Skip navigation
All Places > Products > RSA NetWitness Platform > Blog > 2016 > April > 21

I had a question about how to disable root login on Security Analytics for SSH.

 

Note before proceeding, make sure that you have IDrac access set up to your appliances. Although I have tested this script and found it working in my test environment, this does have the potential to lock you out of your appliances. Please take necessary precautions to prevent this....

 

You may also wish to explore STIG hardening Configure DISA STIG Hardening - RSA Security Analytics Documentation

 

The steps to do this are widely available and an example is

How do I disable SSH login for the root user? - Media Temple

 

This article will demonstrate how we implement these steps in puppet so that they will automatically be propagated through the Security Analytics Deployment.

  1. Changes to SSH Config are made in the file /etc/puppet/modules/ssh/manifests/init.pp on the SA Server.
  2. Make a backup of this file and copy it to a different directory
  3. Replace the existing /etc/puppet/modules/ssh/manifests/init.pp with the one attached. It contains the following content. Make sure that you amend the password for your emergencyroot user.

 

The changes will then be propagated throughout the deployment on the next Puppet run so could take up to 30 minutes to take effect.

 

class ssh {
  service { 'sshd':
    enable      =>  true,
    ensure      =>  running,
  }


    exec { 'fix-ssh':
      #path        => ["/bin", "/usr/bin"],
      command     => "/etc/puppet/scripts/sshdcnf.py",
    }
    augeas { "sshd_config_X11Forwarding":
       context => "/files/etc/ssh/sshd_config",
       changes => "set X11Forwarding no",
    }


# Fixes to disable root login and to create an Emergency Root User


group { 'emergencyroot' :
        ensure          => 'present',
  gid             => '10018',
        }


user { 'emergencyroot' :
        ensure          => 'present',
        home            => '/home/emergencyroot',
        gid             => '10018',
        password        => 'myverysecurepassword',
        uid             => '10018',
        shell           => '/bin/bash',
}


augeas { "Disable_Root_Login":
       context => "/files/etc/ssh/sshd_config",
       changes => "set PermitRootLogin no",
       notify    =>  Service['sshd']


    }


augeas { "sudo-emergencyroot":
  context => "/files/etc/sudoers",
  changes => [
    "set spec[user = 'emergencyroot']/user emergencyroot",
    "set spec[user = 'emergencyroot']/host_group/host ALL",
    "set spec[user = 'emergencyroot']/host_group/command ALL",
    "set spec[user = 'emergencyroot']/host_group/command/runas_user ALL",
  ],
 notify    =>  Service['sshd']
}
 file { '/etc/ssh/sshd_config':
      ensure    =>  present,
      owner     =>  'root',
      group     =>  'root',
      mode      =>  600,
      #source    =>  'puppet:///modules/ssh/sshd_config',
      notify    =>  Service['sshd']
  }


}

Filter Blog

By date: By tag: