During a recent PCI DSS 3.2 audit the QSA made a couple of observations and also required remediation for the following ...
- Access via SSH to the CDE must go through a bastion host so that the devices used by administrators to access the environment can remain out of scope.
- When using SUDO to elevate privileges a password must be typed manually. The use of NOPASSWD in the sudoers file should not be used for that admin group (wheel in our case).
I'm having a difficult time justifying the above in relation to actually being more secure. While I may comply to satisfy the QSA, I do so with trepidation.
A little background ...
- All SSH access to the CDE is done through OpenVPN (on the firewall) using public keys and passphrases. Two-factor authentication is also required (Google Auth) to establish the VPN connection.
- All user accounts in the CDE (only three) do NOT have passwords. The SSH daemon is configured to NOT allow password authentication.
- SUDO is configured to allow the wheel group (CentOS 7) the ability to sudo without a password (because a password does not exist for users in the wheel group).
- All servers in the CDE are hardened exactly the same using Ansible for orchestration.
- Splunk collects all logs from all servers.
Bastion Host: In my mind, a bastion host is old technology and does not offer any more security than going to each server directly. The bastion host then becomes a central point of attack. SSH agents on the clients can easily be configured to proxy through the bastion host transparently, so it would offer no additional security. Implementing a bastion host for the sole purpose of keeping our laptops out of scope seems trivial. In reality, the firewall that provides the OpenVPN server and that enforces two-factor authentication is hardened better than what I could do with a bastion host. The firewall ensures that only properly authenticated VPN users can connect to SSH. The firewall also enforces session timeouts and logs all access to the central log collector (along with each server being accessed).
SUDO: I know there are ways to configure sudo to escalate privileges using SSH keys instead of passwords, but that seems like a lot of work just to accomplish the same thing as the NOPASSWD option. Typing a password to access sudo seems like a step backward and would allow a snooper or keylogger access (knowing that they would also need my private key and passphrase to even gain access).
It seems to me that adequate controls are in place to ensure only authorized administrators have access and that what they do is logged centrally. The firewall itself is like a bastion host and prevents anything malicious from leaking through to a CDE server (since SSH is the only protocol allowed).
Does anyone have any thoughts on this?
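An added example, not part of the original post, to make the QSA's sudo finding concrete: a small Python audit of sudoers text that flags NOPASSWD rules granted to the admin group (wheel by default, or ALL) and any `!authenticate` Defaults, and prints the equivalent rule with the password prompt restored. The sample sudoers content is constructed for the demo; the corrected rule only becomes effective once the wheel accounts actually have a local password set, since sudo would otherwise have nothing to verify.

```python
"""Audit sudoers-style text for password-less escalation by an admin group.
Constructed example; the sample below is not taken from any real host."""
import re

# <who> <hosts>=(<runas>) [TAG:] <commands>   e.g.  %wheel ALL=(ALL) NOPASSWD: ALL
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<hosts>\S+)\s*=\s*(?P<runas>\([^)]*\)\s*)?(?P<cmds>.*)$")

SAMPLE_SUDOERS = """\
# constructed sample, not a real host's file
Defaults    requiretty
Defaults:%wheel !authenticate
root    ALL=(ALL)       ALL
%wheel  ALL=(ALL)       NOPASSWD: ALL
backup  ALL=(root)      NOPASSWD: /usr/bin/rsync
%ops    ALL=(ALL)       /usr/bin/systemctl restart nginx, \\
                        /usr/bin/journalctl
"""

def _logical_lines(text):
    """Yield (first_lineno, line) with backslash continuations joined and whitespace normalised."""
    buf, first = "", None
    for n, raw in enumerate(text.splitlines(), start=1):
        first = n if first is None else first
        if raw.rstrip().endswith("\\"):
            buf += raw.rstrip()[:-1] + " "
            continue
        yield first, " ".join((buf + raw).split())
        buf, first = "", None

def audit_sudoers(text, admin_groups=("wheel",)):
    """Return findings as (lineno, kind, original_line, corrected_line)."""
    targets = {"%" + g for g in admin_groups} | {"ALL"}
    findings = []
    for lineno, line in _logical_lines(text):
        if not line or line.startswith("#"):
            continue
        if line.startswith("Defaults"):
            # '!authenticate' disables the password prompt globally or for a user/group list
            if "!authenticate" in line:
                findings.append((lineno, "no-authenticate", line,
                                 line.replace("!authenticate", "authenticate")))
            continue
        m = RULE_RE.match(line)
        if not m or "NOPASSWD:" not in m.group("cmds") or m.group("who") not in targets:
            continue  # a narrow service-account NOPASSWD rule is a separate policy decision
        # Removing the tag restores sudo's default (PASSWD) behaviour for every command listed
        findings.append((lineno, "nopasswd", line, re.sub(r"NOPASSWD:\s*", "", line)))
    return findings

if __name__ == "__main__":
    for lineno, kind, orig, fixed in audit_sudoers(SAMPLE_SUDOERS):
        print(f"line {lineno} [{kind}]: {orig!r} -> {fixed!r}")
```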