How to disable root login to SSH on RSA Security Analytics

Blog Post created by David Waugh

on Apr 21, 2016

Like • Show 3 Likes3
Comment • 1

I had a question about how to disable root login on Security Analytics for SSH.

Note before proceeding, make sure that you have IDrac access set up to your appliances. Although I have tested this script and found it working in my test environment, this does have the potential to lock you out of your appliances. Please take necessary precautions to prevent this....

You may also wish to explore STIG hardening Configure DISA STIG Hardening - RSA Security Analytics Documentation

The steps to do this are widely available and an example is

How do I disable SSH login for the root user? - Media Temple

This article will demonstrate how we implement these steps in puppet so that they will automatically be propagated through the Security Analytics Deployment.

Changes to SSH Config are made in the file /etc/puppet/modules/ssh/manifests/init.pp on the SA Server.
Make a backup of this file and copy it to a different directory
Replace the existing /etc/puppet/modules/ssh/manifests/init.pp with the one attached. It contains the following content. Make sure that you amend the password for your emergencyroot user.

The changes will then be propagated throughout the deployment on the next Puppet run so could take up to 30 minutes to take effect.

class ssh {
  service { 'sshd':
    enable      =>  true,
    ensure      =>  running,
  }


    exec { 'fix-ssh':
      #path        => ["/bin", "/usr/bin"],
      command     => "/etc/puppet/scripts/sshdcnf.py",
    }
    augeas { "sshd_config_X11Forwarding":
       context => "/files/etc/ssh/sshd_config",
       changes => "set X11Forwarding no",
    }


# Fixes to disable root login and to create an Emergency Root User


group { 'emergencyroot' :
        ensure          => 'present',
  gid             => '10018',
        }


user { 'emergencyroot' :
        ensure          => 'present',
        home            => '/home/emergencyroot',
        gid             => '10018',
        password        => 'myverysecurepassword',
        uid             => '10018',
        shell           => '/bin/bash',
}


augeas { "Disable_Root_Login":
       context => "/files/etc/ssh/sshd_config",
       changes => "set PermitRootLogin no",
       notify    =>  Service['sshd']


    }


augeas { "sudo-emergencyroot":
  context => "/files/etc/sudoers",
  changes => [
    "set spec[user = 'emergencyroot']/user emergencyroot",
    "set spec[user = 'emergencyroot']/host_group/host ALL",
    "set spec[user = 'emergencyroot']/host_group/command ALL",
    "set spec[user = 'emergencyroot']/host_group/command/runas_user ALL",
  ],
 notify    =>  Service['sshd']
}
 file { '/etc/ssh/sshd_config':
      ensure    =>  present,
      owner     =>  'root',
      group     =>  'root',
      mode      =>  600,
      #source    =>  'puppet:///modules/ssh/sshd_config',
      notify    =>  Service['sshd']
  }


}

Attachments

init.pp.zip684 bytes

Outcomes

1 Comment

David Waugh Apr 21, 2016 1:06 PM
Note I've noticed that this overwrites the normal sshd_config on a log collector where we upload files over sshd.

The following is removed:

# SFTP server settings added for NwLogCollector
StrictModes no
Subsystem sftp internal-sftp
Match User sftp
    AllowTCPForwarding no
    PasswordAuthentication no
    X11Forwarding no
    ForceCommand internal-sftp
    ChrootDirectory /var/netwitness/logcollector
Match Group uploads
    ChrootDirectory /var/netwitness/logcollector/upload_chroot
    X11Forwarding no
    AllowTcpForwarding no
    PasswordAuthentication no

I fixed this and correct it above.
2 people found this helpful
Like • Show 1 Like1
Actions