System Admin - Universal (Deprecated)
This content applies to the deprecated standalone Delinea PRA Engine. Existing PRA Engines will continue to operate normally, but customers can no longer create new PRA Engines or Sites. For all new deployments, use the Platform Engine with the PRA Workload. To upgrade previously deployed PRA Engines, see Upgrading Standalone PRA Engine to the Delinea Platform Engine.
Network SSH/OpenSSL:
It is recommended to disable all network protocols not in use.
It is recommended that the operating system configures the Uncomplicated Firewall (ufw) to rate-limit impacted network interfaces.
It is recommended that the operating system has an application firewall installed in order to control remote access methods.
It is recommended that customers use host-based endpoint protection (which includes FIM, a firewall, anti-malware, alerting and monitoring, etc.).
It is recommended that the operating system immediately terminates all network connections associated with SSH traffic after a period of inactivity.
It is recommended that the operating system uses SSH to protect the confidentiality and integrity of transmitted information.
It is recommended that the operating system configures the SSH daemon to use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hashes to prevent the unauthorized disclosure of information and/or detect changes to information during transmission.
- It is recommended that SSH root login is disabled
- It is recommended that SSH HostbasedAuthentication is disabled
- It is recommended that SSH PermitEmptyPasswords is disabled
- It is recommended that SSH PermitUserEnvironment is disabled
- It is recommended that SSH IgnoreRhosts is enabled
- It is recommended that SSH X11 forwarding is disabled
- It is recommended that only strong ciphers are used
- It is recommended that SSH AllowTcpForwarding is disabled
- It is recommended that SSH MaxAuthTries is set to 4 or less
- It is recommended that SSH MaxStartups is configured
- It is recommended that SSH MaxSessions is set to the minimum value system administrators need to manage the host machine
- It is recommended that SSH LoginGraceTime is set to one minute or less
- It is recommended that the SSH idle timeout interval is configured
- It is recommended that sudo commands use a pty
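The SSH items above can be verified mechanically. The script below is an added example, not code from the Delinea documentation or product: it reads an sshd_config file and reports every keyword that is unset or outside the recommended value. The sample configurations it creates are constructed for the example, and the cipher/MAC deny patterns are an assumption taken from the CIS SSH weak-algorithm lists.

```shell
#!/bin/sh
# Added example, not Delinea's code: audit an sshd_config against the SSH
# items above. Only the global section is checked (Match blocks are
# ignored) and an unset keyword is a finding, because the check expects
# explicit settings rather than release-dependent OpenSSH defaults.

# sshd_get FILE KEY -> value of KEY; sshd honours the first occurrence, so
# the first match wins (case-insensitive, comments skipped, stops at Match)
sshd_get() {
    awk -v key="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == "match"      { exit }
        tolower($1) == tolower(key) { print $2; exit }' "$1"
}

to_seconds() {  # sshd time value (45, 30s, 2m) -> seconds
    case $1 in
        *m) echo $(( ${1%m} * 60 )) ;;
        *s) echo $(( ${1%s} )) ;;
        *)  echo $(( $1 )) ;;
    esac
}

fail() { echo "FAIL: $*"; return 1; }
want_eq() {    # FILE KEY VALUE: KEY explicitly set to VALUE
    got=$(sshd_get "$1" "$2" | tr '[:upper:]' '[:lower:]')
    [ "$got" = "$3" ] || fail "$2 should be $3 (found ${got:-unset})"
}
want_max() {   # FILE KEY LIMIT: KEY set and not above LIMIT
    got=$(sshd_get "$1" "$2")
    [ -n "$got" ] && [ "$(to_seconds "$got")" -le "$3" ] ||
        fail "$2 should be at most $3 (found ${got:-unset})"
}
want_set() {   # FILE KEY: KEY explicitly configured
    [ -n "$(sshd_get "$1" "$2")" ] || fail "$2 should be explicitly configured"
}
want_clean() { # FILE KEY ERE: KEY set and no listed algorithm matches ERE
    got=$(sshd_get "$1" "$2")
    [ -n "$got" ] && ! printf '%s\n' "$got" | tr ',' '\n' | grep -Eqi "$3" ||
        fail "$2 must be set without weak algorithms /$3/ (found ${got:-unset})"
}
# KEYWORD:CHECK:ARG. Cipher/MAC deny patterns follow the weak-algorithm
# lists in the CIS SSH benchmarks (assumption; adjust to local policy).
SSHD_POLICY="
PermitRootLogin:eq:no HostbasedAuthentication:eq:no PermitEmptyPasswords:eq:no
PermitUserEnvironment:eq:no IgnoreRhosts:eq:yes X11Forwarding:eq:no
AllowTcpForwarding:eq:no MaxAuthTries:max:4 MaxStartups:set: MaxSessions:set:
LoginGraceTime:max:60 ClientAliveInterval:set: ClientAliveCountMax:set:
Ciphers:clean:cbc|arcfour MACs:clean:md5|umac|ripemd|-96"

# check_sshd_config FILE -> one FAIL line per deviation; status 0 if clean
check_sshd_config() {
    fails=0
    for rule in $SSHD_POLICY; do
        key=${rule%%:*}; rest=${rule#*:}; kind=${rest%%:*}; arg=${rest#*:}
        case $kind in
            eq)    want_eq    "$1" "$key" "$arg" ;;
            max)   want_max   "$1" "$key" "$arg" ;;
            set)   want_set   "$1" "$key" ;;
            clean) want_clean "$1" "$key" "$arg" ;;
        esac || fails=$((fails+1))
    done
    echo "$fails finding(s) in $1"
    [ "$fails" -eq 0 ]
}
sshd_finding_count() { check_sshd_config "$1" | grep -c '^FAIL:' || true; }

SSHD_TMP=$(mktemp -d)           # constructed samples: compliant and gappy
SSHD_GOOD=$SSHD_TMP/good.conf
cat > "$SSHD_GOOD" <<'EOF'
PermitRootLogin no
HostbasedAuthentication no
PermitEmptyPasswords no
PermitUserEnvironment no
IgnoreRhosts yes
X11Forwarding no
AllowTcpForwarding no
MaxAuthTries 4
MaxStartups 10:30:60
MaxSessions 2
LoginGraceTime 1m
ClientAliveInterval 300
ClientAliveCountMax 3
Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
EOF
SSHD_BAD=$SSHD_TMP/bad.conf
cat > "$SSHD_BAD" <<'EOF'
PermitRootLogin yes
HostbasedAuthentication no
PermitEmptyPasswords no
X11Forwarding yes
MaxAuthTries 6
LoginGraceTime 2m
Ciphers aes256-ctr,aes256-cbc
MACs hmac-sha2-256,hmac-md5
EOF
```

Run `check_sshd_config /etc/ssh/sshd_config` on a host to list the deviations; the idle timeout item is represented by ClientAliveInterval and ClientAliveCountMax, which are the sshd keywords that implement it. Because sshd uses the first occurrence of a keyword, a compliant value appended at the end of a file does not override an earlier non-compliant one, which is why the checker mirrors that rule.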
Auditing
It is recommended that the operating system configures audit tools to be owned by root, group-owned by root with a mode of 0755 or less permissive.
It is recommended that the operating system is configured so that audit configuration files are not write-accessible by unauthorized users.
It is recommended that the operating system is configured so that the audit log directory is not write-accessible by unauthorized users.
It is recommended that the operating system permits only authorized groups ownership of the audit log files.
It is recommended that the operating system is configured to permit only authorized users ownership of the audit log files.
It is recommended that the operating system is configured so that audit log files are not read or write-accessible by unauthorized users.
It is recommended that the operating system generates audit records for successful and unsuccessful attempts to use the following commands:
- fdisk
- modprobe
- usermod
- gpasswd
- passwd
- sudo
- sudoedit/visudo
- umount
- mount
- su
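The auditing items above translate into auditd execution rules for each listed command and an ownership/mode check on the audit tools and log files. The script below is an added example, not code from the Delinea documentation or product: the rules file name in the usage comment is an assumption, the tool paths follow the CIS benchmark layout, and GNU stat (Linux coreutils) is assumed.

```shell
#!/bin/sh
# Added example, not Delinea's code: auditd rules for the privileged commands
# listed above and a permission check for audit tools and logs. The rule
# file name is an assumption; GNU stat (Linux coreutils) is assumed.

AUDITED_COMMANDS="fdisk modprobe usermod gpasswd passwd sudo sudoedit visudo umount mount su"

# audit_rule PATH -> rule recording each execution of PATH. perm=x matches
# the execve and the record's success= field shows whether it succeeded, so
# failed attempts are captured too. auid>=1000 restricts to real users,
# auid!=4294967295 drops processes with no login uid, -k tags for ausearch.
audit_rule() {
    printf '%s\n' "-a always,exit -F path=$1 -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged"
}

# audit_rules_for_commands CMD... -> rules for each command installed here;
# missing commands are noted on stderr and skipped.
audit_rules_for_commands() {
    for c in "$@"; do
        p=$(command -v "$c" 2>/dev/null) || { echo "skip: $c not installed" >&2; continue; }
        audit_rule "$p"
    done
}

# check_perms PATH MAX_MODE [OWNER] [GROUP] -> FAIL lines for wrong owner,
# group or permission bits outside MAX_MODE (octal); status 0 if compliant.
check_perms() {
    path=$1; max=$2; want_owner=${3:-root}; want_group=${4:-root}
    info=$(stat -c '%a %U %G' "$path" 2>/dev/null) || { echo "FAIL: $path missing"; return 1; }
    mode=${info%% *}; rest=${info#* }; owner=${rest%% *}; group=${rest#* }
    rc=0
    [ "$owner" = "$want_owner" ] || { echo "FAIL: $path owner $owner, want $want_owner"; rc=1; }
    [ "$group" = "$want_group" ] || { echo "FAIL: $path group $group, want $want_group"; rc=1; }
    # any bit set in mode but not permitted by max means too permissive
    [ $(( 0$mode & ~0$max )) -eq 0 ] || { echo "FAIL: $path mode $mode exceeds $max"; rc=1; }
    return $rc
}

# Auditing items above: tools 0755, log directory 0750, log files 0640,
# all root:root. Tool paths follow the CIS benchmark; /var/log/audit is the
# auditd default log location.
AUDIT_TOOLS="/sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules"
AUDIT_LOG_DIR=/var/log/audit
check_audit_files() {
    bad=0
    for t in $AUDIT_TOOLS; do
        if [ -e "$t" ]; then check_perms "$t" 0755 || bad=1; fi
    done
    if [ -d "$AUDIT_LOG_DIR" ]; then check_perms "$AUDIT_LOG_DIR" 0750 || bad=1; fi
    for f in "$AUDIT_LOG_DIR"/*; do
        if [ -f "$f" ]; then check_perms "$f" 0640 || bad=1; fi
    done
    return $bad
}

# Typical use as root (rules file name is an assumption):
#   audit_rules_for_commands $AUDITED_COMMANDS > /etc/audit/rules.d/50-privileged.rules
#   augenrules --load && check_audit_files
```

`augenrules --load` merges everything under /etc/audit/rules.d and loads it into the running daemon; afterwards `ausearch -k privileged` returns the records produced by these rules. The mode check compares bits rather than numbers, so a file at 0750 passes a 0755 limit while 0775 fails it.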
CIS standards
- It is recommended that the mounting of cramfs filesystems is disabled
- It is recommended that the mounting of squashfs filesystems is disabled
- It is recommended that the mounting of udf filesystems is disabled
- It is recommended that the nodev option is set on the /var partition
- It is recommended that the nodev option is set on the /var/tmp partition
- It is recommended that the nodev option is set on the /var/log partition
- It is recommended that the noexec option is set on the /var/log partition
- It is recommended that the noexec option is set on the /var/log/audit partition
- It is recommended that the nodev option is set on the /var/log/audit partition
- It is recommended to disable automounting
- It is recommended to disable USB storage
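The filesystem and USB storage items above come down to a modprobe.d denial per module and the right options on each mount. The script below is an added example, not code from the Delinea documentation or product: it generates the modprobe.d stanzas and audits an fstab for the nodev/noexec items, using a constructed sample fstab; the module name usb-storage is the kernel module behind "USB storage".

```shell
#!/bin/sh
# Added example, not Delinea's code: modprobe.d stanzas that stop the
# filesystem and USB storage modules named above from loading, and an fstab
# audit for the nodev/noexec items. Sample fstab entries are constructed.

DISABLED_MODULES="cramfs squashfs udf usb-storage"

# modprobe_deny MODULE -> stanza for /etc/modprobe.d. `install MODULE
# /bin/false` makes an explicit `modprobe MODULE` fail; `blacklist` stops
# autoloading on hardware or filesystem detection.
modprobe_deny() {
    printf 'install %s /bin/false\nblacklist %s\n' "$1" "$1"
}

# write_modprobe_config DIR -> one DIR/MODULE.conf per module
# (DIR is /etc/modprobe.d on a real host; a temporary directory in tests).
write_modprobe_config() {
    for m in $DISABLED_MODULES; do modprobe_deny "$m" > "$1/$m.conf"; done
}

# MOUNTPOINT:OPTION pairs from the CIS items above.
FSTAB_POLICY="/var:nodev /var/tmp:nodev /var/log:nodev /var/log:noexec
              /var/log/audit:nodev /var/log/audit:noexec"

# fstab_option_state FSTAB MOUNTPOINT OPTION -> present | missing | nopartition
fstab_option_state() {
    opts=$(awk -v mp="$2" '$1 !~ /^#/ && $2 == mp { print $4; exit }' "$1")
    if [ -z "$opts" ]; then echo nopartition
    elif printf '%s\n' "$opts" | tr ',' '\n' | grep -qx "$3"; then echo present
    else echo missing
    fi
}

# check_fstab FSTAB -> one FAIL line per deviation; status 0 when compliant.
# nodev/noexec only apply to a mount, so a directory that is not its own
# mount point is reported as well.
check_fstab() {
    fails=0
    for rule in $FSTAB_POLICY; do
        mp=${rule%%:*}; opt=${rule#*:}
        case $(fstab_option_state "$1" "$mp" "$opt") in
            missing)     echo "FAIL: $mp lacks $opt"; fails=$((fails+1)) ;;
            nopartition) echo "FAIL: $mp is not a separate mount"; fails=$((fails+1)) ;;
        esac
    done
    [ "$fails" -eq 0 ]
}
fstab_finding_count() { check_fstab "$1" | grep -c '^FAIL:' || true; }

# Constructed sample: /var and /var/log compliant, /var/log/audit missing
# both options, and no separate /var/tmp mount.
FSTAB_SAMPLE=$(mktemp)
cat > "$FSTAB_SAMPLE" <<'EOF'
# <device>  <mount point>   <type>  <options>                     <dump> <pass>
UUID=root1  /               ext4    defaults                      0 1
UUID=var1   /var            ext4    defaults,nodev                0 2
UUID=log1   /var/log        ext4    defaults,nodev,noexec,nosuid  0 2
UUID=aud1   /var/log/audit  ext4    defaults                      0 2
EOF
```

Writing the modprobe.d files only prevents future loads; a module that is already loaded is removed with `modprobe -r MODULE`. The automounting item is the autofs service, disabled with `systemctl disable --now autofs` where it is installed. Mount options changed in fstab take effect after `mount -o remount /var/log/audit` or a reboot.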
If SNMP is installed, it is recommended to use a complex community string.
- It is recommended that packet redirect sending is disabled
- It is recommended that IP forwarding is disabled
- It is recommended that ICMP redirects are not accepted
- It is recommended that broadcast ICMP requests are ignored
- It is recommended that bogus ICMP responses are ignored
- It is recommended that IPv6 router advertisements are not accepted
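Each network item above corresponds to one or more kernel parameters. The script below is an added example, not code from the Delinea documentation or product: it prints the parameters as a sysctl drop-in and checks a saved `sysctl -a` snapshot or a sysctl.d file against them. The drop-in file name and the sample snapshot are constructed for the example; the parameter names are the ones the CIS benchmarks use for these items.

```shell
#!/bin/sh
# Added example, not Delinea's code: kernel network parameters behind the
# recommendations above, as a sysctl drop-in plus a checker that compares a
# saved `sysctl -a` snapshot or sysctl.d file against the policy. The sample
# snapshot and the drop-in file name are constructed.

# key=value policy; each page item maps to the parameters CIS uses for it.
SYSCTL_POLICY="
net.ipv4.conf.all.send_redirects=0 net.ipv4.conf.default.send_redirects=0
net.ipv4.ip_forward=0 net.ipv6.conf.all.forwarding=0
net.ipv4.conf.all.accept_redirects=0 net.ipv4.conf.default.accept_redirects=0
net.ipv6.conf.all.accept_redirects=0 net.ipv6.conf.default.accept_redirects=0
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_responses=1
net.ipv6.conf.all.accept_ra=0 net.ipv6.conf.default.accept_ra=0"

# sysctl_dropin -> file content for e.g. /etc/sysctl.d/60-network-hardening.conf
sysctl_dropin() {
    for kv in $SYSCTL_POLICY; do printf '%s = %s\n' "${kv%%=*}" "${kv#*=}"; done
}

# sysctl_value FILE KEY -> value of KEY in FILE (sysctl.conf syntax or
# `sysctl -a` output). The last occurrence wins, matching how sysctl --system
# applies later files over earlier ones.
sysctl_value() {
    awk -F= -v key="$2" '
        /^[[:space:]]*[#;]/ || /^[[:space:]]*$/ { next }
        { k = $1; v = $2; gsub(/[[:space:]]/, "", k)
          sub(/^[[:space:]]+/, "", v); sub(/[[:space:]]+$/, "", v) }
        k == key { val = v }
        END { if (val != "") print val }' "$1"
}

# check_sysctl FILE -> one FAIL line per parameter that is unset or differs
# from policy; status 0 when fully compliant.
check_sysctl() {
    fails=0
    for kv in $SYSCTL_POLICY; do
        key=${kv%%=*}; want=${kv#*=}
        got=$(sysctl_value "$1" "$key")
        [ "$got" = "$want" ] || { echo "FAIL: $key should be $want (found ${got:-unset})"; fails=$((fails+1)); }
    done
    [ "$fails" -eq 0 ]
}
sysctl_finding_count() { check_sysctl "$1" | grep -c '^FAIL:' || true; }

# Constructed `sysctl -a` excerpt of a host that forwards traffic, sends
# redirects, accepts router advertisements and lacks the default.accept_ra key.
SYSCTL_SNAPSHOT=$(mktemp)
cat > "$SYSCTL_SNAPSHOT" <<'EOF'
net.ipv4.ip_forward = 1
net.ipv4.conf.all.send_redirects = 1
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
net.ipv6.conf.all.forwarding = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv6.conf.all.accept_ra = 1
EOF
```

On a host, `sysctl_dropin > /etc/sysctl.d/60-network-hardening.conf` followed by `sysctl --system` applies the settings, and `sysctl -a > snapshot && check_sysctl snapshot` audits the running values. Both the `all` and `default` variants are needed: `default` covers interfaces created after the setting is applied, `all` the ones that already exist. Note that an engine which must route traffic for its own function cannot disable ip_forward; confirm that requirement before applying that line.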