Compliance Check
Before a Managed OS VM can go into the Full Managed state, compliance checks must be run. The VM is transferred to the requested state only if all relevant checks pass. If one or more checks fail, the customer must correct the findings; afterwards the state change can be requested again.
The compliance check will be executed when the following state changes are requested:
- Temp Admin to Customer Maintenance
- Temp Admin to Full Managed
Compliance Checks for Managed Windows
This section describes the checks to be executed before offering the Full Managed service on a given system.
ID | Test case | Expected results & How to fix it |
---|---|---|
Base.AdminAutologon.Tests | Testing if automatic logon for Admins is disabled | Automatic logon should be disabled. If the check fails, use the following PowerShell command to reset it: Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -Name "AutoAdminLogon" -Value 0 |
Base.Administrators.Tests | Testing local Administrators membership | The local Administrators group should have only Swisscom-allowed accounts as members. Please remove any added users from the Administrators group and follow the user management procedure to give access: https://docs.entcloud.swisscom.com/guide/managed-services/managed-os/how-to/user-management/ |
Base.AdminPrivilege.Tests | Testing Administrators Privileges | The local Administrators group must have the following privileges: - Access this computer from the network - Allow log on locally - Allow log on through Terminal Services If the check fails, please confirm and re-add the Administrators group to the privileges above: run secpol.msc, navigate to Security Settings/Local Policies/User Rights Assignment, find each of the above privileges in the list, and make sure Administrators is a member of all three. |
Base.AuditPolicy.Tests | Testing if Audit Policies are configured to audit Success and Failure | The following audit policies must be configured to audit Success and Failure: - Logon - Logoff - Account Lockout - IPsec Main Mode - IPsec Quick Mode - IPsec Extended Mode - Special Logon - Other Logon/Logoff Events - Network Policy Server - User / Device Claims - Non Sensitive Privilege Use - Other Privilege Use Events - Sensitive Privilege Use - Authentication Policy Change - Authorization Policy Change - MPSSVC Rule-Level Policy Change - Filtering Platform Policy Change - Other Policy Change Events - Audit Policy Change - User Account Management - Computer Account Management - Security Group Management - Distribution Group Management - Application Group Management - Other Account Management Events - Kerberos Service Ticket Operations - Other Account Logon Events - Kerberos Authentication Service - Credential Validation If the test fails, check the error message to see which policy is causing the failure. To list all audit policies, use the following command: auditpol.exe /get /category:* The failing item is the one that is not set to audit both Success and Failure. To set one item to audit success and failure, use the following command (replace {FAILING_NAME_HERE} with the policy item, quoted if the name contains spaces): auditpol.exe /set /subcategory:{FAILING_NAME_HERE} /success:enable /failure:enable For example, if the Logon policy is not set correctly, the following command sets it to audit both success and failure: auditpol.exe /set /subcategory:Logon /success:enable /failure:enable |
Base.BitLockerDriveEncryption.Tests | Testing if the WindowsFeature Bitlocker is installed | Bitlocker should not be installed on the local machine. In case of failure, please first ensure that no disks are encrypted on the system. This can be done by running the command: manage-bde -status !!! Only after confirming that there are no encrypted disks on the system !!! Bitlocker can be removed by running the following command: Uninstall-WindowsFeature -Name Bitlocker |
Base.BITSService.Tests | Testing BITS Service StartMode | The BITS service should not be disabled. To enable the service, set it to Manual startup (the default): Set-Service BITS -StartupType Manual |
Base.BuiltInAccountsDisabled.Tests | Testing if Built-in Accounts are disabled | The built-in Administrator should be enabled. To enable the built-in Administrator, run the following PowerShell command: Get-LocalUser \| where {$\_.sid -like 'S-1-5-\*-500'} \| Enable-LocalUser The built-in Guest should be disabled. To disable Guest, run the following PowerShell command: Get-LocalUser \| where {$\_.sid -like 'S-1-5-\*-501'} \| Disable-LocalUser |
Base.ComputernameChanged.Tests | Testing if the Computername changed | The computer name should not have changed, since it is registered in the cloud management systems. Please set the computer name back to the original name by running the Rename-Computer PowerShell command. You will be prompted for the new computer name, which should be the name set when the machine was created. |
Base.CpuUsage.Tests | Testing CPU load average | The average CPU usage should be less than 95 percent. Please ensure no application is overloading the CPU, or increase the number of CPU cores if required (use the day 2 action "Reconfigure" once the server is in Customer Maintenance mode). |
Base.DeviceManager.Tests | Testing Device Manager for errors | The Device Manager should not return any errors. Please open Device Manager and make sure there are no failing or problematic devices. There should be no problem as long as VMware Tools are installed correctly on the system. |
Base.DistributedCOMUsers.Tests | Testing local DistributedCOMUsers membership | The local Distributed COM Users group should have only Swisscom-allowed accounts as members. Please remove any added users from the Distributed COM Users group and follow the user management procedure to give access: https://docs.entcloud.swisscom.com/guide/managed-services/managed-os/how-to/user-management/ |
Base.DomainJoin.Tests | Testing the computer's domain membership | The computer should be part of a Swisscom resource domain. Should the computer fall off the domain, please ask support to re-join it. |
Base.DriveFull.Tests | Testing Drive capacity | The system drive should have a minimum of 20 GB of free space. The data drive should have a minimum of 5 GB of free space. Please free up some space on the system drive or data drive. Running Disk Cleanup (cleanmgr.exe) and selecting Windows Update Cleanup can free up space, but it will not be possible to uninstall updates after this action. Otherwise, please extend the disk. |
Base.EventlogProperties.Tests | Testing if event log maximum size and log mode are configured correctly | The log mode for the Application, System and Security logs should be Circular. The maximum size of the System log should be greater than or equal to 262'144 KB. The maximum size of the Application log should be greater than or equal to 262'144 KB. The maximum size of the Security log should be greater than or equal to 524'288 KB. The following commands set the minimum acceptable limits: Limit-EventLog -LogName System -MaximumSize 262144KB -OverflowAction OverwriteAsNeeded Limit-EventLog -LogName Application -MaximumSize 262144KB -OverflowAction OverwriteAsNeeded Limit-EventLog -LogName Security -MaximumSize 524288KB -OverflowAction OverwriteAsNeeded |
Base.IISLogLocation.Tests | Testing if the IIS logs are at the correct location | The IIS logs for each website should be on the data volume; please move them away from the C:\ drive by configuring Logging for each site in the IIS Manager console. |
Base.LocalAccountTokenFilterPolicy.Tests | Testing Remote UAC LocalAccountTokenFilterPolicy | The LocalAccountTokenFilterPolicy should be activated, which allows local accounts in the Administrators group other than the built-in Administrator account to manage the server remotely. If the policy is not active, re-activate it by setting the registry value: Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system' -Name "LocalAccountTokenFilterPolicy" -Value 1 |
Base.LoggedOnUsers.Tests | Testing Logged on Users | There should be no local users with local admin rights logged on. Please log off all users from the server and try again. |
Base.LogMgmtInstallation.Tests | Testing installed Log Management software | The Log Management Agent service should be running. The Log Management Agent service should be set to Automatic. The connectivity to the Log Management server should work. |
Base.MalwareProtectionInstallation.Tests | Testing Deep Security Installation | The Trend Micro Deep Security Agent service should be Automatic. If it is not, reset it to Automatic: Set-Service ds_agent -StartupType Automatic The Trend Micro Deep Security Agent service should be running. To start it, run: Start-Service ds_agent The connectivity to the Deep Security Manager should be in a good state. The Trend Micro Deep Security Agent status should be green. The Trend Micro Deep Security Agent component AM Mode should be on. The agent is configured by policy and is not changeable from the machine. If there are problems with the Trend Micro Deep Security Agent, please ensure that network connectivity is present so the policy can come down. Query the agent status: "C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c "GetAgentStatus" From the output, copy the value of AgentStatus.dsmUrl; this is the management point. Ensure that the dsmUrl is accessible from the machine: Test-NetConnection -ComputerName '{Management point hostname here}' -Port '4120' |
Base.MonitoringInstallation.Tests | Testing installed Monitoring software | The Monitoring Agent service should be Automatic. To change the service startup type: Set-Service 'End Point Operations Management Agent' -StartupType Automatic The Monitoring Agent service should be running. To start a stopped service, run: Start-Service 'End Point Operations Management Agent' The Monitoring Agent should be in a good state and the Operations Manager endpoint should be accessible with good network connectivity. Please ensure that network connectivity exists and the network round trip is less than 200ms. Find out the hostname and the port of the endpoint: Select-String -Path "$($env:ProgramFiles)\VMware\ep-agent\conf\agent.properties" -Pattern 'agent.setup.serverIP=*' Select-String -Path "$($env:ProgramFiles)\VMware\ep-agent\conf\agent.properties" -Pattern 'agent.setup.serverSSLPort=*' Then run a network check to the endpoint: Test-NetConnection -ComputerName '{Management point hostname here}' -Port '443' |
Base.NicPowerSaving.Tests | Testing Network Adapter Power Management | Each network interface should have power saving disabled. Please use the following PowerShell command to disable power saving on all network adapters attached to the machine: Get-NetAdapter -Physical \| Get-NetAdapterPowerManagement \| foreach {$\_.AllowComputerToTurnOffDevice = 'Disabled'; $\_ \| Set-NetAdapterPowerManagement} |
Base.NugetAccess.Tests | Testing Web Access to the Nuget repository | The Nuget feed should be accessible within 100ms. |
Base.OSLanguage.Tests | Testing OS Language | The OS language should be 'English, United States (en-US)'. This affects only the language of the operating system user interface, e.g. menus and messages. Keyboard layouts can be of any language and are not restricted. Swisscom does not supply a multilingual UI build and also does not distribute patches for languages other than English (US). To confirm the OS language, run the following command: Dism /online /Get-Intl To change the default UI language: Dism /online /set-allIntl:en-US |
Base.OSLicenceState.Tests | Testing the Windows Licence activation | The KMS server should be registered. The name resolution for the KMS server should return an IP address. The KMS server should be reachable within 100ms. The OS should be licensed. The OS licence should be activated. The Key Management Server is found via DNS; to confirm that your configured DNS server publishes a KMS record, run the following query: slmgr.vbs /dli If the server is resolved correctly, the output gives you the KMS server IP address and port (1688). If this server is accessible, run the following command to re-activate the machine: slmgr.vbs /ato |
Base.OSVersion.Tests | Testing OS Version | The server should have a Swisscom-supported OS version. Swisscom supports Windows Server 2019, Windows Server 2016 and Windows Server 2012 R2. |
Base.PageFileSettings.Tests | Testing PageFile Configuration | The server should have a manually managed page file. The page file initial size should be equal to or greater than 4'096 MB. The page file maximum size should be equal to or greater than 4'096 MB. To set the page file to the minimal acceptable limits, run the following command: wmic pagefileset where name="C:\\pagefile.sys" set InitialSize=4096,MaximumSize=4096 |
Base.PerformanceMonitorUsers.Tests | Testing local PerformanceMonitorUsers membership | The local Performance Monitor Users group should have only Swisscom-allowed accounts as members. Please remove any added users from the Performance Monitor Users group and follow the user management procedure to give access: https://docs.entcloud.swisscom.com/guide/managed-services/managed-os/how-to/user-management/ |
Base.PuppetInstallation.Tests | Testing Puppet Installation | The Puppet service should be Automatic; the following command sets the Puppet service to Automatic: Set-Service 'puppet' -StartupType Automatic The Puppet service should be running; use the following command to start the service: Start-Service 'puppet' The connectivity to the Puppet master should be in a good state. If there are connectivity problems, Puppet writes events to the Application log. Please analyse the Puppet errors in the Application log to understand the problem. This can be done via PowerShell as well: Get-EventLog -LogName 'Application' -Source 'Puppet' -EntryType 'Error' |
Base.RegistryRunKeys.Tests | Testing entries in Run and RunOnce | Run, RunOnce, RunServices and RunServicesOnce should not have any subkeys. Please analyse the following keys to ensure there are only allowed entries: HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce By default, only these entries are allowed: - Deep Security Notifier - InstallWindowsUpdates - VMware VM3DService Process - VMware User Process |
Base.RemoteDesktopProtocol.Tests | Testing Remote Desktop Protocol Settings | Remote desktop connections should be enabled in 'HKLM:\System...'. Remote desktop connections should be enabled in 'HKLM:\SOFTWARE\Policies...'. To enable this, set the following registry value with PowerShell: Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -name "fDenyTSConnections" -value 0 The firewall rule 'RemoteDesktop-UserMode-In-TCP' should be enabled; to enable it, use the following PowerShell command: Enable-NetFirewallRule -Name RemoteDesktop-UserMode-In-TCP The firewall rule 'RemoteDesktop-UserMode-In-UDP' should be enabled; to enable it, use the following PowerShell command: Enable-NetFirewallRule -Name RemoteDesktop-UserMode-In-UDP |
Base.RemoteDesktopUsers.Tests | Testing local RemoteDesktopUsers membership | The local Remote Desktop Users group should have only Swisscom-allowed accounts as members. Please remove any added users from the Remote Desktop Users group and follow the user management procedure to give access: https://docs.entcloud.swisscom.com/guide/managed-services/managed-os/how-to/user-management/ |
Base.Services.Tests | Testing if unnecessary services are disabled | The following services should be disabled: - AudioEndpointBuilder - Audiosrv - Browser - FontCache - iphlpsvc - NcaSvc - NetTcpPortSharing - RemoteAccess - SCardSvr - seclogon - SharedAccess - ShellHWDetection - SSDPSRV - Themes - upnphost - WcsPlugInService To disable all these services at once, use the following PowerShell command: @('AudioEndpointBuilder', 'Audiosrv', 'Browser', 'FontCache', 'iphlpsvc', 'NcaSvc', 'NetTcpPortSharing', 'RemoteAccess', 'SCardSvr', 'seclogon', 'SharedAccess', 'ShellHWDetection', 'SSDPSRV', 'Themes', 'upnphost', 'WcsPlugInService') \| foreach {Set-Service -Name $\_ -Status stopped -StartupType disabled} |
Base.SNMPWriteCommunity.Tests | Testing SNMP Write Community String | There should be no SNMP write communities defined. Please ensure there is nothing defined under this registry key: SYSTEM\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities\ |
Base.StickyKeyBackdoor.Tests | Testing for Sticky Key Backdoors | The hash value of the Ease of Access system files should match the OS version. Scan each of those files to ensure they have not been maliciously replaced: sfc /verifyfile=C:\Windows\System32\sethc.exe sfc /verifyfile=C:\Windows\System32\utilman.exe sfc /verifyfile=C:\Windows\System32\osk.exe sfc /verifyfile=C:\Windows\System32\Magnify.exe sfc /verifyfile=C:\Windows\System32\Narrator.exe sfc /verifyfile=C:\Windows\System32\DisplaySwitch.exe The Ease of Access system files should not have a debugger registered that could be used to hijack the system. Remove the Debugger key by running the following PowerShell command: |
Base.SwisscomCertificate.Tests | Testing Swisscom Root Certificates | There should be Swisscom root certificates available. The Swisscom root certificates should be valid. |
Base.UnsupportedSoftwareInstalled.Tests | Testing if unsupported software is installed | The following features/software should not be installed: - Active Directory Domain Services - SAP - SharePoint - Exchange The DB directory of the following databases should not be on the system disk: - Microsoft SQL Server - MySQL - MongoDB - Oracle - MariaDB - PostgreSQL The current version of the following applications should be greater than or equal to: - Java Version 1.8.0 - OpenJDK Version 1.8.0 - Apache Tomcat Webserver 8.5 - Microsoft SQL Server 12.0 (MS SQL Server 2014) The installation directory of the following applications should not be located on the system disk: - Apache Tomcat Webserver - JBoss |
Base.VMTools.Tests | Testing VMware Tools | The 'VMware Tools' service should be running; use the following command to start the service: Start-Service 'VMTools' The 'VMware Tools' service should be Automatic; use the following command to set the service startup type to Automatic: Set-Service 'VMTools' -StartupType Automatic The VMware Tools should be up to date. |
Base.WindowsFirewall.Tests | Testing Windows Firewall | The 'MpsSvc' service should be running; use the following command to start the service: Start-Service 'MpsSvc' The 'MpsSvc' service should be Automatic; use the following command to set the service startup type to Automatic: Set-Service 'MpsSvc' -StartupType Automatic All Windows Firewall profiles should be enabled. The firewall rule for File and Printer Sharing (SMB-In) should be enabled; to enable it, use the following PowerShell command: Enable-NetFirewallRule -DisplayName 'File and Printer Sharing (SMB-In)' |
Base.WindowsManagementFramework.Tests | Testing installed Windows Management Framework | Windows Management Framework version 5.1 should be installed |
Base.WindowsPatching.Tests | Testing Windows Patching | The difference between the last Windows updates should not be more than 45 days |
Base.WindowsRemoteManagement.Tests | Testing Windows Remote Management | The 'WinRM' service should be running; use the following command to start the service: Start-Service 'WinRM' The 'WinRM' service should be Automatic; use the following command to set the service startup type to Automatic: Set-Service 'WinRM' -StartupType Automatic The WinRM listener should be active. The firewall rule 'WINRM-HTTP-In-TCP' should be enabled; to enable it, use the following PowerShell command: Enable-NetFirewallRule -Name WINRM-HTTP-In-TCP The firewall rule 'WINRM-HTTP-In-TCP' should be set to Allow. |
Base.WindowsUpdate.Tests | Testing Windows Update | The 'wuauserv' service should not be Disabled. Please do not disable the Windows Update service; if it is disabled, set it back to Automatic (Delayed Start): sc.exe config wuauserv start= delayed-auto The connectivity to the Update Server should be in a good state. |
Feature.SystemCenter.Tests | Testing installed System Center components | The Configuration Manager Client should be installed. The SMS Agent Host service should be running; use the following command to start the service: Start-Service 'CcmExec' The SMS Agent Host service StartType should be Automatic; use the following command to set the service startup type to Automatic: Set-Service 'CcmExec' -StartupType Automatic The Management Point should be a member of the Swisscom-CMS-Domain. The assigned site should be the Enterprise Service Cloud site. |
Additional Tests for PreMigration | ||
PreMig.CmsSystemAccess.Tests | Testing connectivity to the CMS systems | The name resolution of the cloud management systems should return an IP address. The cloud management systems should be reachable within 100ms. |
PreMig.MalwareProtection.Tests | Testing Malware Protection Installation | There should be no Malware Protection installed |
PreMig.NetFramework35.Tests | Testing if the WindowsFeature .NetFramework 3.5 is installed | The .NetFramework 3.5 should be installed on the local machine. |
PreMig.SystemManagement.Tests | Testing if a System Management Tool is installed | The product 'Configuration Manager Client' should not be installed. The service 'CcmExec' should not be installed. The product 'Puppet' should not be installed. The service 'Puppet' should not be installed. |
Compliance Checks for Managed RHEL 7 and Managed RHEL 8
This section describes the checks to be executed before offering the Full Managed state on a given system.
To see whether a system is healthy, i.e. able to be changed back to the Full Managed state, run the following command from the command line at any time:
$ sudo checkmate -a
The output of the command is written to standard output and to /var/log/messages.
Check | Explanation | Troubleshooting |
---|---|---|
check_autofs | It is not allowed to have the autofs RPM installed; therefore it must be removed. | Remove the autofs RPM by executing: $ sudo yum -y remove autofs.x86_64 |
check_cron | No crontab entries that run as user root are allowed. The only permitted root cron jobs are dedicated ones whose sha1sum checksums are trusted by check_cron; because of that, existing cron files must not be edited. | If the cron job is absolutely needed, send an incident to the Managed OS operation team explaining why the cron job is needed. Also provide the exact error message, the hostname and the IP address. |
check_fs_content | Do not create additional content on the OS mountpoints. No application directories, application log files or any other application data are allowed on OS-mounted filesystems (/, /boot, /usr/local, /opt, /opt/ds_agent, /opt/vmware, /home, /var, /var/log, /var/log/audit, /tmp). Create all your application-specific content on additionally added disks which belong to the LVM volume group "datavg". | Proposed valid procedure: 1. Add a disk for every new mountpoint you want to create via the portal. 2. Add the new disks to the LVM volume group "datavg". 3. Create a new LVM logical volume for every custom mountpoint. 4. Alter /etc/fstab. 5. Mount the new filesystems. 6. Test the new filesystems. |
check_fslayout | The OS requires the following filesystem layout: /dev/mapper/vrhvg-slashlv on /, /dev/mapper/vrhvg-optlv on /opt, /dev/mapper/vrhvg-homelv on /home, /dev/mapper/vrhvg-usrloclv on /usr/local, /dev/sda1 on /boot, /dev/mapper/vrhvg-tmplv on /tmp, /dev/mapper/vrhvg-varlv on /var, /dev/mapper/vrhvg-varloglv on /var/log, /dev/mapper/vrhvg-logaudlv on /var/log/audit, /dev/mapper/vrhvg-swaplv01 as swap. All OS filesystems must be in the volume group "vrhvg". All customer filesystems must be in the volume group "datavg" or "datavg[0-9][0-9]". The size of the OS filesystems must not be changed. | You can check the filesystem layout by executing: $ df -hP |
check_fstab | Checks that all entries from /etc/fstab are mounted. All entries from /etc/fstab must be mounted before switching back to the Full Managed state. | To test your fstab configuration, you can mount everything in it by executing: $ sudo mount -a |
check_fstypes | Ensure all partitions have an allowed filesystem type. Allowed filesystem types: autofs, binfmt_misc, cgroup, cifs, configfs, debugfs, devpts, devtmpfs, ext4, hugetlbfs, mqueue, nfs, nfs4, proc, pstore, rootfs, securityfs, selinuxfs, smbfs, swap, sysfs, tmpfs, usbfs, xfs | You can check the filesystem type of a mounted filesystem by executing: $ df -hT [FILESYSTEM] |
check_hostname | Checks that the hostname has not been changed. If you have tried to change the hostname, you must revert all changes. | You can make sure all relevant places have the right hostname set by executing: $ sudo grep sccloudres /etc/sysconfig/rhn/systemid $ sudo facter fqdn $ sudo cat /etc/hostname $ sudo grep sccloudres /etc/sysconfig/network $ sudo grep sccloudres /etc/hosts $ hostnamectl status \| grep sccloudres |
check_hosts_file | The /etc/hosts file must contain a localhost entry, and all IPv4 and IPv6 addresses must be valid. | Get an overview of your actual /etc/hosts file by executing: $ ls -la /etc/hosts && cat /etc/hosts |
check_local_users | Ensure that there are no local users with root permissions except for the user root. Ensure the GIDs of users and groups are not higher than 99999, as these GIDs are reserved for groups managed in the Active Directory resource domain. Ensure no local group "dl_esc-mos-lnx-access*" exists, as these groups are managed in the Active Directory resource domain. | You can change the UID of a user by executing: $ sudo usermod -u [NEWUID] [USER] You can change the GID of a group by executing: $ sudo groupmod -g [NEWGID] [GROUP] |
check_lvm | Checks that the pvs command finds no unknown or missing devices. | You can start debugging this issue by executing: $ sudo pvs |
check_malware | There must not be any malware protection installed, besides the malware protection installed by Swisscom. | |
check_malware_inst | Ensure Deep Security is installed, configured and running. | You get information about the relevant services by executing: $ sudo systemctl status puppet $ sudo systemctl status ds_agent |
check_monitoring_inst | Ensure the Swisscom monitoring agent is installed and running. Puppet installs the monitoring agent; if the check fails because the monitoring agent is not installed, check why Puppet is not running. | You get information about the relevant services by executing: $ sudo systemctl status node_exporter $ sudo ps aux \| grep node_exporter \| grep -v grep |
check_pam_config | Ensure the pam RPM is installed. The PAM configuration must not have been changed or must match an accepted configuration. | Install the pam RPM, in case it is missing, by executing: $ sudo yum -y install pam.x86_64 Also make sure not to alter or add any files in /etc/pam.d. |
check_reboot | Ensure the OS does not require a reboot; otherwise you must reboot the OS. | Install the yum-utils RPM, in case it is missing, by executing: $ sudo yum -y install yum-utils.noarch Reboot your server in case it is necessary by executing: $ sudo shutdown -r now |
check_repos | Ensure there are no unreachable repos configured. | Troubleshoot your issues according to the error message provided. In case you need to update packages, you may do so by executing: $ sudo yum -y update |
check_rhel_version | The OS version must be one of the following: - RHEL 7.4 or a higher minor release - RHEL 8.0 or a higher minor release | You can check your OS and kernel version by executing: $ cat /etc/redhat-release && uname -a |
check_root_processes | Ensure only dedicated system processes run as root. Applications must not run as root. | You get a list of all processes with their running user by executing: $ sudo ps auxf |
check_rpm | The system packages must be from Red Hat and must not be modified. | In case of an error, check what has changed in the package: $ rpm -V [PACKAGE] Try to fix the problem by reinstalling the package: $ sudo yum reinstall [PACKAGE] |
check_satellite | Ensure the host is registered to the Red Hat Satellite server from Swisscom. | In case of an error, check if a proper Satellite server is configured by executing: $ grep cms2capsule /etc/rhsm/rhsm.conf |
check_scs_puppet | Ensure the puppet agent is installed and has the dedicated Puppet master from Swisscom configured. Puppet must run without errors. | You can start debugging this issue by executing: Is the Puppet RPM installed? $ sudo rpm -qa --last \| grep puppet Is the Puppet service enabled and running? $ sudo systemctl status puppet Is a Swisscom Puppet server defined in /etc/puppetlabs/puppet/puppet.conf? $ grep '^server\=' /etc/puppetlabs/puppet/puppet.conf Does the Puppet run complete without errors (all green)? $ sudo puppet agent -t |
check_selinux | Ensure SELinux is enabled (permissive or enforcing). | You can start debugging this issue by executing: Does getenforce return Enforcing or Permissive? $ sudo getenforce Does selinuxenabled return exit code 0? $ selinuxenabled && echo $? Does /etc/selinux/config contain SELINUX=enforcing or SELINUX=permissive? $ sudo grep '^SELINUX\=' /etc/selinux/config |
check_snmp | If an SNMP daemon/service is configured and running on the system, only read access and SNMPv3 are allowed. Write access is disallowed. | In case of an error, check for disallowed directives in /etc/snmp/snmpd.conf by executing: $ grep rw /etc/snmp/snmpd.conf 2>/dev/null $ grep write /etc/snmp/snmpd.conf 2>/dev/null |
check_space | Ensure the minimum free space: / > 1 GB, /boot > 100 MB, /var/log > 200 MB, /tmp > 500 MB, /var/log/audit > 100 MB, /opt > 50 MB, swap > 1 GB | You can compare the free space with the figures here by executing: $ df -hP |
check_ssh | Ensure sshd is running and the configuration file exists. Ensure sshd is running with the default configuration file. Ensure sshd has a minimal sane configuration: only allowed ciphers are enabled/configured. Allowed MACs: hmac-sha2-512,hmac-sha2-256. Allowed ciphers: aes256-ctr,aes128-ctr. Allowed KexAlgorithms: diffie-hellman-group-exchange-sha256. | In case of an error, try to solve the problem according to the instruction given in the error message. Rerun the check by executing: $ sudo checkmate -c -f -I check_ssh |
check_ssh_keys | Ensure root does not have any unknown ssh keys installed in /root/.ssh/authorized_keys; otherwise you must remove the unknown ssh keys. | In case of an error, make sure to remove all keys from root's authorized_keys file. You can check root's authorized keys by executing: $ sudo cat /root/.ssh/authorized_keys 2>/dev/null |
check_sudo_processes | There must not be any sudo process running. | Stop the mentioned process, otherwise it will not be possible to leave the Temp Admin state. |
check_sudoers | There must not be any sudoers configurations (aliases etc.) that allow a user to acquire root privileges. Only trusted sudoers configurations are allowed, which means each sudoers configuration needs to be requested with a CRQ from ManagedServicesLNX. | Try to avoid sudo configurations; use the Temp Admin state for administration tasks instead. If the sudo command is absolutely needed, send an incident to the Managed OS operation team explaining why the sudo file is needed. Also provide the sudo file, the hostname and the IP address. |
check_suid | There must not be any unknown setuid binaries. Filesystems mounted with the "nosuid" option are excluded from this check. To prevent a long-running search for files with the suid bit set, mount application or NFS filesystems with the "nosuid" option. | In case of an error, try to solve the problem according to the instruction given in the error message. Rerun the check by executing: $ sudo checkmate -c -f -I check_suid |
check_update_age | Determines the last patch date. If the installed kernel is older than 90 days, you must update and reboot the server manually with these commands: $ sudo yum update -y $ sudo yum check-update $ sudo reboot | In case of an error, try to solve the problem according to the instruction given in the error message. Rerun the check by executing: $ sudo checkmate -c -f -I check_update_age |
check_vmware_tools | VMware Tools must be installed. | In case of an error, try to reinstall the package by executing: $ sudo yum install open-vm-tools |
check_yum_conf | Ensure no important RPMs are excluded from patching. It is not allowed to exclude the following RPMs from updating: '*', 'BESAgent', 'coreutils', 'dracut', 'ds_agent', 'epops-agent', 'facter', 'firewalld', 'gpg-pubkey', 'grub2', 'gugent', 'hiera', 'iptables', 'iputils', 'kernel', 'openssl-libs', 'open-vm-tools', 'pam', 'passwd', 'puppet', 'SCCMS-checkmate', 'splunkforwarder', 'sudo', 'VMware-Log-Insight-Agent', 'vmware-vra-software-agent-service' | In case of an error, try to solve the problem according to the instruction given in the error message. Rerun the check by executing: $ sudo checkmate -c -f -I check_yum_conf |
t-tec-aut-b-1 | Ensure information about last logon is displayed on login. | |
t-tec-aut-b-3 | Ensure login banner is configured. | |
t-tec-aut-b-4 | Ensure the shell times out after 30 minutes. | |
t-tec-bgk-b-7 | Ensure a secure PATH variable for root. | |
t-tec-bgk-b-10 | Ensure time synchronisation is enabled and running. | |
t-tec-bgk-b-14 | Ensure security limits are present. | |
t-tec-bgk-b-17 | Ensure user data is protected (user home, SSH and mail directories are not world accessible). | |
t-tec-bnk-b-2 | Ensure the network stack is hardened as specified in the config file. | |
t-tec-del-b-1 | Ensure dd is available. | |
t-tec-enc-b-1 | Ensure OpenSSH is installed and running and passwords are hashed in /etc/shadow using a secure algorithm. | |
t-tec-fil-b-1 | Ensure iptables is installed and active. | |
t-tec-log-b-2 | Ensure the following events are logged: logins and login attempts, system messages, permission changes (user modifications, visudo edits), administrative actions, SSH messages. | |
t-tec-pfs-b-4 | Ensure the system requires a password on emergency boot and for the single user mode. | |
t-tec-sof-b-2 | Ensure software is integrity-checked. | |
t-tec-sof-b-3 | Ensure the system is set to use the English language. | |
t-tec-uam-b-1 | Ensure accounts are locked after five unsuccessful login attempts. | |
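The check_ssh row above lists the only MACs, ciphers and key exchange algorithms that may be configured. The POSIX sh snippet below is an added example, not part of the checkmate tool, that applies the same allow-lists to the effective sshd configuration as printed by `sshd -T` (on a live host: `sudo sshd -T | ...`); here two constructed samples stand in for that output.

```shell
#!/bin/sh
# Added example: compare the effective sshd algorithm lists with the check_ssh allow-lists.
# Input is text in the `sshd -T` format (lower-case keyword, space, comma-separated value).

ALLOWED_MACS="hmac-sha2-512,hmac-sha2-256"
ALLOWED_CIPHERS="aes256-ctr,aes128-ctr"
ALLOWED_KEX="diffie-hellman-group-exchange-sha256"

# only_allowed CONFIGURED ALLOWED -> 0 if every configured item is in the allow-list.
# An empty configured list is treated as a failure: the keyword is missing from the dump.
only_allowed() {
    configured=$1; allowed=$2
    [ -n "$configured" ] || { echo "missing algorithm list"; return 1; }
    for item in $(printf '%s' "$configured" | tr ',' ' '); do
        case ",$allowed," in
            *",$item,"*) ;;
            *) echo "not allowed: $item"; return 1 ;;
        esac
    done
    return 0
}

# sshd_value KEYWORD: print the value of KEYWORD from `sshd -T` text on stdin.
sshd_value() {
    awk -v key="$1" '$1 == key { print $2 }'
}

# check_sshd_config TEXT -> 0 only if MACs, Ciphers and KexAlgorithms are all within the allow-lists.
check_sshd_config() {
    rc=0
    only_allowed "$(printf '%s\n' "$1" | sshd_value macs)" "$ALLOWED_MACS" || rc=1
    only_allowed "$(printf '%s\n' "$1" | sshd_value ciphers)" "$ALLOWED_CIPHERS" || rc=1
    only_allowed "$(printf '%s\n' "$1" | sshd_value kexalgorithms)" "$ALLOWED_KEX" || rc=1
    return $rc
}

# Constructed samples standing in for `sshd -T` output (not captured from a real host).
COMPLIANT_SSHD='port 22
ciphers aes256-ctr,aes128-ctr
macs hmac-sha2-512,hmac-sha2-256
kexalgorithms diffie-hellman-group-exchange-sha256'
NONCOMPLIANT_SSHD='port 22
ciphers aes256-ctr,aes128-ctr,aes128-cbc
macs hmac-sha2-512,hmac-sha2-256,hmac-sha1
kexalgorithms diffie-hellman-group-exchange-sha256'

check_sshd_config "$COMPLIANT_SSHD" && echo "sample 1: compliant"
check_sshd_config "$NONCOMPLIANT_SSHD" || echo "sample 2: not compliant"
```

The second sample fails on aes128-cbc and hmac-sha1, which is the kind of finding the checkmate error message reports before the check can be rerun.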
Run Compliance Checks manually
Managed Windows
The compliance checks for Managed Windows OS on Swisscom's ESC are run using a custom-built framework called PccComplianceChecks, or PCC for short.
Each time a compliance check is run, PCC is called behind the scenes and triggers a so-called PccRun.
A PccRun is the operation that runs, for instance, when an Exit Temp Admin is launched in the Portal or when a system is returned to Full Managed mode.
A PccRun executes a number of infrastructure-related tests to validate that the OS running in the VM is compliant with Swisscom's Managed OS standards. The module has been made publicly available so that compliance checks can be run locally on the Managed Windows OS.
PCC is locally available to ESC customers starting with version 1.0.0 of the PccComplianceChecks package.
Why use PCC manually
Executing an Exit Temp Admin or Return to Full Managed mode via the regular Day 2 Action can last a few minutes and may result in failing checks that need to be corrected. To simplify and speed up this process, it is now possible to call the same tests that run during the Return to Full Managed mode directly on your VM.
The main benefit is the time saved in validating that the OS conforms to Swisscom standards before executing the Return to Full Managed action.
With PCC, it is also possible to get a history of the past runs.
Verify the local PCC version
IMPORTANT NOTE: To download and install the latest versions of the PCC Framework and the required module "PCC.CHK.ESC.WIN.MOS" locally, we recommend first executing an "Exit Temp Admin" or "Return To Full Managed" Day 2 Action in the ESC Portal.
Open a PowerShell prompt and execute the following PowerShell command(s):
This request is used to get the current version of PCC working on your Managed Windows OS.
Request
Get-Module PccComplianceChecks -ListAvailable
Note: One or more different PCC versions can co-exist on the same machine. The one with the highest version number is the latest version available.
Execute a PCCRun
Open a PowerShell prompt and execute the following PowerShell command(s):
Only messages of the failed checks will be displayed on screen. If none are shown, it means that the Managed Windows OS is compliant.
Request
Test-TempAdmin
Alternatively, it is possible to display the run output directly using the following snippet.
Request
Test-TempAdmin -ShowRun
Get all past PCC run results
NOTE: Results can only be retrieved from compliance checks that have run using the PccComplianceChecks version 1.2.0 or above. Any run done with a previous version will not generate the needed PccRunDocument.
Open a PowerShell prompt and execute the following PowerShell command(s):
Request
Get-PccRunDocument
Note: The 'ErrorCount' property indicates how many compliance checks have failed during that specific run.
Results will look similar to the screenshot below but will vary according to the VM and its current compliance.
Request
Get-PccRunDocument -Latest
To get the list of the failed checks from the last PCC run (or failed Return to FullAdmin), execute the following code. Results will look similar to the screenshot below but will vary according to the VM and its current compliance.
Request
(Get-PccRunDocument -Latest).GetFailedChecksConcise()
Managed RHEL
If the VM is in Temp Admin state, the compliance check can also be performed manually.
The command below can be used to check whether the VM can be successfully transferred to the Full Managed state.
$ sudo checkmate -a