MicroStrategy on AWS Servers are compliant with Center for Internet Security (CIS) Benchmarks


Community Admin • Strategy


For MicroStrategy 2019 Critical Update 1, security benchmarks defined by the Center for Internet Security were implemented to mitigate potential security risks on the Platform Instances in MicroStrategy on AWS. This article describes which measures were implemented, which were not, and how to manage security on the instances in light of these changes.

Strategy on AWS is compliant with the Center for Internet Security (CIS) Benchmarks, which are outlined here:
https://www.cisecurity.org/cis-benchmarks/

Implemented Security Enhancements

Ensure nodev option set on /dev/shm partition
Ensure nosuid option set on /dev/shm partition
Ensure noexec option set on /dev/shm partition
Ensure gpgcheck is globally activated
Ensure AIDE is installed
Ensure permissions on bootloader config are enabled
Ensure authentication required for single-user mode
Ensure interactive boot is not enabled
Ensure core dumps are restricted
Ensure CUPS is not enabled
Ensure mail transfer agent is configured for local-only mode
Ensure telnet client is not installed
Ensure IPv6 is disabled
Ensure DCCP is disabled
Ensure SCTP is disabled
Ensure RDS is disabled
Ensure TIPC is disabled
Ensure loopback traffic is configured
Ensure permissions on all logfiles are configured
Ensure syslog-ng default file permissions configured
Ensure access to the su command is restricted
Ensure permissions on /etc/crontab are configured
Ensure permissions on /etc/cron.hourly are configured
Ensure permissions on /etc/cron.daily are configured
Ensure permissions on /etc/cron.weekly are configured
Ensure permissions on /etc/cron.monthly are configured
Ensure permissions on /etc/cron.d are configured
Ensure at/cron is restricted to authorized users
Ensure permissions on /etc/ssh/sshd_config are configured
Ensure SSH Protocol is set to 2
Ensure SSH LogLevel is set to INFO
Ensure SSH MaxAuthTries is set to 4 or less
Ensure SSH IgnoreRhosts is enabled
Ensure SSH HostbasedAuthentication is disabled
Ensure SSH PermitUserEnvironment is disabled
Ensure only approved MAC algorithms are used
Ensure SSH Idle Timeout Interval is configured
Ensure SSH LoginGraceTime is set to one minute or less
Ensure SSH access is limited
Ensure SSH warning banner is configured
Ensure default user shell timeout is 900 seconds or less
Ensure SELinux is not disabled in bootloader configuration
Ensure auditing for processes that start prior to auditd is enabled
Ensure session initiation information is collected
Ensure discretionary access control permission modification events are collected
Ensure unsuccessful unauthorized file access attempts are collected
Ensure use of privileged commands is collected
Ensure successful file system mounts are collected
Ensure file deletion events by users are collected
Ensure changes to system administration scope (sudoers) is collected
Ensure the audit configuration is immutable
Ensure system is disabled when audit logs are full
Ensure audit logs are not automatically deleted

Operational Considerations

SSH


SSH access is now restricted. By default, only “ec2-user” (the default service account created by AWS) and “mstr” (the unified user created by Strategy) can SSH into the Platform Instance; no other users can. If a new user is created that needs SSH access, its username must be added to the AllowUsers directive in /etc/ssh/sshd_config. After sshd is restarted, the new user will be able to log in, provided the account has a password (blank-password login is denied).
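The following shell functions are an added example, not code from the original article or from Strategy: they add a username to the AllowUsers directive idempotently, report who is currently allowed, and validate the file before restarting sshd. The config path is a parameter so the functions can be exercised on a copy; on the Platform Instance the real file is /etc/ssh/sshd_config, and the sample config contents below are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original article): manage the AllowUsers allowlist
# in an sshd_config file. The config path is a parameter so the functions can be
# run against a copy; on the Platform Instance the real file is /etc/ssh/sshd_config.

# Return 0 if the user is already named in AllowUsers, 1 otherwise.
sshd_allows_user() {
    cfg="$1"
    user="$2"
    grep '^AllowUsers' "$cfg" | tr ' ' '\n' | grep -qx "$user"
}

# Append a username to AllowUsers, creating the directive if the file has none.
# Idempotent: calling it twice for the same user leaves the file unchanged.
add_allow_user() {
    cfg="$1"
    user="$2"
    if sshd_allows_user "$cfg" "$user"; then
        return 0
    fi
    if grep -q '^AllowUsers' "$cfg"; then
        # '&' re-inserts the matched line; the new name is appended to it.
        # Written to a temp file and moved so the edit is atomic.
        sed "s/^AllowUsers.*/& $user/" "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
    else
        printf 'AllowUsers %s\n' "$user" >> "$cfg"
    fi
}

# Print the space-separated list of allowed users (empty if the directive is absent).
allowed_users() {
    grep '^AllowUsers' "$1" | sed 's/^AllowUsers[[:space:]]*//'
}

# Validate the edited file with sshd's own syntax check and restart the service
# so the change takes effect. Requires root and a real sshd; not run below.
apply_sshd_config() {
    cfg="${1:-/etc/ssh/sshd_config}"
    sshd -t -f "$cfg" && systemctl restart sshd
}

# Stand-alone demonstration on a constructed copy of the config.
demo_cfg=$(mktemp)
printf 'Port 22\nPermitEmptyPasswords no\nAllowUsers ec2-user mstr\n' > "$demo_cfg"
add_allow_user "$demo_cfg" analyst
echo "AllowUsers now: $(allowed_users "$demo_cfg")"
rm -f "$demo_cfg"
```

Validating with `sshd -t` before restarting matters on a hardened instance: a malformed sshd_config stops sshd from starting, and with AllowUsers restricting logins there is no second account to fall back on except the EC2 console.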

Telnet


The telnet client has been removed from the Platform Instance. Because the telnet client is often used simply to test connectivity to other hosts and diagnose network issues, the nc tool is the better alternative: running nc -z <host> <port> attempts a connection to the given host on the given port.

IPv6


IPv6 has been disabled by default. If IPv6 on the instance is needed, the IPv6-related values in /etc/sysctl.conf and /etc/modprobe.d/CIS.conf can be modified to re-enable it.

SELinux Permissive


SELinux has now been set to “permissive”. In permissive mode, SELinux blocks nothing but logs every action that would have been blocked in “enforcing” mode. These records appear in /var/log/audit/audit.log. They are useful for crafting SELinux policies should enforcing mode be enabled later; if they are not wanted, SELinux can be disabled by modifying /etc/selinux/config.
MicroStrategy also recommends that customers follow the Security Best Practices in KB482996 to secure the operating system of their MicroStrategy on AWS instances.
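As an added example (not code from the original article or from Strategy), the function below summarises the AVC records that permissive-mode SELinux writes to /var/log/audit/audit.log, grouped by denied permission, source type and target type, which is the first step in deciding what a policy would need to allow. The log path is a parameter, and the sample records are constructed for the demonstration; the comm value "example_svc" is a placeholder, not a real process on the instance.

```shell
#!/bin/sh
# Added example (not from the original article): summarise AVC records from an
# audit.log in permissive mode. The log path is a parameter; the sample records
# below are constructed, not captured from a real host.

# Print "count permission source_type target_type permissive=N", one line per
# group, sorted by permission. Only the first permission of a "{ a b }" set is
# taken, which is enough for a first triage of what would be denied.
avc_summary() {
    awk '
    /^type=AVC/ {
        perm = ""; scon = ""; tcon = ""; mode = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "denied") {
                # record looks like: avc:  denied  { read } for  pid=...
                perm = $(i + 2)
            } else if ($i ~ /^scontext=/) {
                sub(/^scontext=/, "", $i); split($i, p, ":"); scon = p[3]
            } else if ($i ~ /^tcontext=/) {
                sub(/^tcontext=/, "", $i); split($i, p, ":"); tcon = p[3]
            } else if ($i ~ /^permissive=/) {
                sub(/^permissive=/, "", $i); mode = $i
            }
        }
        if (perm != "") count[perm " " scon " " tcon " permissive=" mode]++
    }
    END { for (k in count) print count[k], k }
    ' "$1" | sort -k2
}

# Constructed sample in audit.log format: two read denials and one write denial,
# all with permissive=1, meaning the action was logged but allowed to proceed.
sample_avc_log() {
    cat <<'EOF'
type=AVC msg=audit(1553200000.101:201): avc:  denied  { read } for  pid=2101 comm="example_svc" name="data.bin" dev="xvda1" ino=4001 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1553200000.101:201): arch=c000003e syscall=2 success=yes exit=5 pid=2101 comm="example_svc"
type=AVC msg=audit(1553200000.205:202): avc:  denied  { read } for  pid=2101 comm="example_svc" name="data.bin" dev="xvda1" ino=4001 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1553200000.310:203): avc:  denied  { write } for  pid=2101 comm="example_svc" name="svc.log" dev="xvda1" ino=4002 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1
EOF
}

# Stand-alone run against the constructed sample.
demo_log=$(mktemp)
sample_avc_log > "$demo_log"
avc_summary "$demo_log"
rm -f "$demo_log"
```

On a real instance, run `avc_summary /var/log/audit/audit.log` as root; a group that keeps recurring after the workload has been exercised is the one to examine before deciding whether to write a policy module or to stay permissive.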



Details: Knowledge Article
Published: March 21, 2019
Last Updated: March 22, 2019