The Security Technical Implementation Guides (STIGs) are the configuration standards for secure installation and maintenance of computer software and hardware introduced by the Defense Information Systems Agency (DISA) in support of the United States Department of Defense (DoD). The guides include recommended administrative processes to reduce the possibility of exploitation. STIG scanning software is used to implement and validate proper configuration.
Verify that your Linux host complies with the STIG recommendations. For example:

The system must not permit interactive boot. To disable the ability for users to perform interactive startups, edit the file /etc/sysconfig/init. Add or correct the line:

PROMPT=no

The PROMPT option allows the console user to perform an interactive system startup, in which it is possible to select the set of services which are started on boot.
All rsyslog-generated log files must be owned by root and have mode 0600 or less permissive. The log files generated by rsyslog contain valuable information regarding system configuration, user authentication, and other such information. Log files should be protected from unauthorized access. The owner of all log files written by rsyslog should be root.
The system must set a maximum audit log file size. The total storage for audit log files must be large enough to retain log information over the period required. This is a function of the maximum log file size and the number of logs retained. Determine the amount of audit data (in megabytes, at least 6 MB) that should be retained in each log file. Edit the file /etc/audit/auditd.conf. Add or modify the following line, substituting the correct value for [STOREMB]:

max_log_file = [STOREMB]
The audit system must be configured to audit successful file system mounts. The unauthorized exportation of data to external media could result in an information leak where classified information, Privacy Act information, and intellectual property could be lost. An audit trail should be created each time a filesystem is mounted to help identify and guard against information loss. At a minimum, the audit system should collect media exportation events for all users and root. Add the following to /etc/audit/audit.rules, setting ARCH to either b32 or b64 as appropriate for your system:

-a always,exit -F arch=ARCH -S mount -F auid>=500 -F auid!=4294967295 -k export
-a always,exit -F arch=ARCH -S mount -F auid=0 -k export
The SSH daemon must set a timeout interval on idle sessions. Causing idle users to be automatically logged out guards against compromises on one system leading trivially to compromises on another. SSH allows administrators to set an idle timeout interval. After this interval has passed, the idle user will be automatically logged out. To set an idle timeout interval, edit the following line in /etc/ssh/sshd_config as follows:

ClientAliveInterval <INTERVAL>

The timeout interval is given in seconds. To have a timeout of 15 minutes, set the interval to 900. If a shorter timeout has already been set for the login shell, that value will preempt any SSH setting made here. Keep in mind that some processes may stop SSH from correctly detecting that the user is idle.
The SSH daemon must not permit user environment settings. SSH environment options potentially allow users to bypass access restrictions in some configurations. To ensure users are not able to present environment options to the SSH daemon, add or correct the following line in /etc/ssh/sshd_config:

PermitUserEnvironment no
The SNMP service must not use a default password. Presence of the default SNMP password enables querying of different system aspects and could result in unauthorized knowledge of the system. Edit /etc/snmp/snmpd.conf and remove the default community string public. Upon doing that, restart the SNMP service.
The system default umask for the bash shell and in /etc/profile must be 077. The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read and/or written to by unauthorized users.

To ensure the default umask for users of the Bash shell is set properly, add or correct the umask setting in /etc/bashrc to read as follows:

umask 077

To ensure the default umask controlled by /etc/profile is set properly, add or correct the umask setting in /etc/profile to read as follows:

umask 077
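As an added example (not from the OpenStack guide or the openstack-ansible-security role), a small POSIX shell checker that verifies several of the settings above (PROMPT, max_log_file, ClientAliveInterval, PermitUserEnvironment, umask, and the rsyslog log-file mode) by parsing the relevant files. The sample files it writes are constructed, and the file paths, the 6 MB minimum and the GNU stat dependency are assumptions.

```shell
#!/bin/sh
# Added example: STIG setting checker. Each function takes the file to
# inspect as an argument, so it runs against a real host or the
# constructed samples written by make_samples below.

# effective_value FILE KEY SEP WHICH: print the value of KEY with comments
# stripped. SEP is "=" for key=value files (sysconfig, auditd.conf) and
# " " for "Key value" lines (sshd_config, umask). WHICH is "first" for
# sshd_config (first keyword wins) or "last" for shell-sourced files.
effective_value() {
    sed -e 's/#.*//' "$1" | awk -v key="$2" -v sep="$3" -v which="$4" '
        { k = ""; v = "" }
        sep == "=" && index($0, "=") {
            k = $0; sub(/=.*/, "", k); gsub(/[ \t]/, "", k)
            v = $0; sub(/^[^=]*=/, "", v); gsub(/^[ \t]+|[ \t]+$/, "", v)
        }
        sep == " " { k = $1; v = $2 }
        k == key { if (!seen) { first = v; seen = 1 }; last = v }
        END { if (which == "first") print first; else print last }'
}

# check_setting FILE KEY SEP WHICH EXPECTED: succeed when the value matches.
check_setting() { [ "$(effective_value "$1" "$2" "$3" "$4")" = "$5" ]; }

# check_min_number FILE KEY MIN: succeed when a numeric key=value is >= MIN.
check_min_number() {
    v=$(effective_value "$1" "$2" "=" last)
    [ -n "$v" ] && [ "$v" -ge "$3" ]
}

# check_mode_at_most FILE MAXMODE: succeed when FILE's octal mode grants no
# bit beyond MAXMODE (e.g. 600 for rsyslog output). Assumes GNU stat.
check_mode_at_most() {
    m=$(stat -c %a "$1") || return 1
    [ $(( 0$m & ~0$2 )) -eq 0 ]
}

# make_samples DIR: write constructed sample files (not real host files).
make_samples() {
    mkdir -p "$1"
    printf 'PROMPT=yes\n# overridden below\nPROMPT=no\n' > "$1/init"
    printf 'max_log_file = 6\nnum_logs = 5\n' > "$1/auditd.conf"
    printf 'ClientAliveInterval 900\n# PermitUserEnvironment yes\nPermitUserEnvironment no\n' > "$1/sshd_config"
    printf 'umask 022\numask 077\n' > "$1/profile"
    : > "$1/messages"; chmod 0600 "$1/messages"
    : > "$1/loose.log"; chmod 0644 "$1/loose.log"
}
# Usage: make_samples /tmp/stig && check_setting /tmp/stig/init PROMPT = last no
```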
Auditing must be enabled at boot by setting a kernel parameter. Each process on the system carries an auditable flag which indicates whether its activities can be audited. Although auditd takes care of enabling this for all processes which launch after it does, adding the kernel argument ensures it is set for every process during boot. To ensure all processes can be audited, even those which start prior to the audit daemon, add the argument audit=1 to the kernel line in /etc/grub.conf as follows:

kernel /vmlinuz-version ro vga=ext root=/dev/VolGroup00/LogVol00 rhgb quiet audit=1
The Bluetooth kernel module must be disabled. Preventing the kernel from loading the kernel module provides an additional safeguard against its activation. The kernel's module loading system can be configured to prevent loading of the Bluetooth module. Add the following to the appropriate /etc/modprobe.d configuration file to prevent the loading of the Bluetooth module:

install net-pf-31 /bin/false
install bluetooth /bin/false
Use the openstack-ansible-security role to provide host security hardening for OpenStack environments deployed with OpenStack-Ansible.