I’m looking to see if someone could provide me with IdentityNow Hardening Standards documentation. Does something like this exist?

Thank You

Hi Tom,
Thank you for the post. Could you please raise a support ticket with Sailpoint or contact your CSM for the same? There should be able to help you with the document you have asked for

Rakesh it was Submitted CS0274438

Please do share with us if you hear anything from Support side

Rakesh, I will share the response.

Here is the response from Sailpoint:Is it possible to disable certain certain crypto policies / ciphers from the sshd_config on our VAs

For those who can’t see the service now article, here are the contents.

Problem

Our internal security scan detected that we should disable certain HMAC/UMAC Cryptographic policies/ciphers. We can do that by editing either the /etc/ssh/sshd_config or /etc/sailpoint/sshd_config. However, we don’t have root access to the VAs.

There’s a template file in the /etc/sailpoint path that we can use as well, but both of the files cannot be edited by us, since we don’t have root access.

Diagnosis

From a security standpoint, our Virtual Appliances are encapsulated in a fashion where we don’t provide root access. So you won’t be able to access the etc/ssh/sshd_config or /etc/sailpoint/sshd_config directories and neither would the access to edit/deprecate any keys be present via the /etc/sailpoint path.

Solution

1. As per the MACs that are listed, we would suggest you to follow our VA hardening process which is as below:

   a. create file ~/.ssh/authorized_keys and upload ssh public key there. Ensure that you have access to the corresponding private key or you will be locked out.
   b. sudo ln -sf /etc/sailpoint/sshd_config /etc/ssh/sshd_config
   c. sudo ln -sf /etc/sailpoint/moduli /etc/ssh/moduli
   d. reboot the VA

2. Once you’ve followed the aforementioned process you should be able to login using ssh keys.

Also, if there is a restriction on the use of ssh keys, we would like to suggest that we are still working on a solution where you can use customized sshd config as per your requirements, with this you would be able to deprecate whatever ciphers you need and also you can opt for whether to login using authorized ssh keys or without it.