
LME won't install on CIS hardened server #520

Open
GRRLjay opened this issue Nov 22, 2024 · 3 comments
Comments

@GRRLjay

GRRLjay commented Nov 22, 2024

If users are running an Ubuntu 22.04 server hardened according to the CIS benchmark, the Ansible playbook won't get everything installed correctly.

Through trial and error I was able to determine that the following changes were necessary:

  1. Loosen the UMASK in /etc/login.defs from the CIS recommended 027. Going back to the default 022 works.
  2. Disable UFW during the install or determine which ports need to be opened for the install to complete successfully.

Maybe this is too specific to document, but now it's at least recorded in an issue.

@aarz-snl
Collaborator

aarz-snl commented Nov 26, 2024

IRT UMASK, during the playbook we set the permissions for each directory.

Maybe the initial directory upon download of the source code is being set to 750?
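As an added illustration of the UMASK symptom discussed above (example code, not from LME or either commenter): under a 027 umask, directories created without an explicit mode come out 750, so a service running as a user outside the owning group cannot traverse them. The config/certs tree it builds is constructed for the demo, not LME's real layout.

```python
import os
import shutil
import stat
import tempfile

# Umask values taken from the issue: CIS recommends 027, Ubuntu's default is 022.
CIS_UMASK = 0o027
DEFAULT_UMASK = 0o022
WORLD_TRAVERSE = stat.S_IROTH | stat.S_IXOTH  # o+rx


def dir_mode_for_umask(umask: int) -> int:
    """Permission bits a new directory gets when created with the usual 0777 request."""
    return 0o777 & ~umask


def find_untraversable_dirs(root: str) -> list[str]:
    """Return directories under root (relative paths) that deny 'other' read+execute,
    i.e. directories a service account outside the owning group cannot descend into."""
    hits = []
    for dirpath, _dirnames, _files in os.walk(root):
        mode = stat.S_IMODE(os.stat(dirpath).st_mode)
        if mode & WORLD_TRAVERSE != WORLD_TRAVERSE:
            hits.append(os.path.relpath(dirpath, root))
    return sorted(hits)


def demo() -> dict[str, list[str]]:
    """Build the same small tree under each umask and report what 'other' cannot reach.
    The config/certs layout is constructed for illustration only."""
    results = {}
    saved = os.umask(0)
    try:
        for label, um in (("cis_027", CIS_UMASK), ("default_022", DEFAULT_UMASK)):
            root = tempfile.mkdtemp(prefix=f"umask_{label}_")
            os.chmod(root, 0o755)          # mkdtemp always uses 0700; normalise the root
            os.umask(um)                   # everything created below inherits this umask
            os.makedirs(os.path.join(root, "config", "certs"))
            results[label] = find_untraversable_dirs(root)
            shutil.rmtree(root)
    finally:
        os.umask(saved)
    return results


if __name__ == "__main__":
    for label, um in (("cis_027", CIS_UMASK), ("default_022", DEFAULT_UMASK)):
        print(f"{label}: new directories get mode {dir_mode_for_umask(um):o}")
    print(demo())
```

Running it shows the 027 tree flags both directories while the 022 tree flags none, which is the behaviour that makes the install fail on a CIS-hardened host.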

@mreeve-snl
Collaborator

In addition, we have documentation around firewall rules here that you can add to UFW to allow communication for LME clients to speak with LME services.

The tricky piece is that because they're running in podman containers, you have to add special rules that allow communication for the LME network devices that podman creates:
https://github.com/cisagov/LME/blob/main/docs/markdown/logging-guidance/cloud.md

Specifically, rules for the podman LME network's interface:

ufw route allow in on eth0 out on podman1 to any port 443,1514,1515,5601,8220,9200 proto tcp
ufw route allow in on podman1

The podman1 name may be different on your server; the cloud docs discuss how to determine what it is created as for your server.

@GRRLjay
Author

GRRLjay commented Dec 2, 2024

I will test these rules and see if they are sufficient to let LME get installed. That's the problem I was having; it wouldn't install properly with ufw enabled.
