An Approach to Building & Maintaining a STIG'D RHEL Server

Aaron Prayther, LCE
22 pages. Presented at Mil-OSS WG2, 2nd-5th August 2010, Washington D.C.

Transcript of An Approach to Building & Maintaining a STIG'D RHEL Server

Page 1: An Approach to Building & Maintaining a STIG'D RHEL Server

Red Hat Satellite Server
Forge.mil (https://software.forge.mil/sf/go/wiki3316 SPAWAR Linux Management Wiki)
Kickstart
Puppet
Tresys CLIP

Aaron Prayther, [email protected], 843 218 2178
Mil-OSS WG2
2nd-5th August 2010 – Washington D.C.

Page 2

1) Checklist
2) Relation
3) Application
4) Assessment
5) Maintenance

[Diagram: the five-step cycle with Satellite at the centre: 1 UNIX Security Checklist; 2 IAVA / CVE / Red Hat; 3 Kickstart / YUM / Puppet; 4 Satellite / Forge.mil; 5 Reporting? (SRR / Oval)]

Page 3

Creating a more manageable and reproducible STIG’D RHEL server

• There are some tools to help STIG a box
• There is an image that can be copied
• Nothing that is very reproducible over the long term
• We can create STIG’D servers and maintain them.
• The infrastructure, Satellite Server, is not a STIG compliant server in the environment I work in
• Google: “STIG” – The Stig is the name given to the racing driver character on the BBC Television show Top Gear.
  – Security Technical Implementation Guides

Page 4

1. UNIX Security Checklist
Is there an easier or better way?

[Diagram: the five-step cycle from page 2, at step 1 (UNIX Security Checklist)]

Page 5

Unix Security Checklist (634 GEN, UNIX & IAVA items)

Page 6

2. IAVA / CVE / Red Hat Security Advisory
A way to relate IAVA to patches

[Diagram: the five-step cycle from page 2, at step 2 (IAVA / CVE / Red Hat)]

Page 7

Satellite Flags Errata

Page 8

Satellite references CVE

Page 9

3. Kickstart, YUM & Puppet
“Applying”

[Diagram: the five-step cycle from page 2, at step 3 (Kickstart / YUM / Puppet)]

Page 10

Apply the Checklist

Page 11

Tresys CLIP Puppet content

    class lnx00160 {
        ## (LNX00160: CAT II) (Previously - L074) The SA will ensure the grub.conf
        ## file has permissions of 600, or more restrictive.
        file { "/boot/grub/grub.conf": mode => 600 }
    }

Page 12

4. Satellite & Forge.mil
Custom software repositories

[Diagram: the five-step cycle from page 2, at step 4 (Satellite / Forge.mil)]

Page 13

Assessment

Page 14

Confirm ongoing compliance

• Oval seems to have a lot of potential
  – Evaluating Oval and how to integrate
• Evaluating using SRR scripts in a cron job
• Satellite does a pretty good job of reporting on CVEs
• Would ultimately want to have a way of just getting the interesting information for hundreds (thousands) of servers
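The grub.conf rule from the CLIP Puppet class on page 11 and the cron-driven SRR-style checking discussed here, as an added shell example that is not part of the brief or of Tresys CLIP: it reports PASS/FAIL for LNX00160 the way a scheduled check would, and exercises constructed temporary files rather than the real /boot/grub/grub.conf. It assumes GNU stat (coreutils) for the -c format, as on RHEL.

```shell
#!/bin/sh
# Added example, not from the brief or Tresys CLIP: an SRR-style check for
# STIG item LNX00160 (grub.conf permissions of 600 or more restrictive) that
# could run from cron, with its one-line result collected centrally.
# Assumes GNU stat (coreutils) for the -c format, as on RHEL.

# mode_at_most MODE MASK: true when MODE (octal digits, as stat prints them)
# sets no permission bit outside MASK, e.g. 400 and 600 pass a mask of 600,
# 644 and 700 do not.
mode_at_most() {
    [ $(( 0$1 & ~0$2 )) -eq 0 ]
}

# check_lnx00160 FILE: print one result line and return 0 (pass) or 1 (fail).
# A missing file is reported as not applicable rather than as a failure.
check_lnx00160() {
    f=$1
    if [ ! -e "$f" ]; then
        echo "LNX00160: N/A: $f does not exist"
        return 0
    fi
    mode=$(stat -c %a "$f")
    owner=$(stat -c %U "$f")
    if mode_at_most "$mode" 600; then
        echo "LNX00160: PASS: $f mode $mode owner $owner"
        return 0
    fi
    echo "LNX00160: FAIL: $f mode $mode owner $owner (expected 600 or more restrictive)"
    return 1
}

# Demo on constructed files in a temporary directory, not the real grub.conf.
demo() {
    d=$(mktemp -d)
    touch "$d/good.conf" "$d/bad.conf"
    chmod 600 "$d/good.conf"
    chmod 644 "$d/bad.conf"
    check_lnx00160 "$d/good.conf"
    check_lnx00160 "$d/bad.conf"
    rm -rf "$d"
}

demo
```

Each check id becomes one function with the same result format, so the lines from many hosts can be grepped for FAIL centrally.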

Page 15

5. Reporting
Confirm compliance through the life of the server

[Diagram: the five-step cycle from page 2, at step 5 (Reporting? SRR / Oval)]

Page 16

Maintain

Page 17

Automating provisioning & maintenance is an evolutionary process…

• Long messy kickstart file but a good source of information
• Need to finish a “baseline” and modify build process accordingly
• Need to move the vast majority of the kickstart content to puppet server
• Disclaimers out of the way…

Page 18

What it does today

• It does build a consistent server from scratch (you can reverse engineer the entire build process and know every configuration change made)
• This is not an image
• It utilizes controlled software repositories in Satellite so that you can have a release process.
• It does set up the ability to manage compliance over the life cycle of the server
• It has backups, centralized audit and log server functionality

Page 19

Use Forge.mil to collaborate

• https://software.forge.mil/sf/go/wiki3316 SPAWAR Linux Management Wiki
• This brief is located there
• Some instructions on how to use what is available today are there.
• Contacts are being added so you know who to consult with about different pieces, like Red Hat Satellite Server

Page 20

Forge.mil / Satellite

Page 21

Summary

• Build a reproducible RHEL server, bare metal or virtual.
• Build process results in something very close to a STIG compliant (IA will say it’s compliant) RHEL server
• The beginnings of a server life cycle that maintains & confirms compliance
• Currently functioning at a single project level in an R&D environment

Page 22

References

• https://software.forge.mil/sf/go/wiki3316 SPAWAR Linux Management Wiki
• spawar-[email protected] SPAWAR Linux Management Discussion email
• https://software.forge.mil/sf/discussion/do/listTopics/projects.dodbastile/discussion.spawar_linux_managment SPAWAR Linux Management Discussion page
• https://software.forge.mil/sf/docman/do/listDocuments/projects.dodbastile/docman.root.spawarlinuxmanagement SPAWAR Linux Management Documents
• https://software.forge.mil/sf/docman/do/downloadDocument/projects.dodbastile/docman.root.spawarlinuxmanagement/doc7520 SPAWAR Linux Management (this brief)

Aaron Prayther, [email protected], 843 218 2178