Cyber Monitoring tools on ProxMox host?

voidindigo

Well-Known Member
Sep 18, 2018
Hello all,

My company is requiring installation of cybersecurity monitoring tools on our Linux systems, and there's been some question about the ProxMox servers I'm running. Currently I'm running two hosts in a cluster; I believe we're still at v5, but they are down at the moment. I don't have a problem upgrading them to v8 (probably a "backup / rebuild cluster / restore" kind of thing) as needed.

My question is, has anyone got experience running something like Carbon Black or CrowdStrike Falcon Server on the ProxMox host OS itself? Is that even possible?

Thanks
Scott
 
I would not install any security tools on V5 PVE, which was based on Debian 9/Stretch. PVE5 was EoL 07/2020 and the underlying OS since 6/30/2022.
If you can even get a package for Deb9 from one of the modern providers, you risk being walked out of the building along with the servers :)

Jokes aside, after you reinstall or upgrade to PVE8, you should have no issues installing the appropriate Debian client. There may be many "false positives", depending on the vendor. Just keep in mind to treat PVE as an appliance rather than a standard multi-user Linux install.


Blockbridge : Ultra low latency all-NVME shared storage for Proxmox - https://www.blockbridge.com/proxmox
 
Thanks for the reply, I had a pretty strong feeling it would require at least the upgrade before installing... I know it's a modified kernel, just wanted to know if there were any gotchas to be aware of.
 
It's a Debian base with an Ubuntu-derived kernel: https://pve.proxmox.com/wiki/Proxmox_VE_Kernel#Proxmox_VE_8.x
You can find additions and patches here https://github.com/proxmox/pve-kernel

There will be extra open ports, there will be a root account that can't be disabled; I wouldn't call these "gotchas". Normal appliance artifacts.
Throw PVE in a VM of your corporate Hypervisor and run the scan there if you want to preview the results.


 
Just FYI (anyone else that finds this) I did manage to backup the 5.X cluster and rebuild / restore an 8.0.3 cluster, then install both Carbon Black and CrowdStrike Falcon Server on the ProxMox hosts... and it's all running great.
 
Hi, thanks for your post. It's been almost a year since you deployed CrowdStrike on your PVE hosts. How's it going? We are interested in doing the same thing.
 
Hi, we're still running ProxMox 8.0.3 and having no problems at all. I haven't noticed any undue overhead or load caused by the CrowdStrike falcon-sensor service.
 
Currently running Wazuh and using custom rules to monitor logins or brute force.
I couldn't find any ruleset on the internet for Proxmox, so I started creating my own. Can you share your ruleset so I can add it to my model and share it publicly on GitHub for others to use as well?
There are still some kinks and this is an early test; I am adding a few checks at a time so I can evaluate what works best.
YAML:
policy:
  id: cis-proxmox
  file: cis-proxmox.yml
  name: CIS Proxmox VE Baseline
  description: >
    Security Configuration Assessment baseline for Proxmox VE nodes
    based on CIS Debian Linux Benchmark, adapted for Proxmox VE
    architecture and UFW firewall usage.
  references:
    - CIS Debian Linux Benchmark v1.0
    - Proxmox VE Security Guide
    - GDPR Art. 32
    - ISO/IEC 27001
  platform: linux

requirements:
  title: Proxmox VE environment check
  description: Ensure this system is a Proxmox VE host
  condition: any
  rules:
    # Wazuh runs c: commands directly (no shell), so shell builtins such as
    # `command -v` are not available; test for the binary and the package instead.
    - 'f:/usr/bin/pveversion'
    - 'c:dpkg -l proxmox-ve -> r:^ii\s+proxmox-ve'
    - 'd:/etc/pve'



checks:

  # ------------------------------------------------------------
  # ACCOUNT AND AUTHENTICATION
  # ------------------------------------------------------------

  - id: 91001
    title: Ensure no local user accounts have empty passwords
    description: >
      Ensures that no human user accounts (UID >= 1000)
      have empty password fields in /etc/shadow.
    condition: all
    rules:
      # /etc/shadow carries no UID, so collect UID >= 1000 names from /etc/passwd
      # first, then flag those whose shadow password field is empty. Pipes need
      # an explicit `sh -c`, as Wazuh executes the command without a shell.
      - 'c:sh -c "awk -F: ''NR==FNR{if($3>=1000)u[$1];next} ($1 in u && length($2)==0){print $1}'' /etc/passwd /etc/shadow | wc -l" -> r:^0$'
    compliance:
      - cis: "5.4.1"
      - iso27001: "A.9.2.4"

  - id: 91002
    title: Ensure human user accounts use shadowed passwords
    description: >
      Ensures that human user accounts (UID >= 1000)
      use shadowed passwords.
    condition: all
    rules:
      - 'c:sh -c "awk -F: ''($2 !~ /^x$/ && $3 >= 1000 && $1 !~ /^(nobody|pve)$/){print $1}'' /etc/passwd | wc -l" -> r:^0$'
    compliance:
      - cis: "5.4.2"
      - iso27001: "A.9.2.4"

  # ------------------------------------------------------------
  # FILE PERMISSIONS
  # ------------------------------------------------------------

  - id: 91010
    title: Ensure permissions on /etc/passwd are configured
    condition: all
    rules:
      - "c:stat -c \"%a %U %G\" /etc/passwd -> r:^644 root root$"
    compliance:
      - cis: "6.1.2"

  - id: 91011
    title: Ensure permissions on /etc/shadow are configured
    condition: all
    rules:
      - "c:stat -c \"%a %U %G\" /etc/shadow -> r:^640 root shadow$"
    compliance:
      - cis: "6.1.3"

  - id: 91012
    title: Ensure permissions on /etc/group are configured
    condition: all
    rules:
      - "c:stat -c \"%a %U %G\" /etc/group -> r:^644 root root$"
    compliance:
      - cis: "6.1.4"

  - id: 91013
    title: Ensure permissions on /etc/gshadow are configured
    condition: all
    rules:
      - "c:stat -c \"%a %U %G\" /etc/gshadow -> r:^640 root shadow$"
    compliance:
      - cis: "6.1.5"

  # ------------------------------------------------------------
  # SSH HARDENING (PROXMOX-SAFE)
  # ------------------------------------------------------------

  - id: 91020
    title: Ensure SSH root login is disabled
    description: >
      Root login over SSH should be disabled.
      Proxmox access must be performed via sudo or web UI.
    condition: all
    rules:
      - "f:/etc/ssh/sshd_config -> r:^PermitRootLogin no"
    compliance:
      - cis: "5.2.8"

  - id: 91021
    title: Ensure SSH password authentication is disabled
    condition: all
    rules:
      - "f:/etc/ssh/sshd_config -> r:^PasswordAuthentication no"
    compliance:
      - cis: "5.2.9"

  - id: 91022
    title: Ensure SSH MaxAuthTries is limited
    condition: all
    rules:
      # Numeric comparison: `[1-4]` would also match "10".."49" and the Wazuh
      # regex engine has no bracket expressions, so use an n: pattern instead.
      - 'f:/etc/ssh/sshd_config -> n:^MaxAuthTries\s+(\d+) compare <= 4'
    compliance:
      - cis: "5.2.7"

  # ------------------------------------------------------------
  # FIREWALL (UFW)
  # ------------------------------------------------------------

  - id: 91030
    title: Ensure UFW is installed
    condition: all
    rules:
      - 'f:/usr/sbin/ufw'
    compliance:
      - cis: "4.2.1"

  - id: 91031
    title: Ensure UFW is enabled
    condition: all
    rules:
      - 'c:ufw status -> r:^Status: active'
    compliance:
      - cis: "4.2.2"

  - id: 91032
    title: Ensure UFW default deny inbound policy
    condition: all
    rules:
      # The incoming policy is the first item on the "Default:" line.
      - 'c:ufw status verbose -> r:^Default: deny'
    compliance:
      - cis: "4.2.7"

  # ------------------------------------------------------------
  # LOGGING
  # ------------------------------------------------------------

  - id: 91040
    title: Ensure rsyslog is installed
    condition: all
    rules:
      - 'c:dpkg -l rsyslog -> r:^ii\s+rsyslog'
    compliance:
      - cis: "4.2.3"

  - id: 91041
    title: Ensure rsyslog service is enabled
    condition: all
    rules:
      - "c:systemctl is-enabled rsyslog -> r:^enabled$"
    compliance:
      - cis: "4.2.3"

  # ------------------------------------------------------------
  # PROXMOX-SPECIFIC
  # ------------------------------------------------------------

  - id: 91050
    title: Ensure Proxmox VE version command is available
    condition: all
    rules:
      - "c:pveversion -> r:pve-manager"
    compliance:
      - proxmox: "baseline"
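Because SCA rules are evaluated on the node, it helps to be able to exercise a policy's logic offline before it is rolled out. The script below is an added example written for this thread; it is not the poster's code and not part of Wazuh. It implements a small evaluator for the rule syntax used in the policy above (`f:`/`c:` rules, `r:` regex patterns, `n: ... compare` numeric patterns, the `not` prefix, and the all/any/none conditions), approximating Wazuh's behaviour with Python's `re` module (Wazuh uses its own OSRegex engine) and feeding the checks constructed fixtures instead of real files or command output. The fixture contents, the 99999 check and the function names are all assumptions made for the example.

```python
"""Offline evaluator for the subset of Wazuh SCA rule syntax used in the
policy above: f:/c: rules, r: regex and n: ... compare numeric patterns, the
`not` prefix, and the all/any/none check conditions.

Added example for this thread, not the poster's code and not part of Wazuh.
It approximates Wazuh semantics with Python's `re` (Wazuh uses its own OSRegex
engine, which for instance lacks bracket expressions) and reads constructed
fixtures rather than touching files or running commands.
"""
import re

# Constructed fixtures standing in for a hardened PVE node (assumed content).
FILES = {
    "/etc/ssh/sshd_config": (
        "Port 22\n"
        "PermitRootLogin no\n"
        "MaxAuthTries 3\n"
        "PasswordAuthentication no\n"
    ),
    "/usr/sbin/ufw": "",  # only existence matters for an f: rule without a pattern
}
COMMANDS = {
    "ufw status": "Status: active\n",
    "ufw status verbose": (
        "Status: active\n"
        "Logging: on (low)\n"
        "Default: deny (incoming), allow (outgoing), disabled (routed)\n"
    ),
    "systemctl is-enabled rsyslog": "enabled\n",
}

_NUM_PATTERN = re.compile(r"^(.+) compare (<=|>=|==|!=|<|>) (-?\d+)$")
_OPS = {
    "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
    "==": lambda a, b: a == b, "!=": lambda a, b: a != b,
}


def match_pattern(text, pattern):
    """True if any line of `text` satisfies an r: or n: pattern."""
    if pattern.startswith("r:"):
        rx = re.compile(pattern[2:])
        return any(rx.search(line) for line in text.splitlines())
    if pattern.startswith("n:"):
        m = _NUM_PATTERN.match(pattern[2:])
        if not m:
            raise ValueError("malformed numeric pattern: " + pattern)
        rx, op, ref = re.compile(m.group(1)), m.group(2), int(m.group(3))
        for line in text.splitlines():
            hit = rx.search(line)
            if hit and _OPS[op](int(hit.group(1)), ref):
                return True
        return False
    raise ValueError("unsupported pattern type: " + pattern)


def eval_rule(rule):
    """Evaluate one rule string against the fixtures; honours the `not` prefix."""
    negate = rule.startswith("not ")
    if negate:
        rule = rule[len("not "):]
    kind, _, rest = rule.partition(":")
    target, arrow, pattern = rest.partition(" -> ")
    source = FILES if kind == "f" else COMMANDS if kind == "c" else None
    if source is None:
        raise ValueError("unsupported rule type: " + kind)
    content = source.get(target)
    # Without a pattern the rule only asks whether the file or command exists.
    found = content is not None and (not arrow or match_pattern(content, pattern))
    return found != negate


def eval_check(condition, rules):
    """Combine rule results the way a check's `condition` field does."""
    results = [eval_rule(r) for r in rules]
    if condition == "all":
        return all(results)
    if condition == "any":
        return any(results)
    if condition == "none":
        return not any(results)
    raise ValueError("unknown condition: " + condition)


# Checks from the policy above plus one constructed check (99999) that must fail.
CHECKS = {
    91020: ("all", ["f:/etc/ssh/sshd_config -> r:^PermitRootLogin no"]),
    91022: ("all", [r"f:/etc/ssh/sshd_config -> n:^MaxAuthTries\s+(\d+) compare <= 4"]),
    91030: ("all", ["f:/usr/sbin/ufw"]),
    91032: ("all", ["c:ufw status verbose -> r:^Default: deny"]),
    99999: ("none", ["f:/etc/ssh/sshd_config -> r:^Port 22"]),  # fails: Port 22 is present
}


def run_checks(checks=CHECKS):
    """Return {check_id: 'passed' | 'failed'} for every check."""
    return {cid: "passed" if eval_check(cond, rules) else "failed"
            for cid, (cond, rules) in checks.items()}


if __name__ == "__main__":
    for cid, result in run_checks().items():
        print(cid, result)
```

Swapping the fixture text for real `sshd_config` content or captured `ufw status verbose` output shows quickly whether a regex is too loose or too strict. One caveat the fixtures make visible: checks such as 91020 read only `/etc/ssh/sshd_config`, while Debian 12 (the base of PVE 8) also includes `/etc/ssh/sshd_config.d/*.conf`, so a setting placed in a drop-in file is invisible to the rule as written.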