Difference between revisions of "Customizing Hardening Policies"

Line 27: Line 27:
  
 
Let us consider the following example to understand the role played by the policy database in the workflow of Server Hardening Report. Please assume that hardening data is collected from the server 'khika-pc'. To generate the server hardening report for 'khika-pc', workflow will proceed as follows:
 
Let us consider the following example to understand the role played by the policy database in the workflow of Server Hardening Report. Please assume that hardening data is collected from the server 'khika-pc'. To generate the server hardening report for 'khika-pc', workflow will proceed as follows:
a> To understand the hardening policies that need to be applied to check hardening compliance for 'khika-pc', obtain the server_group_id corresponding to the server_group for 'khika-pc' from the table 'server_details'.  
+
# To understand the hardening policies that need to be applied to check hardening compliance for 'khika-pc', obtain the server_group_id corresponding to the server_group for 'khika-pc' from the table 'server_details'.  
b> From the server_group table, get the list of policies to be checked for server_group.
+
# From the server_group table, get the list of policies to be checked for server_group.
c> For each policy in the policy_details, get the list of hardening parameters,their desired values,description and other configured values.
+
# For each policy in the policy_details, get the list of hardening parameters,their desired values,description and other configured values.
d> Compare the collected value for the hardening parameters against the desired value and determine the result i.e. whether the parameter is configured properly or not.
+
# Compare the collected value for the hardening parameters against the desired value and determine the result i.e. whether the parameter is configured properly or not.
  
 
=== To edit an existing hardening policy ===
 
=== To edit an existing hardening policy ===
 
The KHIKA Server Hardening mechanism internally uses an sqlite database to maintain the various hardening parameters and along with their expected values and in order to edit an existing hardening policy, you will need to update the sqlite database. This can be easily done by coping the appropriate policy database from the KHIKA Application server to the Windows Machine where SQLiteBrowser is available via WinSCP or any other equivalent utilities. Once the policy database sqlite file is copied to the windows server, open the policy database using SQLite Browser.
 
The KHIKA Server Hardening mechanism internally uses an sqlite database to maintain the various hardening parameters and along with their expected values and in order to edit an existing hardening policy, you will need to update the sqlite database. This can be easily done by coping the appropriate policy database from the KHIKA Application server to the Windows Machine where SQLiteBrowser is available via WinSCP or any other equivalent utilities. Once the policy database sqlite file is copied to the windows server, open the policy database using SQLite Browser.
  
In order to edit the existing hardening policy, one has to identify the relevant policy group and then check the parameter within the policy group that needs to be updated. Typically it is either the desired value or the description of the parameter that gets updated. Please refer the example below to see how this done.  
+
In order to edit the existing hardening policy, one has to identify the relevant policy group and then check the parameter within the policy group that needs to be updated. Typically it is either the column 'policy_value' or 'policy_desc' of the parameter that gets updated. Please refer the Policy Database section to see how this done.  
  
 
Once the desired updated to the policy database are done, please save the policy database and copy the updated policy database to  KHIKA Application Server. That is it - the updated to the hardening policy will get reflected the next time hardening report is run.  
 
Once the desired updated to the policy database are done, please save the policy database and copy the updated policy database to  KHIKA Application Server. That is it - the updated to the hardening policy will get reflected the next time hardening report is run.  
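Review bot: In the rewritten paragraph ("Typically it is either the column 'policy_value' or 'policy_desc' of the parameter that gets updated"), the pointer now sends the reader to the Policy Database section, but that section describes Policy_Details only as holding a "desired value" and a "concise description" and never names these columns in text, so the mapping depends on the screenshot. Suggest stating in the Policy_Details description which column holds the desired value and which holds the description. The same line still reads "Please refer the ... to see how this done"; "refer to" and "how this is done" could be fixed in the same change.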

Revision as of 12:06, 20 August 2019

The KHIKA Hardening Compliance Report internally uses a sqlite database (www.sqlite.org) to maintain the hardening templates. The sqlite database is available on the KHIKA Application Server at the following locations:

  • For Windows Servers -> /opt/KHIKA/Apps/Dashboards_n_Reports/WIN_GRC/policy_db.dat
  • For Linux Servers -> /opt/KHIKA/Apps/Dashboards_n_Reports/Linux_GRC/linux_policy.db

Customization of Hardening policy may include anything from creating your own hardening policy template to editing an existing hardening policy. To know more, please read on:

Policy Database

In order to customize the server hardening parameters, it is important to understand the server hardening policy database. The policy database has the following important tables:

Policy_Definition -> The Policy_Definition table is used for defining the various groups of policies, e.g. 'Password Policy' is the policy group for the various password-related parameters/settings. Please refer to the picture below:

Policy def.png

Policy_Details -> For each Policy Group, there are several parameters that need to be checked, and the Policy_Details table is used to define these parameters. For example, within Password Policy there are parameters like minimum password length, maximum password validity period, etc., which need to be evaluated. Each parameter has its own record in the Policy_Details table, containing details such as the desired value, a concise description of the parameter, etc. Please refer to the picture below:

Policy details.png

Server_Group -> This table defines the group of servers and the mapping of the group to the set of hardening policies applicable to all the servers within the group.

Server group.png

Server_Details -> This table is used to capture the details of the server and the server_group to which the server belongs.

Server details.png

Let us consider the following example to understand the role played by the policy database in the workflow of the Server Hardening Report. Assume that hardening data is collected from the server 'khika-pc'. To generate the server hardening report for 'khika-pc', the workflow proceeds as follows:

  1. To understand the hardening policies that need to be applied to check hardening compliance for 'khika-pc', obtain the server_group_id corresponding to the server_group for 'khika-pc' from the table 'server_details'.
  2. From the server_group table, get the list of policies to be checked for server_group.
  3. For each policy in the policy_details, get the list of hardening parameters, their desired values, description and other configured values.
  4. Compare the collected value for the hardening parameters against the desired value and determine the result i.e. whether the parameter is configured properly or not.
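
The four steps above, traced against an in-memory sqlite database as an added example (not KHIKA's own code). The table names and the columns server_group_id, policy_value and policy_desc come from this page; every other column name, the sample rows and the exact-match comparison are assumptions made for the illustration.

```python
import sqlite3

# Constructed schema and rows. Hypothetical columns: policy_id, policy_name,
# param_name, server_name. The real layout is shown only in the screenshots.
SCHEMA = """
CREATE TABLE policy_definition (policy_id INTEGER PRIMARY KEY, policy_name TEXT);
CREATE TABLE policy_details (policy_id INTEGER, param_name TEXT,
                             policy_value TEXT, policy_desc TEXT);
CREATE TABLE server_group (server_group_id INTEGER, policy_id INTEGER);
CREATE TABLE server_details (server_name TEXT, server_group_id INTEGER);
INSERT INTO policy_definition VALUES (1, 'Password Policy');
INSERT INTO policy_details VALUES
  (1, 'MinimumPasswordLength', '8', 'Minimum password length'),
  (1, 'MaximumPasswordAge', '90', 'Maximum password validity period');
INSERT INTO server_group VALUES (10, 1);
INSERT INTO server_details VALUES ('khika-pc', 10);
"""

def evaluate(conn, server, collected):
    """Steps 1-3: server -> server_group -> policies -> parameters. Step 4: compare."""
    rows = conn.execute(
        """SELECT pd.policy_name, d.param_name, d.policy_value
           FROM server_details s
           JOIN server_group g ON g.server_group_id = s.server_group_id
           JOIN policy_definition pd ON pd.policy_id = g.policy_id
           JOIN policy_details d ON d.policy_id = g.policy_id
           WHERE s.server_name = ?
           ORDER BY d.param_name""", (server,)).fetchall()
    if not rows:
        # A server with no group mapping would otherwise yield an empty report.
        raise LookupError(f"no policies mapped to server {server!r}")
    report = []
    for policy, param, desired in rows:
        actual = collected.get(param)
        if actual is None:
            status = "NOT_COLLECTED"   # missing data is never counted as a pass
        elif str(actual).strip() == desired.strip():
            status = "PASS"
        else:
            status = "FAIL"
        report.append((policy, param, desired, actual, status))
    return report

def demo():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return evaluate(conn, "khika-pc", {"MinimumPasswordLength": "6"})
```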

To edit an existing hardening policy

The KHIKA Server Hardening mechanism internally uses an sqlite database to maintain the various hardening parameters along with their expected values, so in order to edit an existing hardening policy you will need to update the sqlite database. This can be easily done by copying the appropriate policy database from the KHIKA Application Server to a Windows machine where SQLiteBrowser is available, via WinSCP or any other equivalent utility. Once the policy database sqlite file is copied to the Windows machine, open the policy database using SQLite Browser.

In order to edit the existing hardening policy, one has to identify the relevant policy group and then check the parameter within the policy group that needs to be updated. Typically it is either the column 'policy_value' or 'policy_desc' of the parameter that gets updated. Please refer to the Policy Database section to see how this is done.

Once the desired updates to the policy database are done, please save the policy database and copy the updated policy database to the KHIKA Application Server. That is it - the updates to the hardening policy will be reflected the next time the hardening report is run.
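
Before the edited file is copied back, it is worth confirming that only the intended parameter changed and that the file is still a sound sqlite database. The following is an added example (not part of KHIKA) that compares an edited copy against the untouched original; the key column param_name, the file names and the sample rows are assumptions, while policy_details, policy_value and policy_desc are the names used on this page.

```python
import os
import sqlite3
import tempfile

def make_db(path, rows):
    # Constructed policy_details table; param_name is a hypothetical key column.
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE policy_details (param_name TEXT PRIMARY KEY,"
                 " policy_value TEXT, policy_desc TEXT)")
    conn.executemany("INSERT INTO policy_details VALUES (?, ?, ?)", rows)
    conn.commit()
    conn.close()

def review_edit(original, edited):
    """Return (integrity result, changed rows, removed parameters) for an edited copy."""
    conn = sqlite3.connect(edited)
    try:
        integrity = conn.execute("PRAGMA integrity_check").fetchone()[0]
        conn.execute("ATTACH DATABASE ? AS orig", (original,))
        # IS NOT treats NULL as a comparable value, so a blanked field is reported.
        changed = conn.execute(
            """SELECT o.param_name, o.policy_value, e.policy_value
               FROM orig.policy_details o
               JOIN main.policy_details e ON e.param_name = o.param_name
               WHERE o.policy_value IS NOT e.policy_value
                  OR o.policy_desc IS NOT e.policy_desc
               ORDER BY o.param_name""").fetchall()
        removed = conn.execute(
            """SELECT param_name FROM orig.policy_details
               EXCEPT SELECT param_name FROM main.policy_details""").fetchall()
    finally:
        conn.close()
    return integrity, changed, [r[0] for r in removed]

def demo():
    rows = [("MaximumPasswordAge", "90", "Maximum password validity period"),
            ("MinimumPasswordLength", "8", "Minimum password length")]
    with tempfile.TemporaryDirectory() as tmp:
        original = os.path.join(tmp, "policy_original.db")
        edited = os.path.join(tmp, "policy_edited.db")
        make_db(original, rows)
        make_db(edited, rows)
        conn = sqlite3.connect(edited)   # stands in for the manual edit
        conn.execute("UPDATE policy_details SET policy_value = ? WHERE param_name = ?",
                     ("12", "MinimumPasswordLength"))
        conn.commit()
        conn.close()
        return review_edit(original, edited)
```

An integrity result other than `ok`, an unexpected entry in the changed list, or any removed parameter is a reason not to copy the file back to the KHIKA Application Server.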

To create your own hardening policy template

NOTE

To edit the sqlite database, it is recommended to use an open source utility named 'Sqlite Browser', which may be downloaded from https://sqlitebrowser.org/ (please review the license policy before downloading & using the sqlite browser utility).