Standards Security Compliance settings

SSMC 3.7 and later releases provide various settings that help comply with industry standard security requirements. The settings must be configured by ssmcadmin, the only admin user account with the necessary privileges. All the controls are available from and executed using the following interfaces:

Security configuration utility

Starting with the 3.7 release, a configuration utility script is available that helps you configure various industry standards security features in SSMC. The script is at /ssmc/bin/config_security.sh and can be accessed using the appliance bash shell. Only the ssmcadmin user can execute the script, through sudo permission grants.

There is also an associated configuration file /ssmc/bin/config_security.sh, where the ssmcadmin user can set the various security configuration values. The config_security.sh script reads the settings and updates the system configuration files. The script also restarts the required services for the settings to take effect.

Syntax

sudo /ssmc/bin/config_security.sh -o <operation> -a <action> [-f]

Where:

-o <operation>

Specifies the security operation to be executed. A mandatory parameter.

An operation either configures an SSMC security feature or performs a sensitive operation that is sealed or abstracted from the general bash shell.

The supported operations are:

  • ssh_service_network
  • host_access_log
  • webserver_service_network
  • tcp_access_log
  • session_lock
  • shell_session_idle_timeout
  • unlock_ssmcaudituser
  • configure_jetty_ssl_context
  • config_failedlogin_delay
  • dump_active_sessions
  • session_log
  • verbose_shell_session_logs
  • sudo_password
  • configure_ntp
  • host_access
  • set_file_permission
  • long_password_policy
  • fips_mode
  • cnsa_mode_appliance
  • remote_syslog_appliance
  • delete_archive_logs

-a <action>

Specifies the action to be performed on an operation. A mandatory parameter with values such as [enable | disable | set | reset | status].

For more information on the action verbs, see the usage help of the config_security.sh script for any given operation.

Hint: Omit the action argument while executing an operation to display usage help stating acceptable values for action.

-f option

[Optional] Enables a quiet operation by suppressing any user interactive questions. The user response is assumed and the operation is executed.

For example, when a service must be restarted after a configuration update, the command normally prompts and waits for a user response on the console. When the -f option is used, the script does not wait for user input and instead restarts the service automatically, assuming an affirmative response.

NOTE:
  • The security configuration operations except file_permission are completely reversible. The file_permission operation is irreversible and cannot be undone once executed.

  • Use the status action to query the enablement status of a security configuration.

    sudo /ssmc/bin/config_security.sh -o <operation> -a status
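
The status query can be looped over several operations to record a compliance snapshot and compare it with a saved baseline. The script below is an added example, not part of the SSMC documentation or product; the function names, the SSMC_CMD and OPS variables, and the assumption that each listed operation accepts the status action are assumptions of this example.

```sh
#!/bin/sh
# Added example: snapshot the status of selected SSMC security operations
# and detect drift against a saved baseline.

# Command prefix (from the page); overridable for testing off the appliance.
SSMC_CMD=${SSMC_CMD:-"sudo /ssmc/bin/config_security.sh"}

# Assumption: each operation below accepts "-a status". Check the usage
# help on your release and trim the list accordingly.
OPS=${OPS:-"fips_mode cnsa_mode_appliance session_lock host_access long_password_policy remote_syslog_appliance"}

# Print one line per operation: <operation> TAB <exit code> TAB <first output line>
ssmc_status_report() (
    for op in $OPS; do
        # Only plain operation names may reach the privileged command.
        case $op in
            *[!a-z_]*)
                printf '%s\tSKIPPED\tinvalid operation name\n' "$op"
                continue ;;
        esac
        # stdin comes from /dev/null so an unexpected prompt cannot hang the loop.
        out=$($SSMC_CMD -o "$op" -a status 2>&1 </dev/null) && rc=0 || rc=$?
        printf '%s\t%s\t%s\n' "$op" "$rc" "$(printf '%s\n' "$out" | head -n 1)"
    done
)

# Compare the current state with a baseline file; exit status 0 means no drift.
ssmc_status_drift() {
    ssmc_status_report | diff - "$1"
}

# Stand-alone use: "report" prints a snapshot, "drift <file>" compares.
case ${1:-} in
    report) ssmc_status_report ;;
    drift)  ssmc_status_drift "$2" ;;
esac
```

Save the output of the report mode after hardening, then run the drift mode on a schedule; any differing line identifies an operation whose reported status changed.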

Application configuration file

The following properties in the ssmc.properties file affect standards security compliance:

#security.max.active.ui.sessions = 100

#security.max.active.ui.per.user.sessions = 50

#ssmc.smtps.enabled=false

#ssmc.secure.tls.only=false

#server.session.timeout=15

#server.absolute.session.timeout=60

#ssmc.management.notification.disable=false

#ssmc.tls.trustManager.enabled=false

Web Administrator Console GUI

You can configure the standards compliance settings using the following options in SSMC Administrator Console:
  • SSMC Banner Message (Admin Console > Preferences)

  • SSMC FIPS 140-2 Toggle Switch (Admin Console > Preferences)