Steps for testing DISA STIG controls against Satellite 6

Security technical implementation guides (STIGs) provide a standardized set of security protocols for practically any system. From networks to servers and computers, STIGs are designed to enhance overall security and reduce vulnerabilities. But what happens when the guidelines vary across an enterprise? How do you apply these to a specific product without breaking it? Challenge accepted.

In my previous work, I implemented the RHEL 7 DISA STIG against a functioning Satellite server and found that it would break Satellite outright. Without knowing the exact cause for the functionality of Satellite to stop working, I would have to develop a methodology for figuring out what exactly caused it to fail.  After testing each DISA STIG line by line, I’ve documented the steps in an effort to save others time and prevent the need to start from scratch. When using the process outlined below, the security components are built in to begin with so to not break the product – in this case, Satellite 6 – in the future other products.

 

  1. For testing purposes, I created the below environment to test with.
    1. Virtual Box running below VM’s on a laptop
      1. RHEL 7.5 Disconnected Satellite 6.3
      2. RHEL 7.5 Disconnected External Capsule 6.3 Server
      3. RHEL 7.5 IDM Server on RHEL 7.5
      4. RHEL 7.5 Client
      5. RHEL 7.5 Repo Server
  2. Once the environment is base lined, clone or snapshot the Satellite server. Once known STIG checks are confirmed to break the system, you can quickly recover to a known good state instead of having to manually undo STIG settings. This ensures the repeatable testing process is legitimate, and the prep work is done ahead of time.
  3. Use security tools OpenSCAP and SCAP Workbench to create custom Red Hat Enterprise Linux 7 DISA STIG profiles to scan the system, report findings, and generate remediation scripts.  
    1. OpenSCAP is a command line tool that has the capability to scan systems. The tool can be used by anyone. It is a quick way to get a measure against the STIG.
    2. SCAP Workbench is a tool set that lets you manipulate and easily customize the STIG profiles.
  4. Utilizing the generated remediation scripts from SCAP Workbench, I had to test out each individual STIG check to see where it failed. With a script of over 20,000+ lines of bash code, I had to comment out every line to be able to test the code check-by-check against Satellite. With roughly 243 individual STIG checks I had to go through and uncomment each check at a time. I’ve listed some VI shortcuts below.
    1. Comment out every line:  
       %s/^/#/
    2. Delete the # at the start of every line:    
      %s/^#//
    3. Delete the # for a range of lines:  
      %580,740s/^#//
  5. Run a variety of tests, and see how Satellite behaves before and after the STIG is in place.
    1. Test cases such as Satellite software installation, Satellite software component functional testing, and product integrations with Red Hat products (i.e. Satellite to identity management), etc.
    2. Once you integrate with other tools (like IDM), you’ll need to test again to ensure that the STIG will not break the integrations.
    3. Baseline Environment via VM clones or snapshots
    4. Run STIG remediation script
    5. Disconnected Satellite Server Installation
    6. Organization created
    7. Location x2 created
    8. Manifest upload
    9. CDN changed to Repo Server
    10. RHEL 7Server Repo Enabled
    11. RHEL 7.5 Kick Start Enabled
    12. Product Sync
    13. Custom Product Created
    14. Test RPM uploaded to Custom Product
    15. Content View Created x2
    16. Life Cycle Configured x2
    17. Host Collection Created
    18. Activation Key Created
    19. Host Group Configured
    20. Operating System Configured
    21. Installation Medium Created
    22. Domain Configured
    23. Subnet Configured
    24. DHCP Configured
    25. IDM Integration for SSO/Kerberos based login
    26. Realm Capsule Configured
    27. Client Registration to Satellite
    28. Client Successfully Accessed repos from Satellite
    29. External Capsule Installation
    30. External Capsule Configured for dedicated Content View
    31. External Capsule Configured for dedicated Life Cycle
    32. External Capsule Content Sync
    33. Client Registration to External Capsule
    34. Client Successfully Access repos from Capsule
    35. Satellite & Capsule services restart

 

Results:

 

After going through this 5 step process, I have listed the OpenSCAP STIG checks that need to be disabled to allow the core set of Satellite features to function properly. You can disable these checks in SCAP Workbench and generate a clean remediation script to use to automate

 

Breaks Satellite  (Removed all FIPS related items regardless of it did not directly impact or Satellite to avoid confusion)

  • xccdf_org.ssgproject.content_rule_sshd_use_approved_ciphers
  • xccdf_org.ssgproject.content_rule_sshd_use_approved_macs
  • xccdf_org.ssgproject.content_rule_grub2_enable_fips_mode
  • xccdf_org.ssgproject.content_rule_package_dracut-fips_installed
  • xccdf_org.ssgproject.content_rule_aide_use_fips_hashes
  • xccdf_org.ssgproject.content_rule_sebool_fips_mode

 

Breaks IDM SSO / Kerberos Integration

  • xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root
  • xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny

 

Needed for TFTP Provided Provisioning Services

  • xccdf_org.ssgproject.content_rule_service_tftp_disabled
  • xccdf_org.ssgproject.content_rule_package_tftp-server_removed
  • xccdf_org.ssgproject.content_rule_tftpd_uses_secure_mode

 

Connect with Red Hat Services

Learn more about Red Hat Consulting
Learn more about Red Hat Training
Learn more about Red Hat Certification
Join the Red Hat Learning Community
Subscribe to the Training Newsletter
Follow Red Hat Services on Twitter
Follow Red Hat Open Innovation Labs on Twitter
Like Red Hat Services on Facebook
Watch Red Hat Training videos on YouTube
Follow Red Hat Certified Professionals on LinkedIn
Creative Commons License

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.