An introduction to the Avantra SUSE hardening Add in

Included with Avantra Enterprise edition, Avantra Add ins are pre-packaged best practice scenarios that accelerate your business time to value using our expertise. One such Add in is SUSE hardening and is based on the hardening guide from the makers of SUSE Enterprise Linux. This Add in is a collection of eight custom checks that are designed to be extensible by you to match your organizational requirements.

The SUSE hardening Add in is downloaded as a ZIP file which includes an overview guide that offers all the details of the Add in (as well as the installation instructions). To access this Add in, go to support.avantra.com. Once logged into your account, you will see all of the Add ins that are available to you under the Avantra Add ins section. 

Checks included with the SUSE hardening Add in

The checks included with the SUSE hardening Add in go a long way to keep your SUSE servers secure. There are eight checks in all which are:

• Kernel parameters - checks various kernel parameters for security issues (and allows you to customize those parameters to perfectly fit your needs).

• Listening ports - checks to see what network ports are open on your servers.

• ASLR verification - checks Address space layout randomization for certain types of buffer overflow attacks.

• Kernel address leak check - checks to see if there are any memory leaks in the kernel.

• Installed packages check - checks to see what packages are installed as well as the versions.

• UMASK verification - checks to make sure the umask setting (which determines the permissions for newly created files) is set properly.

• User account self check - checks all user accounts to make sure they are legitimate and secure.

• Security patch check - checks security patches against known vulnerabilities.

So, with a single Add in, you can very easily ensure your SUSE servers are secure, updated, and ready to meet your company's stringent standards.

How the SUSE Add in works

The installation of the Add in is as simple as clicking (from the main Avantra window) Configuration > Custom Checks. From the resulting window, click More followed by Import Custom Checks. You'll then upload the file ending in Zip. Click Next, select all of the included checks and then click Next. Click Import and all of the checks will then be imported as deactivated. At that point you have full visibility to the source code of each check, so you can see how it works or even change it should you need.

SUSE Add in configuration

You'll want to go through each check, configuring as needed, and assign the checks to your SUSE based servers. You can do this with a server system selector to select all servers running SUSE based operating systems.  Once you've installed and deployed the SUSE hardening Add in, you’ll see the checks have automatically run and will give you feedback on what they've discovered. You will know immediately if your SUSE servers have passed or failed the checks. Each test will also include links to the SUSE hardening guide for more information on what's been checked and why, and what needs to be corrected, should a test fail.

Packages Check test

One very interesting aspect of the Packages Check test is that the Add in will report every package installed on your SUSE servers. This can then serve as a Software bill of materials, which can be used with future development projects or even as proof to clients that your systems meet certain compliance standards. That package list can also be searched for auditing purposes and will report if any prohibited binaries have been included.

Failed checks

When a check fails, refer back to the configuration guide where you'll find advice on why the check might not have passed and how to resolve the problem. For example, in the User Account check, you'll most likely find your first issue requires that you edit the sudoers file (on the SUSE host) to allow the service user privilege to execute specific commands without having to enter a password. Don't worry if you run into such problems, as the overview document (found within the original download file) is a great source for solving these issues.

Kernel Parameters and Security Patch checks

The same thing will happen with the Kernel Parameters and Security Patch checks. Here you'll need to edit the /etc/sudoers.d/avantra file (as the root user), which will need to include the entries that allow the Avantra agent to auto-update itself. If you're not terribly familiar with how to edit the sudoers file, the ZIP file contains the necessary entries, so you can just append the contents into the /etc/sudoers.d/avantra file. You'll add entries for the kernel parameters check, the user account check, and the system patches check. Once you've made the configuration changes, you can execute the check and see that it successfully runs and will report back the results. 

Kernel Parameter Self Check

Another really handy feature found in the SUSE hardening Add in is the Kernel Parameter Self Check, which is (via the open-source code) editable. With this, you can add any other checks you need or customize the pre-built checks.

Your business case for the SUSE hardening Add in

If your organization deploys SUSE Enterprise Linux servers, you should consider the Avantra SUSE hardening Add in as a must use. Not only will it take the guesswork out of securing your systems, but it'll also give you and your administrators the peace of mind that only a security hardened system can offer. If you would like to see more please schedule time for a Avantra SUSE hardening Add in overview.