Skip to end of banner
Go to start of banner

Linux Hardening Guide - Ubuntu/RHEL

Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 8 Next »

This guide steps through the changes to settings and filesystem privileges required to enhance the security on a standalone machine running NMIS9 Modules on Ubuntu Linux.

This guide has also been tested on RHEL8.8, the steps are exactly the same, and along with verification. The only difference is that you have to use service instead of systemctl on RHEL/Centos distributions.


This guide runs top to bottom as a sequence. It is important that this sequence is followed in order to prevent issues on restart.

Backups are highly recommended.

Preparation

The changes involved in this document include the use of recursive rights changes and recursive directory deletion as the "root" user.

The changes involved require the shutdown of all monitoring tasks and the cron daemon.

If this solution is critical to your environment ensure that an outage window is allocated. In the testing environment the required changes executed in less than 1 minute scripted however a manual implementation with cross-checking and cross-checking post change on a system with additional local customisation will take longer in the validation stage of the change.

This document was tested on an Ubuntu 20.04 installation running default service files and directory settings for nmis and omk modules from their respective installers.

DO NOT PROCEED WITHOUT BACKUPS

Tested Modules

Be aware that in the event the system is running any other applications/modules that require access to the file structures on the following list there is a very high probability that their rights will be blocked and the additional processes could fail to execute properly.

  • nmis9
  • opAddress
  • opAdmin
  • opCharts
  • opConfig
  • opEvents
  • opHA
  • opReports

System Snapshot/Backup

For System Snapshots and Backups you will need to refer to the documentation for your environment.

If the information on your system, or stability of the system is critical to your business it is important to retain a working backup. It is important that you have confirmed that you backups can be restored.

  • Full system backups, including Operating System and Data - Contact your IT department, Vendor Support, or Integrator
  • Virtual Machine Snapshots - Refer to the solution guides for your environment

User Setup

All commands in this document are run as the root user unless otherwise stated.

These steps will allow omkadmin as a user and as a group able to execute OMK scripts. To do this, we will follow the steps below:

If the omkadmin user does not exist it will have to be created. We will create the user in a manner that does not allow ssh access as this user will be acting as the "system" account.

adduser omkadmin --disabled-login

Example session output

root@server:~# adduser omkadmin --disabled-login
Adding user `omkadmin' ...
Adding new group `omkadmin' (1010) ...
Adding new user `omkadmin' (1009) with group `omkadmin' ...
Creating home directory `/home/omkadmin' ...
Copying files from `/etc/skel' ...
Changing the user information for omkadmin
Enter the new value, or press ENTER for the default
        Full Name []:
        Room Number []:
        Work Phone []:
        Home Phone []:
        Other []:
Is the information correct? [Y/n]
root@server:~#

In the previous example output you will note the line "Adding new user `omkadmin' (1009) with group `omkadmin'", there is a default setting that adds a group at the same time as adding a user.

The following command will not work if there was ANY error issued when creating the user or group. If you get an error in creating the user this needs to be resolved before proceeding.

Adjust User Groups

Next we will add the USER "nmis" to the GROUP "omkadmin" and the add USER "omkadmin" to the GROUP "nmis"

Reciprocal rights are required as applications running under both users write and read into the omk and nmis directory structures.

usermod -a -G omkadmin nmis
usermod -a -G nmis omkadmin

The following example shows how running the command "groups <username>" will list all group memberships for the specified user as a validation.

User "nmis" should now have "omkadmin" in the groups list and user "omkadmin" should have "nmis" in its groups list.

root@server:~# groups nmis
nmis adm plugdev netdev lxd google-sudoers omkadmin
root@server:~# groups omkadmin
omkadmin nmis

Open-AudIT and the Apache user

If you are using Open-AudIT, you will also need to add the Apache user (www-data) to the omkadmin group.

usermod -a -G omkadmin www-data

Shutdown all impacting services

This section will bring all services that are going to be altered down this will include; crond, nmis9d, omk daemons.

Because we are shutting crond down some system administrative tasks may not fire during this period.

This step is required to prevent nmis/omk processes from creating files that may block or create issues with this update process.

Run the following commands:

/usr/local/omk/bin/checkomkdaemons.sh stop
systemctl stop nmis9d
systemctl stop cron

Output example

root@server:~# /usr/local/omk/bin/checkomkdaemons.sh stop

job complete!

root@server:~# systemctl stop nmis9d
root@server:~# systemctl stop cron
root@server:~# 

The commands can take some time to gracefully shutdown. You can check the status of the shutdown by running the following command:

ps ax | grep -E "(nmis|cron| op)"

It may output a list of running processes to start with. If the server is small and/or not very busy the processes may exit immediately and this long list won't be seen.

root@server:~# ps ax | grep -E "(nmis|cron| op)"
1443255 ?        Ss     0:00 /usr/sbin/cron -f
1443265 ?        Ss     0:00 nmisd.scheduler
1443266 ?        S      0:00 nmisd.fping
1443268 ?        S      0:00 nmisd.worker.<idle>
1443269 ?        S      0:00 nmisd.worker.<idle>
1443272 ?        S      0:00 nmisd.worker.<idle>
1443273 ?        S      0:01 nmisd.worker.<idle>
1443276 ?        S      0:00 nmisd.worker.<idle>
1443279 ?        S      0:01 nmisd.worker.<idle>
1443282 ?        S      0:00 nmisd.worker.<idle>
1443283 ?        S      0:01 nmisd.worker.<idle>
1443285 ?        S      0:00 nmisd.worker.<idle>
1443288 ?        S      0:00 nmisd.worker.<idle>
1443359 ?        Ss     0:04 opmantek.pl-webserver                                                                                  -f -p /var/run/opmantek.exe.pid -r
1443365 ?        Ss     0:00 opchartsd
1443366 ?        S      0:00 opchartsd worker
1443415 ?        Ss     0:00 opeventsd
1443416 ?        S      0:00 opeventsd.worker
1443438 ?        S      0:00 opmantek.pl-webserver                                                                                  -f -p /var/run/opmantek.exe.pid -r
1443439 ?        S      0:00 opmantek.pl-webserver                                                                                  -f -p /var/run/opmantek.exe.pid -r
1443440 ?        S      0:00 opmantek.pl-webserver                                                                                  -f -p /var/run/opmantek.exe.pid -r
1443441 ?        S      0:00 opmantek.pl-webserver                                                                                  -f -p /var/run/opmantek.exe.pid -r
1443442 ?        S      0:00 opmantek.pl-webserver                                                                                  -f -p /var/run/opmantek.exe.pid -r
1443443 ?        S      0:00 opmantek.pl-webserver                                                                                  -f -p /var/run/opmantek.exe.pid -r
1443444 ?        S      0:00 opeventsd.tail.winlogd.log
1443445 ?        S      0:00 opeventsd.tail.trap.log
1443446 ?        S      0:00 opeventsd.tail.event.log
1443447 ?        S      0:00 opmantek.pl-webserver                                                                                  -f -p /var/run/opmantek.exe.pid -r
1443448 ?        S      0:00 opeventsd.tail.cisco.log
1443450 ?        S      0:00 opmantek.pl-webserver                                                                                  -f -p /var/run/opmantek.exe.pid -r
1443451 ?        S      0:00 opeventsd.tail.tivoli.log
1443453 ?        S      0:00 opmantek.pl-webserver                                                                                  -f -p /var/run/opmantek.exe.pid -r
1443455 ?        S      0:00 opmantek.pl-webserver                                                                                  -f -p /var/run/opmantek.exe.pid -r
1443463 ?        Ss     0:00 opconfigd
1443464 ?        S      0:00 opconfigd worker
1443546 pts/0    S+     0:00 grep --color=auto -E (nmis|cron| op)

When processes have all shutdown gracefully the previous command will return something very similar to the following. The first number on the line can be ignored:

root@server:~# ps ax | grep -E "(nmis|cron| op)"
1443224 pts/0    S+     0:00 grep --color=auto -E (nmis|cron| op)
root@server:~#

Ownership and Rights Changes

The following set of commands will run through and alter all of the file and directory rights as the key security task. You should be able to cut and past the entire block into the cli as root user.

# START of standard installer changes
OMK_DIR=/usr/local/omk

# These command are exactly as for /data/omk:
echo Set OMK directory structure writable by group:
sudo chown -R omkadmin:omkadmin "${OMK_DIR}";
sudo find "${OMK_DIR}" -type d -exec chmod 0770 '{}' \;;

echo Set user and group able to write files:
sudo find "${OMK_DIR}" -type f -exec chmod 0660 '{}' \;;

echo Set scripts executable by user and group:
# This command should succeed: this directory is likely to exist
sudo find "${OMK_DIR}/script" -type f -exec chmod 0770 '{}' \;;

echo Set scripts executable by user and group:
# This command should succeed: this directory is likely to exist
sudo find "${OMK_DIR}/bin" -type f -exec chmod 0770 '{}' \;;

# END of standard installer changes

Cleanup and set appropriate "common" directory rights. If we don't kill the cron process as per the beginning of this document, this part of the change can cause issues.

This command will output a lot of information to the screen for debugging should something not work properly here.

echo Delete existing PAR subdirectories as we may have set incorrect permissions on this directory
# structure when executing the previous commands.
# The PAR subdirectories are re-created automatically by PAR upon being deleted (at execution of any PAR
# script exe by that user):
OMK_DIR=/usr/local/omk
sudo rm -Rvf ${PAR_GLOBAL_TMPDIR}/par-*
sudo rm -Rvf /tmp/par-*

# The following commands should be executed after any of the the above commands
# to ensure PAR directory structure is re-created with PAR's own permissions set:
echo Set sticky bit on $PAR_GLOBAL_TMPDIR directory and only executable by root.
# This is a more secure implementation of the linux /tmp/ directory implementation which also uses
# sticky bit, but with chmod 1777:
sudo chmod 3700 ${PAR_GLOBAL_TMPDIR}

echo Run tests
sudo ${OMK_DIR}/bin/patch_config.exe
sudo -u nmis ${OMK_DIR}/bin/patch_config.exe
sudo -u omkadmin ${OMK_DIR}/bin/patch_config.exe

Review the temporary directory by running the following command:

ls -la /usr/local/omk/var/lib/common/

This following screenscrape is very important. It is a crosscheck that user rights are being allocated properly when applications run. The output should return something very similar to this example:

Note the single Capital "T" and three Capital "S" and that the username nmis, omkadmin, and root in lines 5,6,7 are all followed by omkadmin (the group name).

root@server:~# ls -la /usr/local/omk/var/lib/common/
total 20
drwxrws--T  5 omkadmin omkadmin 4096 Jul 13 11:55 .
drwxrwx---  3 omkadmin omkadmin 4096 Jun 28 03:41 ..
drwx--S---  3 nmis     omkadmin 4096 Jul 13 11:55 par-6e6d6973
drwx--S---  3 omkadmin omkadmin 4096 Jul 13 11:55 par-6f6d6b61646d696e
drwx--S--- 12 root     omkadmin 4096 Jul 13 12:57 par-726f6f74

Change Process PID locations:

In /usr/local/omk/conf/opCommon.json set each *_pid entry as follows (note that each service has its own pid directory under /var/run):

  • "opchartsd_pid" : "/var/run/omk/opchartsd.pid"
  • "opconfigd_pid" : "/var/run/omk/opconfigd.pid"
  • "opeventsd_pid" : "/var/run/omk/opeventsd.pid"

This command will search through the config file and insert the appropriate entries for you:

sed -i 's/var\/run/var\/run\/omk/g' /usr/local/omk/conf/opCommon.json

Check that the entries look correct as follows:

root@server:/run# grep "/var/run/omk" /usr/local/omk/conf/opCommon.json
      "opflowd_pid" : "/var/run/omk/opflowd.pid",
      "opchartsd_pid" : "/var/run/omk/opchartsd.pid",
      "opeventsd_pid" : "/var/run/omk/opeventsd.pid",
      "opconfigd_pid" : "/var/run/omk/opconfigd.pid",
root@server:/run#


SYSTEMCTL Service Files

Locate necessary service files for alteration using a grep command

cd /etc/systemd/system
grep -s omk *

Example output

root@server:~# cd /etc/systemd/system
root@server:/etc/systemd/system# grep -s omk *
omkd.service:ExecStart=/usr/local/omk/script/opmantek.pl -f -p /var/run/opmantek.exe.pid -r
opchartsd.service:ExecStart=/usr/local/omk/bin/opchartsd.pl
opconfigd.service:ExecStart=/usr/local/omk/bin/opconfigd.pl
opeventsd.service:ExecStart=/usr/local/omk/bin/opeventsd.pl
root@server:/etc/systemd/system#

From this output we can see that there are four (4) files that will need to be altered:

  • omkd.service
  • opchartsd.service
  • opconfigd.service
  • opeventsd.service

omkd.service

sed -i 's/\[Service\]/\[Service\]\nUser\=omkadmin\nGroup\=omkadmin/g' /etc/systemd/system/omkd.service
sed -i 's/\/var\/run/\/var\/run\/omk/g' /etc/systemd/system/omkd.service
sed -i 's/\[Service\]/\[Service\]\nPermissionsStartOnly\=true\nExecStartPre\=\/bin\/sh \-c \"mkdir \-p \/var\/run\/omk\/\"\nExecStartPre\=\/bin\/sh \-c \"chown omkadmin\.omkadmin \/var\/run\/omk\/\"\nExecStartPre\=\/bin\/sh \-c \"chmod 3700 \/var\/run\/omk\/\"/g' /etc/systemd/system/omkd.service

opchartsd.service

sed -i 's/\[Service\]/\[Service\]\nUser\=omkadmin\nGroup\=omkadmin/g' /etc/systemd/system/opchartsd.service
sed -i 's/\/var\/run/\/var\/run\/omk/g' /etc/systemd/system/opchartsd.service
sed -i 's/\[Service\]/\[Service\]\nPermissionsStartOnly\=true\nExecStartPre\=\/bin\/sh \-c \"mkdir \-p \/var\/run\/omk\/\"\nExecStartPre\=\/bin\/sh \-c \"chown omkadmin\.omkadmin \/var\/run\/omk\/\"\nExecStartPre\=\/bin\/sh \-c \"chmod 3700 \/var\/run\/omk\/\"/g' /etc/systemd/system/opchartsd.service

opconfigd.service

sed -i 's/\[Service\]/\[Service\]\nUser\=omkadmin\nGroup\=omkadmin/g' /etc/systemd/system/opconfigd.service
sed -i 's/\/var\/run/\/var\/run\/omk/g' /etc/systemd/system/opconfigd.service
sed -i 's/\[Service\]/\[Service\]\nPermissionsStartOnly\=true\nExecStartPre\=\/bin\/sh \-c \"mkdir \-p \/var\/run\/omk\/\"\nExecStartPre\=\/bin\/sh \-c \"chown omkadmin\.omkadmin \/var\/run\/omk\/\"\nExecStartPre\=\/bin\/sh \-c \"chmod 3700 \/var\/run\/omk\/\"/g' /etc/systemd/system/opconfigd.service

opeventsd.service

sed -i 's/\[Service\]/\[Service\]\nUser\=omkadmin\nGroup\=omkadmin/g' /etc/systemd/system/opeventsd.service
sed -i 's/\/var\/run/\/var\/run\/omk/g' /etc/systemd/system/opeventsd.service
sed -i 's/\[Service\]/\[Service\]\nPermissionsStartOnly\=true\nExecStartPre\=\/bin\/sh \-c \"mkdir \-p \/var\/run\/omk\/\"\nExecStartPre\=\/bin\/sh \-c \"chown omkadmin\.omkadmin \/var\/run\/omk\/\"\nExecStartPre\=\/bin\/sh \-c \"chmod 3700 \/var\/run\/omk\/\"/g' /etc/systemd/system/opeventsd.service

Confirm SYSTEMCTL Changes:

The output of the above commands will have been to adjust the service files to add some additional entries to the Service section of the configs and to alter PID references in the omkd.service file

The requirement is to add a User and Group entry into the Service section of each of the service files. We will also match any PID references to the new setup as well. As per the following example:

Original Service File - omkd.service
# simple systemd unit file for the Opmantek Webserver daemon

[Unit]
Description=Opmantek Webserver
After=network-online.target
After=mongod.service
Requires=mongod.service
Wants=mongod.service
Wants=network-online.target

[Install]
WantedBy=multi-user.target

[Service]
Type=forking
Restart=no
EnvironmentFile=/etc/environment
PIDFile=/var/run/opmantek.exe.pid
TimeoutSec=120s
KillMode=process
ExecStart=/usr/local/omk/script/opmantek.pl -f -p /var/run/opmantek.exe.pid -r

With the new USER, GROUP and altered PID entries as per the following - post change. You can use this example as a guide for a concise review of each file if you wish.

Updated Service File - omkd.service
# simple systemd unit file for the Opmantek Webserver daemon

[Unit]
Description=Opmantek Webserver
After=network-online.target
After=mongod.service
Requires=mongod.service
Wants=mongod.service
Wants=network-online.target

[Install]
WantedBy=multi-user.target

[Service]
PermissionsStartOnly=true
ExecStartPre=/bin/sh -c "mkdir -p /var/run/omk/"
ExecStartPre=/bin/sh -c "chown omkadmin.omkadmin /var/run/omk/"
ExecStartPre=/bin/sh -c "chmod 3700 /var/run/omk/"
User=omkadmin
Group=omkadmin
Type=forking
Restart=no
EnvironmentFile=/etc/environment
PIDFile=/var/run/omk/opmantek.exe.pid
TimeoutSec=120s
KillMode=process
ExecStart=/usr/local/omk/script/opmantek.pl -f -p /var/run/omk/opmantek.exe.pid -r

Alternatively if you want to do a quick cross-check of the changes you can do so with the following grep command.

grep -s omk /etc/systemd/system/* | grep -vE "pl$

The output will be similar to the following which should reveal all new entries.

root@server:/etc/systemd/system# grep -s omk /etc/systemd/system/* | grep -vE "pl$"
/etc/systemd/system/omkd.service:ExecStartPre=/bin/sh -c "mkdir -p /var/run/omk/"
/etc/systemd/system/omkd.service:ExecStartPre=/bin/sh -c "chown omkadmin.omkadmin /var/run/omk/"
/etc/systemd/system/omkd.service:ExecStartPre=/bin/sh -c "chmod 0700 /var/run/omk/"
/etc/systemd/system/omkd.service:User=omkadmin
/etc/systemd/system/omkd.service:Group=omkadmin
/etc/systemd/system/omkd.service:PIDFile=/var/run/omk/opmantek.exe.pid
/etc/systemd/system/omkd.service:ExecStart=/usr/local/omk/script/opmantek.pl -f -p /var/run/omk/opmantek.exe.pid -r
/etc/systemd/system/opchartsd.service:ExecStartPre=/bin/sh -c "mkdir -p /var/run/omk/"
/etc/systemd/system/opchartsd.service:ExecStartPre=/bin/sh -c "chown omkadmin.omkadmin /var/run/omk/"
/etc/systemd/system/opchartsd.service:ExecStartPre=/bin/sh -c "chmod 0700 /var/run/omk/"
/etc/systemd/system/opchartsd.service:User=omkadmin
/etc/systemd/system/opchartsd.service:Group=omkadmin
/etc/systemd/system/opchartsd.service:PIDFile=/var/run/omk/opchartsd.pid
/etc/systemd/system/opconfigd.service:ExecStartPre=/bin/sh -c "mkdir -p /var/run/omk/"
/etc/systemd/system/opconfigd.service:ExecStartPre=/bin/sh -c "chown omkadmin.omkadmin /var/run/omk/"
/etc/systemd/system/opconfigd.service:ExecStartPre=/bin/sh -c "chmod 0700 /var/run/omk/"
/etc/systemd/system/opconfigd.service:User=omkadmin
/etc/systemd/system/opconfigd.service:Group=omkadmin
/etc/systemd/system/opconfigd.service:PIDFile=/var/run/omk/opconfigd.pid
/etc/systemd/system/opeventsd.service:ExecStartPre=/bin/sh -c "mkdir -p /var/run/omk/"
/etc/systemd/system/opeventsd.service:ExecStartPre=/bin/sh -c "chown omkadmin.omkadmin /var/run/omk/"
/etc/systemd/system/opeventsd.service:ExecStartPre=/bin/sh -c "chmod 0700 /var/run/omk/"
/etc/systemd/system/opeventsd.service:User=omkadmin
/etc/systemd/system/opeventsd.service:Group=omkadmin
/etc/systemd/system/opeventsd.service:PIDFile=/var/run/omk/opeventsd.pid

Logrotate Changes

/etc/logrotate.d/omk-rotate.conf needs to be edited and each section of the logrotate script needs to include:

The following commands with do this for the default conf.

sed -i 's/create 0660 nmis nmis/create 0660 omkadmin omkadmin/g' /etc/logrotate.d/omk-rotate.conf
sed -i 's/endscript/endscript\n\tsu omkadmin omkadmin/g' /etc/logrotate.d/omk-rotate.conf

The commands set the following directives:

  • create 0660 omkadmin omkadmin
  • su omkadmin omkadmin

The su directive is new and is required so that logrotate will continue to work when writing to a no-root owned file (non-privileged). We place it at after the "endscript" statement.

CRON Job Changes

The following commands are used to change all of the default cronjobs. Replacing all "root" user entries with "omkadmin" user entries.

sed -i 's/   root\t/\tomkadmin\t/g' opaddress
sed -i 's/\troot\t/\tomkadmin\t/g' opconfig
sed -i 's/\troot\t/\tomkadmin\t/g' opevents
sed -i 's/\troot\t/\tomkadmin\t/g' opha
sed -i 's/\troot\t/\tomkadmin\t/g' oplicense
sed -i 's/\troot\t/\tomkadmin\t/g' opreports

Rights Checks

If crond was not disabled prior to updating all of the directory rights this list will likely return many files owned by root.root. Those specific files will need to be manually changed to omkadmin.omkadmin ownership.

sudo find /usr/local/omk/ ! -group omkadmin ! -regex '/usr/local/omk/var/lib/common/par-.+' -exec ls -lAhd '{}' \;;
-rw-rw-r-- 1 nmis nmis 453 Jul 13 20:15 /usr/local/omk/var/opcore/registry/open-audit.json
-rw-rw-r-- 1 nmis nmis 3.5K Jul 13 20:15 /usr/local/omk/var/opcore/registry/opEvents.json
-rw-rw-r-- 1 nmis nmis 1.5K Jul 13 20:15 /usr/local/omk/var/opcore/registry/opHA.json
-rw-rw-r-- 1 nmis nmis 5.1K Jul 13 20:15 /usr/local/omk/var/opcore/registry/opCharts.json
-rw-rw-r-- 1 nmis nmis 2.0K Jul 13 20:15 /usr/local/omk/var/opcore/registry/opConfig.json
-rw-rw-r-- 1 nmis nmis 108 Jul 13 20:27 /usr/local/omk/var/opevents/file_state/_usr_local_nmis9_logs_event.log.json

Rights Check CronJob

Create cronjob /etc/cron.d/omk_check_omkadmin_user_group:

Copy and paste the following code block to the command line to create the new cronjob

touch /etc/cron.d/omk_check_omkadmin_user_group
echo "PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin" >> /etc/cron.d/omk_check_omkadmin_user_group
echo "# m h dom mon dow user command" >> /etc/cron.d/omk_check_omkadmin_user_group
echo "40 * * * * root find /usr/local/omk ! -group omkadmin ! -group nmis ! -regex '/usr/local/omk/var/lib/common/par-.+' -exec ls -lAhd '{}' \;;" >> /etc/cron.d/omk_check_omkadmin_user_group
echo "42 * * * * omkadmin find /usr/local/omk ! -writable -exec ls -lAhd '{}' \;;" >> /etc/cron.d/omk_check_omkadmin_user_group
echo "44 * * * * root find /usr/local/omk -perm /+2000 -exec ls -lAhd '{}' \;;" >> /etc/cron.d/omk_check_omkadmin_user_group
echo "46 * * * * root find /usr/local/omk -perm /+4000 -exec ls -lAhd '{}' \;;" >> /etc/cron.d/omk_check_omkadmin_user_group

Reboot the machine

Rebooting the machine will restore all services and allow for system maintenance and startup tasks that were halted to be run as required with the new users and privileges.

sudo reboot


Full Script

Note that the following script has been added for convenience at this stage and has no checks or error handling embedded.


# Setup User Logins and Groups
useradd -m -U omkadmin
passwd -l omkadmin
usermod -a -G omkadmin nmis
usermod -a -G nmis omkadmin

# NOTE - uncomment the below if also using Open-AudIT
# usermod -a -G omkadmin www-data

# Showdown all impacting/impacted services
/usr/local/omk/bin/checkomkdaemons.sh stop
systemctl stop nmis9d
systemctl stop cron
sleep 10
systemctl stop nmis9d

# START of standard installer changes
OMK_DIR=/usr/local/omk

# 
echo Set OMK directory structure writable by group:
sudo chown -R omkadmin:omkadmin "${OMK_DIR}";
sudo find "${OMK_DIR}" -type d -exec chmod 0770 '{}' \;;

# 
echo Set user and group able to write files:
sudo find "${OMK_DIR}" -type f -exec chmod 0660 '{}' \;;

# 
echo Set scripts executable by user and group:
sudo find "${OMK_DIR}/script" -type f -exec chmod 0770 '{}' \;;

# 
echo Set scripts executable by user and group:
sudo find "${OMK_DIR}/bin" -type f -exec chmod 0770 '{}' \;;
 
# END of standard installer changes

#
echo Delete existing PAR subdirectories as we may have set incorrect permissions on this directory
sudo rm -Rf ${PAR_GLOBAL_TMPDIR}/par-*
sudo rm -Rf /tmp/par-*

#
echo Set sticky bit on $PAR_GLOBAL_TMPDIR directory and only executable by root.
sudo chmod 1700 ${PAR_GLOBAL_TMPDIR}

#
echo Recreate $PAR_GLOBAL_TMPDIR/par- directories for root,nmis and omkadmin
sudo ${OMK_DIR}/bin/patch_config.exe 2> /dev/null
sudo -u nmis ${OMK_DIR}/bin/patch_config.exe 2> /dev/null
sudo -u omkadmin ${OMK_DIR}/bin/patch_config.exe 2> /dev/null

#
echo Update opCommon.json config with new PID directories
sed -i 's/var\/run/var\/run\/omk/g' /usr/local/omk/conf/opCommon.json

#
echo Update SYSTEMCTL Server Files
#
echo omkd.service
sed -i 's/\[Service\]/\[Service\]\nUser\=omkadmin\nGroup\=omkadmin/g' /etc/systemd/system/omkd.service
sed -i 's/\/var\/run/\/var\/run\/omk/g' /etc/systemd/system/omkd.service
sed -i 's/\[Service\]/\[Service\]\nPermissionsStartOnly\=true\nExecStartPre\=\/bin\/sh \-c \"mkdir \-p \/var\/run\/omk\/\"\nExecStartPre\=\/bin\/sh \-c \"chown omkadmin\.omkadmin \/var\/run\/omk\/\"\nExecStartPre\=\/bin\/sh \-c \"chmod 3700 \/var\/run\/omk\/\"/g' /etc/systemd/system/omkd.service

#
echo opchartsd.service
sed -i 's/\[Service\]/\[Service\]\nUser\=omkadmin\nGroup\=omkadmin/g' /etc/systemd/system/opchartsd.service
sed -i 's/\/var\/run/\/var\/run\/omk/g' /etc/systemd/system/opchartsd.service
sed -i 's/\[Service\]/\[Service\]\nPermissionsStartOnly\=true\nExecStartPre\=\/bin\/sh \-c \"mkdir \-p \/var\/run\/omk\/\"\nExecStartPre\=\/bin\/sh \-c \"chown omkadmin\.omkadmin \/var\/run\/omk\/\"\nExecStartPre\=\/bin\/sh \-c \"chmod 3700 \/var\/run\/omk\/\"/g' /etc/systemd/system/opchartsd.service

#
echo opconfigd.service
sed -i 's/\[Service\]/\[Service\]\nUser\=omkadmin\nGroup\=omkadmin/g' /etc/systemd/system/opconfigd.service
sed -i 's/\/var\/run/\/var\/run\/omk/g' /etc/systemd/system/opconfigd.service
sed -i 's/\[Service\]/\[Service\]\nPermissionsStartOnly\=true\nExecStartPre\=\/bin\/sh \-c \"mkdir \-p \/var\/run\/omk\/\"\nExecStartPre\=\/bin\/sh \-c \"chown omkadmin\.omkadmin \/var\/run\/omk\/\"\nExecStartPre\=\/bin\/sh \-c \"chmod 3700 \/var\/run\/omk\/\"/g' /etc/systemd/system/opconfigd.service

#
echo opeventsd.service
sed -i 's/\[Service\]/\[Service\]\nUser\=omkadmin\nGroup\=omkadmin/g' /etc/systemd/system/opeventsd.service
sed -i 's/\/var\/run/\/var\/run\/omk/g' /etc/systemd/system/opeventsd.service
sed -i 's/\[Service\]/\[Service\]\nPermissionsStartOnly\=true\nExecStartPre\=\/bin\/sh \-c \"mkdir \-p \/var\/run\/omk\/\"\nExecStartPre\=\/bin\/sh \-c \"chown omkadmin\.omkadmin \/var\/run\/omk\/\"\nExecStartPre\=\/bin\/sh \-c \"chmod 3700 \/var\/run\/omk\/\"/g' /etc/systemd/system/opeventsd.service

#
echo Update logrotate config
sed -i 's/create 0660 nmis nmis/create 0660 omkadmin omkadmin/g' /etc/logrotate.d/omk-rotate.conf
sed -i 's/endscript/endscript\n\tsu omkadmin omkadmin/g' /etc/logrotate.d/omk-rotate.conf

#
echo Update all crontab job owners
sed -i 's/   root\t/\tomkadmin\t/g' /etc/cron.d/opaddress
sed -i 's/\troot\t/\tomkadmin\t/g' /etc/cron.d/opconfig
sed -i 's/\troot\t/\tomkadmin\t/g' /etc/cron.d/opevents
sed -i 's/\troot\t/\tomkadmin\t/g' /etc/cron.d/opha
sed -i 's/\troot\t/\tomkadmin\t/g' /etc/cron.d/oplicense
sed -i 's/\troot\t/\tomkadmin\t/g' /etc/cron.d/opreports

#
echo Add an Hourly Rights Check to CRONTAB
touch /etc/cron.d/omk_check_omkadmin_user_group
echo "PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin" >> /etc/cron.d/omk_check_omkadmin_user_group
echo "# m h dom mon dow user command" >> /etc/cron.d/omk_check_omkadmin_user_group
echo "40 * * * * root find /usr/local/omk ! -group omkadmin ! -group nmis ! -regex '/usr/local/omk/var/lib/common/par-.+' -exec ls -lAhd '{}' \;;" >> /etc/cron.d/omk_check_omkadmin_user_group
echo "42 * * * * omkadmin find /usr/local/omk ! -writable -exec ls -lAhd '{}' \;;" >> /etc/cron.d/omk_check_omkadmin_user_group
echo "44 * * * * root find /usr/local/omk -perm /+2000 -exec ls -lAhd '{}' \;;" >> /etc/cron.d/omk_check_omkadmin_user_group
echo "46 * * * * root find /usr/local/omk -perm /+4000 -exec ls -lAhd '{}' \;;" >> /etc/cron.d/omk_check_omkadmin_user_group

Hardening NMIS

The above guide can also be applied to the nmis user and change the nmid9d service to execute and own all of it's process's rather than having the root process own the nmis workers.

This can be done concurrently, independantly or after following the above guide.

This has been tested on Ubuntu 20.04/RHEL 8.8 installations running default service files and directory settings for nmis and omk modules from their respective installers. You will need to modify some commands into their respective RHEL/Centos counterparts in the above script and steps.

DO NOT PROCEED WITHOUT BACKUPS BEFORE MODIFYING NMIS9D.SERVICE

Shutdown all impacting services

/usr/local/omk/bin/checkomkdaemons.sh stop
systemctl stop nmis9d
systemctl stop cron

SYSTEMCTL Service File changes for NMIS

sudo sed -i 's/\/var\/run/\/var\/run\/nmis9/' /etc/systemd/system/nmis9d.service
sudo sed -i 's/\[Service\]/\[Service\]\nPermissionsStartOnly\=true\nExecStartPre\=\/bin\/sh \-c \"mkdir \-p \/var\/run\/nmis9\/\"\nExecStartPre\=\/bin\/sh \-c \"chown nmis\.nmis \/var\/run\/nmis9\/\"\nExecStartPre\=\/bin\/sh \-c \"chmod 3700 \/var\/run\/nmis9\/\"/g' /etc/systemd/system/nmis9d.service
sudo sed -i 's/PIDFile=\/usr\/local\/nmis9\/var\/nmis_system\/nmisd.pid/PIDFile=\/var\/run\/nmis9\/nmis9d.pid/' /etc/systemd/system/nmis9d.service
sudo sed -i '/\[Service\]/a User=nmis\nGroup=nmis' /etc/systemd/system/nmis9d.service

CRON Job Changes for NMIS

sed -i 's/\troot/\/nmis\t/g' /etc/cron.d/nmis9

Reboot the machine

Rebooting the machine will restore all services and allow for system maintenance and startup tasks that were halted to be run as required with the new users and privileges.

sudo reboot

Verify the changes

  • No labels