An Approach to Building & Maintaining a STIG'D RHEL Server
Building blocks: Red Hat Satellite Server, Forge.mil (SPAWAR Linux Management Wiki, https://software.forge.mil/sf/go/wiki3316), Kickstart, Puppet, Tresys CLIP

Aaron [email protected] 218 2178
Mil-OSS WG2, 2nd-5th August 2010, Washington D.C.
The approach in five steps (the diagram that the rest of the brief walks through, one step at a time):

1) Checklist: UNIX Security Checklist
2) Relation: IAVA / CVE / Red Hat Security Advisory
3) Application: Kickstart, YUM, Puppet
4) Assessment: Satellite, Forge.mil
5) Maintenance: Reporting (SRR, OVAL, Satellite)
Creating a more manageable and reproducible STIG'D RHEL server

• There are some tools to help STIG a box
• There is an image that can be copied
• Nothing that is very reproducible over the long term
• We can create STIG'D servers and maintain them
• The infrastructure, Satellite Server, is not a STIG compliant server in the environment I work in
• Google "STIG": The Stig is the name given to the racing driver character on the BBC television show Top Gear
  – Security Technical Implementation Guides
1. UNIX Security Checklist: is there an easier or better way?
Unix Security Checklist (634 GEN, UNIX & IAVA items)
2. IAVA / CVE / Red Hat Security Advisory: a way to relate IAVA to patches
Satellite Flags Errata
Satellite references CVE
3. Kickstart, YUM & Puppet: "Applying"
Apply the Checklist
Tresys CLIP Puppet content

```puppet
class lnx00160 {
  ## (LNX00160: CAT II) (Previously - L074) The SA will ensure the grub.conf
  ## file has permissions of 600, or more restrictive.
  # The mode is quoted: an unquoted 600 is ambiguous (decimal vs. octal) and
  # newer Puppet releases reject it; '0600' is unambiguous.
  file { "/boot/grub/grub.conf":
    mode => '0600',
  }
}
```
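The same LNX00160 rule as an idempotent shell step, of the kind a kickstart %post runs before Puppet takes over the box. This is an added example and is neither the brief's kickstart content nor CLIP's Puppet module; the function name `enforce_file` is ours, and it assumes GNU coreutils `stat`/`chmod`/`chown` as shipped with RHEL. Like the Puppet resource, it only touches the file when the current state differs, and it says so, which is what you want in a kickstart log.

```shell
#!/bin/sh
# Added example (not from the brief, not CLIP code): apply a STIG file rule
# idempotently from a kickstart %post. Assumes GNU stat/chmod/chown (RHEL).

# enforce_file FILE MODE OWNER GROUP
#   Brings FILE to MODE and OWNER:GROUP only if it is not already there.
#   Prints "changed FILE" or "unchanged FILE" and returns 0;
#   returns 2 if FILE does not exist so the %post log shows the gap.
enforce_file() {
    _file=$1 _mode=$2 _owner=$3 _group=$4
    [ -e "$_file" ] || { echo "missing $_file" >&2; return 2; }
    _changed=0

    # Compare numerically (leading 0 = octal) so "0600" and "600" agree.
    _cur=$(stat -c '%a' "$_file")
    if [ $(( 0$_cur )) -ne $(( 0$_mode )) ]; then
        chmod "$_mode" "$_file" && _changed=1
    fi

    if [ "$(stat -c '%U:%G' "$_file")" != "$_owner:$_group" ]; then
        chown "$_owner:$_group" "$_file" && _changed=1
    fi

    if [ "$_changed" -eq 1 ]; then
        echo "changed $_file"
    else
        echo "unchanged $_file"
    fi
}

# Typical %post usage for the rule quoted from the CLIP module:
#   enforce_file /boot/grub/grub.conf 0600 root root
```

Running it twice gives "changed" then "unchanged", the same convergence behaviour Puppet reports, so the kickstart-to-Puppet migration the brief mentions later can move rules across one at a time without either tool fighting the other.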
4. Satellite & Forge.mil: custom software repositories
Assessment
Confirm ongoing compliance

• OVAL seems to have a lot of potential
  – Evaluating OVAL and how to integrate it
• Evaluating using SRR scripts in a cron job
• Satellite does a pretty good job of reporting on CVEs
• Would ultimately want to have a way of just getting the interesting information for hundreds (thousands) of servers
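What an SRR-style cron check could look like in practice: an added example, not the SRR scripts and not code from the brief. It is report-only (it never changes a file, so it is safe to run from cron on every host), and it emits one pipe-delimited line per item per host so the output of hundreds of servers can be collected centrally and reduced to "the interesting information" with `grep '|FAIL|'`. Assumes GNU `stat` (RHEL) and POSIX sh. The item list is constructed for the example: LNX00160 is the rule quoted from the CLIP module; the two SAMPLE entries are placeholders, not STIG identifiers.

```shell
#!/bin/sh
# Added example (not from the brief, not the SRR scripts): a report-only,
# cron-safe permission/ownership check with aggregatable output.
# Assumes GNU stat as shipped with RHEL.

# mode_within FILE MAXMODE -> 0 if FILE's permission bits are a subset of
# MAXMODE ("600 or more restrictive"), 1 if any extra bit is set, 2 if missing.
mode_within() {
    _actual=$(stat -c '%a' "$1" 2>/dev/null) || return 2
    # A leading 0 makes the shell read both values as octal.
    [ $(( 0$_actual & ~0$2 )) -eq 0 ]
}

# check_item ID FILE MAXMODE OWNER
#   Prints:  host|ID|PASS/FAIL/MISSING|file|mode info|owner info
#   Returns: 0 PASS, 1 FAIL, 2 MISSING. Never modifies anything.
check_item() {
    _id=$1 _file=$2 _max=$3 _owner=$4
    _host=$(hostname 2>/dev/null || echo unknown)
    if [ ! -e "$_file" ]; then
        echo "$_host|$_id|MISSING|$_file|-|-"
        return 2
    fi
    _mode=$(stat -c '%a' "$_file")
    _own=$(stat -c '%U' "$_file")
    _status=PASS
    mode_within "$_file" "$_max" || _status=FAIL
    [ "$_own" = "$_owner" ] || _status=FAIL
    echo "$_host|$_id|$_status|$_file|mode=$_mode(max $_max)|owner=$_own(want $_owner)"
    [ "$_status" = PASS ]
}

# run_checks [ROOT] -> runs the constructed item list below against ROOT
# (default: the live filesystem). Returns 1 if any item is not PASS.
run_checks() {
    _root=${1:-}
    _rc=0
    while read -r _i _p _m _o; do
        check_item "$_i" "$_root$_p" "$_m" "$_o" || _rc=1
    done <<EOF
LNX00160 /boot/grub/grub.conf 600 root
SAMPLE-passwd /etc/passwd 644 root
SAMPLE-shadow /etc/shadow 400 root
EOF
    return $_rc
}

# cron usage (example): run_checks >> /var/log/stig-check.log
```

Because the check compares permission bits as a subset rather than for equality, a file at 0400 still passes a "600 or more restrictive" rule, which is what the checklist wording means; an equality test would report such files as failures and bury real findings in noise.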
5. Reporting: confirm compliance through the life of the server
Maintain
Automating provisioning & maintenance is an evolutionary process…
• Long messy kickstart file but a good source of information
• Need to finish a “baseline” and modify build process accordingly
• Need to move the vast majority of the kickstart content to puppet server
• Disclaimers out of the way…
What it does today

• It does build a consistent server from scratch (you can reverse engineer the entire build process and know every configuration change made)
• This is not an image
• It utilizes controlled software repositories in Satellite so that you can have a release process
• It does set up the ability to manage compliance over the life cycle of the server
• It has backups, centralized audit and log server functionality
Use Forge.mil to collaborate

• https://software.forge.mil/sf/go/wiki3316 (SPAWAR Linux Management Wiki)
• This brief is located there
• Some instructions on how to use what is available today are there
• Contacts are being added so you know who to consult with about different pieces, like Red Hat Satellite Server
Forge.mil / Satellite
Summary
• Build a reproducible RHEL server, bare metal or virtual.
• Build process results in something very close to a STIG compliant (IA will say it’s compliant) RHEL server
• The beginnings of a server life cycle that maintains & confirms compliance
• Currently functioning at a single project level in an R&D environment
References

• https://software.forge.mil/sf/go/wiki3316 (SPAWAR Linux Management Wiki)
• spawar-[email protected] (SPAWAR Linux Management discussion email)
• https://software.forge.mil/sf/discussion/do/listTopics/projects.dodbastile/discussion.spawar_linux_managment (SPAWAR Linux Management discussion page)
• https://software.forge.mil/sf/docman/do/listDocuments/projects.dodbastile/docman.root.spawarlinuxmanagement (SPAWAR Linux Management documents)
• https://software.forge.mil/sf/docman/do/downloadDocument/projects.dodbastile/docman.root.spawarlinuxmanagement/doc7520 (this brief)