Nexpose. Hardening Guide. Product version: 6.0

Similar documents
Appliance Guide. Version 1.0

Clearswift SECURE Gateway Installation & Getting Started Guide. Version Document Revision 1.0

Unit 2: Manage Files Graphically with Nautilus Objective: Manage files graphically and access remote systems with Nautilus

SECURE Gateway with Microsoft Azure Installation Guide. Version Document Revision 1.0

NeXpose Software Installation Guide

Clearswift SECURE Gateway Installation & Getting Started Guide. Version Document Revision 1.0

Installation & Getting Started Guide. Version Document Revision 1.0

Passwords Overview. Set up Initial Address 2 Setup Forgotten Password/Change Your Password 4 Direct Access (DA) Self Service Password Reset 6

Clearswift SECURE Gateway Installation & Getting Started Guide. Version Document Revision 1.0

Symantec Encryption (PGP) Installation Guide

Setting Up the Sensor

Clearswift SECURE ICAP Gateway Installation & Getting Started Guide. Version Document Revision 1.0

DUAL OS INSTALLATION

Clearswift SECURE Gateway Installation & Getting Started Guide. Version Document Revision 1.0

Installation & Getting Started Guide. Version Document Revision 1.0

Course 55187B Linux System Administration

epldt Web Builder Security March 2017

Operating system hardening

Linux+ Guide to Linux Certification, Third Edition. Chapter 2 Linux Installation and Usage

Exam LFCS/Course 55187B Linux System Administration

At course completion. Overview. Audience profile. Course Outline. : 55187B: Linux System Administration. Course Outline :: 55187B::

"Charting the Course... MOC B: Linux System Administration. Course Summary

Clearswift SECURE Gateway Installation & Getting Started Guide. Version 4.3 Document Revision 1.0

CIS 191A Final Exam. Fall CIS 191 Final Exam

Performing Administrative Tasks

Veritas NetBackup Appliance Security Guide

SYMANTEC DATA CENTER SECURITY

Welcome to the Contra Costa Community College District and InSite

Clearswift SECURE Exchange Gateway Installation & Getting Started Guide. Version Document Revision 1.0

Contents. Is Rumpus Secure? 2. Use Care When Creating User Accounts 2. Managing Passwords 3. Watch Out For Symbolic Links 4. Deploy A Firewall 5

Veritas NetBackup Appliance Security Guide

Installation Manual InfraManage.NET Installation Instructions for Ubuntu

MU2b Authentication, Authorization and Accounting Questions Set 2

SysadminSG RHCSA Study Guide

Objectives. Classes of threats to networks. Network Security. Common types of network attack. Mitigation techniques to protect against threats

Linux Systems Security. Security Design NETS Fall 2016

Acronis Backup & Recovery 11.5

Chapter 4. Network Security. Part II

Ubuntu Manual Disk Partitioning Guide

Installation of Fedora 12 with CD

VMware Horizon Workspace Security Features WHITE PAPER

vcenter CapacityIQ Installation Guide

Fair Isaac Product Name User s Guide ENHANCEMENT NOTIFICATION Fair Isaac LenStar. Security Requirements

UBUNTU OPENSTACK. Ubuntu Server Administration Training

McAfee Web Gateway

User guide NotifySCM Installer

Configuring Vulnerability Assessment Devices

VIGIL Server Recovery User Guide

Cisco CSPC 2.7x. Configure CSPC Appliance via CLI. Feb 2018

Release Notes for Snare Server v6 Release Notes for Snare Server v6

Installation & Getting Started Guide. Version Document Revision 1.0

IBM Security QRadar SIEM Version 7.2. Installation Guide

Creating an Adobe Connect Presentation: Using Your Personal Computer to Record and Publish

CIT 480: Securing Computer Systems

CS 356 Operating System Security. Fall 2013

macos Security Checklist:

Computer Forensics: Investigating File and Operating Systems, Wireless Networks, and Storage, 2nd Edition. Chapter 7 Application Password Crackers

Acronis Backup Version 11.5 Update 6 INSTALLATION GUIDE. For Linux Server APPLIES TO THE FOLLOWING PRODUCTS

Juniper Secure Analytics Patch Release Notes

(Ubuntu 10.04), the installation command is slightly different.

Clearswift SECURE Exchange Gateway Installation & Getting Started Guide. Version Document Revision 1.0

Dell EMC Avamar Virtual Edition for Azure


Endpoint Security Full Disk Encryption for Mac 3.1 Release Notes

PMAPS WebPro Installed Technical Requirements Checklist

DoS Attacks Malicious Code Attacks Device Hardening Social Engineering The Network Security Wheel

MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration. Chapter 2 Installing Windows Server 2008

PASSWORDS & ENCRYPTION

Dell EMC Avamar Virtual Edition for OpenStack KVM

Veritas System Recovery 18 Linux Edition: Quick Installation Guide

PASS4TEST. IT Certification Guaranteed, The Easy Way! We offer free update service for one year

Booting a Galaxy Instance

Ubuntu installation alongside windows 8/8.1 and 10

2016 OPSWAT, Inc. All rights reserved. OPSWAT, MetadefenderTM and the OPSWAT logo are trademarks of OPSWAT, Inc.All other trademarks, trade names,

IT Service Delivery and Support Week Three. IT Auditing and Cyber Security Fall 2016 Instructor: Liang Yao

Oracle Linux 7: System Administration Ed 2 Duration: 5 Days

Ubuntu - How to Create Software RAID 1 in Ubuntu Linux - Tutorial

QuickStart Guide for Managing Computers. Version 9.73

SUREedge MIGRATOR INSTALLATION GUIDE FOR VMWARE

Operating Systems Linux 1-2 Measurements Background material

MARCH NETWORKS PRODUCT HARDENING GUIDE

QuickStart Guide for Managing Computers. Version 9.32

Critical Analysis and last hour guide for RHCSA/RHCE Enterprise 7

FastTrack to Red Hat Linux System Administrator Course Overview

Clearswift SECURE Exchange Gateway Installation & Getting Started Guide. Version Document Revision 1.0

RSA Authentication Manager 8.0 Security Configuration Guide

BIG-IP System: Migrating Devices and Configurations Between Different Platforms. Version

How to Secure SSH with Google Two-Factor Authentication

SonarVision Enterprise Security Primer

WLM1200-RMTS User s Guide

Landlord Tutorial: Property Database

Amalgamated Investment Management (AIM) User Manual

Tanium Appliance Installation Guide

SUREedge MIGRATOR INSTALLATION GUIDE FOR HYPERV

WEB HOSTING SERVICE OPERATING PROCEDURES AND PROCESSES UNIVERSITY COMPUTER CENTER UNIVERSITY OF THE PHILIPPINES DILIMAN

Client Portal User Guide

Defense-in-Depth Against Malicious Software. Speaker name Title Group Microsoft Corporation

QuickStart Guide for Managing Computers. Version

SUREedge MIGRATOR INSTALLATION GUIDE FOR NUTANIX ACROPOLIS

16/24/48-Port 10/100/1000T + 2/4-Port 100/1000X SFP Managed Switch GS T2S/GS T2S/GS T4S. Quick Installation Guide

Transcription:

Nexpose Hardening Guide Product version: 6.0

Table of contents Table of contents 2 Revision history 3 File System 4 Installation 5 Configuration 6 Users 6 Services 6 Kernel Settings 6 CIS Benchmarks 8 Not Configured 8 Customer Configured 8 Updates 10 Offline Updates 11 Table of contents 2

Revision history Copyright 2015 Rapid7, LLC. Boston, Massachusetts, USA. All rights reserved. Rapid7 and Nexpose are trademarks of Rapid7, Inc. Other names appearing in this content may be trademarks of their respective owners.copyright 2015 Symantec Corporation. All rights reserved. For internal use only. Revision date November 30, 2015 Created document. Description Revision history 3

File System The Rapid7 appliance file system consists of a bootable ext3 partition and an LVM volume. The LVM volume contains the root partition / and a LUKS encrypted /opt partition that contains all the Nexpose data. File System 4

Installation The Rapid7 appliance base OS is a minimal install of Ubuntu 14.04. A minimal install provides the following benefits: Approximately 270 packages, where a full server install typically consists of over 750 package Reduced attack surface (i.e. fewer packages to exploit) Faster patching (meaning fewer packages to upgrade) Improved performance (fewer services for the OS to manage) Installation 5

Configuration Users The Rapid7 appliance is only configured with a single user account. The username is administrator and the default password is rapid7. The default password will expire by default upon first login. The user will then be required to set a complex password. The password must be more than 8 characters and include at least three of the four options below: At least one uppercase letter At least one lowercase letter At least one number At least one special character (!@#$%^&*()) The new password cannot be a simple dictionary word. Note: The root account has no password set to allow password recovery via single-user mode. Also, Rapid7 does not provide any other method for password recovery other than booting to single-user mode. Therefore, if a root password is set and subsequently forgotten, there is no way to recover the password. Services The Rapid7 appliance is configured with only 2 services that listen on the network. Nexpose: Listens for HTTPS requests on port 3780 SSH: Listens for connections on port 22 Kernel Settings The Rapid7 appliance configures several kernel parameter via sysctl settings. The following files configure specific sysctl settings. Configuration 6

60-r7-cis.conf: CIS Benchmark specific settings 60-r7-nexpose.conf: Nexpose specific optimizations 60-r7-security.conf: Security settings not covered by CIS Benchmarks For more details, see the corresponding 60-r7-*.conf file in the /etc/sysctl.d/ folder on the appliance. Kernel Settings 7

CIS Benchmarks The Rapid7 appliance includes most of the CIS Benchmarks for Ubuntu 14.04. For more details, see the CIS Ubuntu 14.04 LTS Server Benchmark. See /root/cisbenchmark.log on the appliance for more details about which CIS benchmarks are configured. Not Configured Some of the CIS benchmarks were not implemented by default. The reason why some CIS benchmarks were not implemented varies depending on the benchmark. Some reasons include: Reduced functionality: Some recommended CIS benchmarks make remote management difficult For example, setting a boot password for grub. This would require a user to have physical access to the appliance and enter the password at the boot prompt. Unnecessary complexity: Some recommended CIS benchmarks for the file system introduce unnecessary complexity For example, creating separate partitions for /var, /var/log, and /home. There is only one user configured on the appliance and Nexpose saves all logs to the /opt partition. Impact Nexpose functionality: Some recommended CIS benchmarks may reduce or break Nexpose functionality For example, it is NOT recommended to run AppArmor or AIDE. It is also NOT recommended to run restrictive firewall rules as they can negatively impact scan performance. Customer Configured Some CIS benchmarks must be configured by the end user in accordance with their organization's security policies. It is recommended that customers configure the following services in accordance with their organization's security policies. SSH for remote management rsyslog for remote logging logrotate for log rotation auditd for auditing CIS Benchmarks 8

It is also recommended that customers configure password policies in accordance with their organization's security policies Customer Configured 9

Updates The Rapid7 appliance is shipped with all the latest Ubuntu 14.04 updates. All Ubuntu update repositories remain intact. Customers are responsible for applying all future Ubuntu updates. A script is included on the appliance to facilitate unattended updates. Run /root/postinstall/tools/updateappliance.sh to apply Ubuntu updates. Automatic Updates The Rapid7 appliance can be configured to perform automatic updates of the Ubuntu OS. See etc/apt/apt.conf.d/30r7applaptupdate for more details. Updates 10

Offline Updates The Rapid7 appliance supports performing offline OS updates in accordance with Ubuntu's recommendations. See Ubuntu's AptGet/Offline/Repository page for complete details on offline updates. Offline Updates 11

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback