NIST Compliant Computer Setup

Topic

Configure a Linux computer to be NIST compliant per ITSS guidelines. 

 

Audience

Internal Only

Solution

Background Information

Some computers in our environment may end up being used for special grants and require a more secure configuration than our standard Ubuntu Linux machines. This KB walks you through setting one of these devices up for a customer. The process is more manual at this time; it may become more automated in the future, depending on the number of devices that require this configuration. The biggest differences between this configuration and the standard configuration we use on all other Linux machines are:

  1. The local admin account is not erausupport. (The correct account is in Secret Server and is shared only with the people who have permission to work on the machine.)
  2. An ACL prevents anyone who is not listed on it from logging into the machine.
  3. The machine must have an Ubuntu Pro subscription (at this time purchased by the customer).
  4. The standard software, such as Google Chrome, Firefox, Edge and VLC media player, is not installed on the device.
  5. Only certain Desktop Support techs are allowed to authenticate to the machine, so only those techs get a sudoers.d file.

Because of these differences, these devices live in a separate project in Semaphore with limited access to the project and to the task templates that can be run. Technicians who are allowed to authenticate to the device will have access to that project in Semaphore.

 

OS install

The initial OS install is more manual at this time. We may be able to create a preseed/cloud-init file in the future to handle some of the steps, but the most important one, full-drive encryption, is an install-time choice: the Ubuntu installer only offers it while partitioning, and an existing install cannot be converted afterwards without wiping the drive and starting over. Once the drive is encrypted, the passphrase must be entered every time the device is powered on or restarted. Boot from our normal iPXE boot disk and go through the installer manually. The steps are:

  1. Boot into iPXE and select the Ubuntu version you want to install on the device.
  2. At the language selection screen choose English, then click Continue.
  3. Select the appropriate keyboard layout (likely English for both) and click Continue.
  4. At the software selection screen leave the default selection of Normal installation and click Continue.
  5. At the Installation type screen make sure "Erase disk and install Ubuntu" is selected, then click Advanced features and choose "Use LVM with the new Ubuntu installation" and "Encrypt the new Ubuntu installation for security". Click OK.
  6. Click Install Now at the Installation type screen after setting up the advanced features.
  7. At the "Choose a security key" screen enter a security key (this is the passphrase that unlocks the drive) and store it in Secret Server in case a future tech needs it. Click Enable recovery key. This generates a 48-digit recovery key, and there are two ways to handle it. The first is to let the installer generate it, write it down, and enter it into Secret Server along with the passphrase for this device. The second is to generate the 48-digit key in Secret Server (or a similar password manager such as LastPass) and type it into the Recovery key and Confirm recovery key boxes. The second option is recommended: a key generated in Secret Server is already stored there, and typing it into both boxes makes a transcription error less likely, so the key on the device is more likely to match the one in Secret Server. Check Overwrite empty disk space, then click Install Now.
  8. You may see a drive selection screen if a flash drive is inserted or the machine has multiple drives. Select the drive the OS should be installed on and click Install Now. If there is only one disk in the machine you will see the popup in step 9 instead.
  9. Once you click Install Now you will see an overview of the drive changes that will be applied. Click Continue.
  10. Select the location (it won't change from New York, but you can place the pin on Florida if you want) and click Continue.
  11. Create the local admin account. The account username and password are in Secret Server and shared only with the techs who are allowed to authenticate on the device. Set "Your computer's name" to the hostname convention we currently use, e.g. ldb-servicetag or lcoa123-1234; the name must be all lowercase and start with an l. Click Continue.
  12. Once the install is complete you will see a restart popup. Click Restart.
  13. At the unlock disk screen enter the security key you created in step 7.
  14. You should now be able to log in to the device.

Once you have signed into the device, contact EDM to run the playbooks required to configure it. Eventually the plan is to place these in Semaphore so that technicians can run them without waiting for EDM. The ACL and Ubuntu Pro playbooks take different inputs for every machine, which is what makes these configurations unique enough that a single playbook that does all of the setup does not really work.

 

Main playbook run

This playbook sets the default state of the device and configures things like the login screen, the colour scheme of the OS and the background image, and installs around 150 default packages that Ubuntu needs to run effectively. It creates the sudoers files, which only include the technicians authorized to authenticate to the device. It also verifies, and if necessary configures, some of the NIST settings, such as the SSH encryption methods (ciphers and MACs), the password hashing method, and the firewall state, and it checks whether the disk is encrypted. If the disk is not encrypted there is nothing that can be done once the OS is installed other than wiping the drive and starting over.
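The checks described above, as an added example that is not the playbook's own code: a POSIX shell script that verifies the same four settings (SSH ciphers and MACs, the password hashing method in /etc/login.defs, ufw state, and the presence of a crypto_LUKS device). Every check reads a file, so the functions work on saved output as well as on the live system via the --live driver. The deny-list of SSH algorithms (CBC, RC4, 3DES, MD5 and truncated MACs) is this example's assumption; the KB does not give the playbook's exact allow-list.

```shell
#!/bin/sh
# Added example, not the playbook's code: stand-alone spot checks for the NIST
# settings the main playbook verifies. Each check reads a file and returns
# 0 for pass, 1 for fail, so it can run against saved output or the live system.
set -u

# sshd ciphers/MACs. Point it at "sshd -T" output (which resolves Include files)
# or at sshd_config. sshd honours the first occurrence of a keyword, so the first
# Ciphers/MACs lines win here too. The deny-list is this example's assumption.
check_sshd_crypto() {
  local cfg="$1" ciphers macs
  [ -r "$cfg" ] || return 1
  set -- $(awk 'tolower($1)=="ciphers" && c=="" {c=$2}
                tolower($1)=="macs"    && m=="" {m=$2}
                END {print (c==""?"-":c), (m==""?"-":m)}' "$cfg")
  ciphers=$1; macs=$2
  [ "$ciphers" != "-" ] && [ "$macs" != "-" ] || return 1   # both must be set explicitly
  case "$ciphers" in *cbc*|*arcfour*|*3des*) return 1 ;; esac
  case "$macs" in *md5*|*umac-64*|*-96*) return 1 ;; esac
  return 0
}

# /etc/login.defs must hash new passwords with SHA512 or YESCRYPT.
check_password_hashing() {
  [ -r "$1" ] || return 1
  case "$(awk '$1=="ENCRYPT_METHOD" {print toupper($2); exit}' "$1")" in
    SHA512|YESCRYPT) return 0 ;;
    *) return 1 ;;
  esac
}

# Saved "ufw status" output must report the firewall active.
check_firewall_active() {
  [ -r "$1" ] && grep -qi '^Status: active' "$1"
}

# Prints the device whose FSTYPE is crypto_LUKS in "lsblk -rno NAME,FSTYPE" output
# (plain "lsblk -f" works too; tree characters are stripped). Returns 1 when there
# is none, i.e. the disk is not encrypted.
luks_device_from_lsblk() {
  local dev
  [ -r "$1" ] || return 1
  dev=$(awk '$2=="crypto_LUKS" {sub(/^[^A-Za-z0-9]+/, "", $1); print $1; exit}' "$1")
  [ -n "$dev" ] || return 1
  printf '%s\n' "$dev"
}

# Live run (needs sudo for sshd -T and ufw):  sh nist-checks.sh --live
if [ "${1:-}" = "--live" ]; then
  tmp=$(mktemp -d); rc=0
  sudo sshd -T > "$tmp/sshd"; sudo ufw status > "$tmp/ufw"; lsblk -rno NAME,FSTYPE > "$tmp/lsblk"
  check_sshd_crypto "$tmp/sshd"          || { echo "FAIL: weak or unset sshd Ciphers/MACs"; rc=1; }
  check_password_hashing /etc/login.defs || { echo "FAIL: ENCRYPT_METHOD is not SHA512/YESCRYPT"; rc=1; }
  check_firewall_active "$tmp/ufw"       || { echo "FAIL: ufw is not active"; rc=1; }
  luks_device_from_lsblk "$tmp/lsblk"    || { echo "FAIL: no crypto_LUKS device, disk is not encrypted"; rc=1; }
  rm -rf "$tmp"
  [ "$rc" -eq 0 ] && echo "all checks passed"
  exit "$rc"
fi
```

The disk check is the one that cannot be fixed in place: if luks_device_from_lsblk reports nothing on a delivered machine, the only remedy is the reinstall described above.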

Creating the ACL

The NIST configuration requires that only people working on the project be able to authenticate to the device, and that they do so with their LDAP accounts. Our devices are normally configured to use LDAP, but they allow anyone with an LDAP account to log in. The ACL file therefore has to be adjusted so that only the people authorized to work on the device can authenticate to it. This is another playbook that will eventually be moved into Semaphore so that the technicians providing support can run it on a device and set the ACL easily. For the time being, EDM can run the playbook once the support team gives them the list of authorized users. Once the playbook is moved into Semaphore, additional information will be provided so that technicians know how to run it properly. The list will be different for every device.
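One common way to implement an ACL of this kind on Ubuntu is pam_access, which reads /etc/security/access.conf. The fragment below is an added illustration of the intent, not the playbook's file: the KB does not name the mechanism the playbook uses, and it may be a different one (for example an sssd access filter). The account, user and group names are placeholders.

```text
# /etc/security/access.conf (illustrative, not the playbook's file)
# Format: permission : users/groups : origins   (first matching line wins)

# Local admin account (placeholder name) may log in from anywhere.
+ : nistadmin : ALL

# Project members from LDAP, listed by user name or by group (groups in parentheses).
+ : alice bob : ALL
+ : (nist-grant-project) : ALL

# Everyone else is denied; this line must stay last.
- : ALL : ALL
```

pam_access only takes effect when `account required pam_access.so` is present in the PAM stack (on Ubuntu, adding it to /etc/pam.d/common-account covers both the graphical login and SSH); without that line the file is ignored. Keep the local admin line above the deny rule, or the support techs lock themselves out along with everyone else.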

 

Attaching to Ubuntu Pro

Another NIST requirement is that the device be attached to an Ubuntu Pro subscription. IT does not currently purchase Ubuntu Pro subscriptions, so the customer requiring NIST compliance will need to purchase one and provide the token to Desktop Support. As with the ACL, the token comes from the customer's own subscription and so differs from one device to the next, which makes this harder to code into a playbook for repeated use. This will also eventually be moved into Semaphore as a task template that support techs can run on the device. For now there are two options.

Option 1:

Log in to the device using your erau account, which should have sudo permissions. Open a terminal and run the following commands:

  • sudo apt update
  • sudo apt install ubuntu-advantage-tools (the Pro client is already installed on current Ubuntu releases, so this is usually a no-op)
  • sudo pro attach <token>, where <token> is the customer's Ubuntu Pro subscription token.
  • sudo pro enable fips-updates. This installs the FIPS-certified kernel and crypto packages, including the ubuntu-fips metapackage, from the Pro repositories. Those packages are not visible to apt until the device is attached, so there is no separate apt install ubuntu-fips step.
  • sudo pro enable livepatch
  • During the enable steps you will likely see a message that the kernel will be downgraded. This is expected: the FIPS-certified kernel is a fixed, older version than the generic kernel.
  • Reboot so the device runs the FIPS kernel, then confirm with sudo pro status (fips-updates and livepatch should show enabled) and cat /proc/sys/crypto/fips_enabled (should print 1).

Option 2:

There is a playbook that can automate this, which EDM can run, but it needs the subscription token. If you would like EDM to run this playbook, contact them and it can be run while you are on a call together.

 

Creating additional hard drive unlock keys

Once the device is set up and delivered to the customer, at least one additional key must be added so that the customer can unlock the drive. The customer should not have the key created by the support tech, and neither the support tech nor anyone else in IT should have the key the customer creates. If several non-IT people will be using the device, each of them should create their own key. A LUKS1 header has 8 key slots in total; after installation two are normally already in use (the security key and the recovery key), which leaves 6, so if more than 6 non-IT people use the computer some of them will need to share a key. luksDump shows exactly which slots are in use, and its Version line tells you the header format: the 8-slot limit applies to Version 1, while a LUKS2 header has 32 slots.

To create additional keys, sign in to the device with your LDAP account, open a terminal and run the following commands:

  • lsblk -f. This lists the drives; look for the entry with FSTYPE crypto_LUKS and note its device name (in the screenshot below it is nvme0n1p3).

       

  • sudo cryptsetup luksHeaderBackup /dev/devicename --header-backup-file /root/luks-header-backup.img (where devicename is the name from step 1). The backup contains the key slots, so treat the file like a passphrase: leave it readable only by root, move it to Secret Server rather than leaving it on the device, and remember that a backup taken now does not contain the keys added after it. cryptsetup will not overwrite an existing backup file, so use a new file name if one already exists.
  • sudo cryptsetup luksDump /dev/devicename (again devicename is the device name from step 1). This shows how many key slots are in use (on a LUKS1 header each used slot appears as "Key Slot N: ENABLED"); as long as fewer than 8 are in use you can add another.
  • sudo cryptsetup luksAddKey /dev/devicename. You will first be prompted for an existing passphrase: enter the security key you created when setting up the device. Then let the user enter their own key (type it, press Enter, type it again to confirm, press Enter). Repeat for each person who needs their own key. Keep in mind that only 7 keys can be added beyond the original one.
  • sudo cryptsetup luksDump /dev/devicename again to confirm that an additional key slot is now enabled.

Once all keys have been set, reboot the computer and have each person test their key to unlock the drive.
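The key-adding steps above as a script, added here as an example and not the KB's own procedure. It reads luksDump output to count the key slots in use before calling luksAddKey, and handles both header formats (8 slots for LUKS1, 32 for LUKS2). The backup file name and the prompts are this example's choices; the device path is the crypto_LUKS entry found with lsblk -f.

```shell
#!/bin/sh
# Added example, not the KB's own procedure: wraps luksHeaderBackup / luksDump /
# luksAddKey and adds the key-slot accounting the text does by eye. The parsing
# functions read saved luksDump output, so they can be exercised without a LUKS
# device; add_user_key runs the real cryptsetup commands and needs sudo.
set -eu

# Header format version (1 or 2) from luksDump output.
luks_version() { awk '$1=="Version:" {print $2; exit}' "$1"; }

# Total key slots: 8 for a LUKS1 header, 32 for LUKS2.
luks_max_slots() {
  case "$(luks_version "$1")" in 1) echo 8 ;; 2) echo 32 ;; *) echo 0 ;; esac
}

# Slots holding a key: "Key Slot N: ENABLED" lines (LUKS1) or "N: luks2" entries in
# the Keyslots section (LUKS2). Token and digest entries have other type names
# (e.g. "luks2-keyring", "pbkdf2"), so the anchored pattern does not count them.
luks_used_slots() {
  awk '/^Key Slot [0-9]+: ENABLED/ {n++} /^ *[0-9]+: luks2 *$/ {n++} END {print n+0}' "$1"
}

luks_free_slots() { echo $(( $(luks_max_slots "$1") - $(luks_used_slots "$1") )); }

# Back up the header, refuse to continue when no slot is free, then let the new
# user type their passphrase. DEV is the crypto_LUKS device, e.g. /dev/nvme0n1p3.
add_user_key() {
  local dev="$1" dump backup
  dump=$(mktemp)
  # luksHeaderBackup refuses to overwrite an existing file, hence the timestamp.
  backup="/root/luks-header-backup-$(date +%Y%m%d-%H%M%S).img"
  sudo cryptsetup luksDump "$dev" > "$dump"
  if [ "$(luks_free_slots "$dump")" -le 0 ]; then
    echo "no free key slot on $dev: $(luks_used_slots "$dump") of $(luks_max_slots "$dump") in use" >&2
    rm -f "$dump"; return 1
  fi
  # The backup holds the key slots: keep it root-only and move it to Secret Server.
  sudo cryptsetup luksHeaderBackup "$dev" --header-backup-file "$backup"
  sudo chmod 600 "$backup"
  echo "Tech: enter the security key from setup. Then the new user enters their key twice."
  sudo cryptsetup luksAddKey "$dev"
  sudo cryptsetup luksDump "$dev" > "$dump"
  echo "$(luks_used_slots "$dump") of $(luks_max_slots "$dump") key slots now in use (header backup: $backup)"
  rm -f "$dump"
}

case "${1:-}" in /dev/*) add_user_key "$1" ;; esac
```

Run `sh luks-add-key.sh /dev/nvme0n1p3` once per person; the slot count it prints after each run is the same number the manual luksDump step asks you to check.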