sees the previous configuration steps as making the system MCSS compliant:
sudo ./mcss -i
MCSS Check: Sun Jan 13 23:04:05 EST 2008
Firewall: pass
Software: pass
Malware: pass
Authentication: pass
If the command shows anything other than the output above (apart from the date), there is either a problem with MCSS compliance or the software needs a bug fix. In that case, run the uninstallation script:
sudo /root/mcss/uninstall.sh
and contact CSE computing staff so that the problem can be investigated. If the installation was successful and there were no error messages or failures when testing as noted above, the source files for the MCSS software can be removed. Do not remove the installed files in /root/mcss.
All research machines are required to have a CSE staff account with full sudo access. Once all of the steps in this document have been followed, contact the CSE computing staff by sending a help request to help@cse.ohio-state.edu indicating that you need to have your Debian system certified for MCSS compliance. Someone will come to your machine, verify that everything is working, set up a CSE computing staff access account with full sudo access, and certify the system as MCSS compliant.