MCSS Compliance Notes: Fedora
The Ohio State University requires all devices connecting to university network resources to be compliant with the Minimum Computer Security Standard (MCSS) document, which can be found at:
http://buckeyesecure.osu.edu/Policy/MCSS
The MCSS consists of four components:
1. The device must be guarded by an up-to-date and active firewall set to protect it from unauthorized network traffic.
2. Current operating system and application software with current security patches must be installed.
3. The device must be protected against malicious or undesired software such as viruses, spyware, or adware.
4. Access to the device must require appropriate authentication controls such as account identifiers and robust passwords.
There are other important aspects of the MCSS policy, so it is important to read the full document. The CSE computing staff officially supports the Red Hat Enterprise Linux distribution, but these notes can be used to make a Fedora system MCSS compliant, provided that:
· All the commands execute correctly on any specific installation of Fedora.
· All of the steps in this document are followed exactly.
Any deviations from these steps, or changes to how the installed software works, need to be discussed with CSE staff members before a device can be certified as MCSS compliant. Any attempts to circumvent MCSS compliance checks will result in disconnection from the CSE network until the device in question can be brought back into compliance.
These notes and the associated software have been tested with Fedora 8 and the previous Fedora 7 release. This procedure might work on other Fedora versions, but it has not been tested. If you try it on another version and run into problems, contact CSE computing staff. A system running a release older than Fedora 7 should be updated anyway.
All the commands prefixed with “sudo” in this document assume that an entry like the following was added to /etc/sudoers using “visudo”:
<username> ALL=(ALL) ALL
Substitute “<username>” with the normal user account name used when interacting with the system; otherwise, run the commands as root without “sudo”.
Whether installing from scratch or working with an already installed device, first run the following command:
sudo yum update
This will update the system software before moving to the MCSS specific configuration steps. Answer yes to any prompts if required (there should be one to import the Fedora GPG key if updates have never been run before, and there are prompts to actually download and install the packages). If yum complains that it cannot download a required file, wait a few minutes and run the command again. If the update process indicates a reboot is required, reboot the device. Even if not prompted, it is advisable to reboot when there are a lot of updates. An alternative is to use the update notification icon at the top right of the screen, which shows up as a brown box as shown below:

If you find the update process painfully slow in Fedora, edit the following files:
/etc/yum.repos.d/fedora.repo
/etc/yum.repos.d/fedora-updates.repo
and uncomment the "baseurl=" lines and comment out the "mirrorlist=" lines directly below them.
Sometimes software updates can cause currently running applications to behave strangely. Firefox and Thunderbird experience this quite frequently when updated. This can be solved by restarting the applications or logging out and logging in again.
Fedora systems come with a firewall already installed. The firewall settings can be checked from the System --> Administration --> Firewall Gnome menu as shown below:

The MCSS policy requires that CSE computing staff be able to check device compliance at any time, so the SSH port must be open. It should already be enabled in the window shown above if you scroll down further (if it is not, enable it). The default settings above should be all right; SSH is the main requirement. We also need to be able to ping the machine (which is enabled by default). Do not enable any Masquerading settings.
It is acceptable to open up more ports or port ranges if required for research work, but the firewall should be operated in the default manner, where it blocks all incoming connections other than the configured exceptions. Other requirements might need different configurations. If so, discuss them with CSE computing staff to make sure the settings meet the MCSS firewall requirement.
The update notification icon mentioned in the first section should indicate when updates are required. If prompted for updates or notified by the MCSS check script (more in the next section), install the updates to ensure that your system is secure. If a reboot is necessary, do so as soon as possible.
It might be necessary to remove the install media repository before the update notification icon can be used to update the system properly. If an error happens when trying to use the update notification icon to update the system, there will be an option to edit the repository settings. Click this option and remove the install media from the repository list. It is probably the first entry. An example showing this already removed is shown below:

Install the following packages:
sudo yum install clamav
sudo yum install clamav-update
Once installed, perform the following additional steps:
· Edit /etc/sysconfig/freshclam and remove or comment out the last line.
· Edit /etc/freshclam.conf and remove or comment out the bare “Example” line near the beginning of the file.
· Run “sudo freshclam” one time by hand to get the initial ClamAV definitions update.
In the future it might be necessary to use a CSE created package to keep the anti-malware software up-to-date. For now, the vendor supported anti-malware software will be utilized to meet MCSS compliance.
This should be fine by default, but do not do any of the following:
· Create an account with no password.
· Create an account with a weak password:
o Username: guest / Password: guest
o See “man passwd” for more information.
· Configure the graphical login screen to automatically login any account.
· Use the root account as a regular login account. Instead, make a normal user account for general use (this is the default anyway).
The CSE computing staff are required to make MCSS compliance automated and auditable, so the following additional steps are required. Any changes or problems must be discussed with CSE computing staff before proceeding with MCSS certification. The first step is to download the fedora-mcss-1.1.tar.gz package containing the necessary programs and configuration files:
http://www.cse.ohio-state.edu/~rowland/mcss/fedora-mcss-1.1.tar.gz
Save this file to your normal user account’s home directory. If your home directory is mounted over NFS or a networked filesystem, do these steps in /tmp instead because root can’t normally access files over NFS or a networked filesystem mount, and that will cause problems. Once downloaded, extract the contents and move into the source directory with the following commands:
tar -vxzf fedora-mcss-1.1.tar.gz
cd fedora-mcss-1.1
Once in the fedora-mcss-1.1 directory, run the installation script:
sudo ./install.sh
If the machine is a server that does not usually have a single user logged into it, run the following installation command instead:
sudo ./install.sh -s
The “-s” argument is only for servers. Do not use the server install argument on a desktop system.
The MCSS installation script does the following:
· Creates /root/mcss installation directory structure.
· Installs MCSS software.
· Sets up log rotation for /var/log/mcss.log and /var/log/anti-malware.log.
· Updates the PAM configuration to meet the MCSS appropriate authentication controls requirement.
· Schedules the anti-malware command to run at 4:30am every day.
· Schedules the mcss check command to run every 6 hours.
The anti-malware script runs the ClamAV software every day at 4:30am. The anti-malware configuration simply detects malware. It doesn’t modify, move, or copy suspected malware files. It is possible to get a false positive. Paths to files and directories can be listed in the /root/mcss/malware-exclude file. Files and directories listed in that file will not be scanned, and there are notes in that file that explain this in more detail. If there is a false positive, put the full path to the file in /root/mcss/malware-exclude. Don’t simply put a blanket exclusion for the parent directory unless there is a specific reason to do so. One example of when a full directory exclusion is appropriate is the case where a directory contains tar archives generated for some reason and it is absolutely known that those aren’t malware. If unsure, please ask in advance. In addition, there are some default exclusions that should remain in the file. It is important to check the last two sections of this file, which concern the /home directory and any other network filesystem mounts.
It is important that network filesystem mounts are excluded from scanning as this will generate unnecessary network traffic. If /home is mounted over NFS, its entry should be uncommented. Additionally, any other network filesystem mounts should be added at the bottom of the /root/mcss/malware-exclude file using the full path to the mount point with no trailing slash. See the comments in the /root/mcss/malware-exclude file for more details. Do not forget this step!
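A check for the rule above, as an added example that is not part of the fedora-mcss package: it lists network filesystem mount points with no exactly matching entry in the exclude file, and entries that end in a slash. It assumes the exclude file holds one path per line with “#” comment lines; the filesystem type list is also an assumption.

```shell
#!/bin/sh
# Added example, not part of the MCSS package. Assumptions: the exclude file
# holds one absolute path per line, lines starting with '#' are comments, and
# the filesystem types listed in network_mounts cover the mounts in use.

# Mount points of network filesystems in a /proc/mounts-format file.
network_mounts() {
    awk '$3 ~ /^(nfs|nfs4|cifs|smbfs|afs|ncpfs)$/ { print $2 }' "$1" | sort -u
}

# Active exclude entries: trailing whitespace, comment lines and blank lines
# are dropped; trailing slashes are kept so they can be reported.
exclude_entries() {
    sed -e 's/[[:space:]]*$//' -e '/^[[:space:]]*#/d' -e '/^$/d' "$1"
}

# Network mount points with no exactly matching exclude entry.
missing_exclusions() {
    network_mounts "$1" | while IFS= read -r mp; do
        exclude_entries "$2" | grep -Fxq -- "$mp" || printf '%s\n' "$mp"
    done
}

# Entries that break the "no trailing slash" rule.
trailing_slash_entries() {
    exclude_entries "$1" | grep './$' || true
}

# Constructed sample input: /home is still commented out, /research/data has
# a trailing slash, /scratch is listed correctly.
write_sample() {
    cat > "$1/mounts" <<'EOF'
/dev/sda1 / ext3 rw 0 0
fs1.example.edu:/export/home /home nfs rw,hard,intr 0 0
fs2.example.edu:/data /research/data nfs4 rw 0 0
//smb.example.edu/scratch /scratch cifs rw 0 0
EOF
    printf '%s\n' '# /home' '/research/data/' '/scratch' > "$1/exclude"
}

if [ $# -eq 2 ]; then          # real files given on the command line
    missing_exclusions "$1" "$2"; trailing_slash_entries "$2"
else                           # no arguments: run on the constructed sample
    tmp=$(mktemp -d) && write_sample "$tmp"
    missing_exclusions "$tmp/mounts" "$tmp/exclude"; rm -rf "$tmp"
fi
```

To check a live system, save the block as a script and run it as root with /proc/mounts and /root/mcss/malware-exclude as its two arguments.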
In the case of malware detection or an MCSS compliance check failure, a warning message is walled to all users and added to /etc/bashrc so that it will be seen on login. In addition, if an MCSS compliance failure is not fixed within seven days, the system will schedule a halt every time the MCSS compliance check fails. Once the problem is fixed and the MCSS compliance check passes again, the warning message will be removed and the system will remove the halt countdown. The server install option disables the notification and halt countdown, but these systems will be monitored more closely to ensure MCSS compliance.
After the installation, run the mcss check script interactively to make sure that it works and sees the previous configuration steps as making the system MCSS compliant:
sudo ./mcss -i
MCSS Check: Sun Jan 13 23:04:05 EST 2008
Firewall: pass
Software: pass
Malware: pass
Authentication: pass
If the command shows anything other than the above output (except for the date being different), there is either a problem with MCSS compliance or the software needs a bug fix. In that case, run the uninstallation script:
sudo /root/mcss/uninstall.sh
and contact CSE computing staff so that the problem can be investigated. If the installation was successful and there were no error messages or failures when testing as noted above, the source files for the MCSS software can be removed. Do not remove the installed files in /root/mcss.
All research machines are required to have a CSE staff account with full sudo access. Once all of the steps in this document have been followed, contact the CSE computing staff by sending a help request to help@cse.ohio-state.edu indicating that you need to have your Fedora system certified for MCSS compliance. Someone will come to your machine and verify everything is working, set up a CSE computing staff access account with full sudo access, and certify the system as MCSS compliant.