
Sys Maintenance: DISA STIG

Document created by RSA Information Design and Development Employee on Jan 30, 2020. Last modified by RSA Information Design and Development Employee on Jan 13, 2021.

Note: 11.3.1 feature - DISA STIG (Defense Information Systems Agency Security Technical Implementation Guide) support was introduced in NetWitness Platform 11.3.1. Versions 11.0.0.0 to 11.3.0.0 do not support DISA STIG.

RSA NetWitness Platform version 11.3.1 supports all Audit Rules in the DISA STIG Control Group. RSA will expand its support of STIG rules in future NetWitness Platform versions.

This section includes the following topics.

How STIG Limits Account Access

NetWitness Passwords

Generate the OpenSCAP Report

Manage STIG Controls Script (manage-stig-controls)

Rules List

Exceptions to STIG Compliance

IMPORTANT: All rules are enabled by default except for control group 1 (ssh-prevent-root) and control group 3 (fips-kernel). You can enable or disable rules by control group using the manage-stig-controls script.

How STIG Limits Account Access

The STIG hardening RPM helps to lock down information, systems, and software that might otherwise be vulnerable to a malicious attack by limiting account access to the system. For example, the STIG script:

  • Ensures that the account password has a length, complexity, expiration period, and lockout period that are in accordance with DISA best practices.
  • Applies auditing and logging of user actions on the host.

NetWitness Passwords

RSA NetWitness Platform requires passwords that are STIG compliant.

Generate the OpenSCAP Report

Security Content Automation Protocol (SCAP) is a set of standards and rules managed by the National Institute of Standards and Technology (NIST). It was created to provide a standardized approach to maintaining the security of enterprise systems, such as automatically verifying the presence of patches, checking system security configuration settings, and examining systems for signs of compromise.

The OpenSCAP report evaluates your environment against the SCAP rules. The results are written to HOSTNAME-ssg-results.xml or HOSTNAME-ssg-results.html, depending on the output format you select.

Disable Rules in OpenSCAP Report that Hang the Report

There may be STIG rules that you do not want to include in the OpenSCAP report because they make the report hang. Use the following command to disable items on the SCAP report:

sed -i 's/select idref="rule-id" selected="true"/select idref="rule-id" selected="false"/g' /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml

where rule-id is a placeholder: replace it with the Rule ID of the rule that hangs during the test.

For example, the report has a rule ID called partition_for_audit (shown as Rule ID: partition_for_audit). If you disable a rule, OpenSCAP does not check against that rule. This means that you need to check for compliance to the partition_for_audit rule manually.
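To confirm that a rule is actually deselected in the stig profile after you edit the benchmark, the following added check script (not RSA's code; the benchmark fragment in it is constructed) reads the XCCDF file and reports, per profile, whether the rule is still selected. It matches on the short Rule ID, so it works both for ssg-rhel7-xccdf.xml (XCCDF 1.1, short IDs such as partition_for_audit) and for XCCDF 1.2 content that prefixes IDs with xccdf_org.ssgproject.content_rule_.

```python
"""Report whether a rule is selected in each profile of an XCCDF benchmark.
Added example, not RSA code; SAMPLE_BENCHMARK is a constructed fragment."""
import xml.etree.ElementTree as ET

# Constructed fragment in the shape of ssg-rhel7-xccdf.xml (XCCDF 1.1, short IDs).
SAMPLE_BENCHMARK = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="RHEL-7">
  <Profile id="stig">
    <select idref="partition_for_audit" selected="false"/>
    <select idref="sshd_disable_root_login" selected="true"/>
  </Profile>
  <Profile id="pci-dss">
    <select idref="partition_for_audit" selected="true"/>
  </Profile>
</Benchmark>"""

def _local(tag):
    """Strip the XML namespace so XCCDF 1.1 and 1.2 documents both parse."""
    return tag.rsplit("}", 1)[-1]

def selection_state(xccdf_text, rule_short_id):
    """Return {profile_short_id: selected?} for every profile that lists the rule."""
    state = {}
    for profile in ET.fromstring(xccdf_text).iter():
        if _local(profile.tag) != "Profile":
            continue
        # XCCDF 1.2 profile IDs look like xccdf_..._profile_stig; keep the short part.
        profile_id = profile.get("id", "").rsplit("_profile_", 1)[-1]
        for sel in profile:
            if _local(sel.tag) != "select":
                continue
            # Likewise reduce xccdf_org.ssgproject.content_rule_<id> to <id>.
            if sel.get("idref", "").rsplit("_rule_", 1)[-1] == rule_short_id:
                # XCCDF treats a missing 'selected' attribute as true.
                state[profile_id] = sel.get("selected", "true").lower() == "true"
    return state

def disabled_in_stig(xccdf_text, rule_short_id):
    """True only if the rule is explicitly deselected in the 'stig' profile."""
    return selection_state(xccdf_text, rule_short_id).get("stig") is False

if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 2 else None
    text = open(path).read() if path else SAMPLE_BENCHMARK
    rule = sys.argv[2] if len(sys.argv) > 2 else "partition_for_audit"
    print(rule, selection_state(text, rule), "disabled in stig:", disabled_in_stig(text, rule))
```

Run it against the real file as `python3 check.py /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml partition_for_audit`; a rule that is deselected still has to be verified manually, as noted above.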

Install OpenSCAP

To install OpenSCAP:

  1. SSH to the host.
  2. Create a centos-Base.repo file under /etc/yum.repos.d directory.
    The following example shows the contents of the centos-Base.repo file.

[base]
name=CentOS-$releasever - Base
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os
baseurl=http://mirror.centos.org/centos/$releasever/os/$basearch/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
priority=1
#released updates
[updates]
name=CentOS-$releasever - Updates
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=updates
baseurl=http://mirror.centos.org/centos/$releasever/updates/$basearch/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
priority=1
#packages used/produced in the build but not released
[addons]
name=CentOS-$releasever - Addons
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=addons
baseurl=http://mirror.centos.org/centos/$releasever/addons/$basearch/
enabled=0
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
priority=1
#additional packages that may be useful
[extras]
name=CentOS-$releasever - Extras
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=extras
baseurl=http://mirror.centos.org/centos/$releasever/extras/$basearch/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
priority=1
#additional packages that extend functionality of existing packages
[centosplus]
name=CentOS-$releasever - Plus
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=centosplus
baseurl=http://mirror.centos.org/centos/$releasever/centosplus/$basearch/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
priority=2
#contrib - packages by Centos Users
[contrib]
name=CentOS-$releasever - Contrib
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=contrib
baseurl=http://mirror.centos.org/centos/$releasever/contrib/$basearch/
enabled=0
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
priority=2

  3. Execute the following commands.

    yum install openscap-scanner

    yum install scap-security-guide

For fresh installs, the OpenSCAP tooling is already included in the image.

Sample Report

The following report is a sample section from an OpenSCAP report.

[Screenshot: OpenSCAP report section sample]

Report Fields

Introduction - Test Result
    Result ID          The Extensible Configuration Checklist Description Format (XCCDF) identifier of the report results.
    Profile            XCCDF profile under which the report results are categorized.
    Start time         When the report started.
    End time           When the report ended.
    Benchmark          XCCDF benchmark.
    Benchmark version  Version number of the benchmark.

Introduction - Score
    system             XCCDF scoring method.
    score              Score attained after running the report.
    max                Highest score attainable.
    %                  Score attained after running the report, as a percentage.
    bar                Not applicable.

Results overview - Rule Results Summary
    pass               Passed rule check.
    fixed              Rule check that failed previously is now fixed.
    fail               Failed rule check.
    error              Could not perform rule check.
    not selected       This check was not applicable to your NetWitness Platform deployment.
    not checked        Rule could not be checked. There are several reasons why a rule cannot be checked; for example, the rule check requires a check engine that the OpenSCAP report does not support.
    not applicable     Rule check does not apply to your NetWitness Platform deployment.
    informational      Rule checks for informational purposes only (no action is required on a fail).
    unknown            The report was not able to check the rule. Run the steps described in the report manually to check the rule.
    total              Total number of rules checked.

Exceptions
    Title              Name of the rule being checked.
    Result             Valid values are pass, fixed, fail, error, not selected, not checked, not applicable, informational, or unknown.

Note: Result values are defined in the Results overview - Rule Results Summary section.

Create the OpenSCAP Report

The following tasks show you how to create the OpenSCAP Report in HTML, XML, or both HTML and XML.

Create Report in HTML Only

To create an OpenSCAP report in HTML only:

  1. SSH to the host.
  2. Submit the following command:

    mkdir -p /opt/rsa/openscap

  3. Submit the following command for report upgrades only:

    sed -i -r -e "s/<platform.*//g" /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml

  4. Submit the following command:

    oscap xccdf eval --profile "stig" --report /opt/rsa/openscap/`hostname`.html --cpe /usr/share/xml/scap/ssg/content/ssg-rhel7-cpe-dictionary.xml /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml

  5. The report is written to the following location:

    /opt/rsa/openscap/

Create Report in XML Only

To create an OpenSCAP report in XML only:

  1. SSH to the host.
  2. Submit the following command:

    mkdir -p /opt/rsa/openscap

  3. Submit the following command for report upgrades only:

    sed -i -r -e "s/<platform.*//g" /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml

  4. Submit the following command:

    oscap xccdf eval --profile "stig" --results /opt/rsa/openscap/`hostname`.xml --cpe /usr/share/xml/scap/ssg/content/ssg-rhel7-cpe-dictionary.xml /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml

  5. The report is written to the following location:

    /opt/rsa/openscap/

Create Report in Both XML and HTML

To create an OpenSCAP report in both XML and HTML:

  1. SSH to the host.
  2. Submit the following command:

    mkdir -p /opt/rsa/openscap

  3. Submit the following command for report upgrades only:

    sed -i -r -e "s/<platform.*//g" /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml

  4. Submit the following command:

    oscap xccdf eval --profile "stig" --results /opt/rsa/openscap/`hostname`.xml --report /opt/rsa/openscap/`hostname`.html --cpe /usr/share/xml/scap/ssg/content/ssg-rhel7-cpe-dictionary.xml /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml

  5. The report is written to the following location:

    /opt/rsa/openscap/
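Once step 4 has written `hostname`.xml, the results can be summarized without opening the HTML report. The following script is an added example (not RSA's code) that parses the XCCDF results file into the same Rule Results Summary counts described under Report Fields and lists the rules that still need attention; the results document embedded in it is constructed.

```python
"""Summarize an XCCDF results file (from `oscap xccdf eval --results`) into the
Rule Results Summary counts. Added example, not RSA code; input is constructed."""
import xml.etree.ElementTree as ET
from collections import Counter

# Result values as the XML spells them; the HTML report renders the three
# multi-word ones as "not selected", "not checked", "not applicable".
RESULT_VALUES = ("pass", "fixed", "fail", "error", "notselected",
                 "notchecked", "notapplicable", "informational", "unknown")
# Results a person still has to act on (fail/error) or verify by hand.
ATTENTION = {"fail", "error", "notchecked", "unknown"}

# Constructed, minimal XCCDF 1.2 results document (not a real NetWitness report).
SAMPLE_RESULTS = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2">
  <TestResult id="xccdf_org.open-scap_testresult_stig">
    <profile idref="xccdf_org.ssgproject.content_profile_stig"/>
    <rule-result idref="xccdf_org.ssgproject.content_rule_partition_for_audit"><result>notselected</result></rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_disable_root_login"><result>fail</result></rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen"><result>pass</result></rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_example_manual_rule"><result>notchecked</result></rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_example_fixed_rule"><result>fixed</result></rule-result>
  </TestResult>
</Benchmark>"""

def _local(tag):
    """Strip the namespace so XCCDF 1.1 and 1.2 documents both parse."""
    return tag.rsplit("}", 1)[-1]

def parse_results(xml_text):
    """Map each rule's short ID (e.g. partition_for_audit) to its result string."""
    results = {}
    for elem in ET.fromstring(xml_text).iter():
        if _local(elem.tag) != "rule-result":
            continue
        rule_id = elem.get("idref", "").rsplit("_rule_", 1)[-1]
        res = next((c.text.strip() for c in elem if _local(c.tag) == "result"), "unknown")
        results[rule_id] = res
    return results

def summarize(rule_results):
    """Counts per result value plus 'total', like the report's Rule Results Summary."""
    counts = Counter(rule_results.values())
    summary = {value: counts.get(value, 0) for value in RESULT_VALUES}
    summary["total"] = len(rule_results)
    return summary

def needs_attention(rule_results):
    """Rules that failed, errored, or still need a manual check."""
    return sorted(rule for rule, res in rule_results.items() if res in ATTENTION)
```

Rules you deselected with the sed command earlier in this section show up as notselected and are not in the attention list, so track them separately for manual verification.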

Manage STIG Controls Script (manage-stig-controls)

You can use the manage-stig-controls script and its arguments to enable or disable the STIG control groups to which you want to apply STIG configuration. You can specify all hosts or individual hosts as arguments, and you can enable or disable all control groups or individual control groups. The script is located in the /usr/bin/ directory.

To manage STIG controls for a host:

  1. SSH to the NW Server host or use the Console from the NetWitness Platform User Interface.
  2. Submit the manage-stig-controls script with the commands, control groups, and other arguments you want to apply.
  3. Reboot the host.

Commands

--enable-all-controls
    Enables all STIG controls. For example:

    manage-stig-controls --enable-all-controls

--disable-all-controls
    Disables all STIG controls. For example:

    manage-stig-controls --disable-all-controls

--enable-default-controls
    Enables all STIG controls except ssh-prevent-root and fips-kernel. For example:

    manage-stig-controls --enable-default-controls

--enable-control-groups <IDs>
    Enables the comma-delimited list of STIG control group IDs. For example:

    manage-stig-controls --enable-control-groups '1, 2, 3'

--disable-control-groups <IDs>
    Disables the comma-delimited list of STIG control group IDs. For example:

    manage-stig-controls --disable-control-groups '1, 2, 3'

Control Groups

You use the ID as an argument for the control group or groups.

ID  Group             Description                         Specified by Default
1   ssh-prevent-root  Prevent root login through SSH.     no
2   ssh               SSH STIG configuration.             yes
3   fips-kernel       FIPS kernel configuration.          no
4   auth              Authentication STIG configuration.  yes
5   audit             Audit STIG configuration.           yes
6   packages          RPM package STIG configuration.     yes
7   services          Services STIG configuration.        yes

Other Arguments

--host-all
    Apply STIG configuration to all hosts. For example:

    manage-stig-controls --host-all