[Clip] DISA STIG SRR Scripts
Joe_Wulf
Joe_Wulf at yahoo.com
Tue Sep 8 20:54:31 CDT 2009
I concur with Eric's assessment. Some elements in my own testing of RHEL systems
by the latest DISA SRR don't pass due to code that isn't right, or checking the
wrong thing. Remember, DISA has a small crew working the SRR maintenance, and
they don't have their hands on all of the various OS's, and versions, and
architectures (and time!) to test all the combinations. I really do think they
are doing the best they can do, though.
The DISA SRR's are one good host-based tool for assessing the state of a system
at one moment in time. lynis (from rootkit.nl) is another, as well as the Center
for Internet Security's CIS-CAT. Red Hat too, has a slowly up and coming tool in
the works called sectool. Finally, SECSCN is another tool, within DoD, that has
a shrinking budget and tech group to support it, but it does a few things
decently for HBA. I typically run them all against a system and compare items I
know to be fixed/addressed, with what other tools tell me. The blend of using
them (and comparing against each other) all in the short run is quite a bit of
work, but once you are familiar with a few run-thru's the level of effort drops
off.
Now, I've not yet tried system building/hardening with CLIP, but plan on getting
to it.
One thing to keep track of, from the SRR point of view, is balancing the forced
manual review items with their automated checks. DISA, and DoD, have the blended
perspective and intent of total system assessment (thus the combination of a
STIG, Checklist and SRR). This means reviewing and empirically addressing their
manual-review items is an essential piece of the total system assessment. But,
when investigating them, you'll likely find that most of them are geared exactly
to stuff that should be manually checked, which tends to mean they are not
viewable from within the RHEL 5.3 (or other OS) environment. Thus I recommend
you focus on all the elements that are addressable and assessable from within the
OS in order to get the system/OS to 'pass'. This is the approach I take.
Basically, when the end user wants the total assessment, I do it all...... but
short of that, I use the automated checks of the SRR (and a tailored version of
the Review-Report script) to totally focus on automated HBA of systems.
R,
-Joe Wulf, CISSP, RHCT, VCP, USN(RET)
Senior IA Engineer
ProSync Technology Group, LLC
www.prosync.com <http://www.prosync.com/>
_____
From: clip-bounces at oss.tresys.com [mailto:clip-bounces at oss.tresys.com] On Behalf Of Eric Gearhart
Sent: Tuesday, September 08, 2009 19:46
To: clip at oss.tresys.com
Subject: Re: [Clip] DISA STIG SRR Scripts
On Tue, Sep 8, 2009 at 10:25 AM, Bryan Schneiders <bschneiders at woti.com> wrote:
How often are the CLIP releases tested against the DISA STIG System Readiness
Review scripts?
http://iase.disa.mil/stigs/SRR/unix.html
Bryan,
I used the CLIP rpms as a starting-off point, but I did have to script in
several fixes in order to get a clean Unix SRR. Sometimes the Unix SRR looks in
the wrong place as well, for example some of the PAM settings are in
/etc/pam.d/system-auth and that file is included from other PAM files... the SRR
script wasn't expecting that to be the case. That's just one example off the top
of my head.
Here's a small sample of fixes I happen to have open in Notepad right now that
I've implemented on the boxes we are DIACAPing:
find /usr/share/man -type f -print | xargs -n 1 chmod -w
find /usr/share/info -type f -print | xargs -n 1 chmod -w
find /var/log -type f | grep -v acpid | xargs -n 1 chmod 640
chmod 740 /home/*/.login
chmod 740 /home/*/.cshrc
chmod 740 /home/*/.logout
chmod 740 /home/*/.profile
chmod 740 /home/*/.bash_profile
chmod 740 /home/*/.bashrc
chmod 740 /home/*/.bash_logout
chmod 740 /home/*/.env
chmod 740 /home/*/.dispatch
chmod 740 /home/*/.emacs
chmod 740 /home/*/.exrc
perl -i -pe 's/#ClientAliveInterval 0/ClientAliveInterval 60/g' /etc/ssh/sshd_config
perl -i -pe 's/#ClientAliveCountMax 3/ClientAliveCountMax 3/g' /etc/ssh/sshd_config
perl -i -pe 's/minlen=12/minlen=14/g' /etc/pam.d/system-auth
chmod 700 /etc/cron.daily/cups
chmod 640 /selinux/member
chmod 640 /selinux/user
chmod 640 /selinux/relabel
chmod 640 /selinux/create
chmod 640 /selinux/access
chmod 640 /selinux/context
--
Eric
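Eric's point that the SRR missed settings living in /etc/pam.d/system-auth because that file is only reached through include lines is easy to verify yourself. Below is an added example (not from this thread or the CLIP project) that expands a service's PAM stack through include/substack/@include directives and reports the effective minlen=; the pam.d layout and the module names pam_cracklib/pam_pwquality are assumptions, and the test data is constructed.

```bash
#!/bin/bash
# Expand a PAM service file the way libpam does: an "include"/"substack" line
# pulls in only the lines of the same management group (auth, account, password,
# session) from the named file; Debian-style "@include" pulls in every line.
# Output: one "type control module args" line per effective entry.
pam_expand() {
    local pamdir=$1 file=$2 want=${3:-} depth=${4:-0}
    local type ctrl module rest
    [ "$depth" -le 8 ] || return 1      # stop runaway recursion on include loops
    [ -r "$pamdir/$file" ] || return 0  # missing file contributes no entries
    while read -r type ctrl module rest; do
        case "$type" in
            ''|'#'*) continue ;;
            '@include') pam_expand "$pamdir" "$ctrl" "$want" $((depth + 1)); continue ;;
        esac
        # a leading "-" only silences missing-module errors; ignore it when matching
        [ -z "$want" ] || [ "${type#-}" = "$want" ] || continue
        case "$ctrl" in
            include|substack) pam_expand "$pamdir" "$module" "${type#-}" $((depth + 1)) ;;
            *) printf '%s %s %s %s\n' "$type" "$ctrl" "$module" "$rest" ;;
        esac
    done < "$pamdir/$file"
}

# Print the minlen= value on the password-phase pam_cracklib/pam_pwquality entry
# of the expanded stack (prints nothing if no such entry sets it).
pam_effective_minlen() {
    pam_expand "$1" "$2" | awk '
        $1 == "password" && $3 ~ /pam_(cracklib|pwquality)\.so/ {
            for (i = 4; i <= NF; i++)
                if (sub(/^minlen=/, "", $i)) print $i
        }'
}

# check_minlen PAMDIR SERVICE MINIMUM -> exit 0 when the effective minlen for
# SERVICE is at least MINIMUM, 1 when it is lower or not set at all.
check_minlen() {
    local got
    got=$(pam_effective_minlen "$1" "$2" | tail -n 1)
    [ -n "$got" ] && [ "$got" -ge "$3" ]
}

# Example invocation on a real host: check_minlen /etc/pam.d sshd 14
if [ $# -eq 3 ]; then
    if check_minlen "$1" "$2" "$3"; then echo "$2: effective minlen meets $3"
    else echo "$2: effective minlen below $3 or not set"; exit 1; fi
fi
```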