Hardening

The recommendations of the Center for Internet Security (CIS) have been merged with Pandora FMS monitoring technology to offer an integrated assurance audit system. This allows the evolution of hardening measures (security strengthening) to be tracked and evaluated over time in the environments used and monitored.

System hardening is a process used to improve the security of a computer system by reducing its attack surface and strengthening its defenses. It consists of making it more difficult for potential attackers to explore configuration errors, whether due to default configurations, bad configurations or improper configurations.

System hardening is an ongoing process as security threats and vulnerabilities evolve over time. It requires constant monitoring, risk assessments, and adjustments to security configurations to adapt to changing circumstances. Additionally, organizations often follow industry-specific standards and best practices, such as CIS controls or National Institute of Standards and Technology (NIST) guidelines, to ensure integral hardening system.

Pandora FMS uses several CIS categories to group the checks it performs.

We have taken the CIS recommendations a step further by implementing more than 1,500 individual checks across a variety of safety-critical categories.

Inventory and control of hardware and software assets: Monitor and manage all devices and software in your organization. Maintain an up-to-date inventory of your technology assets and use authentication to block unauthorized processes.

Device inventory and control: Identify and manage your hardware devices so that only authorized ones have access, blocking others. Maintaining proper inventory minimizes internal risks, organizes your environment, and provides clarity to your network.

Vulnerability Management: Analyze your assets continuously over time to detect potential vulnerabilities and fix them before they become the gateway to an attack. Strengthen network security by ensuring that software and operating systems in the organization are always up-to-date with the latest security measures and patches. Help manage your software to ensure that only authorized software is installed and running. Avoid vulnerabilities and risks by maintaining accurate inventory and managing your software.

Controlled use of administrative privileges: Closely monitor access controls and the behavior of users with privileged accounts to prevent any unauthorized access to critical systems. Ensure that only authorized people have the appropriate privileges to avoid any misuse of administrative privileges. Establish strict policies to prevent misuse of privileges.

Secure hardware and software configuration: Establish and maintain security configurations based on standards approved by your organization. Create a rigorous configuration management system that detects and alerts about any bad configuration, and establishes a change control process to prevent attackers from exploiting vulnerable services and configurations.

Log and audit log maintenance, monitoring, and analysis: Collect, manage, and analyze event audit logs to identify potential anomalies. Maintain detailed logs to fully understand attacks and respond effectively to security incidents.

Malware Defenses: Monitor and control the installation and execution of malicious code at different points in your organization to prevent attacks. Configure and use anti-malware software and leverage automation to ensure fast defense updates and prompt corrective action in the event of attacks.

Email and Web Browser Protection: Protect and manage your web browsers and email systems from online threats to reduce your attack surface. Disable unauthorized email plugins and ensure that users only access trusted websites using web-based URL filters. Keep common entry doors safe from attacks.

Data recovery capabilities: Establish processes and tools to ensure your organization's critical information is properly backed up. Ensure you have a reliable data recovery system to restore information in the event of attacks that compromise critical data. Prepare your organization to deal with data loss effectively.

Boundary defense and data protection: Identify and separate sensitive data, and establish a series of processes that include encryption, data infiltration protection plans, and data loss prevention techniques. Establish strong barriers to prevent unauthorized access.

Monitoring and Account Control: Closely monitors the entire life cycle of your systems and application accounts, from creation to deletion, usage and inactivity. This active management prevents attackers from exploiting legitimate but inactive user accounts for malicious purposes and allows you to maintain constant control over the accounts and their activities.

The checks are performed by the EndPoint that runs on each machine. Usually an audit takes place every week, but that period can be set to a longer period, such as a month. That way you can take a snapshot of the security of the system, calculate and assign a security index (a numerical rating, defined as the percentage of checks carried out and approved versus checks that do not pass the tests) and see the evolution of that safety index over time.

Example of a “snapshot” of the hardening status of a system:

Example of the evolution of hardening of a system over time:

The system allows us to see, broken down by category, the checks that have been executed:

And for each group of elements, see the detail, to be able to work on its correction:

Controls have been developed, depending on each system if applicable, that will help determine if they are relevant for the environment to be monitored. Currently this feature is available for MS Windows® and Linux® servers.

For that, activate the corresponding plugin in the EndPoint configuration. It can be done manually or through monitoring policies on machine groups.

On MS Windows®:

module_begin
module_plugin "%PROGRAMFILES%\Pandora_Agent\util\pandora_hardening.exe -t 150"
module_absoluteinterval 7d
module_end

Linux®:

module_begin
module_plugin /usr/share/pandora_agent/plugins/pandora_hardening -t 150
module_absoluteinterval 7d
module_end

By default, the Hardening plugin applies a set of policies in YAML format that are built into it.

To customize these Hardening policies, you can download and extract them to a directory to begin editing them. Once you have edited them as needed, copy the directory — including all its subdirectories and files — to a location accessible by the Hardening plugin on each endpoint, and add the parameter
--policy-dir along with the path to that directory.

module_plugin /usr/share/pandora_agent/plugins/pandora_hardening -t 150 --policy-dir POLICY_DIRECTORY

In addition to the dashboard and specific views to be able to analyze this data in specific systems or at a global level, there are some modules generated by the hardening system that will allow the hardening evaluation data to be processed like other Pandora FMS data, to establish alerts, generate graphics or any other use that is needed. These modules are generated or updated automatically each time a hardening audit is run and belong to the Module group called Security.

• Hardening - Failed checks: It shows the total number of checks that did not pass the securing test.
• Hardening - Not applied checks: It shows the total number of checks that were not run because they do not apply (for example, checks for another version of your Linux distribution or Windows version, or because they look for a certain component that is not installed).
• Hardening - Passed checks: It shows the total number of checks that passed the securing test.
• Hardening - Score: It shows the percentage of checks that passed. A threshold can be set here to show when the system is in Warning or Critical state regarding securing.

Once the EndPoints run the hardening module for the first time, the information will arrive and you may see in the detail of each EndPoint (Operation → Monitoring views → Agent detail → Agent main view) in the Agent Contact box three elements summarizing the security status (SecurityMon, hovering the pointer over it will show the number of security modules), the security percentage achieved (Hardening) and the vulnerability status (Vulnerability, hovering the pointer over it will show the score achieved):

A specific section will also be enabled for the hardening of these agents:

In addition, you will be able to see a section in the operation menu called Security, where there is a specific dashboard for Hardening data where you may filter by groups, agents, CIS categories and other details.

New report types have been created to display hardening information:

• Top N agents with the worst score. Filtered by groups.
• Top N of checkups that fail most frequently. Filtered by groups.
• Pie chart with Vulnerabilities by type. Choosing a CIS category, the fails, passed and skipped (optional) of all agents are grouped (or only the group selected) by category.
• Top N of checks that fail by category, the latest data from all agents (or only the selected group) is grouped by hardening categories and the categories with the highest number of fails among all agents are listed.
• List of security checks is a technical and exhaustive report with all the details, the latest checks of an agent are listed, filtered by group, category and status.
• Scoring, the latest scoring of the agents of the selected group or of all within the time range selected in the default filter of the reports is shown. The last scoring of each agent within the temporal range is always taken, that is, if a range of one month is set, the last scoring of the agents within that month will be searched.
• Evolution, a global evolution of hardening is shown by averaging the tests that passed and those that failed, grouped by day, for all agents or those within the selected group.

Here are some examples of PDF reports:

A new widget in the Pandora FMS Dashboard groups most hardening reports:

Configuration options:

Operation → Security → Agent security menu.

In the agents' security view, Hardening column, you will be able to see the score of each agent, among other data. You may filter by hardening score percentage and include other additional fields. To show the agents without hardening score, use the All option.

Return to Pandora FMS documentation index