Steps for testing DISA STIG controls against Satellite 6

Security technical implementation guides (STIGs) provide a standardized set of security protocols for practically any system. From networks to servers and computers, STIGs are designed to enhance overall security and reduce vulnerabilities. But what happens when the guidelines vary across an enterprise? How do you apply these to a specific product without breaking it? Challenge accepted.

In my previous work, I implemented the RHEL 7 DISA STIG against a functioning Satellite server and found that it would break Satellite outright. Without knowing the exact cause for the functionality of Satellite to stop working, I would have to develop a methodology for figuring out what exactly caused it to fail.  After testing each DISA STIG line by line, I’ve documented the steps in an effort to save others time and prevent the need to start from scratch. When using the process outlined below, the security components are built in to begin with so to not break the product - in this case, Satellite 6 - in the future other products.

1. For testing purposes, I created the below environment to test with.
   1. Virtual Box running below VM's on a laptop
      1. RHEL 7.5 Disconnected Satellite 6.3
      2. RHEL 7.5 Disconnected External Capsule 6.3 Server
      3. RHEL 7.5 IDM Server on RHEL 7.5
      4. RHEL 7.5 Client
      5. RHEL 7.5 Repo Server
2. Once the environment is base lined, clone or snapshot the Satellite server. Once known STIG checks are confirmed to break the system, you can quickly recover to a known good state instead of having to manually undo STIG settings. This ensures the repeatable testing process is legitimate, and the prep work is done ahead of time.
3. Use security tools OpenSCAP and SCAP Workbench to create custom Red Hat Enterprise Linux 7 DISA STIG profiles to scan the system, report findings, and generate remediation scripts.  
   1. OpenSCAP is a command line tool that has the capability to scan systems. The tool can be used by anyone. It is a quick way to get a measure against the STIG.
   2. SCAP Workbench is a tool set that lets you manipulate and easily customize the STIG profiles.
4. Utilizing the generated remediation scripts from SCAP Workbench, I had to test out each individual STIG check to see where it failed. With a script of over 20,000+ lines of bash code, I had to comment out every line to be able to test the code check-by-check against Satellite. With roughly 243 individual STIG checks I had to go through and uncomment each check at a time. I’ve listed some VI shortcuts below.
   1. Comment out every line:  
      

       %s/^/#/

   2. Delete the # at the start of every line:    
      

      %s/^#//

   3. Delete the # for a range of lines:  
      

      %580,740s/^#//

5. Run a variety of tests, and see how Satellite behaves before and after the STIG is in place.
   1. Test cases such as Satellite software installation, Satellite software component functional testing, and product integrations with Red Hat products (i.e. Satellite to identity management), etc.
   2. Once you integrate with other tools (like IDM), you’ll need to test again to ensure that the STIG will not break the integrations.
   3. Baseline Environment via VM clones or snapshots
   4. Run STIG remediation script
   5. Disconnected Satellite Server Installation
   6. Organization created
   7. Location x2 created
   8. Manifest upload
   9. CDN changed to Repo Server
   10. RHEL 7Server Repo Enabled
   11. RHEL 7.5 Kick Start Enabled
   12. Product Sync
   13. Custom Product Created
   14. Test RPM uploaded to Custom Product
   15. Content View Created x2
   16. Life Cycle Configured x2
   17. Host Collection Created
   18. Activation Key Created
   19. Host Group Configured
   20. Operating System Configured
   21. Installation Medium Created
   22. Domain Configured
   23. Subnet Configured
   24. DHCP Configured
   25. IDM Integration for SSO/Kerberos based login
   26. Realm Capsule Configured
   27. Client Registration to Satellite
   28. Client Successfully Accessed repos from Satellite
   29. External Capsule Installation
   30. External Capsule Configured for dedicated Content View
   31. External Capsule Configured for dedicated Life Cycle
   32. External Capsule Content Sync
   33. Client Registration to External Capsule
   34. Client Successfully Access repos from Capsule
   35. Satellite & Capsule services restart

Results:

After going through this 5 step process, I have listed the OpenSCAP STIG checks that need to be disabled to allow the core set of Satellite features to function properly. You can disable these checks in SCAP Workbench and generate a clean remediation script to use to automate

Breaks Satellite  (Removed all FIPS related items regardless of it did not directly impact or Satellite to avoid confusion)

• xccdf_org.ssgproject.content_rule_sshd_use_approved_ciphers
• xccdf_org.ssgproject.content_rule_sshd_use_approved_macs
• xccdf_org.ssgproject.content_rule_grub2_enable_fips_mode
• xccdf_org.ssgproject.content_rule_package_dracut-fips_installed
• xccdf_org.ssgproject.content_rule_aide_use_fips_hashes
• xccdf_org.ssgproject.content_rule_sebool_fips_mode

Breaks IDM SSO / Kerberos Integration

• xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root
• xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny

Needed for TFTP Provided Provisioning Services

• xccdf_org.ssgproject.content_rule_service_tftp_disabled
• xccdf_org.ssgproject.content_rule_package_tftp-server_removed
• xccdf_org.ssgproject.content_rule_tftpd_uses_secure_mode

Connect with Red Hat Services

Learn more about Red Hat Consulting
Learn more about Red Hat Training
Learn more about Red Hat Certification
Join the Red Hat Learning Community
Subscribe to the Training Newsletter
Follow Red Hat Services on Twitter
Follow Red Hat Open Innovation Labs on Twitter
Like Red Hat Services on Facebook
Watch Red Hat Training videos on YouTube
Follow Red Hat Certified Professionals on LinkedIn