Note: 11.3.1 feature - DISA STIG (Defense Information Systems Agency Security Technical Implementation Guide) support was introduced in NetWitness Platform 11.3.1. Versions 11.0.0.0 to 11.3.0.0 do not support DISA STIG.
RSA NetWitness Platform version 11.3.1 supports all Audit Rules in the DISA STIG Control Group. RSA will expand its support of STIG rules in future NetWitness Platform versions.
This section includes the following topics.
How STIG Limits Account Access
Manage STIG Controls Script (manage-stig-controls)
IMPORTANT: All rules are enabled by default except for control group 1-ssh-prevent-root and control group 3-fips-kernel. You can enable or disable rules by control group using the manage-stig-controls script.
How STIG Limits Account Access
The STIG hardening RPM limits account access to a system, which helps lock down information, systems, and software that might otherwise be vulnerable to a malicious attack. For example, the STIG script:
- Ensures that the account password has a length, complexity, expiration period, and lockout period that are in accordance with DISA best practices.
- Applies auditing and logging of user actions on the host.
NetWitness Passwords
RSA NetWitness Platform requires passwords that are STIG compliant.
Generate the OpenSCAP Report
Security Content Automation Protocol (SCAP) is a set of standards and rules managed by the National Institute of Standards and Technology (NIST). It provides a standardized approach to maintaining the security of enterprise systems, such as automatically verifying the presence of patches, checking system security configuration settings, and examining systems for signs of compromise.
The OpenSCAP report evaluates your environment against the SCAP rules. The results are written to HOSTNAME-ssg-results.xml or HOSTNAME-ssg-results.html, depending on the output format you select.
Disable Rules in OpenSCAP Report that Hang the Report
There may be STIG rules that you do not want to include in the OpenSCAP report because they make the report hang. Use the following command to disable items on the SCAP report:
sed -i 's/select idref="rule-id" selected="true"/select idref="rule-id" selected="false"/g' /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml
where rule-id is the Rule ID of the rule that hangs during a test.
For example, the report has a rule ID called partition_for_audit (shown as Rule ID: partition_for_audit). If you disable a rule, OpenSCAP does not check against that rule. This means that you need to check for compliance to the partition_for_audit rule manually.
Install OpenSCAP
You must:
- SSH to the host.
- Create a centos-Base.repo file under /etc/yum.repos.d directory.
The following example shows the contents of the centos-Base.repo file.
[base]
name=CentOS-$releasever - Base
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os
baseurl=http://mirror.centos.org/centos/$releasever/os/$basearch/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
priority=1
#released updates
[updates]
name=CentOS-$releasever - Updates
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=updates
baseurl=http://mirror.centos.org/centos/$releasever/updates/$basearch/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
priority=1
#packages used/produced in the build but not released
[addons]
name=CentOS-$releasever - Addons
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=addons
baseurl=http://mirror.centos.org/centos/$releasever/addons/$basearch/
enabled=0
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
priority=1
#additional packages that may be useful
[extras]
name=CentOS-$releasever - Extras
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=extras
baseurl=http://mirror.centos.org/centos/$releasever/extras/$basearch/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
priority=1
#additional packages that extend functionality of existing packages
[centosplus]
name=CentOS-$releasever - Plus
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=centosplus
baseurl=http://mirror.centos.org/centos/$releasever/centosplus/$basearch/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
priority=2
#contrib - packages by Centos Users
[contrib]
name=CentOS-$releasever - Contrib
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=contrib
baseurl=http://mirror.centos.org/centos/$releasever/contrib/$basearch/
enabled=0
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
priority=2
- Execute the following commands.
yum install openscap-scanner
yum install scap-security-guide
For fresh installs, the OpenSCAP report is already on the image.
Sample Report
The following report is a sample section from an OpenSCAP report.
Report Fields
Section | Field | Description |
---|---|---|
Introduction - Test Result | Result ID | The Extensible Configuration Checklist Description Format (XCCDF) identifier of the report results. |
Introduction - Test Result | Profile | XCCDF profile under which the report results are categorized. |
Introduction - Test Result | Start time | When the report started. |
Introduction - Test Result | End time | When the report ended. |
Introduction - Test Result | Benchmark | XCCDF benchmark that the report evaluated. |
Introduction - Test Result | Benchmark version | Version number of the benchmark. |
Introduction - Score | system | XCCDF scoring method. |
Introduction - Score | score | Score attained after running the report. |
Introduction - Score | max | Highest score attainable. |
Introduction - Score | % | Score attained after running the report, as a percentage. |
Introduction - Score | bar | Not applicable. |
Results overview - Rule Results Summary | pass | Passed rule check. |
Results overview - Rule Results Summary | fixed | Rule check that failed previously is now fixed. |
Results overview - Rule Results Summary | fail | Failed rule check. |
Results overview - Rule Results Summary | error | Could not perform rule check. |
Results overview - Rule Results Summary | not selected | This check was not applicable to your NetWitness Platform deployment. |
Results overview - Rule Results Summary | not checked | Rule could not be checked. There are several reasons why a rule cannot be checked. For example, the rule check requires a check engine not supported by the OpenSCAP report. |
Results overview - Rule Results Summary | not applicable | Rule check does not apply to your NetWitness Platform deployment. |
Results overview - Rule Results Summary | informational | Rule checks for informational purposes only (no action required for fail). |
Results overview - Rule Results Summary | unknown | Report was unable to check the rule. Run the steps manually as described in the report to check the rule. |
Results overview - Rule Results Summary | total | Total number of rules checked. |
Exceptions | Title | Name of the rule being checked. |
Exceptions | Result | Valid values are pass, fixed, fail, error, not selected, not checked, not applicable, informational, or unknown. Note: Result values are defined in the Results overview - Rule Results Summary section. |
Create the OpenSCAP Report
The following tasks show you how to create the OpenSCAP Report in HTML, XML, or both HTML and XML.
Create Report in HTML Only
To create an OpenSCAP report in HTML only:
- SSH to the host.
- Submit the following command:
mkdir -p /opt/rsa/openscap
- Submit the following command for report upgrades only:
sed -i -r -e "s/<platform.*//g" /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml
- Submit the following command:
oscap xccdf eval --profile "stig" --report /opt/rsa/openscap/`hostname`.html --cpe /usr/share/xml/scap/ssg/content/ssg-rhel7-cpe-dictionary.xml /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml
- The report is available in the following location:
/opt/rsa/openscap/
Create Report in XML Only
To create an OpenSCAP report in XML only:
- SSH to the host.
- Submit the following command:
mkdir -p /opt/rsa/openscap
- Submit the following command for report upgrades only:
sed -i -r -e "s/<platform.*//g" /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml
- Submit the following command:
oscap xccdf eval --profile "stig" --results /opt/rsa/openscap/`hostname`.xml --cpe /usr/share/xml/scap/ssg/content/ssg-rhel7-cpe-dictionary.xml /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml
- The report is available in the following location:
/opt/rsa/openscap/
Create Report in Both XML and HTML
To create an OpenSCAP report in both XML and HTML:
- SSH to the host.
- Submit the following command:
mkdir -p /opt/rsa/openscap
- Submit the following command for report upgrades only:
sed -i -r -e "s/<platform.*//g" /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml
- Submit the following command:
oscap xccdf eval --profile "stig" --results /opt/rsa/openscap/`hostname`.xml --report /opt/rsa/openscap/`hostname`.html --cpe /usr/share/xml/scap/ssg/content/ssg-rhel7-cpe-dictionary.xml /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml
- The reports are available in the following location:
/opt/rsa/openscap/
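The following POSIX shell helpers are an added example, not part of the NetWitness documentation or the manage-stig-controls tooling. They wrap the two file-level operations described in this section: deselecting a rule in the SSG XCCDF content (the same sed edit shown under "Disable Rules in OpenSCAP Report that Hang the Report", with the rule id escaped and the result verified) and extracting per-rule outcomes from the XCCDF results file that the --results option writes. File paths and rule ids are placeholders, and the results parsing assumes oscap's layout in which <result> is the first child of each <rule-result>.

```shell
#!/bin/sh
# Added example, not part of the NetWitness documentation. Helpers for the
# two files this section works with: the SSG XCCDF content that oscap
# evaluates, and the XCCDF results file written by "oscap xccdf eval
# --results". Paths and rule ids are placeholders supplied by the caller.

# Escape the characters sed treats as pattern metacharacters, so a rule id
# containing "." (common in XCCDF ids) is matched literally, not as "any char".
sed_escape() {
    printf '%s' "$1" | sed 's|[][\.*^$/]|\\&|g'
}

# disable_xccdf_rule FILE RULE_ID
# The same edit as the documented sed command, followed by a check that the
# rule is now deselected. Returns 1 when no <select> for that rule id exists,
# so a mistyped id is reported instead of silently leaving the rule enabled.
disable_xccdf_rule() {
    file=$1
    rule=$(sed_escape "$2")
    sed -i "s/\\(select idref=\"$rule\"\\) selected=\"true\"/\\1 selected=\"false\"/g" "$file"
    grep -qF "select idref=\"$2\" selected=\"false\"" "$file"
}

# rule_ids_with_result RESULTS_XML STATUS
# Print the idref of every <rule-result> whose <result> is STATUS (pass,
# fail, error, notselected, ...). Assumes the oscap layout in which <result>
# is the first child of <rule-result>; the file is joined into one line first
# so the two elements match regardless of line breaks and indentation.
rule_ids_with_result() {
    tr -d '\n' < "$1" \
      | grep -o "<rule-result idref=\"[^\"]*\"[^>]*> *<result>$2</result>" \
      | sed 's/^<rule-result idref="\([^"]*\)".*/\1/'
}

# count_results RESULTS_XML STATUS: number of rules with that outcome.
count_results() {
    rule_ids_with_result "$1" "$2" | wc -l | tr -d ' '
}

# Typical use on a NetWitness host after the documented oscap command:
#   rule_ids_with_result "/opt/rsa/openscap/$(hostname).xml" fail
#   count_results "/opt/rsa/openscap/$(hostname).xml" fail
```

A rule deselected this way is skipped by OpenSCAP entirely, so it shows up as notselected in the results rather than as pass or fail, and still has to be verified by hand.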
Manage STIG Controls Script (manage-stig-controls)
You can use the manage-stig-controls script and its arguments to enable or disable the STIG Control groups for which you want to apply STIG configuration. You can specify all hosts or individual hosts as arguments, and you can enable or disable all control groups or individual control groups. The script is located in the /usr/bin/ directory.
To manage STIG controls for a host:
- SSH to the NW Server host or use the Console from the NetWitness Platform User Interface.
- Submit the manage-stig-controls script with the commands, control groups, and other arguments you want to apply.
- Reboot the host.
Commands
Command | Description |
---|---|
--enable-all-controls | Enables all STIG controls. For example: manage-stig-controls --enable-all-controls |
--disable-all-controls | Disables all STIG controls. For example: manage-stig-controls --disable-all-controls |
--enable-default-controls | Enables all STIG Controls except ssh-prevent-root and fips-kernel. For example: manage-stig-controls --enable-default-controls |
--enable-control-groups <IDs> | Enables a comma-delimited list of STIG Control Group IDs. For example: manage-stig-controls --enable-control-groups '1, 2, 3' |
--disable-control-groups <IDs> | Disables a comma-delimited list of STIG Control Group IDs. For example: manage-stig-controls --disable-control-groups '1, 2, 3' |
Control Groups
You use the ID as an argument for the control group or groups.
ID | Group | Description | Specified by Default |
---|---|---|---|
1 | ssh-prevent-root | Prevent root login through SSH. | no |
2 | ssh | SSH STIG configuration. | yes |
3 | fips-kernel | FIPS kernel configuration. | no |
4 | auth | Authentication STIG configuration. | yes |
5 | audit | Audit STIG configuration. | yes |
6 | packages | RPM package STIG configuration. | yes |
7 | services | Services STIG configuration. | yes |
Other Arguments
Argument | Description |
---|---|
--host-all | Apply STIG configuration to all hosts. For example: manage-stig-controls --host-all |