[SGVLUG] Hardening RedHat
Sean O'Donnell via SGVLUG
sgvlug at sgvlug.net
Tue Sep 11 15:03:50 PDT 2018
Years ago I had to work on a project that required our systems to be
STIG-compliant. We were doing OEM Linux Systems Integration based on RHEL4.
The fun part (for me) was re-branding the isolinux/pxelinux installation
splash screens and making options for installing the system with/without
STIG hardening via kickstart automation. The kickstart automation
scripting was a lot of fun as well.
The Kickstart configs were pretty much hardware-specific for a select
few models of Dell and HP servers. There was also a lot of custom
iptables configuration scripts, as some of these 'servers' were actually
used as routers by the customers.
That was about a decade ago, but I do miss that project, and learned a lot.
Hearing someone mention STIG brought back some memories.
</nostalgia>
On 9/7/18 9:21 AM, Scott Packard via SGVLUG wrote:
> I've gotten into hardening RHEL6 and RHEL7 lately.
> I've never seen that discussed on the list.
>
> It comes with a tool from www.open-scap.org; unfortunately for my work
> I have to put that aside and get a (download restricted) tool from
> iase.disa.mil.
> The tool is restricted, but the content the tool uses is not.
> To download the content, you'd select STIGs, STIGs Master List (A to Z),
> and look on the 2nd page for the Red Hat Benchmark .zip file appropriate
> for the OS version.
>
> I haven't compared content to see if they are similar; I believe they
> would be though.
> https://www.open-scap.org/getting-started/ has a tutorial on how to
> get started.
>
> You basically cycle through scanning a host, looking at the results,
> and follow mostly well-written steps to apply hardening, and scan again.
>
> I say mostly because there are some security features that it just
> wants to see on but doesn't care how badly you shoot yourself in the
> foot with.
>
> Those features are where the learning curve (and pain) are.
>
> - iptables (netfilter), configured as deny by default, allow by
> explicit rule. Having INPUT, OUTPUT, and FORWARD configured to DROP is
> different from most examples you can google, and where you start to
> realize you can't admin by cookbook.
>
> - SELinux (mandatory access control) set to enforcing
> Here I'm still learning how to look for problems, correct them, how to
> test if the correction is loaded, how to unload a policy, whether or
> not I need a reboot, etc.
> For instance, I work with Centrify tools to make a host join a Windows
> domain, and use their tools for centrally managing automounts. One of
> their perl scripts was denied access to an auto.home.lck file. I looked
> at their knowledgebase and found a KB with a .te file that was supposed
> to correct the denial, but when I compiled the file and applied the
> profile I still saw a denial.
> I'm not sure it was the 'exactly right' thing to do, but I changed the
> .te file to allow ioctl rather than just { read write }, because the
> error message I was seeing was ioctl was being denied, and that stopped
> the error messages from appearing.
>
> - aide (tool to scan a host and record a db of its config, then daily
> scan and report any changes)
>
> I don't think anybody gets into this area of RedHat unless they have a
> job requirement for it. In my case, it's gov't. contractor work. It
> seems the payment card industry uses this, with their own ruleset.
> But, the tools are all there, and it does make it easier for the
> security folks to push their requirements and to verify they've been
> met.
>
> Regards, Scott Packard
>
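The scan / remediate / rescan cycle Scott describes, as an added example (editor's code, not from either poster or from the OpenSCAP project). It assumes the scap-security-guide datastream path shipped on RHEL7 and a STIG profile id; the profile id changes between SSG releases, so take the real one from `oscap info` rather than the default below. The results file names and the sample results XML in the usage note are constructed for illustration.

```shell
#!/bin/sh
# Added example: scan -> generate fix -> review -> apply -> rescan with oscap.
# Assumed, not from the post: DS path (RHEL7 scap-security-guide) and PROFILE
# id. List the real profile ids with: oscap info "$DS"
DS=${DS:-/usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml}
PROFILE=${PROFILE:-xccdf_org.ssgproject.content_profile_stig-rhel7-disa}

list_profiles() { oscap info "$DS"; }

# Evaluate the host. oscap exits 0 when every rule passes, 2 when at least
# one fails and 1 on error, so do not wrap this in set -e.
scan() {
    tag=$1   # e.g. "before" or "after"
    oscap xccdf eval --profile "$PROFILE" \
        --results "results-$tag.xml" --report "report-$tag.html" "$DS"
    echo "oscap exit status $? (0 = all pass, 2 = failures, 1 = error)"
}

# Generate the bash remediation for the whole profile. Read it before you run
# it: the iptables, SELinux and aide changes the post warns about are in here.
gen_fix() {
    oscap xccdf generate fix --fix-type bash --profile "$PROFILE" \
        --output "remediate.sh" "$DS"
}

# Count rule results of one state (pass, fail, notapplicable, error, ...)
# in an XCCDF results file. grep -c prints 0 and exits 1 on no match.
count_results() { grep -c "<result>$2</result>" "$1" || true; }

# Print the idref of every rule whose result is "fail". The idref sits on
# the <rule-result> line; the <result> element may be on the same line or a
# later one, so remember the last idref seen.
failed_rules() {
    awk '/<rule-result /{ match($0, /idref="[^"]*"/);
                          id = substr($0, RSTART + 7, RLENGTH - 8) }
         /<result>fail<\/result>/{ print id }' "$1"
}

# Rules failing in both runs: what remediation did not (or could not) fix.
still_failing() {
    b=$(mktemp); a=$(mktemp)
    failed_rules "$1" | sort > "$b"
    failed_rules "$2" | sort > "$a"
    comm -12 "$b" "$a"
    rm -f "$b" "$a"
}
```

Typical use: `scan before; gen_fix; less remediate.sh; sh remediate.sh; scan after; still_failing results-before.xml results-after.xml`. `oscap xccdf eval --remediate` collapses the middle steps into one, at the cost of never seeing the fix script before it runs on a box that is also your router.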
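The deny-by-default netfilter ruleset from the first bullet, as an added example (editor's code, not from either poster). It emits a ruleset in iptables-save format, which is what RHEL6/7 load from /etc/sysconfig/iptables, and it includes the rules that the googled examples leave out and that an OUTPUT DROP policy punishes you for forgetting: loopback, conntrack in both directions, ICMP, and outbound DNS/NTP. The SSH port, the management network and the outbound services are assumptions; change them for your hosts.

```shell
#!/bin/sh
# Added example: generate (not apply) a default-deny ruleset.
# Assumed, not from the post: SSH on $1 (default 22), admin traffic only from
# $2 (default 10.0.0.0/8), and DNS, NTP and HTTPS as the only outbound needs.
gen_iptables_rules() {
    ssh_port=${1:-22}
    admin_net=${2:-10.0.0.0/8}
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:LOGDROP - [0:0]
# Loopback first: local services (and sshd's own lookups) need it.
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Connection tracking in BOTH directions. Omitting the OUTPUT line is the
# classic way to lock yourself out once OUTPUT is set to DROP.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# ICMP: rate-limited echo, plus the types path-MTU discovery depends on.
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
# Inbound: SSH from the management network only.
-A INPUT -p tcp -s ${admin_net} --dport ${ssh_port} -m conntrack --ctstate NEW -j ACCEPT
# Outbound: DNS, NTP and HTTPS (yum) may open new connections; nothing else.
-A OUTPUT -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p udp --dport 123 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
# Log what the policy is about to drop, rate-limited so logs can't be flooded.
-A INPUT -j LOGDROP
-A OUTPUT -j LOGDROP
-A FORWARD -j LOGDROP
-A LOGDROP -m limit --limit 10/min -j LOG --log-prefix "iptables-drop: " --log-level 4
-A LOGDROP -j DROP
COMMIT
EOF
}

# Apply a ruleset file with an automatic rollback: if the new rules cut off
# your SSH session, the previous ruleset comes back after $2 seconds.
# Kill the background job once you have confirmed you can still log in.
apply_with_rollback() {
    newrules=$1; grace=${2:-120}
    iptables-save > /root/iptables.rollback
    iptables-restore < "$newrules"
    ( sleep "$grace"; iptables-restore < /root/iptables.rollback ) &
    echo "Rollback in ${grace}s unless you run: kill $!"
}
```

Usage: `gen_iptables_rules 22 10.0.0.0/8 > /root/iptables.new`, then `apply_with_rollback /root/iptables.new 120` from one session while you open a second one; once the second login works, kill the rollback job and copy the file to /etc/sysconfig/iptables. Any service you forgot shows up as an `iptables-drop:` line in the kernel log, which is the cheap way to find out what a box actually talks to before you take the DROP policy live.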
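The SELinux part of the second bullet (find the denial, write a .te module, compile and load it, check it is loaded, back it out, no reboot involved) as an added example; this is editor's code, not Scott's module and not Centrify's KB file. The source domain and target file type are placeholders: take the real ones from the `scontext=` and `tcontext=` fields of the AVC denial, never guess them. The permission set mirrors the post's fix, listing `ioctl` explicitly alongside `read write` instead of stopping at `{ read write }`.

```shell
#!/bin/sh
# Added example: build/load/verify/unload cycle for a small SELinux module.
# Assumed, not from the post: the module name and the placeholder types
# passed as $1 (source domain) and $2 (target file type).
MODNAME=${MODNAME:-local_autolock}

# 1. Pull recent denials for one process name and let audit2allow translate
#    them. This is where you see that the refused permission is ioctl,
#    which { read write } alone does not cover.
show_denials() {
    ausearch -m avc -ts recent -c "$1" 2>/dev/null | audit2allow
}

# 2. Emit the .te source. 'open getattr lock' are included because a lock
#    file is opened, stat'ed and flock()ed as well as read and written.
gen_te() {
    src=$1; tgt=$2
    cat <<EOF
module ${MODNAME} 1.0;

require {
    type ${src};
    type ${tgt};
    class file { read write ioctl open getattr lock };
}

# Grant exactly what the denial named. The KB version stopped at
# { read write }; the AVC message was for ioctl, so list it too.
allow ${src} ${tgt}:file { read write ioctl open getattr lock };
EOF
}

# 3. Compile and insert into the running policy. semodule -i takes effect
#    immediately; no reboot and no relabel are needed for an allow rule.
build_and_load() {
    src=$1; tgt=$2; dir=$(mktemp -d)
    gen_te "$src" "$tgt" > "$dir/$MODNAME.te"
    checkmodule -M -m -o "$dir/$MODNAME.mod" "$dir/$MODNAME.te"
    semodule_package -o "$dir/$MODNAME.pp" -m "$dir/$MODNAME.mod"
    semodule -i "$dir/$MODNAME.pp"
}

# 4. Verify without re-running the application: is the module loaded, and
#    does the compiled policy now contain an allow for ioctl? (sesearch is
#    in the setools-console package.)
verify_loaded() {
    src=$1; tgt=$2
    semodule -l | grep -q "^${MODNAME}" || { echo "module not loaded" >&2; return 1; }
    sesearch -A -s "$src" -t "$tgt" -c file -p ioctl
}

# 5. Back out (again no reboot). To collect every denial an application
#    generates before writing the module, make only its domain permissive
#    rather than the whole host; undo with: semanage permissive -d DOMAIN
unload()            { semodule -r "$MODNAME"; }
permissive_domain() { semanage permissive -a "$1"; }
```

Order of use: `show_denials <process>` to read the real contexts and permission, `build_and_load SRC_T TGT_T`, `verify_loaded SRC_T TGT_T`, then re-run the script and `ausearch -m avc -ts recent` should come back empty. If it does not, the denial is usually on a different class (dir, lnk_file) or a different target type than the one you allowed, which is why the KB's `{ read write }` module loaded cleanly yet fixed nothing.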