I had a question about how to disable root login on Security Analytics for SSH.
Note: before proceeding, make sure that you have iDRAC (out-of-band console) access set up to your appliances. Although I have tested this script and found it working in my test environment, it does have the potential to lock you out of your appliances, so take the necessary precautions before rolling it out.
You may also wish to explore STIG hardening: Configure DISA STIG Hardening - RSA Security Analytics Documentation
The steps to do this are widely available; one example is
How do I disable SSH login for the root user? - Media Temple
This article demonstrates how we implement these steps in Puppet so that they are automatically propagated through the Security Analytics deployment.
- Changes to the SSH configuration are made in the file /etc/puppet/modules/ssh/manifests/init.pp on the SA Server.
- Make a backup of this file and copy it to a different directory.
- Replace the existing /etc/puppet/modules/ssh/manifests/init.pp with the one attached. It contains the content shown below. Make sure that you amend the password for your emergencyroot user: Puppet writes the `password` value straight into /etc/shadow, so it must be a password hash (for example a SHA-512 crypt string starting with `$6$`), not the cleartext; a cleartext value there leaves the account unable to log in, which defeats the purpose of an emergency account.
The changes will then be propagated throughout the deployment on the next Puppet run, so they could take up to 30 minutes to take effect.
```puppet
class ssh {

  service { 'sshd':
    enable => true,
    ensure => running,
  }

  exec { 'fix-ssh':
    #path    => ["/bin", "/usr/bin"],
    command => "/etc/puppet/scripts/sshdcnf.py",
  }

  augeas { "sshd_config_X11Forwarding":
    context => "/files/etc/ssh/sshd_config",
    changes => "set X11Forwarding no",
  }

  # Fixes to disable root login and to create an Emergency Root User
  group { 'emergencyroot':
    ensure => 'present',
    gid    => '10018',
  }

  user { 'emergencyroot':
    ensure     => 'present',
    home       => '/home/emergencyroot',
    managehome => true,   # create the home directory (not in the original manifest)
    gid        => '10018',
    # Puppet writes this value into /etc/shadow as-is, so it must be a
    # password hash (e.g. a SHA-512 crypt string starting with $6$), not cleartext.
    password   => 'myverysecurepassword',
    uid        => '10018',
    shell      => '/bin/bash',
  }

  augeas { "Disable_Root_Login":
    context => "/files/etc/ssh/sshd_config",
    changes => "set PermitRootLogin no",
    notify  => Service['sshd'],
  }

  # Give emergencyroot full sudo: ALL hosts, ALL commands, run as ALL users.
  # sudo re-reads /etc/sudoers on every invocation, so no service restart is needed.
  augeas { "sudo-emergencyroot":
    context => "/files/etc/sudoers",
    changes => [
      "set spec[user = 'emergencyroot']/user emergencyroot",
      "set spec[user = 'emergencyroot']/host_group/host ALL",
      "set spec[user = 'emergencyroot']/host_group/command ALL",
      "set spec[user = 'emergencyroot']/host_group/command/runas_user ALL",
    ],
  }

  file { '/etc/ssh/sshd_config':
    ensure => present,
    owner  => 'root',
    group  => 'root',
    mode   => '0600',
    # Deliberately not sourcing a static sshd_config from the module: doing so
    # overwrites the NwLogCollector SFTP settings on a log collector.
    #source => 'puppet:///modules/ssh/sshd_config',
    notify => Service['sshd'],
  }
}
```
Note: I noticed that this overwrites the normal sshd_config on a log collector, where we upload files over sshd.
The following is removed:
```
# SFTP server settings added for NwLogCollector
StrictModes no
Subsystem sftp internal-sftp
Match User sftp
    AllowTCPForwarding no
    PasswordAuthentication no
    X11Forwarding no
    ForceCommand internal-sftp
    ChrootDirectory /var/netwitness/logcollector
Match Group uploads
    ChrootDirectory /var/netwitness/logcollector/upload_chroot
    X11Forwarding no
    AllowTcpForwarding no
    PasswordAuthentication no
```
I have fixed this and corrected it above.
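Two things are worth verifying on each appliance after the Puppet run: that `PermitRootLogin no` landed in the global section of sshd_config, and that a log collector still has its NwLogCollector SFTP Match blocks. The first matters because Augeas `set` creates a missing node at the end of the file; on a host whose sshd_config ends with Match blocks (the stock file ships with PermitRootLogin commented out, so the node usually does not exist yet), the directive can end up after the last `Match` line, where sshd scopes it to that Match block only (or rejects it on older sshd versions) and root login stays open. The script below is an added example written for this page, not part of Security Analytics or the attached manifest. It parses sshd_config section by section the way sshd does (first value wins, keywords case-insensitive) and reports both problems; the two embedded configs are constructed samples, one correct and one showing the misplaced directive.

```python
"""Check an SA appliance's sshd_config after the Puppet run (added example)."""
import re
import sys

# Constructed sample: a log collector after a correct run. PermitRootLogin is in
# the global section and the NwLogCollector SFTP Match blocks are intact.
GOOD_CONFIG = """\
Protocol 2
X11Forwarding no
PermitRootLogin no
# SFTP server settings added for NwLogCollector
StrictModes no
Subsystem sftp internal-sftp
Match User sftp
    AllowTCPForwarding no
    PasswordAuthentication no
    X11Forwarding no
    ForceCommand internal-sftp
    ChrootDirectory /var/netwitness/logcollector
Match Group uploads
    ChrootDirectory /var/netwitness/logcollector/upload_chroot
    X11Forwarding no
    AllowTcpForwarding no
    PasswordAuthentication no
"""

# Constructed sample of the failure mode: the directive was appended after the
# last Match block, so it only applies to group "uploads", and the "User sftp"
# block is gone, so uploads over SFTP would break.
BAD_CONFIG = """\
Protocol 2
Subsystem sftp internal-sftp
Match Group uploads
    ChrootDirectory /var/netwitness/logcollector/upload_chroot
    PasswordAuthentication no
PermitRootLogin no
"""


def parse_sshd_config(text):
    """Split sshd_config into (global_options, [(match_criteria, options), ...]).

    Keywords are lower-cased because sshd matches them case-insensitively, and
    only the first occurrence of a keyword in a section is kept, as sshd does.
    """
    global_opts = {}
    matches = []
    current = global_opts
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # "Key value" or "Key=value"
        key = parts[0].lower()
        value = parts[1] if len(parts) > 1 else ""
        if key == "match":
            current = {}                 # everything that follows belongs to this block
            matches.append((value, current))
            continue
        current.setdefault(key, value)
    return global_opts, matches


def root_login_disabled(text):
    """True only when PermitRootLogin no is set in the global section."""
    global_opts, _ = parse_sshd_config(text)
    return global_opts.get("permitrootlogin", "").lower() == "no"


def misplaced_root_login(text):
    """Match criteria whose block carries PermitRootLogin, i.e. the directive
    was written after a Match line and does not apply globally."""
    _, matches = parse_sshd_config(text)
    return [crit for crit, opts in matches if "permitrootlogin" in opts]


def logcollector_sftp_intact(text):
    """True when the NwLogCollector SFTP settings from this page are present."""
    global_opts, matches = parse_sshd_config(text)
    blocks = dict(matches)
    needed = {
        "User sftp": {"chrootdirectory": "/var/netwitness/logcollector",
                      "forcecommand": "internal-sftp"},
        "Group uploads": {"chrootdirectory": "/var/netwitness/logcollector/upload_chroot"},
    }
    if global_opts.get("subsystem", "").split() != ["sftp", "internal-sftp"]:
        return False
    for crit, wanted in needed.items():
        block = blocks.get(crit)
        if block is None or any(block.get(k) != v for k, v in wanted.items()):
            return False
    return True


if __name__ == "__main__":
    # Usage on an appliance: python check_sshd.py [/etc/ssh/sshd_config] [--logcollector]
    path = next((a for a in sys.argv[1:] if not a.startswith("--")), "/etc/ssh/sshd_config")
    with open(path) as fh:
        cfg = fh.read()
    print("PermitRootLogin no (global):", root_login_disabled(cfg))
    print("PermitRootLogin inside Match blocks:", misplaced_root_login(cfg) or "none")
    if "--logcollector" in sys.argv:
        print("NwLogCollector SFTP settings intact:", logcollector_sftp_intact(cfg))
```

Run it against every appliance once the Puppet run has completed; a misplaced directive means the Augeas change has to be inserted before the first `Match` line rather than appended, and a missing SFTP block means the module is still pushing a static sshd_config.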