An Approach to Building & Maintaining a STIG'D RHEL Server
Red Hat Satellite Server
Forge.mil (https://software.forge.mil/sf/go/wiki3316 SPAWAR Linux Management Wiki)
Kickstart
Puppet
Tresys CLIP
Aaron Prayther
aprayther@lce.com
843 218 2178
Mil-OSS WG2, 2nd-5th August 2010, Washington D.C.
3. Creating a more manageable and reproducible STIG’D RHEL server
• There are some tools to help STIG a box
• There is an image that can be copied
• Nothing that is very reproducible over the long term
• We can create STIG’D servers and maintain them.
• The infrastructure, Satellite Server, is not a STIG compliant server in the environment I work in
• Google: “STIG”
  – The Stig is the name given to the racing driver character on the BBC Television show Top Gear.
  – Security Technical Implementation Guides
6. 2. IAVA / CVE / Red Hat Security Advisory
A way to relate IAVA to patches
[Diagram: relates the UNIX Security Checklist, IAVA, CVE and Red Hat security advisories to the build and maintenance tools (Kickstart, YUM, Puppet, Reporting?, SRR, Oval, Satellite, Forge.mil)]
11. Tresys CLIP Puppet content
class lnx00160 {
  ## (LNX00160: CAT II) (Previously - L074) The SA will ensure the grub.conf
  ## file has permissions of 600, or more restrictive.
  file { '/boot/grub/grub.conf':
    # Mode as a quoted four-digit octal string; Puppet 4 and later reject an unquoted number here.
    mode => '0600',
  }
}
14. Confirm ongoing compliance
• Oval seems to have a lot of potential
  – Evaluating Oval and how to integrate
• Evaluating using SRR scripts in a cron job
• Satellite does a pretty good job of reporting on CVEs
• Would ultimately want to have a way of just getting the interesting information for hundreds (thousands) of servers
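As an added example (not from this brief, Tresys CLIP or the SPAWAR project), a cron-style POSIX shell check in the spirit of the SRR scripts mentioned above: it tests whether files are no more permissive than a STIG maximum, as LNX00160 on slide 11 requires for grub.conf, and prints only the failures so that a central report for many servers carries just the interesting information. The temporary paths and the check IDs other than LNX00160 are constructed for the demonstration.

```shell
# Added example: cron-style STIG file-permission check that reports only failures.
# Real use would list /boot/grub/grub.conf with maximum 600 for LNX00160.
# Print a file's permission bits in octal (GNU stat, with a BSD stat fallback).
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1" 2>/dev/null
}
# Succeed when the mode of $1 has no bit set that the octal maximum $2 lacks,
# i.e. the file is "600 or more restrictive": 400 passes, 640 and 644 fail.
mode_within() {
  actual=$(file_mode "$1") || return 2
  actual_dec=$(printf '%d' "0$actual")
  max_dec=$(printf '%d' "0$2")
  [ $(( actual_dec & ~max_dec )) -eq 0 ]
}
# Run a checklist given as lines of "ID path max_mode" (paths without spaces).
# Prints one line per finding and returns 0 only when every check passed, so a
# cron job can mail the output only when it is non-empty.
run_checks() {
  failures=0
  while read -r id path max; do
    [ -n "$id" ] || continue
    if [ ! -e "$path" ]; then
      printf 'MISSING %s %s\n' "$id" "$path"
      failures=$((failures + 1))
    elif ! mode_within "$path" "$max"; then
      printf 'FAIL %s %s mode %s exceeds %s\n' "$id" "$path" "$(file_mode "$path")" "$max"
      failures=$((failures + 1))
    fi
  done <<EOF
$1
EOF
  [ "$failures" -eq 0 ]
}
# Demonstration on constructed files; only the two non-compliant lines print.
demo() {
  tmp=$(mktemp -d) || return 2
  touch "$tmp/grub.conf" "$tmp/other.conf"
  chmod 600 "$tmp/grub.conf"
  chmod 644 "$tmp/other.conf"
  run_checks "LNX00160 $tmp/grub.conf 600
HYPO-1 $tmp/other.conf 600
HYPO-2 $tmp/absent.conf 600"
  rc=$?
  rm -rf "$tmp"
  return "$rc"
}
demo || echo "findings above; from cron, mail the output only when it is non-empty"
```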
17. Automating provisioning & maintenance is an evolutionary process…
• Long messy kickstart file but a good source of information
• Need to finish a “baseline” and modify build process accordingly
• Need to move the vast majority of the kickstart content to puppet server
• Disclaimers out of the way…
18. What it does today
• It does build a consistent server from scratch (you can reverse engineer the entire build process and know every configuration change made)
• This is not an image
• It utilizes controlled software repositories in Satellite so that you can have a release process.
• It does setup the ability to manage compliance over the life cycle of the server
• It has backups, centralized audit and log server functionality
19. Use Forge.mil to collaborate
• https://software.forge.mil/sf/go/wiki3316 SPAWAR Linux Management Wiki
• This brief is located there
• Some instructions on how to use what is available today are there.
• Contacts are being added so you know who to consult with about different pieces, like Red Hat Satellite Server
21. Summary
• Build a reproducible RHEL server, bare metal or virtual.
• Build process results in something very close to a STIG compliant (IA will say it’s compliant) RHEL server
• The beginnings of a server life cycle that maintains & confirms compliance
• Currently functioning at a single project level in an R&D environment
22. References
• https://software.forge.mil/sf/go/wiki3316 SPAWAR Linux Management Wiki
• spawar-dodbastile@software.Forge.mil SPAWAR Linux Management Discussion email
• https://software.forge.mil/sf/discussion/do/listTopics/projects.dodbastile/discussion.spawar_linux_managment SPAWAR Linux Management Discussion page
• https://software.forge.mil/sf/docman/do/listDocuments/projects.dodbastile/docman.root.spawarlinuxmanagement SPAWAR Linux Management Documents
• https://software.forge.mil/sf/docman/do/downloadDocument/projects.dodbastile/docman.root.spawarlinuxmanagement/doc7520 SPAWAR Linux Management, this brief
Aaron Prayther
aprayther@lce.com
843 218 2178