[SGVLUG] Hardening RedHat

Sean O'Donnell via SGVLUG sgvlug at sgvlug.net
Tue Sep 11 15:03:50 PDT 2018


Years ago I had to work on a project that required our systems to be
STIG-compliant. We were doing OEM Linux Systems Integration based on RHEL4.

The fun part (for me) was re-branding the isolinux/pxelinux installation 
splash screens and making options for installing the system with/without 
STIG hardening via kickstart automation. The kickstart automation 
scripting was also a lot of fun, as well.

The Kickstart configs were pretty much hardware-specific for a select
few models of Dell and HP servers. There were also a lot of custom
iptables configuration scripts, as some of these 'servers' were actually
used as routers by the customers.

That was about a decade ago, but I do miss that project, and learned a lot.

Hearing someone mention STIG brought back some memories.

</nostalgia>

On 9/7/18 9:21 AM, Scott Packard via SGVLUG wrote:
> I've gotten into hardening RHEL6 and RHEL7 lately.
> I've never seen that discussed on the list.
>
> It comes with a tool from www.open-scap.org; unfortunately for my work
> I have to put that aside and get a (download restricted) tool from
> iase.disa.mil. The tool is restricted, but the content the tool uses is not.
> To download the content, you'd select STIGs, STIGs Master List (A to Z), and
> look on the 2nd page for the Red Hat Benchmark .zip file appropriate for the
> OS version.
>
> I haven't compared content to see if they are similar; I believe they
> would be though.
> https://www.open-scap.org/getting-started/ has a tutorial on how to get started.
>
> You basically cycle through scanning a host, looking at the results, and follow
> mostly well-written steps to apply hardening, and scan again.
>
> I say mostly because there are some security features that it just wants to see on
> but doesn't care how badly you shoot yourself in the foot with.
>
> Those features are where the learning curve (and pain) are.
>
> - iptables (netfilter), configured as deny by default, allow by explicit rule.
> Having INPUT, OUTPUT, and FORWARD configured to DROP is different from most
> examples you can google, and where you start to realize you can't admin by cookbook.
>
> - SELinux (mandatory access control) set to enforcing
> Here I'm still learning how to look for problems, correct them, how to test if the
> correction is loaded, how to unload a policy, whether or not I need a reboot, etc.
> For instance, I work with Centrify tools to make a host join a Windows domain,
> and use their tools for centrally managing automounts. One of their perl scripts
> was denied access to an auto.home.lck file. I looked at their knowledgebase and
> found a KB with a .te file that was supposed to correct the denial, but when I compiled
> the file and applied the profile I still saw a denial.
> I'm not sure it was the 'exactly right' thing to do, but I changed the .te file to allow
> ioctl rather than just { read write }, because the error message I was seeing was
> ioctl was being denied, and that stopped the error messages from appearing.
>
> - aide (tool to scan a host and record a db of its config, then daily scan and report
> any changes)
>
> I don't think anybody gets into this area of RedHat unless they have a job requirement
> for it. In my case, it's gov't. contractor work. It seems the payment card industry
> uses this, with their own ruleset. But, the tools are all there, and it does make it
> easier for the security folks to push their requirements and to verify they've been met.
>
> Regards, Scott Packard
>
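
Scott's iptables point above, as an added example that is not from either message: a POSIX shell audit of an `iptables -S` listing for the deny-by-default policy on INPUT, OUTPUT and FORWARD, plus the loopback and established-connection accepts without which a DROP policy on OUTPUT cuts off the admin's own SSH session. Both rule listings are constructed samples, not taken from a real host.

```shell
#!/bin/sh
# Added example, not code from the thread: audit an `iptables -S` listing for the
# deny-by-default posture (INPUT/OUTPUT/FORWARD policy DROP) and for the few ACCEPT
# rules without which a DROP policy on OUTPUT locks out your own SSH session.

# check_policy CHAIN RULES: true if CHAIN's default policy is DROP.
check_policy() {
    printf '%s\n' "$2" | grep -q "^-P $1 DROP$"
}

# check_accept CHAIN PATTERN RULES: true if CHAIN has an ACCEPT rule matching PATTERN.
check_accept() {
    printf '%s\n' "$3" | grep -Eq "^-A $1 .*$2.*-j ACCEPT$"
}

# audit RULES: print one FAIL line per missing requirement.
audit() {
    # FORWARD DROP too: a box used as a router needs explicit FORWARD accepts.
    for chain in INPUT FORWARD OUTPUT; do
        check_policy "$chain" "$1" || echo "FAIL: $chain default policy is not DROP"
    done
    # Loopback must be allowed both ways or local services break in non-obvious ways.
    check_accept INPUT '-i lo' "$1" || echo "FAIL: INPUT does not accept loopback"
    check_accept OUTPUT '-o lo' "$1" || echo "FAIL: OUTPUT does not accept loopback"
    # Replies to an inbound SSH connection leave through OUTPUT: without a
    # RELATED,ESTABLISHED accept there, the session dies when the policy is applied.
    for chain in INPUT OUTPUT; do
        check_accept "$chain" 'ESTABLISHED' "$1" || echo "FAIL: $chain does not accept established connections"
    done
}

# count_findings RULES: number of FAIL lines audit prints (0 means compliant).
count_findings() {
    audit "$1" | grep -c '^FAIL' || true
}
# Constructed sample (not a real host): policies are right, but OUTPUT never allows
# established traffic, so the admin's SSH session would be cut off.
SAMPLE_LOCKOUT='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT'

# Constructed sample that passes every check.
SAMPLE_OK="$SAMPLE_LOCKOUT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT"

audit "$SAMPLE_LOCKOUT"
```

On a live host, feed it the real listing with `audit "$(iptables -S)"`.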
