Sys Maintenance: Configure STIG Hardening for New 10.6 Installation

Document created by RSA Information Design and Development on May 12, 2016
Last modified by RSA Information Design and Development on May 12, 2016
Version 2

These instructions describe how to configure hosts in new 10.6 Security Analytics installations. 

Read Before You Run the STIG Script

Please read the following caution statement before you run the STIG hardening script.

Caution: After you run the STIG hardening script, you cannot revert to an unhardened state without performing a build stick on the host. If you want to revert, you must re-image the host and you will lose all of your data. Contact Customer Care to get instructions on how to build stick the host.

Apply the STIG Hardening Script

Complete the following procedure to apply the STIG hardening to a new host:

  1. Log on to the host using a normal user account. 

Caution: STIG blocks super user access to a host through SSH. You must log on using a normal user account. The STIG script (Aqueduct-STIG.sh) creates the nwadmin account when you run it logged on with the root password. The password for this account must be at least fourteen characters long and include numbers, letters, and at least one special character. You should change the passwords, including root, every 90 days to avoid expiration and lockout of these passwords. If you are completely locked out, you will need the root password to access the host in single user mode.

In addition, the script adds the nwadmin account to the /etc/sudoers file.

  2. Check for locks on the account:
    pam_tally2 --user=<username>
  3. Unlock the account, if required:
    pam_tally2 --user=<username> --reset
  4. Run the superuser command. You have three options:
    • Run sudo <command>.
    • Run su and provide the root password.
    • Run sudo su and provide your user password.
    You can add more user accounts to the /etc/sudoers file as needed.
  5. Go to the /opt/rsa/AqueductSTIG/ directory and run the STIG hardening script:
    ./Aqueduct-STIG.sh

Caution: After you run the STIG hardening script, you must change all the passwords on the system, including the root password, using the superuser credentials. STIG also applies the SHA512 algorithm to all passwords. This means that when you change all the passwords, they must be STIG compliant and conform to the STIG complex password requirements.

The script prompts you to change the nwadmin password.

  6. Enter the new password.
  7. Change all the passwords on the system, including the root password, using the superuser credentials:
    1. Log on to the host using the root credentials.
    2. Change all the passwords on the system.
  8. Restart the host.
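
To confirm the result of the procedure above, the following added example (not part of RSA's Aqueduct-STIG.sh) reads shadow-format entries and reports accounts whose hash is not SHA-512 or whose password is past or near the 90-day change interval. The function names, WARN_DAYS and the sample entries are constructed for illustration; the field layout is the standard shadow(5) format.

```shell
#!/bin/sh
# Added example, not part of Aqueduct-STIG.sh.
MAX_AGE=90     # change interval stated in this guide
WARN_DAYS=14   # assumption: how many days ahead to start warning

# Constructed sample entries in shadow(5) layout: name:hash:lastchange:min:max:warn:...
sample_shadow() {
    cat <<'EOF'
root:$6$c0nstructed$AAAA:16990:1:90:7:::
nwadmin:$6$c0nstructed$BBBB:16915:1:90:7:::
svcold:$1$c0nstructed$CCCC:16800:0:99999:7:::
daemon:*:16000:0:99999:7:::
EOF
}

# audit_shadow FILE [TODAY]  (TODAY = days since 1970-01-01, defaults to now)
audit_shadow() {
    shadow_file=$1
    today=${2:-$(( $(date +%s) / 86400 ))}
    awk -F: -v today="$today" -v max="$MAX_AGE" -v warn="$WARN_DAYS" '
        $2 == "" || $2 ~ /^[!*]/ { next }    # no password or locked: skip
        {
            # $6$ is the crypt(3) prefix for SHA-512; anything else predates
            # the hardening and still needs its password changed.
            if ($2 !~ /^\$6\$/) print $1 ": NOT_SHA512 (change this password)"
            if ($3 == "") { print $1 ": NO_LASTCHANGE"; next }
            if ($3 == 0)  { print $1 ": MUST_CHANGE_AT_NEXT_LOGIN"; next }
            left = max - (today - $3)        # days until the 90-day mark
            if (left < 0)          print $1 ": EXPIRED " (-left) " days ago"
            else if (left <= warn) print $1 ": EXPIRES_IN " left " days"
        }
    ' "$shadow_file"
}

# Run against a real file when one is given, e.g. /etc/shadow (needs root).
if [ "$#" -gt 0 ]; then audit_shadow "$@"; fi
```

An account reported as NOT_SHA512 has not had its password changed since the script ran; an EXPIRES_IN line is the cue to change that password before the account locks.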

(Conditional) Post-STIG Application Task - If You Use Malware Analysis, Update SELinux Parameter

If you use Security Analytics Malware Analysis, you must enable Malware Analysis to communicate with other Security Analytics services. To do this, update the SELINUX parameter in the /etc/selinux/config file to the following value.

SELINUX=disabled
