Difference between revisions of "Customizing Hardening Policies"
Amit sharma (talk | contribs) |
Amit sharma (talk | contribs) |
||
Line 8: | Line 8: | ||
In-order to customize the server hardening parameters, it is important to understand the server hardening policy database. The policy database has the following important tables: | In-order to customize the server hardening parameters, it is important to understand the server hardening policy database. The policy database has the following important tables: | ||
− | ''Policy_Definition'' -> Policy_definition table is used for defining various group of policies e.g. 'Password Policy' is the policy group for various password related parameters/settings. | + | ''Policy_Definition'' -> Policy_definition table is used for defining various group of policies e.g. 'Password Policy' is the policy group for various password related parameters/settings. Please refer the picture below: |
+ | [[File:policy_def.png|thumb|Policy Definition]] | ||
− | + | ''Policy_Details'' -> For each Policy Group, there are several parameters that need to be checked and the policy details table is used to define these parameters. e.g. Within Password Policy, there are parameters like minimum password length, maximum password validity period, etc which need to be evaluated. The Policy_Details table is used to capture the configuration such that each parameter will have its own record containing details such desired value, concise description of the parameter, etc. Please refer the picture below: | |
− | + | [[File:policy_details.png|thumb|Policy Details]] | |
− | ''Policy_Details'' -> For each Policy Group, there are several parameters that need to be checked and the policy details table is used to define these parameters. e.g. Within Password Policy, there are parameters like minimum password length, maximum password validity period, etc which need to be evaluated. The Policy_Details table is used to capture the configuration such that each parameter will have its own record containing details such desired value, concise description of the parameter, etc. | ||
''Server_Group'' -> This table defines the group of servers and the mapping of the group to the set of hardening policies applicable to all the servers within the group. | ''Server_Group'' -> This table defines the group of servers and the mapping of the group to the set of hardening policies applicable to all the servers within the group. | ||
+ | [[File:server_group.png|thumb|Server Group]] | ||
''Server_Details'' -> This table is used to capture the details of the server and the server_group to which the server belongs. | ''Server_Details'' -> This table is used to capture the details of the server and the server_group to which the server belongs. | ||
+ | [[File:server_details.png|thumb|Server Group]] | ||
=== To edit an existing hardening policy === | === To edit an existing hardening policy === |
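Review bot: the caption on the image added under ''Server_Details'', `[[File:server_details.png|thumb|Server Group]]`, repeats the "Server Group" caption of the thumbnail above it and looks copy-pasted; it should read "Server Details" so the two thumbnails can be told apart. The two added sentences "Please refer the picture below:" are also missing a "to" ("Please refer to the picture below:").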
Revision as of 10:27, 20 August 2019
The KHIKA Hardening Compliance Report internally uses a SQLite database (www.sqlite.org) to maintain the hardening templates. The SQLite database is available on the KHIKA Application Server at the following locations:
- For Windows Servers -> /opt/KHIKA/Apps/Dashboards_n_Reports/WIN_GRC/policy_db.dat
- For Linux Servers -> /opt/KHIKA/Apps/Dashboards_n_Reports/Linux_GRC/linux_policy.db
Customization of Hardening policy may include anything from creating your own hardening policy template to editing an existing hardening policy. To know more, please read on:
Policy Database
In order to customize the server hardening parameters, it is important to understand the server hardening policy database. The policy database has the following important tables:
Policy_Definition -> The Policy_Definition table is used for defining the various groups of policies, e.g. 'Password Policy' is the policy group for the various password-related parameters/settings. Please refer to the picture below:
Policy_Details -> For each policy group, there are several parameters that need to be checked, and the Policy_Details table is used to define these parameters. For example, within Password Policy there are parameters like minimum password length, maximum password validity period, etc. which need to be evaluated. The Policy_Details table captures the configuration such that each parameter has its own record containing details such as the desired value, a concise description of the parameter, etc. Please refer to the picture below:
Server_Group -> This table defines the group of servers and the mapping of the group to the set of hardening policies applicable to all the servers within the group.
Server_Details -> This table is used to capture the details of the server and the server_group to which the server belongs.
To edit an existing hardening policy
The KHIKA Server Hardening mechanism internally uses a SQLite database to maintain the various hardening parameters along with their expected values, so in order to edit an existing hardening policy you will need to update the SQLite database. This can be easily done by copying the appropriate policy database from the KHIKA Application Server, via WinSCP or any other equivalent utility, to the Windows machine where SQLite Browser is available. Once the policy database file is copied to the Windows machine, open it using SQLite Browser.
In order to edit the existing hardening policy, one has to identify the relevant policy group and then check the parameter within the policy group that needs to be updated. Typically it is either the desired value or the description of the parameter that gets updated. Please refer to the example below to see how this is done.
Once the desired updates to the policy database are done, please save the policy database and copy the updated policy database to the KHIKA Application Server. That is it: the updates to the hardening policy will be reflected the next time the hardening report is run.
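The same edit can be scripted against the copied file. The sketch below is an added example, not KHIKA's own code: it backs up the copy, reads the real column names from the file, changes exactly one record and runs an integrity check before the file is copied back. The column names `param_name`, `desired_value` and `description` and the sample rows are hypothetical, since the page does not list the Policy_Details schema.

```python
import shutil, sqlite3, tempfile
from pathlib import Path

def q(name):
    """Quote an SQL identifier (identifiers cannot be bound as parameters)."""
    return '"' + name.replace('"', '""') + '"'

def update_parameter(db_path, table, key_col, key, value_col, new_value):
    """Change one parameter's value; return (old_value, new_value, backup_path)."""
    db_path = Path(db_path)
    backup = db_path.with_name(db_path.name + ".bak")
    shutil.copy2(db_path, backup)  # untouched copy to restore from
    conn = sqlite3.connect(db_path)
    try:
        # Read the real column names from the file instead of guessing them.
        cols = [r[1] for r in conn.execute(f"PRAGMA table_info({q(table)})")]
        if key_col not in cols or value_col not in cols:
            raise ValueError(f"{table} has columns {cols}")
        where = f"FROM {q(table)} WHERE {q(key_col)} = ?"
        rows = conn.execute(f"SELECT {q(value_col)} {where}", (key,)).fetchall()
        if len(rows) != 1:  # refuse to touch zero or several records
            raise LookupError(f"{len(rows)} rows match {key!r}")
        with conn:  # commits on success, rolls back on error
            conn.execute(f"UPDATE {q(table)} SET {q(value_col)} = ? "
                         f"WHERE {q(key_col)} = ?", (new_value, key))
        new = conn.execute(f"SELECT {q(value_col)} {where}", (key,)).fetchone()[0]
        if conn.execute("PRAGMA integrity_check").fetchone()[0] != "ok":
            raise RuntimeError("integrity_check failed; restore the backup")
        return rows[0][0], new, backup
    finally:
        conn.close()

def build_sample_db(path):
    """Constructed stand-in for the policy file; column names are hypothetical."""
    conn = sqlite3.connect(path)
    with conn:
        conn.execute("CREATE TABLE Policy_Details "
                     "(param_name TEXT, desired_value TEXT, description TEXT)")
        conn.executemany("INSERT INTO Policy_Details VALUES (?, ?, ?)", [
            ("Minimum password length", "8", "Shortest password accepted"),
            ("Maximum password validity period", "90", "Days until expiry")])
    conn.close()

def demo():
    with tempfile.TemporaryDirectory() as d:
        db = Path(d) / "policy_copy.db"
        build_sample_db(db)
        return update_parameter(db, "Policy_Details", "param_name",
                                "Minimum password length", "desired_value", "14")[:2]
```

Run `update_parameter` against the copy taken from the KHIKA Application Server, with the column names that `PRAGMA table_info` reports for the real file, and keep the `.bak` file until the next hardening report has run cleanly.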
To create your own hardening policy template
NOTE
To edit the SQLite database, it is recommended to use an open source utility named 'SQLite Browser', which may be downloaded from https://sqlitebrowser.org/ (please review the license policy before downloading and using the SQLite Browser utility).