Copyright 2012 VT iDirect, Inc. All rights reserved. Reproduction in whole or in part without permission is
prohibited. Information contained herein is subject to change without notice. The specifications and information
regarding the products in this document are subject to change without notice. All statements, information, and
recommendations in this document are believed to be accurate, but are presented without warranty of any kind,
express, or implied. Users must take full responsibility for their application of any products. Trademarks, brand
names and products mentioned in this document are the property of their respective owners. All such references
are used strictly in an editorial fashion with no intent to convey any affiliation with the name or the product's
rightful owner.
Revision History
The following table shows all revisions for this document. If you do not have the revision that
applies to your release, or you are not sure, please contact iDirect.

Revision    Date Released    Who Updated?
            03/27/2012       JVespoli
Contents
7. STIG Exceptions (page 6)
8. PDIs Not Enforced by iDirect (page 6)
9. Explanation of Specific Open Findings (page 6)
9.1 CAT I Open Findings (page 6)
9.2 CAT II Open Findings (page 8)
Purpose
The STIG User Guide provides instructions for implementing compliance with the
recommendations specified in the UNIX Security Technical Implementation Guide (STIG) on
iDirect hub servers such as the NMS servers and protocol processor blades.
iDirect strives to produce documentation that is technically accurate, easy to use, and helpful
to our customers. Your feedback is welcomed! Send your comments to techpubs@idirect.net.
Intended Audience
The STIG User Guide is intended for UNIX system administrators responsible for implementing
the STIG feature on their iDirect UNIX servers.
Document Conventions
This section illustrates and describes the conventions used throughout the user guide.
Convention                    Description                                    Example
Blue Courier font
Courier font
Bold Trebuchet font
Blue Trebuchet font
Bold italic Trebuchet font    Used to emphasize information for the user,    Note:
                              such as in notes.
Red italic Trebuchet font                                                    network outage.
Security Technical Implementation Guides (STIGs) are checklists of recommended settings for
various computer platforms. They define configuration standards for DOD Information
Assurance (IA) and IA-enabled systems. The STIGs can be found at the Web site of the
Information Assurance Support Environment (IASE), http://iase.disa.mil/. This document
describes the iDirect STIG feature for compliance with the STIG recommendations applicable
to the Linux operating environment deployed on iDirect hub servers. It contains the following
major sections:
Note: This version of the STIG User Guide applies only to iDirect hub servers running
iDX Release 3.1.
Results of the STIG installation are written to log files, which you can then examine to verify
that the changes were properly applied to the system. The procedure for installing the
package on your hub servers is contained in Installing the STIG package on page 2. The
format of the log files is specified in Logs Directory on page 3.
In addition to the STIG recommendations that are automatically applied by the scripts, iDirect
supports a number of manual configuration changes to meet additional STIG
recommendations. Instructions for manually applying these additional changes are contained
in Performing Manual Updates on page 4.
Some STIG recommendations are either not applicable to the iDirect system or are the direct
responsibility of your Security Administrator (SA). These recommendations are listed in the
section PDIs Not Enforced by iDirect on page 6.
2. Installing the STIG package

Note: If you installed your iDirect release using a security enhanced Kickstart option (for
example, SE-NMS or SE-Protocol Processor) then the STIG package was automatically
installed and the STIG scripts were automatically executed during the installation.

Note: You can upgrade a non-STIG server to a STIG server by executing the idsUpdate script
with the --harden and --force options. For example:

mkdir -p /media/cdrom
mount /dev/cdrom /media/cdrom
/media/cdrom/iDirect/install/idsUpdate --harden --force
eject

You can upgrade a server with STIG already installed by executing the idsUpdate
script with the --harden option. The --force option is not required.

Note: When using the --force option, the --harden option is also required.

Note: In order to remain STIG compliant you should pass the --harden option to
idsUpdate whenever you upgrade to a new iDirect release.
Note: Once you have run the STIG scripts or performed the manual updates
documented on page 4, you must reboot the server.

3. Logs Directory
Results of the iDirect STIG scripts are written to the following directory:
/opt/stig/logs/
Each time you run the iDirect STIG scripts, the results are logged in a new file in that
directory with the name:
<Timestamp>.log
where <Timestamp> is the date and time that the STIG scripts were executed.
The STIG log files contain detailed output for each PDI fixed by the iDirect STIG scripts,
including all changes made to the system.
Before a STIG script modifies a system file, it saves a backup copy under /opt/stig/bak/,
mirroring the file's original path and appending a timestamp. For example, if a script modifies
the file /etc/ssh/sshd_config, the backup of that file is written to the following location:
/opt/stig/bak/etc/ssh/sshd_config.<Timestamp>
where <Timestamp> represents the date and time that the file was backed up.
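As an added example (not part of the iDirect guide), the following shell functions put the log and backup directories to use: given the backup root and a file path, they locate the newest timestamped backup and diff it against the live file, so that each change recorded in a run's log can be confirmed against what the script actually wrote. The backup layout is the one shown above; the timestamp format (20120327-141500 is assumed here) only needs to sort chronologically as text. Both roots are parameters so the functions can be exercised against a scratch tree instead of /opt/stig/bak.

```shell
#!/bin/sh
# Added example, not part of the iDirect guide: review what a STIG hardening run
# changed by pairing a system file with the newest backup the scripts left under
# the backup root. Assumed layout, as in the guide's example:
#   <bak_root><original path>.<Timestamp>
# with a timestamp that sorts chronologically as text (e.g. 20120327-141500).

# Print the newest backup of file $2 (absolute path, e.g. /etc/ssh/sshd_config)
# under backup root $1 (e.g. /opt/stig/bak). Fails if no backup exists.
latest_backup() {
  bak_root=$1
  file=$2
  newest=""
  # The glob expands in sorted order, so the last regular file is the newest.
  for f in "$bak_root$file".*; do
    [ -f "$f" ] && newest=$f
  done
  [ -n "$newest" ] || return 1
  printf '%s\n' "$newest"
}

# Unified diff of the newest backup against the live copy of $3, where $1 is
# the backup root and $2 the root of the live tree ("" for the real filesystem).
review_change() {
  bak_root=$1
  live_root=$2
  file=$3
  bak=$(latest_backup "$bak_root" "$file") || {
    printf 'no backup of %s under %s\n' "$file" "$bak_root" >&2
    return 2
  }
  printf '== %s (backup: %s)\n' "$file" "$bak"
  diff -u "$bak" "$live_root$file"
}

# Usage on a hardened server, after reading the run's log under /opt/stig/logs:
#   review_change /opt/stig/bak "" /etc/ssh/sshd_config
```

Read the diff alongside the matching log file: a change the log claims but the diff does not show (or the reverse) is the first sign that a later process, such as a package update, has overwritten the hardened setting.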
There are some open findings that cannot be addressed on iDirect servers. See
STIG Exceptions on page 6 for a list of PDIs associated with these findings.

Performing Manual Updates

Follow the procedures in this section to make your server compliant with the specified PDIs.
Each procedure consists of one or more PDIs and the steps required to modify the server
configuration to comply with those PDIs.
Note:
After you have made these changes, be sure to reboot your server.
Procedure 2: LNX00140
(LNX00140: CAT I) The GRUB boot-loader does not use an MD5 encrypted password.
Follow these steps to comply with the above PDI:
1. From the command line, enter the following command:
grub-md5-crypt
2. When prompted, enter the password to obtain the password hash. Sample output is shown
here:
Password: <passwd>
Retype password: <passwd>
$1$aKQ1L/$Hc0lGPZcI/MoWSc0Tcag31
3. Add the password hash to the grub configuration file /boot/grub/grub.conf as shown in
the example below:
default=0
timeout=5
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
password --md5 $1$aKQ1L/$Hc0lGPZcI/MoWSc0Tcag31
title Red Hat Enterprise Linux Server (2.6.18-164.6.1.el5)
root (hd0,0)
kernel /vmlinuz-2.6.18-164.6.1.el5 ro root=LABEL=/
initrd /initrd-2.6.18-164.6.1.el5.img
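As an added check (not part of the iDirect guide), the shell functions below verify the result of Procedure 2 before the reboot: the password line must carry an MD5-crypt hash, and it must sit in the global section of grub.conf (before the first title), which is where GRUB legacy applies it to the interactive menu. A plaintext password line, or a hash placed only inside a menu entry, does not satisfy the finding. The functions assume GRUB legacy syntax as in the example above and the md5crypt format that grub-md5-crypt emits ($1$, one to eight salt characters, $, twenty-two hash characters, all from the set [./0-9A-Za-z]).

```shell
#!/bin/sh
# Added example, not part of the iDirect guide: confirm that grub.conf carries
# the MD5-crypt password from LNX00140 in its global section. Assumes GRUB legacy
# syntax and the md5crypt hash format "$1$<1-8 salt>$<22 chars>" over [./0-9A-Za-z].

# Print the global section of grub.conf $1: every line before the first "title".
grub_global_section() {
  sed '/^[[:space:]]*title[[:space:]]/,$d' "$1"
}

# Succeed if the global section sets "password --md5 <md5crypt hash>".
grub_password_ok() {
  grub_global_section "$1" |
    grep -Eq '^[[:space:]]*password[[:space:]]+--md5[[:space:]]+\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}[[:space:]]*$'
}

# One-word verdict for grub.conf $1:
#   OK        - MD5-crypt password in the global section
#   NOT_MD5   - a global "password" line exists but is plaintext or malformed
#   MISPLACED - an MD5 password exists only inside a menu entry
#   MISSING   - no password at all
grub_password_status() {
  if grub_password_ok "$1"; then
    echo OK
  elif grub_global_section "$1" | grep -Eq '^[[:space:]]*password([[:space:]]|$)'; then
    echo NOT_MD5
  elif grep -Eq '^[[:space:]]*password[[:space:]]+--md5[[:space:]]+\$1\$' "$1"; then
    echo MISPLACED
  else
    echo MISSING
  fi
}

# Usage: after editing, confirm the result before rebooting.
[ -f /boot/grub/grub.conf ] && printf '/boot/grub/grub.conf: %s\n' "$(grub_password_status /boot/grub/grub.conf)"
```

The hash is an offline cracking target, and MD5-crypt is cheap to attack, so keep grub.conf readable only by root and choose a long password; the check above tells you where the line is, not how strong the password behind it is.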
Procedure 3: GEN001260
(GEN001260: CAT II) System log file permissions are more permissive than 640.
Follow the steps below to comply with the above PDI:
1. Find all files with permissions greater than 640 in the directory /var/log:
find /var/log -perm /137 -ls
2. For every log file found in Step 1 (after determining that the log file's permissions can be
safely changed) modify the file permissions using the following command:
chmod 640 <log file name>
Where <log file name> is the name of the log file.
Note: Because log files are created by many different processes that are not under
iDirect's control, iDirect cannot guarantee fully automated compliance with GEN001260.
When they run, the iDirect STIG hardening scripts set the permissions on existing log
files and adjust the configuration options for future log files to comply with this PDI
to the extent possible. However, there is no guarantee that new log files, rotated log
files, or log configuration options will have or maintain the proper permissions. See
the UNIX Security Checklist for more details.
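As an added example (not part of the iDirect guide), the shell functions below turn Procedure 3 into a repeatable report-then-fix step. One caveat the procedure's own command hides: find /var/log -perm /137 also lists directories, which carry execute bits by design and must keep them (chmod 640 on /var/log itself would lock every process out of its logs), so these functions restrict themselves to regular files and leave symlinks alone. The directory is a parameter so the functions can be exercised on a scratch tree; GNU find is assumed for the -perm /mode form the guide itself uses.

```shell
#!/bin/sh
# Added example, not part of the iDirect guide: the check behind GEN001260 as a
# report-then-fix pair. -perm /137 matches any file with owner-x (100),
# group-wx (030) or other-rwx (007) set, i.e. anything looser than rw-r----- (640).
# Only regular files are touched: directories need their execute bits, and
# symlinks are skipped. Assumes GNU find for the "-perm /mode" form.

# Print each regular file under $1 whose mode is more permissive than 640.
loose_log_files() {
  find "$1" -type f -perm /137
}

# Count such files; 0 means the tree is compliant.
loose_log_count() {
  loose_log_files "$1" | wc -l | tr -d ' '
}

# Show mode, owner and path for review before changing anything (step 1 of the
# procedure, with the "can this be changed safely?" decision left to the admin).
report_loose() {
  find "$1" -type f -perm /137 -exec ls -ld {} +
}

# Clear only the offending bits rather than setting 640 outright: a file that is
# already stricter in one class, e.g. rw--w---- (620), ends at 600 instead of
# being handed a group-read bit it never had, and files already at or below
# 640 are never touched because they do not match -perm /137.
fix_log_perms() {
  find "$1" -type f -perm /137 -exec chmod u-x,g-wx,o-rwx {} +
}

# Usage: report_loose /var/log   (review)   then   fix_log_perms /var/log
```

The note above is right that this does not stick on its own: rotated logs get their mode from the rotation tool, so pair the fix with a create 0640 root root directive in /etc/logrotate.conf, and run loose_log_count /var/log from cron so a regression shows up before the next audit.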
7. STIG Exceptions
iDirect servers are not compliant with the PDIs listed in this section. Complying with the PDIs
in this list will interfere with the normal operations of iDirect networks. For complete
definitions of these PDIs, see the UNIX Security Technical Implementation Guide.
Note: iDirect does not support customer updates of any software installed as part of the
operating system. For example, customer upgrades to openssl or any other software
package are not supported.
Table 1. List of UNIX STIG PDIs Not Supported on iDirect Servers

PDI Exceptions    Description
GEN000120         Vendor Recommended and Security Patches are not installed or are out-of-date.
GEN000760
GEN001560*
GEN006640

*GEN001560 is an exception only on the NMS server, not on the protocol processor
blades.
8. PDIs Not Enforced by iDirect

9. Explanation of Specific Open Findings

9.1 CAT I Open Findings

Vulnerable Systems: OpenSSH 1.2, 1.2.1 - 1.2.3

the system. RHEL4 does not appear to have any fixes, so this will be a finding. Execute
uname -a to determine the kernel version. RHEL5 does have a kernel update for the CIFS
vulnerability. If the kernel version is less than 2.6.18-128.1.14.el5, this is a finding.
The kernel version we provide is greater than 2.6.18-128.1.14.el5.
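The "less than 2.6.18-128.1.14.el5" test above is easy to get wrong by hand or with a string comparison, because "92" sorts after "128" as text. As an added example (not part of the iDirect guide), the shell functions below compare kernel release strings the way rpm does: numeric segments as numbers, a numeric segment ranking above an alphabetic one, alphabetic segments as strings. This is a simplified rpmvercmp that is sufficient for RHEL kernel release strings, which is an assumption; where rpmdevtools is installed, rpmdev-vercmp is the authoritative comparison. uname -r gives the bare release string that the functions expect.

```shell
#!/bin/sh
# Added example, not part of the iDirect guide: decide whether the running kernel
# is older than the fixed release named in the CAT I finding, comparing release
# strings rpm-style instead of as plain text. Simplified rpmvercmp (assumption:
# enough for RHEL kernel release strings); rpmdev-vercmp is the reference tool.

# True if $1 is a run of decimal digits.
is_num() {
  case $1 in
    '' | *[!0-9]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Segment $2 of release string $1, splitting on "." and "-"; empty past the end.
segment() {
  printf '%s\n' "$1" | tr '.' '\n' | tr '-' '\n' | sed -n "${2}p"
}

# Compare release strings $1 and $2; print -1 (older), 0 (equal) or 1 (newer).
kver_cmp() {
  i=1
  while :; do
    x=$(segment "$1" "$i")
    y=$(segment "$2" "$i")
    if [ -z "$x" ] && [ -z "$y" ]; then printf '%s\n' 0; return; fi
    if [ -z "$x" ]; then printf '%s\n' -1; return; fi   # shorter string is older
    if [ -z "$y" ]; then printf '%s\n' 1; return; fi
    if is_num "$x" && is_num "$y"; then
      if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return; fi
      if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return; fi
    elif is_num "$x"; then
      printf '%s\n' 1; return      # numeric segment outranks an alphabetic one
    elif is_num "$y"; then
      printf '%s\n' -1; return
    elif [ "$x" != "$y" ]; then
      first=$(printf '%s\n%s\n' "$x" "$y" | sort | head -n 1)
      if [ "$first" = "$x" ]; then printf '%s\n' -1; else printf '%s\n' 1; fi
      return
    fi
    i=$((i + 1))
  done
}

# Succeed (a finding) when kernel release $1 is older than fixed release $2.
kernel_is_finding() {
  [ "$(kver_cmp "$1" "$2")" = -1 ]
}

# Usage on the server under review:
#   kernel_is_finding "$(uname -r)" 2.6.18-128.1.14.el5 && echo "FINDING: kernel older than fix"
```

The same comparison serves any finding that names a minimum package or kernel release; the danger it removes is a text comparison silently passing 2.6.18-92 as newer than 2.6.18-128.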
9.2 CAT II Open Findings

PDI          Description
GEN000020
GEN000040    The UNIX host is not configured to require a password when booted to single-user
             mode and is not documented.
GEN000060    The UNIX host cannot be configured to require a password when booted to single-user
             mode and is not located in a controlled access area.
GEN000460    After three consecutive unsuccessful login attempts the account is not disabled.
GEN000480    The login delay between login prompts after a failed login is set to less than four
             seconds.
GEN000540
GEN000580
GEN000600    A password does not contain at least one upper case and one lower case character.
GEN000620
GEN000640
GEN000700
GEN000800
GEN000820
GEN000980    The root account can be directly logged into from other than the system console.
GEN001260
GEN001280
GEN001880
GEN002560
GEN002680
GEN002700
GEN002720    The audit system is not configured to audit failed attempts to access files and
             programs.
GEN002740    The audit system is not configured to audit files and programs deleted by the user.
GEN002760    The audit system is not configured to audit all administrative, privileged, and
             security actions.
GEN002960    Access to the cron utility is not controlled via the cron.allow and/or cron.deny files.
GEN003080    Crontab files are more permissive than 600 (700 on some Linux systems).
GEN003320
GEN003600
GEN004000
GEN004540
GEN004560    The O Smtp greeting in sendmail.cf, or equivalent, has not been changed to mask
             the version.
GEN004640
GEN005320
GEN005360    The snmpd.conf file is not owned by root and group owned by sys or the application.
GEN005400
GEN005540    Encrypted communications are not configured for IP filtering and logon warning
             banners.
GEN006620    The access control program is not configured to grant and deny system access to
             specific hosts.
LNX00320     Special privilege accounts, such as shutdown and halt, have not been deleted.
LNX00440
LNX00520