Security Technical Implementation Guides (STIGs) are DISA's standardized hardening baselines for practically any kind of system. From network devices to servers and workstations, STIGs are designed to raise overall security and reduce exposure to known weaknesses. But what happens when a guideline written for the operating system collides with the product running on top of it? How do you apply a STIG to a specific product without breaking it? Challenge accepted.
In previous work I applied the RHEL 7 DISA STIG to a working Satellite server and found that it broke Satellite outright. Since nothing in the STIG told me which setting had stopped Satellite from working, I had to develop a methodology for isolating the cause. After testing the DISA STIG rule by rule, I have documented the steps so that others can save time instead of starting from scratch. With the process outlined below, the security controls are built in from the start so that they do not break the product; here the product is Satellite 6, but the same approach applies to other products.
- For testing purposes, I built the following environment:
  - VirtualBox on a laptop running these VMs:
    - RHEL 7.5 disconnected Satellite 6.3 server
    - RHEL 7.5 disconnected external Capsule 6.3 server
    - RHEL 7.5 IDM server
    - RHEL 7.5 client
    - RHEL 7.5 repository server
- Once the environment is baselined, clone or snapshot the Satellite server. When a STIG check is confirmed to break the system, you can roll back to a known good state instead of manually undoing STIG settings. Taking a fresh snapshot after each check that passes keeps every rollback a single step. This keeps the testing process repeatable and legitimate, with the prep work done ahead of time.
- Use the OpenSCAP and SCAP Workbench security tools to build custom Red Hat Enterprise Linux 7 DISA STIG profiles, scan the system, report findings, and generate remediation scripts.
- OpenSCAP (the oscap command) is a command line scanner that evaluates a host against SCAP content such as the RHEL 7 DISA STIG profile shipped in the scap-security-guide package. Anyone can run it, and it is a quick way to measure a system against the STIG.
- SCAP Workbench is the graphical front end for the same content. It lets you tailor a STIG profile, for example by deselecting individual rules, save the result as a tailoring file, and generate a remediation script from it.
- Using the remediation script generated by SCAP Workbench, I had to test each individual STIG check to see where Satellite failed. The script is more than 20,000 lines of bash, so I commented out every line to be able to test it check by check against Satellite, then worked through the roughly 243 individual checks, uncommenting one at a time. The vi commands I used (typed in command mode) are listed below.
- Comment out every line:
:%s/^/#/
- Delete the # at the start of every line:
:%s/^#//
- Delete the # for a range of lines (here lines 580 to 740, the span of one check):
:580,740s/^#//
- Run a variety of tests, and compare how Satellite behaves before and after the STIG is in place.
- Test cases include Satellite software installation, functional testing of each Satellite component, and integrations with other Red Hat products (for example, Satellite to Identity Management).
- Once you integrate with other tools (such as IDM), test again to ensure that the STIG does not break the integrations. The checklist I worked through before and after remediation:
- Baseline Environment via VM clones or snapshots
- Run STIG remediation script
- Disconnected Satellite Server Installation
- Organization created
- Location x2 created
- Manifest upload
- CDN changed to Repo Server
- RHEL 7Server Repo Enabled
- RHEL 7.5 Kickstart Enabled
- Product Sync
- Custom Product Created
- Test RPM uploaded to Custom Product
- Content View Created x2
- Life Cycle Configured x2
- Host Collection Created
- Activation Key Created
- Host Group Configured
- Operating System Configured
- Installation Medium Created
- Domain Configured
- Subnet Configured
- DHCP Configured
- IDM Integration for SSO/Kerberos based login
- Realm Capsule Configured
- Client Registration to Satellite
- Client Successfully Accessed repos from Satellite
- External Capsule Installation
- External Capsule Configured for dedicated Content View
- External Capsule Configured for dedicated Life Cycle
- External Capsule Content Sync
- Client Registration to External Capsule
- Client Successfully Accessed repos from Capsule
- Satellite & Capsule services restart
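Step 4 above comments out the whole generated script and uncomments one check at a time in vi. The same work can be scripted, because the bash remediation script that oscap writes (SCAP Workbench calls oscap for this) wraps every rule's fix in marker comments. The helper below is an added example, not part of the original post or of OpenSCAP. It assumes the marker format shown in its header comment (check it against the first rule in your own script before relying on it), and the three-rule sample it builds is constructed for demonstration, not real generated output.

```shell
#!/usr/bin/bash
# Work with an oscap / SCAP Workbench generated bash remediation script one rule
# at a time, instead of commenting lines in and out by hand in vi.
#
# Assumption (check the first rule in your own script): each rule's fix is
# wrapped in marker comments of the form
#   # BEGIN fix (N / M) for 'xccdf_org.ssgproject.content_rule_<name>'
#   ...
#   # END fix for 'xccdf_org.ssgproject.content_rule_<name>'

# list_rules <fix.sh>: print the rule ids in the script, in script order.
list_rules() {
    sed -n "s/^# BEGIN fix ([0-9]* \/ [0-9]*) for '\(xccdf_org\.ssgproject\.content_rule_[^']*\)'\$/\1/p" "$1"
}

# extract_rule <fix.sh> <rule_id>: print one rule's fix, markers included.
extract_rule() {
    awk -v q="'" -v id="$2" '
        /^# BEGIN fix \([0-9]+ \/ [0-9]+\) for / && index($0, q id q) { on = 1 }
        on { print }
        /^# END fix for / && index($0, q id q) { on = 0 }
    ' "$1"
}

# disable_rules <fix.sh> <rule_id>...: print the script with the given rules
# commented out (every line of their fix prefixed) and all other rules intact.
# This is the scripted form of the vi comment/uncomment step.
disable_rules() {
    local script="$1"; shift
    awk -v q="'" -v skiplist="$*" '
        BEGIN { n = split(skiplist, a, " "); for (i = 1; i <= n; i++) skip[a[i]] = 1 }
        /^# BEGIN fix \([0-9]+ \/ [0-9]+\) for / {
            id = $0; sub(/^.* for /, "", id); gsub(q, "", id)
            off = (id in skip)
        }
        { print (off ? "# SKIPPED: " $0 : $0) }
        /^# END fix for / { off = 0 }
    ' "$script"
}

# apply_rule <fix.sh> <rule_id>: run exactly one rule's fix. Do this on a
# snapshotted Satellite VM, run the test checklist, then snapshot again.
apply_rule() {
    extract_rule "$1" "$2" | bash
}

# make_sample <path>: a constructed three-rule script in the assumed shape,
# for demonstration only; real scripts come from oscap or SCAP Workbench.
make_sample() {
    cat > "$1" <<'EOF'
#!/bin/bash
###############################################################################
# BEGIN fix (1 / 3) for 'xccdf_org.ssgproject.content_rule_service_tftp_disabled'
###############################################################################
(>&2 echo "Remediating rule 1/3: 'xccdf_org.ssgproject.content_rule_service_tftp_disabled'")
systemctl disable tftp.socket
# END fix for 'xccdf_org.ssgproject.content_rule_service_tftp_disabled'

###############################################################################
# BEGIN fix (2 / 3) for 'xccdf_org.ssgproject.content_rule_sshd_use_approved_macs'
###############################################################################
(>&2 echo "Remediating rule 2/3: 'xccdf_org.ssgproject.content_rule_sshd_use_approved_macs'")
sed -i '/^MACs /d' /etc/ssh/sshd_config
echo 'MACs hmac-sha2-512,hmac-sha2-256' >> /etc/ssh/sshd_config
# END fix for 'xccdf_org.ssgproject.content_rule_sshd_use_approved_macs'

###############################################################################
# BEGIN fix (3 / 3) for 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny'
###############################################################################
(>&2 echo "Remediating rule 3/3: 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny'")
authconfig --enablefaillock --faillockargs="deny=3" --update
# END fix for 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny'
EOF
}

# Demo on the constructed sample.
sample=$(mktemp)
make_sample "$sample"
echo "Rules in sample:"; list_rules "$sample"
echo; echo "Rule 2 in isolation:"; extract_rule "$sample" xccdf_org.ssgproject.content_rule_sshd_use_approved_macs
rm -f "$sample"
```

Used against a real script, list_rules gives the order to bisect in, apply_rule applies a single check between snapshots, and disable_rules produces the same "everything but these" script that the vi range commands produce, without counting line numbers.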
Results:
After going through this five-step process, I have listed the OpenSCAP STIG checks (by their scap-security-guide rule IDs) that must be disabled for the core set of Satellite features to function properly. You can deselect these checks in SCAP Workbench and generate a clean remediation script to use for automated hardening. Treat each disabled rule as a documented exception for your security officer rather than a pass, and re-run this testing when Satellite or the STIG content is updated.
Breaks Satellite (all FIPS-related rules are listed here whether or not each one directly impacted Satellite, to avoid confusion):
- xccdf_org.ssgproject.content_rule_sshd_use_approved_ciphers
- xccdf_org.ssgproject.content_rule_sshd_use_approved_macs
- xccdf_org.ssgproject.content_rule_grub2_enable_fips_mode
- xccdf_org.ssgproject.content_rule_package_dracut-fips_installed
- xccdf_org.ssgproject.content_rule_aide_use_fips_hashes
- xccdf_org.ssgproject.content_rule_sebool_fips_mode
Breaks IDM SSO / Kerberos integration (with these disabled, pam_faillock no longer locks accounts after failed logins on the Satellite host; IDM's own password policy can enforce a failed-login lockout centrally instead):
- xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root
- xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny
Needed for TFTP-provided provisioning services (only on the Satellite or Capsule that actually serves PXE/TFTP; leave these rules enabled everywhere else):
- xccdf_org.ssgproject.content_rule_service_tftp_disabled
- xccdf_org.ssgproject.content_rule_package_tftp-server_removed
- xccdf_org.ssgproject.content_rule_tftpd_uses_secure_mode
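To make the list above repeatable, the exceptions can be written into an XCCDF tailoring file instead of being clicked through in SCAP Workbench; oscap accepts the tailoring file both when scanning and when generating the remediation script, which also covers the tools step earlier in the process. The script below is an added example, not from the original post or the OpenSCAP project. It assumes the RHEL 7 scap-security-guide datastream path and DISA STIG profile id set at its top (check yours with oscap info on the datastream file); the derived profile id, the tailoring id and the output file names are invented for the example.

```shell
#!/usr/bin/bash
# Build an XCCDF tailoring file that unselects the Satellite-breaking STIG rules,
# then scan and generate remediation with oscap against the tailored profile.
# Assumptions (verify with: oscap info "$DS"): datastream path and profile id.
DS=/usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
PROFILE=xccdf_org.ssgproject.content_profile_stig-rhel7-disa
CUSTOM=${PROFILE}_satellite6            # invented id for the derived profile

# Rules found to break Satellite 6.3, IDM SSO/Kerberos, or TFTP provisioning.
SATELLITE_EXCEPTIONS="
xccdf_org.ssgproject.content_rule_sshd_use_approved_ciphers
xccdf_org.ssgproject.content_rule_sshd_use_approved_macs
xccdf_org.ssgproject.content_rule_grub2_enable_fips_mode
xccdf_org.ssgproject.content_rule_package_dracut-fips_installed
xccdf_org.ssgproject.content_rule_aide_use_fips_hashes
xccdf_org.ssgproject.content_rule_sebool_fips_mode
xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root
xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny
xccdf_org.ssgproject.content_rule_service_tftp_disabled
xccdf_org.ssgproject.content_rule_package_tftp-server_removed
xccdf_org.ssgproject.content_rule_tftpd_uses_secure_mode
"

# write_tailoring <out.xml> <rule_id>...
# Writes a tailoring whose profile extends PROFILE and unselects every rule given.
write_tailoring() {
    local out="$1"; shift
    {
        printf '<?xml version="1.0" encoding="UTF-8"?>\n'
        printf '<xccdf:Tailoring xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.example_tailoring_satellite6">\n'
        printf '  <xccdf:benchmark href="%s"/>\n' "$DS"
        printf '  <xccdf:version time="%s">1</xccdf:version>\n' "$(date -u +%Y-%m-%dT%H:%M:%S)"
        printf '  <xccdf:Profile id="%s" extends="%s">\n' "$CUSTOM" "$PROFILE"
        printf '    <xccdf:title>RHEL 7 DISA STIG with Satellite 6 exceptions</xccdf:title>\n'
        printf '    <xccdf:description>Rules unselected because they break Satellite, IDM SSO or TFTP provisioning. Each is a documented exception, not a pass.</xccdf:description>\n'
        local rule
        for rule in "$@"; do
            printf '    <xccdf:select idref="%s" selected="false"/>\n' "$rule"
        done
        printf '  </xccdf:Profile>\n</xccdf:Tailoring>\n'
    } > "$out"
}

# count_unselected <tailoring.xml>: number of rules the file unselects.
count_unselected() { grep -c 'selected="false"' "$1"; }

# scan <tailoring.xml>: evaluate this host against the tailored profile
# (needs root and openscap-scanner); writes ARF results and an HTML report.
scan() {
    oscap xccdf eval --tailoring-file "$1" --profile "$CUSTOM" \
        --results-arf results-arf.xml --report report.html "$DS"
}

# generate_fix <tailoring.xml>: bash remediation for the tailored profile only,
# so the excluded rules never reach the Satellite host.
generate_fix() {
    oscap xccdf generate fix --tailoring-file "$1" --profile "$CUSTOM" \
        --fix-type bash --output remediate-satellite6.sh "$DS"
}

# Demo: write the tailoring file and report how many rules it disables.
# shellcheck disable=SC2086   # word splitting of the rule list is intended
write_tailoring satellite6-tailoring.xml $SATELLITE_EXCEPTIONS
echo "satellite6-tailoring.xml unselects $(count_unselected satellite6-tailoring.xml) rules"
# On the Satellite host:  scan satellite6-tailoring.xml; generate_fix satellite6-tailoring.xml
```

The tailoring file is also what SCAP Workbench saves when you deselect rules, so it can be opened there to review or extend, and it is the artifact to keep under version control alongside the exception justifications.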