VID Security assessment requires attestation for V0003070, V0003967, V0005612, V0005613, V0014717, V0017850, V0023747

Article ID: 137625


Products

CA Identity Manager CA Identity Governance CA Identity Portal CA Identity Suite

Issue/Introduction

We are required to assess one of the VAPP servers in our environment. All VIDs must be PASSED or FAILED. We require either an attestation from the vendor stating that these are true or (preferably) evidence containing the proof, hostname, and date. 


Please assist us with reviewing the following configuration checks:

V0003070 - Devices that are able to log access attempts log all access attempts to establish a management connection for administrative access.

V0003967 - Devices capable of a timeout associated with Idle connections have the Idle console connection timeout set to 10 minutes.

V0005612 - Inactivity timeout is set to 60 seconds for Shell access.

V0005613 - SSH capable devices have a maximum number of unsuccessful SSH logon attempts of 3.

V0014717 - SSH version 1 is disabled on devices with SSH configured.

V0017850 - The NTP server configuration on devices with NTP configured use two distinct NTP servers.

V0023747 - The NTP server configuration on devices capable of utilizing NTP use two distinct NTP servers.



Environment

Release : 14.x

Component : CA IDENTITY SUITE (VIRTUAL APPLIANCE)

Resolution

V0003070 - Devices that are able to log access attempts log all access attempts to establish a management connection for administrative access.

      ***PASS***

 vApp admin console logs all access requests as attested by Broadcom Engineering.

 

V0003967 - Devices capable of a timeout associated with Idle connections have the Idle console connection timeout set to 10 minutes.

     ***FAIL***

 The vApp Web UI session timeout is configurable: the default is 20 minutes and it can be set as low as 1 minute. The default therefore fails this check, but the timeout value can be validated and changed by the customer at the vApp command line via the set_vApp_webui_session_timeout alias:

 

set_vApp_webui_session_timeout

Displays or configures the session inactivity timeout (in minutes) for the Virtual Appliance Admin UI (listening on port 10443).

 

See also, Using the Login Shell

 

V0005612 - Inactivity timeout is set to 60 seconds for Shell access.

     ***FAIL***

The shell inactivity timeout is set to 900 seconds (15 minutes), so the check fails against the 60-second requirement.

A hotfix would be required to change the timeout value. Please open a support case requesting a hotfix if required.



V0005613 - SSH capable devices have a maximum number of unsuccessful SSH logon attempts of 3.

      ***PASS***

Attested by Broadcom Engineering.

 

V0014717 - SSH version 1 is disabled on devices with SSH configured.

     ***PASS***

 

Run the following ssh command from the vApp login shell to determine whether protocol version 1 is enabled on the SSH server. The -1 option forces the client to propose protocol version 1, so the server's reply shows whether it will accept it. For example,

config@VApp02 VAPP-14.2.0 (10.10.10.10):~ > ssh -1 [email protected]

Protocol major versions differ: 1 vs. 2

The return message "Protocol major versions differ: 1 vs. 2" confirms that the server only negotiates protocol 2, i.e. SSH-1 is not enabled.

Caveat: OpenSSH removed protocol 1 support from the client in release 7.6. On such a client "ssh -1" is rejected locally ("SSH protocol v.1 is no longer supported") before any connection is made and proves nothing about the server. In that case check the server's identification string instead: a banner beginning "SSH-2.0-" means protocol 2 only, while "SSH-1.99-" means the server accepts both versions. Alternatively confirm that sshd_config contains no "Protocol" line that includes 1.

See also, http://ask.xmodulo.com/check-ssh-protocol-version-linux.html 
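The banner-based check described above, as an added example that is not code from the KB article or from the vApp itself. It classifies an SSH identification string per RFC 4253 section 4.2 ("SSH-2.0-" is protocol 2 only, "SSH-1.99-" is both, "SSH-1.x-" is protocol 1 only) and can fetch the banner from a live host; the sample banners embedded at the bottom are constructed, not captured from any real server, so the script runs offline.

```python
"""Decide from the SSH identification string whether protocol 1 is still offered.

Added example for the V0014717 check; not code from the KB article or the
vApp. Decision rule from RFC 4253 section 4.2: "SSH-2.0-..." means protocol 2
only, "SSH-1.99-..." means the server accepts both 1 and 2, "SSH-1.x-..."
means protocol 1 only. Works even when the local ssh client has no -1 option.
"""
import socket


def classify_banner(banner: str) -> dict:
    """Parse one identification string, e.g. "SSH-2.0-OpenSSH_7.4".

    Returns {"v1": bool, "v2": bool, "software": str}; raises ValueError
    when the line is not an SSH identification string.
    """
    parts = banner.strip().split("-", 2)
    if len(parts) != 3 or parts[0] != "SSH":
        raise ValueError(f"not an SSH identification string: {banner!r}")
    protoversion, software = parts[1], parts[2]
    if protoversion == "2.0":
        v1, v2 = False, True
    elif protoversion == "1.99":          # RFC 4253: both v1 and v2 supported
        v1, v2 = True, True
    elif protoversion.startswith("1."):
        v1, v2 = True, False
    else:
        raise ValueError(f"unknown protoversion {protoversion!r}")
    return {"v1": v1, "v2": v2, "software": software}


def ssh1_disabled(banner: str) -> bool:
    """True when the banner shows the server will not negotiate protocol 1."""
    return not classify_banner(banner)["v1"]


def fetch_banner(host: str, port: int = 22, timeout: float = 5.0) -> str:
    """Connect and return the server's identification line (needs network access).

    RFC 4253 allows the server to send other text lines before the
    identification string, so read line by line until one starts with "SSH-".
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        with sock.makefile("rb") as stream:
            for _ in range(20):                  # bound the pre-banner lines tolerated
                raw = stream.readline()
                if not raw:
                    break
                line = raw.decode("ascii", "replace").rstrip("\r\n")
                if line.startswith("SSH-"):
                    return line
    raise ValueError(f"no SSH identification string received from {host}:{port}")


# Constructed sample banners (not captured from any real host) for offline use.
SAMPLE_BANNERS = {
    "v2_only": "SSH-2.0-OpenSSH_7.4\r\n",
    "v1_and_v2": "SSH-1.99-OpenSSH_4.3",
    "v1_only": "SSH-1.5-OpenSSH_3.9p1",
}


def assess_v0014717(banner: str) -> str:
    """Render the finding in the PASS/FAIL form the article uses."""
    info = classify_banner(banner)
    verdict = "PASS" if not info["v1"] else "FAIL"
    return (f"V0014717 {verdict}: server advertises {banner.strip()} "
            f"(v1={info['v1']}, v2={info['v2']})")


if __name__ == "__main__":
    # Offline demonstration; for a live host use assess_v0014717(fetch_banner("host")).
    for name, banner in SAMPLE_BANNERS.items():
        print(name, "->", assess_v0014717(banner))
```

Against a real appliance, call assess_v0014717(fetch_banner("10.10.10.10")) from any machine that can reach port 22; the hostname and IP are placeholders taken from the article's prompt, not an assertion about any real system.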

 

 

V0017850 - The NTP server configuration on devices with NTP configured use two distinct NTP servers.

***PASS***

On the vAPP you can see that the NTP daemon is running:

config@VApp02 VAPP-14.2.0 (10.10.10.10):~ > ps -ef|grep ntp

ntp 1561 1 0 Sep12 ? 00:00:05 ntpd -u ntp:ntp -p /var/run/ntpd.pid -g

The NTP configuration in /etc/ntp.conf shows that it uses more than two distinct NTP servers (four pool.ntp.org names). This evidence covers configuration only; to confirm that the vApp actually reaches those servers and is synchronised, also run ntpq -p on the appliance and verify that at least two peers show a non-zero reach value and one is marked with * as the system peer. If the appliance has no outbound access to the public pool, replace these entries with at least two internal NTP servers.

/etc/ntp.conf

....

# Use public servers from the pool.ntp.org project.

# Please consider joining the pool (http://www.pool.ntp.org/join.html).

server 0.centos.pool.ntp.org iburst

server 1.centos.pool.ntp.org iburst

server 2.centos.pool.ntp.org iburst

server 3.centos.pool.ntp.org iburst

 

V0023747 - The NTP server configuration on devices capable of utilizing NTP use two distinct NTP servers.

***PASS***

Same evidence as for V0017850 above: ntpd is running on the vApp and /etc/ntp.conf lists four distinct pool.ntp.org servers, which satisfies the two-server requirement.
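One way to automate the evidence for both V0017850 and V0023747, as an added example that is not code from the KB article or the vApp: it counts distinct time sources in ntp.conf (ignoring comments, duplicate lines and the 127.127.x.x pseudo-addresses ntpd uses for local reference clocks) and, optionally, parses ntpq -p output to confirm the peers are reached and one is the system peer. The embedded ntp.conf and ntpq -p text are constructed samples modelled on the listing above; the time1.example.net style hostnames are placeholders.

```python
"""Check the "two distinct NTP servers" requirement from ntp.conf and ntpq -p output.

Added example for V0017850 and V0023747; not code from the KB article or the
vApp. Two checks, because a configured server is not the same as a usable one:
  1. count distinct network time sources declared in ntp.conf
     (server/pool/peer lines), skipping comments, duplicates and 127.127.x.x
     reference-clock addresses;
  2. parse `ntpq -p` output and report peers whose reach register is non-zero,
     together with their tally code ('*' = system peer, '+' = candidate,
     '-' = outlier, ' ' = discarded).
"""

LOCAL_REFCLOCK_PREFIX = "127.127."   # ntpd reference-clock driver addresses, not network servers


def configured_sources(conf_text: str) -> list:
    """Return distinct network time sources from ntp.conf text, in file order."""
    seen, sources = set(), []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        fields = line.split()
        if len(fields) < 2 or fields[0] not in ("server", "pool", "peer"):
            continue
        name = fields[1].lower()
        if name.startswith(LOCAL_REFCLOCK_PREFIX) or name in seen:
            continue
        seen.add(name)
        sources.append(name)
    return sources


def reachable_peers(ntpq_output: str) -> list:
    """Return (peer, tally) pairs from `ntpq -p` output whose reach register is non-zero."""
    peers = []
    for line in ntpq_output.splitlines():
        if not line.strip() or line.lstrip().startswith("remote") or line.startswith("="):
            continue                                   # header lines
        tally, rest = line[0], line[1:].split()        # first column char is the tally code
        if len(rest) < 7:
            continue
        reach = rest[6]                                # octal shift register, "0" = never answered
        if reach != "0":
            peers.append((rest[0], tally))
    return peers


def assess_ntp(conf_text: str, ntpq_output: str = "", minimum: int = 2) -> dict:
    """Combine both checks into the PASS/FAIL form the article uses.

    The live check is skipped when no ntpq output is supplied, so a verdict
    without it only attests to configuration.
    """
    configured = configured_sources(conf_text)
    config_ok = len(configured) >= minimum
    if ntpq_output:
        reached = reachable_peers(ntpq_output)
        live_ok = len(reached) >= minimum and any(t == "*" for _, t in reached)
    else:
        reached, live_ok = None, True
    return {"configured": configured, "reachable": reached,
            "verdict": "PASS" if config_ok and live_ok else "FAIL"}


# Constructed sample resembling the vApp's /etc/ntp.conf (not a real capture).
SAMPLE_NTP_CONF = """\
driftfile /var/lib/ntp/drift
server 0.centos.pool.ntp.org iburst
server 1.centos.pool.ntp.org iburst
server 2.centos.pool.ntp.org iburst
server 3.centos.pool.ntp.org iburst
server 1.centos.pool.ntp.org iburst   # duplicate line, must not count twice
server 127.127.1.0                    # local clock driver, not a network source
#server ntp.example.net               # commented out, must not count
"""

# Constructed `ntpq -p` listing with placeholder hostnames (not a real capture).
SAMPLE_NTPQ = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*time1.example.net .GPS.            1 u   45   64  377    0.421   -0.113   0.052
+time2.example.net 10.0.0.5         2 u   12   64  377    1.102    0.207   0.090
-time3.example.net 10.0.0.6         2 u   30   64  377    9.870    4.110   1.210
 time4.example.net .INIT.          16 u    -   64    0    0.000    0.000   0.000
"""

if __name__ == "__main__":
    print(assess_ntp(SAMPLE_NTP_CONF, SAMPLE_NTPQ))
```

On the appliance itself the inputs would come from open("/etc/ntp.conf").read() and subprocess.run(["ntpq", "-p"], capture_output=True, text=True).stdout; the sample verdict is PASS because four distinct servers are configured, three peers have been reached and one is the system peer.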