SecHard

2.11. Cluster

Minimum Resource Requirements:

| Requirement | Description |
|---|---|
| Platform Requirement | VMware ESXi 5.0 or higher, Hyper-V |
| Operating System | Ubuntu 20.04 LTS (Ready Template) |
| Processor | 8 cores or above (up to 1000 devices) |
| Memory | 16 GB or higher (up to 1000 devices) |
| Storage | 750 GB or above (up to 2500 devices) |

Recommended Resource Requirements:

| Requirement | Description |
|---|---|
| Platform Requirement | VMware ESXi 5.0 or higher, Hyper-V |
| Operating System | Ubuntu 20.04 LTS (Ready Template) |
| Processor | 16 cores or above (up to 2500 devices) |
| Memory | 24 GB or higher (up to 2500 devices) |
| Storage | 750 GB or above (up to 2500 devices) |

Port Access List

The list of ports that need to be allowed for SecHard to manage its network devices and retrieve information is as follows:

From SecHard to Devices

| Port | Protocol | Description | Container Name |
|---|---|---|---|
| 22 (SSH) | TCP | Used to control network devices and Linux operating systems. | Console |
| 23 (Telnet) | TCP | Used to connect to network devices. | Console |
| 25 (SMTP) | TCP | Used for sending emails. | Agent |
| 53 (DNS) | UDP | Used for domain name resolution. | Winrm_Api |
| 88 (Kerberos) | UDP - TCP | Used for Kerberos communication. Must be opened towards Domain Controller servers. | Winrm_Api |
| 123 (NTP) | UDP | Used for time synchronization. | All Linux Servers |
| 161 (SNMP) | UDP | Used to gather information from network devices. | SNMP Exporter |
| 162 (SNMP-Trap) | UDP | Used for trap notifications from network devices. | SNMP Exporter |
| 389 (LDAP) | TCP | Used for AD, RADIUS, and TACACS integration. Must be opened towards Domain Controller servers. | Agent |
| 443 (API) | TCP | Used for API access to virtualization, cloud, and similar environments. | Agent |
| 445 (SMBv3) | TCP | Used to send files to and receive files from Windows operating systems. | Agent |
| 636 (LDAPS) | TCP | Used for AD, RADIUS, and TACACS integration. Must be opened towards Domain Controller servers. | Agent |
| 3389 (RDP) | TCP | Used for Remote Desktop connections to Windows servers. | Remote Gateway Server |
| 5985 (WinRM) | TCP | Used to remotely control Windows operating systems with WinRM. | Winrm_Api |
| 5986 (WinRM) | TCP | Used to remotely control Windows operating systems with WinRM. | Winrm_Api |
| 9100 (Node_Exporter) | TCP | Used to monitor Linux operating systems. | Agent |
| 9182 (WMI_Exporter) | TCP | Used to monitor Windows operating systems. | Agent |
| Ping (echo) | ICMP | Used to perform ping checks on all devices. | All Linux Servers |

From Devices to SecHard

| Port | Protocol | Description | Container Name |
|---|---|---|---|
| 49 (TACACS) | TCP | Used for TACACS queries. | TACACS |
| 69 (TFTP) | UDP | Used for firmware upgrades of network devices. | TFTP |
| 443 (HTTPS) | TCP | Used for web GUI access. | Web |
| 514 (Syslog) | UDP | Used for Syslog notifications coming from network devices. | Syslog |
| 1645 (RADIUS) | UDP | Used for RADIUS Auth (authentication) queries. | RADIUS |
| 1646 (RADIUS) | UDP | Used for RADIUS Acc (accounting) queries. | RADIUS |

Between Nodes

| Port | Protocol |
|---|---|
| 112 (VRRP) | TCP - UDP |
| 2377 (Docker Swarm) | TCP |
| 7946 (Docker Swarm) | TCP - UDP |
| 4789 (Docker Swarm) | UDP |
| 24007 (GlusterFS) | TCP - UDP |
| 24008 (GlusterFS) | TCP - UDP |
| 49152 (GlusterFS) | TCP - UDP |
| 27017 (MongoDB) | TCP |
| 27018 (MongoDB) | TCP |
| 27019 (MongoDB) | TCP |
| 6379 (Redis) | TCP |
| 26379 (Redis) | TCP - UDP |
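As an added pre-check that is not part of the SecHard documentation or product, the following Python script takes the rows of the two outbound tables above (From SecHard to Devices, and Between Nodes) and probes each TCP port from the host it runs on, grouping the result by container or service; UDP rows are reported as unchecked, because a connect-less probe cannot tell a dropping firewall apart from a silent service, and the ICMP row is omitted because it needs raw-socket privileges. The target host passed to precheck() and the loopback self-test are assumptions of this example.

```python
import socket
from collections import defaultdict

# (port, protocol, container/service) rows copied from the From SecHard to Devices
# table. ICMP ping is omitted: it needs raw-socket privileges to test.
SECHARD_TO_DEVICES = [
    (22, "tcp", "Console"), (23, "tcp", "Console"), (25, "tcp", "Agent"),
    (53, "udp", "Winrm_Api"), (88, "tcp", "Winrm_Api"), (88, "udp", "Winrm_Api"),
    (123, "udp", "All Linux Servers"), (161, "udp", "SNMP Exporter"),
    (162, "udp", "SNMP Exporter"), (389, "tcp", "Agent"), (443, "tcp", "Agent"),
    (445, "tcp", "Agent"), (636, "tcp", "Agent"), (3389, "tcp", "Remote Gateway Server"),
    (5985, "tcp", "Winrm_Api"), (5986, "tcp", "Winrm_Api"), (9100, "tcp", "Agent"),
    (9182, "tcp", "Agent"),
]
# Rows from the Between Nodes table (112/VRRP kept as the page lists it; VRRP is
# really IP protocol 112, so a TCP probe of that row only mirrors the table).
BETWEEN_NODES = [
    (112, "tcp", "VRRP"), (112, "udp", "VRRP"), (2377, "tcp", "Docker Swarm"),
    (7946, "tcp", "Docker Swarm"), (7946, "udp", "Docker Swarm"), (4789, "udp", "Docker Swarm"),
    (24007, "tcp", "GlusterFS"), (24007, "udp", "GlusterFS"), (24008, "tcp", "GlusterFS"),
    (24008, "udp", "GlusterFS"), (49152, "tcp", "GlusterFS"), (49152, "udp", "GlusterFS"),
    (27017, "tcp", "MongoDB"), (27018, "tcp", "MongoDB"), (27019, "tcp", "MongoDB"),
    (6379, "tcp", "Redis"), (26379, "tcp", "Redis"), (26379, "udp", "Redis"),
]

def check_tcp(host, port, timeout=2.0):
    """True if a TCP handshake with host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable, DNS failure
        return False

def precheck(host, entries, timeout=2.0):
    """Return {container: {"open": [ports], "blocked": [ports], "unchecked": ["port/proto"]}}.
    UDP rows are only listed as unchecked: without a handshake, silence proves nothing."""
    report = defaultdict(lambda: {"open": [], "blocked": [], "unchecked": []})
    for port, proto, container in entries:
        if proto != "tcp":
            report[container]["unchecked"].append(f"{port}/{proto}")
        elif check_tcp(host, port, timeout):
            report[container]["open"].append(port)
        else:
            report[container]["blocked"].append(port)
    return dict(report)

def local_roundtrip():
    """Self-test: a listener on an ephemeral loopback port must be reported open."""
    with socket.socket() as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        return check_tcp("127.0.0.1", srv.getsockname()[1], timeout=1.0)
```

Run precheck("<device or peer node>", SECHARD_TO_DEVICES) from the SecHard host and precheck("<other node>", BETWEEN_NODES) from each cluster node; any "blocked" entry names the container whose traffic the firewall path is dropping.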

SecHard Container, Vulnerability and Exploitation List Update Requirements:

From SecHard to the Internet

| URL | Direction | Protocol / Port | Description |
|---|---|---|---|
|  | SecHard -> Internet | TCP 443 | Used for container updates within SecHard. |
|  | SecHard -> Internet | TCP 443 | Used to update vulnerability lists within SecHard. |
|  | SecHard -> Internet | TCP 443 | Used to pull patch information for Windows operating systems. |
|  | SecHard -> Internet | TCP 443 | Used to update the exploitation (MITRE) lists within SecHard. |

Account Authorization Requirements:

| Requirements | Description | Access method |
|---|---|---|
| Linux Operating System - Only Audit | A Linux / Active Directory user that is a member of the sudo group. | SSH |
| Linux Operating System - Audit + Remediation + Rollback | A Linux user / AD user with root privileges. | SSH |
| Windows Operating System (Not Domain member - Server / Client) - Only Audit | An AD user that is a member of the WinRM group is required (winrm configSDDL default: read + execute). | WinRM (Kerberos, NTLM, Cert) |
| Windows Operating System (Not Domain member - Server / Client) - Audit + Remediation + Rollback | An AD user that is a member of the Local Administrators group is required. | WinRM (Kerberos, NTLM, Cert) |
| Windows Operating System (Not Domain member - Server / Client) - Only Audit | A local user that is a member of the WinRM group is required (winrm configSDDL default: read + execute). | WinRM (NTLM, Basic) |
| Windows Operating System (Not Domain member - Server / Client) - Audit + Remediation + Rollback | A local user that is a member of the Local Administrators group is required. | WinRM (NTLM, Basic) |
| Windows Domain Controller - Only Audit | An AD user that is a member of the WinRM group is required (winrm configSDDL default: read + execute). | WinRM (Kerberos, NTLM, Cert) |
| Windows Domain Controller - Audit + Remediation + Rollback | An AD user that is a member of the Administrators / Domain Administrators group is required. | WinRM (Kerberos, NTLM, Cert) |
| Network Devices - Only Audit | A user with limited permissions (monitoring, read-only user, etc.) is required; switches require permission to run sh run. | SSH |
| Network Devices - Audit + Remediation + Rollback | A user with permissions such as admin, super_user, Super_admin, sysadmin, etc. is required. | SSH |
| SQL Database - Only Audit | serveradmin | DB Connection |
| SQL Database - Audit + Remediation + Rollback | sysadmin / Control Server | DB Connection |
| MongoDB Database - Only Audit | dbAdmin | DB Connection |
| MongoDB Database - Audit + Remediation + Rollback | dbAdmin | DB Connection |
| Oracle Database - Only Audit | Audit_Admin | DB Connection |
| Oracle Database - Audit + Remediation + Rollback | DBA | DB Connection |
| PostgreSQL Database - Only Audit | dbuser | DB Connection |
| PostgreSQL Database - Audit + Remediation + Rollback | superuser | DB Connection |
| Other Resources - Only Audit | A user with limited permissions (monitoring, read-only user, etc.) is required. | Native Protocol |
| Other Resources - Audit + Remediation + Rollback | A user with permissions such as admin, super_user, Super_admin, sysadmin, root, administrator, etc. is required. | Native Protocol |

How To Enable WinRM with Domain Group Policy for PowerShell Remoting

How do I configure and troubleshoot WinRM?
