SSMC appliance configuration

Procedure
  1. Set up a CA-signed certificate for SSMC.
  2. Configure the following properties in ssmc.properties and save the file:
    security.max.active.ui.sessions=50
    security.max.active.ui.per.user.sessions=1
    ssmc.smtps.enabled=true
    ssmc.secure.tls.only=true
    server.session.timeout=10
    server.absolute.session.timeout=60
    ssmc.management.notification.disable=true
    ssmc.tls.trustmanager.enabled=true
  3. Set the following properties in /ssmc/conf/security_config.properties and save the file. Properties that require your input are enclosed in angle brackets < >:
    ssmc.sshd.service.network=ens192               #eth1 if hyper-v
    ssmc.webserver.service.network=ens160          #eth0 if hyper-v
    ssmc.shell.session.inactivity.timeout=300
    ssmc.ntp.DnsOrIP=<NTP Host DNS or IP>
    ssmc.inbound.hosts.allow=<IPs of inbound whitelisted hosts>
    ssmc.outbound.hosts.allow=<IPs of whitelisted outbound hosts on any network>
    
    ssmc.rsyslog.server.host=<rsyslog server ip>
    ssmc.rsyslog.server.port=<rsyslog server port> #6514
    ssmc.rsyslog.server.protocol=tcp
    ssmc.rsyslog.server.tls-enabled=1
    
    ssmc.rsyslog.cert.caroot=</home/ssmcadmin/rsyslog/ca.pem>
    ssmc.rsyslog.cert.clientcert=</home/ssmcadmin/rsyslog/client.pem>
    ssmc.rsyslog.cert.clientkey=</home/ssmcadmin/rsyslog/client.key>
    ssmc.rsyslog.server.permittedPeers="<remote logging host name>"
    ssmc.rsyslog.server.device=ens192             #eth1 if hyper-v
    ssmc.rsyslog.queue.maxdiskspace=1
    ssmc.rsyslog.smtp.alert=true
    ssmc.rsyslog.smtp.server=<smtp server ip>
    ssmc.rsyslog.smtp.port=<smtp port>
    ssmc.rsyslog.smtp.recipient=<comma separated recipient email address list>
    ssmc.rsyslog.smtp.notify-interval=5
    ssmc.rsyslog.smtp.mailFrom=<ssmcadmin@ssmc.com>
  4. Run the following commands in the given order (select no when prompted to restart the service):
    sudo /ssmc/bin/config_security.sh -o set_file_permission
    sudo /ssmc/bin/config_security.sh -o cnsa_mode_appliance -a enable
    sudo /ssmc/bin/config_security.sh -o session_log -a enable
    sudo /ssmc/bin/config_security.sh -o ssh_service_network -a set
    sudo /ssmc/bin/config_security.sh -o webserver_service_network -a set
    sudo /ssmc/bin/config_security.sh -o session_lock -a enable
    sudo /ssmc/bin/config_security.sh -o shell_session_idle_timeout -a set
    sudo /ssmc/bin/config_security.sh -o remote_syslog_appliance -a set
    sudo /ssmc/bin/config_security.sh -o host_access -a set
    sudo /ssmc/bin/config_security.sh -o http_access_log -a enable
    sudo /ssmc/bin/config_security.sh -o tcp_access_log -a enable
    sudo /ssmc/bin/config_security.sh -o long_password_policy -a enable
    sudo /ssmc/bin/config_security.sh -o config_failedlogin_delay -a enable
    sudo /ssmc/bin/config_security.sh -o sudo_password -a enable
    sudo /ssmc/bin/config_security.sh -o verbose_shell_session_logs -a enable
    sudo /ssmc/bin/config_security.sh -o configure_ntp -a set
    sudo /ssmc/bin/config_security.sh -o fips_mode -a enable
    Note: Make sure every operation completes successfully. Recheck your configuration and rerun until each of the operations above has completed successfully.
  5. Reboot the appliance using TUI menu option 3.

This completes all the configuration required to set up SSMC to meet standard security requirements.
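As an added pre-flight check that is not part of the HPE procedure, the POSIX shell script below refuses to proceed to step 4 while any "<...>" placeholder from steps 2 and 3 is still unfilled, or while a hardening key carries a value other than the one the procedure prescribes. The file names and the sample properties content it writes are constructed for this example.

```shell
#!/bin/sh
# Added pre-flight check (not HPE's own tooling) for the properties edited in
# steps 2 and 3: refuses to proceed while any "<...>" placeholder is unfilled
# or a hardening key does not carry the value the procedure requires.

# Key=value pairs the procedure fixes; everything else is site-specific.
REQUIRED_SETTINGS='ssmc.secure.tls.only=true
ssmc.tls.trustmanager.enabled=true
ssmc.smtps.enabled=true
ssmc.rsyslog.server.protocol=tcp
ssmc.rsyslog.server.tls-enabled=1'

# Concatenate the given files, dropping indentation, "#" comments, blank lines.
normalised() {
    cat "$@" | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*#.*$//' -e '/^$/d'
}

# Keys whose value still contains an unfilled <placeholder>.
unfilled_placeholders() {
    normalised "$@" | grep -E '^[^=]+=.*<[^>]*>' | cut -d= -f1
}

# Required keys that are absent or set to a different value (last one wins).
missing_required() {
    printf '%s\n' "$REQUIRED_SETTINGS" | while IFS= read -r want; do
        key=${want%%=*}
        have=$(normalised "$@" | grep -E "^${key}=" | tail -n 1)
        [ "$have" = "$want" ] || echo "$key"
    done
}

# Returns 0 only when the files are ready for config_security.sh.
check_properties() {
    bad=$(unfilled_placeholders "$@"; missing_required "$@")
    [ -z "$bad" ] && return 0
    printf 'not ready, fix these keys first:\n%s\n' "$bad"
    return 1
}

# Constructed sample mirroring step 3 with one placeholder left unfilled.
write_sample() {
    cat > "$1" <<'EOF'
ssmc.secure.tls.only=true
ssmc.tls.trustmanager.enabled=true
ssmc.smtps.enabled=true
ssmc.rsyslog.server.protocol=tcp
ssmc.rsyslog.server.tls-enabled=1
ssmc.rsyslog.server.port=<rsyslog server port> #6514
EOF
}

sample=$(mktemp); write_sample "$sample"
check_properties "$sample" || true   # reports ssmc.rsyslog.server.port
```

Run it against both ssmc.properties and security_config.properties at once (`check_properties file1 file2`), since the required keys are split across the two files.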