In the HYCU Web UI, only one logon can be used at a time. If the previous connection is not logged off upon logging on to the Web UI again with the same credentials, this is a finding. Log on to the HYCU VM console. To check the number of allowed concurrent session connections, grep the file "/etc/security/limits.conf" by executing the following command: grep maxlogins /etc/security/limits.conf Verify the following line exists: hycu hard maxlogins 1 If the "maxlogins" value is not set to 1 or is missing, this is a finding.
The Web UI always allows only one user session at a time. For CLI, configure the operating system to limit the max number of concurrent sessions to 1 by adding the following line to "/etc/security/limits.conf": hycu hard maxlogins 1
Log on to the VM console. grep ClientAliveInterval /etc/ssh/sshd_config If "ClientAliveInterval" is missing or commented out, this is a finding. If "ClientAliveInterval" exists and is configured to less than 15 minutes, this is a finding. Log on to the Web UI console and leave the session open. Determine if the VM console session locks after 15 minutes. If it does not, this is a finding. The Web UI will also time out automatically after 15 minutes of user inactivity. If the Web UI session does not log out the inactive user, this is a finding.
Log on to the VM console and use the following command to edit the "sshd_config" file:
    vi /etc/ssh/sshd_config
    ClientAliveInterval 15m # 15 minutes
    ClientAliveCountMax 0 # 0 times
Web UI by default performs an automatic logout after 15 minutes of user inactivity. Do the following to further tweak the inactivity timeout if required:
If the "config.properties" file is not yet created, copy the "config.properties.template" file to become the "config.properties" file by typing:
    cp /opt/grizzly/config.properties.template /opt/grizzly/config.properties
Edit the "/opt/grizzly/config.properties" file by running:
    sudo vi /opt/grizzly/config.properties
Locate the following setting:
    # api.session.expiration.minutes=15 #int
Change the number from 15 to the desired value, uncomment the line by removing the #, and save the file by typing:
    :wq!
Restart the grizzly service by running:
    service grizzly restart
Within the HYCU Web UI in the Self-Service menu, check for users or groups that no longer need access. If any old or unused accounts or groups exist, this is a finding.
Within the HYCU Web UI, remove the users or groups that no longer need access. If any AD users or groups have been left within the HYCU Web UI in the Self-Service menu, remove users that are no longer needed from their respective AD groups.
Review the Self-Service menu within HYCU to view accounts and user roles (Administrator, Backup Operator, Restore Operator, Backup and Restore Operator, or Viewer). User roles have a predefined and non-changeable set of user privileges. To check the exact set of privileges of each user, navigate to the Self-Service context in the HYCU UI. Click on the question mark in the upper-right corner, followed by "Help with This Page". Scroll down to the "User Roles" section. If users can perform more functions than those specified for their role, this is a finding.
Apply the appropriate user role to the required user from one of the predefined and non-changeable roles: Administrator, Backup Operator, Restore Operator, Backup and Restore Operator, or Viewer.
HYCU offers the capability to leverage RBAC controls within the Web UI's Self-Service menu. The organization would need to generate and document its own specific requirements around using RBAC in HYCU. For the HYCU VM console, administrators should only allow access to anyone else deemed to be qualified as a server administrator for the system. Review the groups and accounts within Web UI's Self-Service menu. If any RBAC setting does not meet the organization's own guidelines, this is a finding.
Ensure the correct RBAC controls and access are applied properly within the HYCU Web UI's Self-Service menu. Avoid granting too much access to any particular user or group. Ensure that any needed DACLs are also being applied to and enforced on any OUs or groups in Active Directory that are being leveraged within the HYCU Web UI Self-Service menu. For the HYCU VM console, administrators should only allow access to anyone else deemed to be qualified as a server administrator for the system. To check for any unauthorized users, run the following command within the HYCU Web console: cat /etc/passwd Use the "userdel" command to remove any unauthorized users.
By default, HYCU firewall is locked and enabled. The firewall only permits DHCP, SMB, and access to the web UI port 8443. Verify the firewall is running by executing the following command: sudo firewall-cmd --state If service is not running, this is a finding. Determine which services and ports are open by executing the following command: sudo firewall-cmd --list-all Output should show the following two lines: 'services: cockpit dhcpv6-client iscsi-target samba ssh' 'ports: 8443/tcp' If more services than those listed above are open, this is a finding.
Enable the firewall by executing the following commands: sudo systemctl enable firewalld sudo systemctl start firewalld
Check the contents of the "/var/log/audit/audit.log" file. HYCU also maintains Event (Audit) information in the HYCU Web UI Events menu. Verify the audit log contains records showing when the execution of privileged functions occurred. If the audit log is not configured or does not have the required contents, this is a finding.
Log on to the HYCU VM console and load the STIG audit rules by using the following commands: 1. cp /usr/share/doc/audit/rules/10-base-config.rules /usr/share/doc/audit/rules/30-stig.rules /usr/share/doc/audit/rules/31-privileged.rules /usr/share/doc/audit/rules/99-finalize.rules /etc/audit/rules.d/ 2. augenrules --load
Log on to the HYCU VM console and go to the "/etc/pam.d/" folder. Verify that "password-auth" and "system-auth" contain the following three lines, and the values for deny and unlock_time are as shown. Commands:
    sudo grep pam_faillock.so /etc/pam.d/password-auth
    sudo grep pam_faillock.so /etc/pam.d/system-auth
Both should display the following three lines:
    auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=60 unlock_time=900
    auth required pam_faillock.so authfail audit unlock_time=900
    account required pam_faillock.so
If the required content is not present, this is a finding.
Go to the "/etc/pam.d/" folder. Move the current configuration and make new copies to be edited by executing the following commands:
    sudo mv password-auth password-auth-as
    sudo mv system-auth system-auth-as
    sudo cp password-auth-as password-auth
    sudo cp system-auth-as system-auth
Edit the files "password-auth" and "system-auth". Add the lines:
    auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=60 unlock_time=900
after line
    auth required pam_env.so
Add:
    auth required pam_faillock.so authfail audit unlock_time=900
after
    auth sufficient pam_unix.so nullok try_first_pass
Add:
    account required pam_faillock.so
before
    account required pam_unix.so
The files "system-auth" and "password-auth" are identical, so the procedure can be done on one of the files and copied to the second one. Restart sssd service:
    sudo systemctl restart sssd.service
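The grep in the check above also prints commented-out lines and says nothing about line order, which the fix text specifies. The following is an added example, not HYCU or DISA code: a POSIX shell/awk check of the three pam_faillock lines, their deny and unlock_time values, and their position relative to pam_unix.so. The function name check_faillock and both sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify pam_faillock lines, values and ordering.
# usage: check_faillock /etc/pam.d/password-auth   (or pipe a file on stdin)
# Prints one "FINDING:" line per problem; exit status 1 if any were found.
check_faillock() {
    awk '
    function bad(msg) { print "FINDING: " msg; nbad++ }
    # Value of option "name" among the module arguments, or "" if absent.
    function opt(name, first,   i, kv) {
        for (i = first; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == name) return kv[2]
        }
        return ""
    }
    NF == 0 || $1 ~ /^#/ { next }      # ignore blank and commented-out lines
    {
        # Find the module field; it is not always $3 when the control
        # field is bracketed, e.g. [success=1 default=ignore].
        m = 0
        for (i = 2; i <= NF; i++)
            if ($i ~ /^pam_[a-z0-9_]+\.so$/) { m = i; break }
        if (!m) next
        type = $1; mod = $m; arg = $(m + 1)
    }
    mod == "pam_unix.so" && type == "auth"    && !unix_auth { unix_auth = NR }
    mod == "pam_unix.so" && type == "account" && !unix_acct { unix_acct = NR }
    mod != "pam_faillock.so" { next }
    type == "auth" && arg == "preauth" {
        pre = NR
        pre_deny = opt("deny", m + 1)
        pre_unlock = opt("unlock_time", m + 1)
    }
    type == "auth" && arg == "authfail" {
        fail = NR
        fail_unlock = opt("unlock_time", m + 1)
    }
    type == "account" { acct = NR }
    END {
        if (!pre) { bad("no active auth pam_faillock.so preauth line") }
        else {
            if (pre_deny != "3") { bad("preauth deny=" pre_deny ", expected 3") }
            if (pre_unlock != "900") { bad("preauth unlock_time=" pre_unlock ", expected 900") }
            if (unix_auth && pre > unix_auth) { bad("preauth line is after auth pam_unix.so") }
        }
        if (!fail) { bad("no active auth pam_faillock.so authfail line") }
        else {
            if (fail_unlock != "900") { bad("authfail unlock_time=" fail_unlock ", expected 900") }
            if (unix_auth && fail < unix_auth) { bad("authfail line is before auth pam_unix.so") }
        }
        if (!acct) { bad("no active account pam_faillock.so line") }
        else if (unix_acct && acct > unix_acct) { bad("account pam_faillock.so is after account pam_unix.so") }
        exit (nbad > 0)
    }
    ' "$@"
}

# Constructed sample: the layout the fix text describes.
SAMPLE_PAM_GOOD='auth        required      pam_env.so
auth        required      pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=60 unlock_time=900
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_faillock.so authfail audit unlock_time=900
auth        required      pam_deny.so
account     required      pam_faillock.so
account     required      pam_unix.so'

# Constructed sample: grep pam_faillock.so still prints three lines here,
# but deny is 5, the authfail line is commented out, and the account line
# sits after pam_unix.so.
SAMPLE_PAM_DRIFT='auth        required      pam_env.so
auth        required      pam_faillock.so preauth silent audit deny=5 even_deny_root fail_interval=60 unlock_time=900
auth        sufficient    pam_unix.so nullok try_first_pass
#auth       required      pam_faillock.so authfail audit unlock_time=900
account     required      pam_unix.so
account     required      pam_faillock.so'

printf '%s\n' "$SAMPLE_PAM_DRIFT" | check_faillock || true
```

On the controller, run it once per file: check_faillock /etc/pam.d/password-auth and check_faillock /etc/pam.d/system-auth.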
Log on to the HYCU VM console and verify the banner setting is in use in the "/etc/ssh/sshd_config" file by executing the following command: grep Banner /etc/ssh/sshd_config If the banner is not set to "/etc/issue.net", this is a finding. Verify "/etc/issue" contains valid DoD notice text by executing the following command: sudo cat /etc/issue If the DoD notice is not present in the "/etc/issue" file, this is a finding. Open the HYCU Web UI logon page and verify the mandatory notice is present on the welcome page. If the mandatory notice is not present at the HYCU Web UI welcome page, this is a finding.
The GUI logon page welcome message and look of the logon can be changed by following the procedure below:
1. Open a remote session to the HYCU backup controller: ssh hycu@<HYCUBackupControllerIPAddress>
2. Copy custom images to the custom-images folder at the following location: /opt/grizzly/www/webapp/resources/
3. Open the "customBranding.json" file from the following location: /opt/grizzly/www/webapp/
4. In the "customBranding.json" file, do the following:
   a. To modify the images, specify the names of the custom files added to the custom-images folder. The logon page image recommended size is 1574x1920.
   b. To modify the welcome message, replace "customWelcomeTitle" and "customWelcomeSubtitle" with the desired text.
5. Perform a hard reload of the HYCU Web UI page in the web browser.
The console and ssh logon can be configured to display the DoD banner by modifying "/etc/issue" with the required text and editing the "/etc/ssh/sshd_config" file to uncomment the banner keyword and configure it to point to "/etc/issue" as shown below:
    banner=/etc/issue
Log on to the HYCU VM console and verify the banner setting is in use in the "/etc/ssh/sshd_config" file by executing the following command: grep Banner /etc/ssh/sshd_config If the banner is not set to "/etc/issue.net", this is a finding. Verify "/etc/issue.net" contains valid DoD notice text by executing the following command: sudo cat /etc/issue.net If DoD Notice is not present in the "/etc/issue.net" file, this is a finding. Open the HYCU Web UI logon page and verify the mandatory notice is present on the Welcome page. If the mandatory notice is not present at HYCU Web UI welcome page, this is a finding.
The GUI logon page welcome message and look of the logon can be changed by following the procedure below:
1. Open a remote session to the HYCU backup controller: ssh hycu@<HYCUBackupControllerIPAddress>
2. Copy custom images to the custom-images folder at the following location: /opt/grizzly/www/webapp/resources/
3. Open the "customBranding.json" file from the following location: /opt/grizzly/www/webapp/
4. In the customBranding.json file, do the following:
   a. To modify the images, specify the names of the custom files added to the custom-images folder. The logon page image recommended size is 1574x1920.
   b. To modify the welcome message, replace "customWelcomeTitle" and "customWelcomeSubtitle" with the desired text.
5. Perform a hard reload of the HYCU Web UI page in the web browser.
The console and ssh logon can be configured to display the DoD banner by modifying "/etc/issue.net" with the required text and editing the "/etc/ssh/sshd_config" file to uncomment the banner keyword and configure it to point to "/etc/issue" as shown below:
    banner=/etc/issue.net
Verify the SSHD daemon has been disabled using the following command: $ sudo systemctl status sshd Loaded: loaded (/usr/lib/systemd/system/sshd.service; disabled) Active: inactive (dead) If the SSHD daemon is not disabled and inactive or is not documented and approved for use, this is a finding.
Stop the SSHD daemon: $ sudo systemctl stop sshd Disable the SSHD daemon: $ sudo systemctl disable sshd Note: The service must be stopped before it can be disabled.
Configure Active Directory authentication by adding one or more Active Directories as authentication sources in HYCU. This allows users to log on to the HYCU web user interface with their Active Directory domain accounts or, if certificate authentication is enabled, with a client certificate or a smart card (CAC authentication). Log on to the HYCU Web UI, select the gear menu, and then choose the Active Directory option. Verify that at least one Active Directory authentication server is configured. If no Active Directory is configured, this is a finding. When using certificate authentication using client certificate or smart card (CAC authentication), verify "Enable Certification Authentication" is enabled. If "Enable Certification Authentication" is not enabled, this is a finding.
Log on to the HYCU Web UI, select the gear menu, and choose the "Active Directory" option. Configure Active Directory by specifying needed LDAP strings to allow HYCU to use AD users and groups for access to the Web UI. When using certificate authentication using client certificate or smart card (CAC authentication), ensure "Service Account" is specified in the Active Directory configuration and "Enable Certification Authentication" is enabled.
HYCU Web UI user access accounts cannot be edited, only removed and readded from/to user groups in the Web UI Self-Service menu. After adding a user to a group, log on to the HYCU Web UI, navigate into Events context, and search for message of category "USER_GROUP" and text "Successfully added user to group". Events cannot be modified. Log on to the VM console and run the following command: chkconfig auditd If the Audit Service is not in a running state, this is a finding. Verify the operating system generates audit records when successful/unsuccessful attempts to access privileges occur. If it does not, this is a finding.
Configure the operating system to generate audit records when successful/unsuccessful attempts to access privileges occur. Log on to the HYCU VM console and run the following command: chkconfig auditd on Log on to the HYCU VM console and load the STIG audit rules by using the following commands: 1. sudo cp /usr/share/audit/sample-rules/10-base-config.rules /usr/share/audit/sample-rules/30-stig.rules /usr/share/audit/sample-rules/31-privileged.rules /usr/share/audit/sample-rules/99-finalize.rules /etc/audit/rules.d/ 2. sudo augenrules --load
Check the contents of the "/var/log/audit/audit.log" file. HYCU also maintains Event (Audit) information in the "HYCU Web UI Events" menu. Verify the audit log contains records showing successful/unsuccessful attempts to modify or delete administrator privileges. If the audit log is not configured or does not have required contents, this is a finding.
Log on to the HYCU VM console and load the STIG audit rules by using the following commands: 1. cp /usr/share/doc/audit/rules/10-base-config.rules /usr/share/doc/audit/rules/30-stig.rules /usr/share/doc/audit/rules/31-privileged.rules /usr/share/doc/audit/rules/99-finalize.rules /etc/audit/rules.d/ 2. augenrules --load
Check the contents of the "/var/log/audit/audit.log" file. HYCU also maintains Event (Audit) information in the "HYCU Web UI Events" menu. Verify the audit log contains records showing when successful/unsuccessful logon attempts occur. If the audit log is not configured or does not have required contents, this is a finding.
Log on to the HYCU VM console and load the STIG audit rules by using the following commands: 1. cp /usr/share/doc/audit/rules/10-base-config.rules /usr/share/doc/audit/rules/30-stig.rules /usr/share/doc/audit/rules/31-privileged.rules /usr/share/doc/audit/rules/99-finalize.rules /etc/audit/rules.d/ 2. augenrules --load
Log on to the VM console and run the following command: chkconfig auditd If the Audit Service is not in a running state, this is a finding. Also, if no logs are present in the "/var/log/secure" directory, this is a finding.
Audit logging is enabled by default within the HYCU VM console. If an administrator disabled it, reenable it by logging on to the HYCU VM console and running the following command: chkconfig auditd on Use the following command to review the logs: cat /var/log/secure | less Use the "/" character to search the log or timeframe for any undesired/unapproved changes.
Check the contents of the "/var/log/audit/audit.log" file. HYCU also maintains Event (Audit) information in the "HYCU Web UI Events" menu. Verify the audit log contains records for: - When (date and time) of events occurred - Where events occurred - The source of the event(s) - The outcome of the event(s) - The identity of any individual or process associated with the event(s) If the audit log is not configured or does not have required contents, this is a finding.
Log on to the HYCU VM console and load the STIG audit rules by using the following commands: 1. cp /usr/share/doc/audit/rules/10-base-config.rules /usr/share/doc/audit/rules/30-stig.rules /usr/share/doc/audit/rules/31-privileged.rules /usr/share/doc/audit/rules/99-finalize.rules /etc/audit/rules.d/ 2. augenrules --load
Check the contents of the "/var/log/audit/audit.log" file. HYCU also maintains Event (Audit) information in the "HYCU Web UI Events" menu. Verify the audit log contains records showing the identity of an individual or process associated with the event. If the audit log is not configured or does not have required contents, this is a finding.
Log on to the HYCU VM console and load the STIG audit rules by using the following commands. 1. cp /usr/share/doc/audit/rules/10-base-config.rules /usr/share/doc/audit/rules/30-stig.rules /usr/share/doc/audit/rules/31-privileged.rules /usr/share/doc/audit/rules/99-finalize.rules /etc/audit/rules.d/ 2. augenrules --load
Check the contents of the "/var/log/audit/audit.log" file. HYCU also maintains Event (Audit) information in the "HYCU Web UI Events" menu. Verify the audit log contains records showing full-text recording of privileged commands. If the audit log is not configured or does not have required contents, this is a finding.
Log on to the HYCU VM console and load the STIG audit rules by using the following commands. 1. cp /usr/share/doc/audit/rules/10-base-config.rules /usr/share/doc/audit/rules/30-stig.rules /usr/share/doc/audit/rules/31-privileged.rules /usr/share/doc/audit/rules/99-finalize.rules /etc/audit/rules.d/ 2. augenrules --load
The Grizzly logs and Web UI events capture these activities. Log on to the VM console and run the following command: chkconfig auditd If the Audit Service is not in a running state, this is a finding. Check the contents of the "/var/log/audit/audit.log" file. If the audit log does not have the required contents, this is a finding.
Audit logging is enabled by default within the HYCU VM console. If an administrator disabled it, reenable it by logging on to the HYCU VM console and running the following command: chkconfig auditd on Use the following command to review the logs: cat /var/log/secure | less Use the "/" character to search the log or timeframe for any undesired/unapproved changes. Log on to the HYCU VM console and load the STIG audit rules by using the following commands: 1. sudo cp /usr/share/audit/sample-rules/10-base-config.rules /usr/share/audit/sample-rules/30-stig.rules /usr/share/audit/sample-rules/31-privileged.rules /usr/share/audit/sample-rules/99-finalize.rules /etc/audit/rules.d/ 2. sudo augenrules --load
Log on to the HYCU VM console. To verify audit logs size is restricted, check for the value of the "max_log_file_action" option in "/etc/audit/auditd.conf" with the following command: sudo grep max_log_file_action /etc/audit/auditd.conf If the "max_log_file_action" value is not set to "ROTATION", this is a finding.
Configure the operating system to enforce log rotation and restrict log file size to an organization-defined value by editing "/etc/audit/auditd.conf" files using the following command: sudo vi /etc/audit/auditd.conf Add or modify the following lines to have the required value: max_log_file_action = ROTATION max_log_file = 6
Verify that HYCU is backing itself up by logging on to the HYCU Web UI and checking the HYCU Controller widget at the HYCU Dashboard. If the message "Controller VM is not protected" is found and highlighted with orange, this is a finding.
Log on to the HYCU Web UI, go to the "Virtual Machines" menu, and apply a backup policy to the HYCU Server to back it up. Any documentation/configuration files stored on the HYCU server will be backed up as a result.
Log on to the HYCU Web UI and review the Events menu and Email Notifications to verify that all appropriate/relevant audit failure events are included in the "Category" drop-down menu. If these events are not shown (reference a recent event capturing a login to HYCU for validation), this is a finding.
Log on to the HYCU Web UI and go to the "Events" menu and open "Email Notifications". Ensure that all the appropriate/relevant categories are selected and that the "Status" includes failures. Add a "Subject" for the Email Notifications and email address for necessary auditors or HYCU administrators.
HYCU is a VM that synchronizes time with the Nutanix or VMware platform as part of maintenance task using the "chronyd" daemon. To verify the service is up and running, execute the following command: systemctl status chronyd If service is not active (running), this is a finding.
Verify time synchronization by logging on to the HYCU console and executing the following command: sudo systemctl start chronyd Additional assistance can be found at: https://support.hycu.com/hc/en-us/articles/115005424345-HYCU-system-time
Verify the operating system audit records have proper permissions and ownership. Log on to the HYCU console and list the full permissions and ownership of the audit log files with the following command:
    # sudo ls -la /var/log/audit
    total 4512
    drwx------. 2 root root 23 Apr 25 16:53 .
    drwxr-xr-x. 17 root root 4096 Aug 9 13:09 ..
    -rw-------. 1 root root 8675309 Aug 9 12:54 audit.log
Audit logs must be mode 0600 or less permissive. If any are more permissive, this is a finding. The owner and group owner of all audit log files must both be "root". If any other owner or group owner is listed, this is a finding.
Change the mode of the audit log files with the following command: # chmod 0600 [audit_file] Change the owner and group owner of the audit log files with the following command: # chown root:root [audit_file]
Verify the operating system audit tools and config files have proper permissions and ownership. Log on to the HYCU console and list the full permissions and ownership of the audit folder with the following command:
    sudo ls -al /etc/audit
Folder and files must be owned by root and the following permissions must be set:
    drwxr-x---. 4 root root 126 Mar 15 10:16 .
    drwxr-xr-x. 106 root root 8192 May 6 13:58 ..
    -rw-r-----. 1 root root 751 Apr 24 2020 audisp-remote.conf
    -rw-r-----. 1 root root 856 Apr 24 2020 auditd.conf
    -rw-r-----. 1 root root 107 Feb 3 13:18 audit.rules
    -rw-r-----. 1 root root 127 Apr 24 2020 audit-stop.rules
    drwxr-x---. 2 root root 67 Mar 15 10:16 plugins.d
    drwxr-x---. 2 root root 25 Feb 3 13:13 rules.d
Audit files must be mode 0640 or less permissive. If any are more permissive, this is a finding. The owner and group owner of all audit files must both be "root". If any other owner or group owner is listed, this is a finding.
Change the mode of the audit log files with the following command: # chmod 0640 [audit_file] Change the owner and group owner of the audit files with the following command: # chown root:root [audit_file]
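"Mode 0600 or less permissive" is a bit-subset test, not a numeric comparison: mode 0477 is numerically smaller than 0600 yet grants group and world access. The following is an added example, not HYCU or DISA code, that applies the test from both permission checks above to every regular file under a directory; it assumes GNU stat (as on the CentOS 8 base the page mentions), and the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag audit files whose mode has any bit outside MAX_MODE
# or whose numeric owner:group differs from the expected one (default 0:0,
# that is root:root). Directories are skipped because they need the x bit.
# usage: audit_perm_findings DIR MAX_MODE [UID:GID]
audit_perm_findings() {
    [ -d "$1" ] || { printf 'FINDING: %s is not a directory\n' "$1"; return 1; }
    ap_max=$2
    ap_want=${3:-0:0}
    find "$1" -type f -exec stat -c '%a %u:%g %n' {} + |
    while read -r mode owner path; do
        # Bits set in the file mode that MAX_MODE does not allow.
        extra=$(( 0$mode & ~0$ap_max & 07777 ))
        if [ "$extra" -ne 0 ]; then
            printf 'FINDING: %s mode %04o is more permissive than %04o\n' \
                "$path" "0$mode" "0$ap_max"
        fi
        if [ "$owner" != "$ap_want" ]; then
            printf 'FINDING: %s owner:group is %s, expected %s\n' \
                "$path" "$owner" "$ap_want"
        fi
    done | sort
}

# Wrapper with a pass/fail exit status.
check_audit_perms() {
    ap_out=$(audit_perm_findings "$@")
    if [ -n "$ap_out" ]; then
        printf '%s\n' "$ap_out"
        return 1
    fi
    echo "OK: $1"
}

# Constructed sample directory: one compliant file, one group-readable
# file, and one file whose mode (0477) passes a naive "477 < 600" test.
make_sample_dir() {
    sd=$(mktemp -d) || return 1
    : > "$sd/audit.log";   chmod 0600 "$sd/audit.log"
    : > "$sd/audit.log.1"; chmod 0640 "$sd/audit.log.1"
    : > "$sd/audit.log.2"; chmod 0477 "$sd/audit.log.2"
    printf '%s\n' "$sd"
}

# Demo on the constructed directory, using its own owner as the expected
# owner so that only the mode findings are shown.
demo_dir=$(make_sample_dir)
check_audit_perms "$demo_dir" 0600 "$(stat -c '%u:%g' "$demo_dir")" || true
rm -rf "$demo_dir"
```

On the controller the two checks become sudo sh -c '. ./script.sh; check_audit_perms /var/log/audit 0600' and the same call with /etc/audit 0640, where script.sh is a placeholder for wherever the functions are saved.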
Verify that the HYCU device is running a supported version. In the HYCU Web UI, click the question mark icon in the right corner of the top bar >> About. The About menu shows the running version of HYCU. If the HYCU version is not on the list of supported versions, as specified in the End-of-Life Milestones and Dates, this is a finding. Note: The HYCU support portal specifies the HYCU end of life policies. Visit https://www.hycu.com/wp-content/uploads/2017/03/HYCU-EOL-policy-Milestones-and-Dates.pdf to determine if the system is utilizing a supported version.
Upgrade to the supported HYCU version by following the upgrade section of the user manual.
Log on to HYCU's Web UI and verify that a backup policy, with "Backup Every" setting set to seven days or less, has been applied to the HYCU Controller VM. Navigate to the "Virtual Machines" menu, and in the table list of Virtual Machines, identify the assigned policy in the "Policy" column of the "HYCU VM" row. Navigate to the "Policy" menu, left-click the assigned policy, and review "Detailed view". Verify "Backup Every" setting is set to seven days or less. If "Policy" is not assigned to the HYCU Controller VM or assigned policy has "Backup Every" setting set to more than seven days, this is a finding. Verify HYCU Controller VM backups are successful and are taken every seven days or less. Navigate to the "Virtual Machines" menu and left-click "HYCU Controller VM" to reveal all the existing backups (restore points). Verify dates between restore points are no longer than seven days. If the HYCU Controller VM does not have any restore points visible, or if time between restore points is more than seven days, this is a finding.
Log on to the HYCU Web UI. Under the "Policies" menu, create a new Policy with "Backup Every" setting set to seven days or less. Assign this policy to the HYCU Controller VM from the "Virtual Machines" menu by left-clicking the HYCU controller VM, and then the "Policies" icon (top right), and then selecting the configured policy and left-clicking "Assign".
Open a new HYCU Web UI browser tab and verify there is no warning prompt before proceeding to the Web UI logon page. If a warning appears in the web browser stating "Not secure", this is a finding.
Log on to the HYCU Web UI and generate a CSR within the gear menu and "SSL Certificates" menu. Submit this CSR to a DoD PKI authority to have a new certificate created. Note: By default, HYCU is configured with a self-signed certificate, but this can be replaced with a DoD-issued certificate. This certificate can be configured by logging on to the HYCU Web UI, going to the gear menu and "SSL Certificates" menu, and importing the DoD-issued certificate.
The HYCU firewall is, by default, locked and enabled. Only the required/necessary services and ports are running on the HYCU Server. Verify the firewall is running by executing the following command: sudo firewall-cmd --state If the service is not running, this is a finding. Determine which services and ports are open by executing the following command: sudo firewall-cmd --list-all Output should show following two lines: 'services: cockpit dhcpv6-client iscsi-target samba ssh' 'ports: 8443/tcp' If more services than these are open, this is a finding.
Enable the firewall by logging on to the HYCU console and executing the following commands: sudo systemctl enable firewalld sudo systemctl start firewalld
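The firewall check above (which appears twice on this page) asks the reviewer to compare "firewall-cmd --list-all" output with a fixed baseline by eye. The following is an added example, not HYCU or DISA code, that does the comparison and prints only the entries outside the baseline; it also flags extra ports, and the function names and sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare `firewall-cmd --list-all` output with the baseline
# quoted in the check text.
ALLOWED_SERVICES="cockpit dhcpv6-client iscsi-target samba ssh"
ALLOWED_PORTS="8443/tcp"

# Reads `firewall-cmd --list-all` text on stdin and prints one line per
# entry that is not in the baseline, e.g. "service http" or "port 22/tcp".
# Only the "services:" and "ports:" fields are inspected; "source-ports:"
# and "forward-ports:" have a different first field and are not matched.
firewall_extras() {
    awk -v svc="$ALLOWED_SERVICES" -v prt="$ALLOWED_PORTS" '
        BEGIN {
            n = split(svc, a, " ")
            for (i = 1; i <= n; i++) ok["service " a[i]] = 1
            n = split(prt, a, " ")
            for (i = 1; i <= n; i++) ok["port " a[i]] = 1
        }
        $1 == "services:" { kind = "service" }
        $1 == "ports:"    { kind = "port" }
        $1 == "services:" || $1 == "ports:" {
            for (i = 2; i <= NF; i++)
                if (!((kind " " $i) in ok)) print kind, $i
        }
    '
}

# Wrapper with a pass/fail exit status.
check_firewall() {
    fw_extras=$(firewall_extras)
    if [ -n "$fw_extras" ]; then
        printf '%s\n' "$fw_extras" | sed 's/^/FINDING: unexpected /'
        return 1
    fi
    echo "OK: only baseline services and ports are open"
}

# Constructed sample output (not captured from a real HYCU controller).
SAMPLE_FW_BASELINE='public (active)
  target: default
  interfaces: eth0
  services: cockpit dhcpv6-client iscsi-target samba ssh
  ports: 8443/tcp
  forward-ports:
  source-ports:'

# Constructed sample with one extra service and one extra port.
SAMPLE_FW_DRIFT='public (active)
  target: default
  interfaces: eth0
  services: cockpit dhcpv6-client http iscsi-target samba ssh
  ports: 8443/tcp 9090/tcp
  forward-ports:
  source-ports:'

printf '%s\n' "$SAMPLE_FW_DRIFT" | check_firewall || true
```

On the controller: sudo firewall-cmd --list-all | check_firewall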
The use of SSH-2 protocol for network/remote access prevents replay attacks. The SSH-2 protocol is the standard for the SSH daemon in CentOS 8 used by HYCU. To determine the SSH version in use, log on to the HYCU console and execute the following command: ssh -v localhost If the output does not show remote protocol version 2.0 in use, this is a finding. HYCU web access uses TLS, which addresses this threat. HYCU web access cannot be configured not to use TLS.
Log on to the HYCU console and configure SSH to use the SSH-2 protocol by editing the Protocol variable in the file "/etc/ssh/sshd_config".
HYCU is a VM that synchronizes time with the Nutanix or VMware platform as part of the maintenance task using the "chronyd" daemon. To verify the service is synchronizing the NTP servers from Nutanix as part of maintenance task, log on to the HYCU console and edit the "/etc/chrony.conf" configuration file by executing the following command: sudo vi /etc/chrony.conf Change the last line in the file showing the value of server variable to an incorrect IP and save the file (:wq!). Trigger the maintenance task by restarting HYCU services with the following command: sudo systemctl restart grizzly If the value of the server variable inside the "/etc/chrony.conf" file is not fixed to match Nutanix NTP servers, this is a finding.
Enable synchronization by logging on to the HYCU console and executing the following command: sudo systemctl start chronyd
Log on to the HYCU VM console. Check for the value of the "minlen" option in "/etc/security/pwquality.conf" with the following command: grep minclass /etc/security/pwquality.conf If the minclass value is not set to "5", this is a finding.
Configure the operating system to enforce a minimum class setting. Add the following line to "/etc/security/pwquality.conf" (or modify the line to have the required value): minclass = 5
Check for the value of the "minlen" option in "/etc/security/pwquality.conf" with the following command. grep minlen /etc/security/pwquality.conf If the minlen value is not set to "15", this is a finding.
Configure the operating system to enforce a minimum class setting. Add the following line to "/etc/security/pwquality.conf" (or modify the line to have the required value). minlen = 15
Log on to the HYCU VM console. Check for the value of the "minclass" option in "/etc/security/pwquality.conf" with the following command: grep mincla /etc/security/pwquality.conf If the minclass value is not set to "5", this is a finding.
Configure the operating system to enforce a minimum class setting. Add the following line to "/etc/security/pwquality.conf" (or modify the line to have the required value). minclass = 5
Log on to the HYCU VM console. Log on to the HYCU Web UI with the following default credentials: Username: "hycu" Password: "hycu/4u" Log on to the HYCU Web UI with the following default credentials: Username: "admin" Password: "admin" If the logon with either of the default credentials is successful, this is a finding.
Log on to the HYCU VM console with the following username and password: Username: "hycu" Password: "hycu/4u" Run the passwd command to change the default password. In the HYCU Web UI, log on and change the password by selecting the Admin account in the upper-right corner and changing the password. You will be logged off and prompted to log on with the updated credentials.
Log on to the HYCU VM console and run the following command: grep Defaults /etc/sudoers Verify the "Defaults" value is set to "env_reset,timestamp_timeout=0". If the "Defaults" value is not set to "env_reset,timestamp_timeout=0", this is a finding.
Log on to the HYCU VM console and run the following command: grep Defaults /etc/sudoers Verify the "Defaults" value is set to "env_reset,timestamp_timeout=0". If it is not set, run sudo vi /etc/sudoers and configure the timeout value to "0" by adding/editing the following line into the file and saving it: Defaults env_reset,timestamp_timeout=0
When FIPS mode is enabled, the HYCU application will use FIPS-compliant behavior. Validation of FIPS status can be done using the following commands: 'cat /proc/sys/crypto/fips_enabled' If command output does not show "1", this is a finding. 'fips-mode-setup --check' If command output does not show "FIPS mode is enabled", this is a finding. 'update-crypto-policies --show' If command output does not show "FIPS", this is a finding.
Stop the HYCU web server: sudo systemctl stop grizzly.service Enable FIPS-compliant mode: sudo /opt/grizzly/bin/enable_fips.sh Reboot the HYCU virtual machines: shutdown -r now
Log on to the HYCU VM console. For console connections, check for the value of the "TMOUT" option in "/home/hycu/.bashrc" with the following command: grep TMOUT /home/hycu/.bashrc If the "TMOUT" value is not set to 900 or less, this is a finding. For SSH connections, check for the value of the "ClientAliveInterval" option in "/etc/ssh/sshd_config" with the following command: grep ClientAliveInterval /etc/ssh/sshd_config If the "ClientAliveInterval" value is not set to 15 or less, this is a finding. For UI connections, run the following command to check configured HYCU session timeout: cat /opt/grizzly/config.properties | grep api.session.expiration.minutes If not configured at "15" or less, this is a finding.
Configure the operating system to enforce timeout settings. Add the following line to "/home/hycu/.bashrc" (or modify the line to have the required value): TMOUT=900 Add the following line to "/etc/ssh/sshd_config" (or modify the line to have the required value): ClientAliveInterval 900 Edit the "/opt/grizzly/config.properties" file by running: sudo vi /opt/grizzly/config.properties Add the following line or modify the line to have the required value: api.session.expiration.minutes=15 Save the file by typing: :wq!
When FIPS mode is enabled, HYCU will use FIPS-compliant behavior. Validation of FIPS status can be done using the following commands: 'cat /proc/sys/crypto/fips_enabled' If command output does not show "1", this is a finding. 'fips-mode-setup --check' If command output does not show "FIPS mode is enabled", this is a finding. 'update-crypto-policies --show' If command output does not show "FIPS", this is a finding.
Stop the HYCU web server: sudo systemctl stop grizzly.service Enable FIPS-compliant mode: sudo /opt/grizzly/bin/enable_fips.sh Reboot the HYCU virtual machines: shutdown -r now
Log on to the HYCU Web UI and verify that an SMTP server is configured under the gear menu and SMTP Server Settings. Verify that Email Notifications have been enabled to send predetermined alerts to an ISSO and/or HYCU Admin. Verify that HYCU VM logs are being sent to a central logging server by way of a mechanism that is specific to the customer's central logging server. If Auditors and Security Ops teams are not receiving email notifications or logs from HYCU, this is a finding.
Log on to the HYCU Web UI and verify that an SMTP server is configured under the gear menu and "SMTP Server Settings". Within the "Events" menu, click on the email notifications button and configure the items to be sent in an email notification. Ensure the correct email address is used for the individual(s) who will need to receive the notifications. To ship/send logs from the HYCU VM to a central logging server (e.g., Splunk, SolarWinds), engage with the log server vendor and HYCU Support. In the absence of another third-party solution, consider setting up an Rsyslog server and making HYCU a client. To configure an Rsyslog client:
    # in addition to existing settings (output to local log files),
    # send logs to remote host, too
    [root@hycuserver ~]# vi /etc/rsyslog.conf
    # add to the end
    action(type="omfwd" queue.filename="fwdRule_customerloggingservername.local" queue.maxdiskspace="1g" queue.saveonshutdown="on" queue.type="LinkedList" action.resumeRetryCount="-1" Target="fwdRule_customerloggingservername.local" Port="514" Protocol="tcp")
    # for the case to send specific facility logs
    # for example, set [authpriv]
    [root@hycuserver ~]# vi /etc/rsyslog.conf
    # comment out existing line if you do not want to output to local filesystem
    #authpriv.* /var/log/secure
    authpriv.* action(type="omfwd" queue.filename="fwdRule_fwdRule_customerloggingservername.local" queue.maxdiskspace="1g" queue.saveonshutdown="on" queue.type="LinkedList" action.resumeRetryCount="-1" Target="fwdRule_customerloggingservername.local" Port="514" Protocol="tcp")
    [root@hycuserver ~]# systemctl restart rsyslog