Sys Maintenance: DISA STIG

Note: 11.3.1 feature - DISA STIG (Defense Information Systems Agency Security Technical Implementation Guide) support was introduced in NetWitness Platform 11.3.1. Versions 11.0.0.0 to 11.3.0.0 do not support DISA STIG.

RSA NetWitness Platform version 11.3.1 supports all Audit Rules in the DISA STIG Control Group. RSA will expand its support of STIG rules in future NetWitness Platform versions.

This section includes the following topics.

How STIG Limits Account Access

NetWitness Passwords

Generate the OpenSCAP Report

Manage STIG Controls Script (manage-stig-controls)

Rules List

Exceptions to STIG Compliance

IMPORTANT: All rules are enabled by default except for control goup 1-ssh-prevent-root an control group 3-fips-kernel. You can enable or disable rules by control group using the manage-stig-controls script.

How STIG Limits Account Access

The STIG hardening RPM helps to lock down information, systems, and software, which might otherwise be vulnerable to a malicious computer attack by limiting account access to a system. For example, the STIG script:

• Ensures that the account password has a length, complexity, expiration period, and lockout period that are in accordance with DISA best practices.
• Applies auditing and logging of user actions on the host.

NetWitness Passwords

RSA NetWitness Platform requires passwords that are STIG compliant.

Generate the OpenSCAP Report

Security Content Automation Protocol (SCAP) is a line of standards or rules managed by the National Institute of Standards and Technology (NIST). It was created to provide a standardized approach to maintaining the security of enterprise systems, such as automatically verifying the presence of patches, checking system security configuration settings, and examining systems for signs of compromise.

The OpenSCAP report evaluates your environment against the SCAP rules. The results are sent to the HOSTNAME-ssg-results. (XML|HTML) depending on the output format you select.

Disable Rules in OpenSCAP Report that Hang the Report

There may be STIG rules that you do not want to include in the OpenSCAP report because they make the report hang. Use the following command to disable items on the SCAP report:

sed -i 's/select idref="rule-id" selected="true"/select idref="rule-id" selected="false"/g' /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml

where rule-id is the Rule ID that you can replace with the Rule ID that may hang during a test.

For example, the report has a rule ID called partition_for_audit (shown as Rule ID: partition_for_audit). If you disable a rule, OpenSCAP does not check against that rule. This means that you need to check for compliance to the partition_for_audit rule manually.

Install OpenSCAP

You must

1. SSH to the host.
2. Create a centos-Base.repo file under /etc/yum.repos.d directory.
   The following example shows the contents of the centos-Base.repo file.

[base]
name=CentOS-$releasever - Base
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os
baseurl=http://mirror.centos.org/centos/$releasever/os/$basearch/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
priority=1
#released updates
[updates]
name=CentOS-$releasever - Updates
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=updates
baseurl=http://mirror.centos.org/centos/$releasever/updates/$basearch/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
priority=1
#packages used/produced in the build but not released
[addons]
name=CentOS-$releasever - Addons
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=addons
baseurl=http://mirror.centos.org/centos/$releasever/addons/$basearch/
enabled=0
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
priority=1
#additional packages that may be useful
[extras]
name=CentOS-$releasever - Extras
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=extras
baseurl=http://mirror.centos.org/centos/$releasever/extras/$basearch/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
priority=1
#additional packages that extend functionality of existing packages
[centosplus]
name=CentOS-$releasever - Plus
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=centosplus
baseurl=http://mirror.centos.org/centos/$releasever/centosplus/$basearch/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
priority=2
#contrib - packages by Centos Users
[contrib]
name=CentOS-$releasever - Contrib
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=contrib
baseurl=http://mirror.centos.org/centos/$releasever/contrib/$basearch/
enabled=0
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
priority=2

3. Execute the following commands.

   yum install openscap-scanner

   yum install scap-security-guide

For fresh installs, the OpenSCAP report is on the Image.

Sample Report

The following report is a sample section from an OpenSCAP report.

Report Fields

                                                                                                                

Create the OpenSCAP Report

The following tasks show you how to create the OpenSCAP Report in HTML, XML, or both HTML and XML.

Create Report in HTML Only

To create an OpenSCAP report in HTML only:

1. SSH to the host.

2. Submit the following command:

   mkdir -p /opt/rsa/openscap

3. Submit the following command for report upgrades only:

   sed -i -r -e "s/<platform.*//g" /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml

4. Submit the following command:
   oscap xccdf eval --profile "stig" --report /opt/rsa/openscap/`hostname`.html --cpe /usr/share/xml/scap/ssg/content/ssg-rhel7-cpe-dictionary.xml /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml
   

5. Report will be available under following location:

   /opt/rsa/openscap/

Create Report in XML Only

To create an OpenSCAP report in xml only:

1. SSH to the host.

2. Submit the following command:

   mkdir -p /opt/rsa/openscap

3. Submit the following command for report upgrades only:

   sed -i -r -e "s/<platform.*//g" /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml

4. Submit the following command:

   oscap xccdf eval --profile "stig" --results /opt/rsa/openscap/`hostname`.xml --cpe /usr/share/xml/scap/ssg/content/ssg-rhel7-cpe-dictionary.xml /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml

5. Report will be available under following location:
   /opt/rsa/openscap/
   

Create Report in Both XML and HTML

To create an OpenSCAP report in both xml and html:

1. SSH to the host.

2. Submit the following command:

   mkdir -p /opt/rsa/openscap

3. Submit the following command for report upgrades only:

   sed -i -r -e "s/<platform.*//g" /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml

4. Submit the following command:

   oscap xccdf eval --profile "stig" --results /opt/rsa/openscap/`hostname`.xml --report /opt/rsa/openscap/`hostname`.html --cpe /usr/share/xml/scap/ssg/content/ssg-rhel7-cpe-dictionary.xml /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml

5. Report will be available under following location:
   /opt/rsa/openscap/
   

Manage STIG Controls Script (manage-stig-controls)

You can use the manage-stig-controls script and its arguments to enable or disable STIG Control groups for which you want to apply STIG configuration. You can specify all hosts or individual hosts as arguments and you can enable or disable all control groups or individual control groups. This script is available in /usr/bin/ directory.

To manage STIG controls for a host:

1. SSH to the NW Server host or use the Console from the NetWitness Platform User Interface.
2. Submit the manage-stig-controls script with the commands, control groups, and other arguments you want to apply.
3. Reboot the host.

Commands

                               

Control Groups

You use the ID as an argument for the control group or groups.

                                                         

Other Arguments