In some organizations, Linux systems are audited for security compliance by an external auditor. Remediating the findings and making the systems compliant used to be a matter of manually applying changes or running monolithic scripts. Today, remediation can be fully automated with Ansible, and security compliance can be checked before the auditor arrives with OpenSCAP. Below, we’ll see how to do this for Red Hat Enterprise Linux 6.
Security Technical Implementation Guides
If you have done Linux security hardening in the past, you may be familiar with the CIS Security Benchmarks. These are human-readable documents with information about each recommended setting, commands to check whether the system is configured correctly, and commands to set the right configuration if it is not.
The Security Technical Implementation Guides (STIG) published by the Defense Information Systems Agency (DISA) contain similar information in machine-readable format (XCCDF XML). There is a graphical utility to view the STIG content, and an OpenSCAP profile to audit a system against the list of vulnerabilities.
On a Linux system, download the RHEL 6 STIG from http://iase.disa.mil/stigs/os/unix-linux/ and extract the ZIP archive. Download the STIG Viewer from http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx
The viewer comes as a JAR file. Trying to run it with java-1.8.0-openjdk-188.8.131.52-1.b14.fc24 on Fedora 24 fails with the following error:
Error: JavaFX runtime components are missing, and are required to run this application
Until https://bugzilla.redhat.com/show_bug.cgi?id=1145303 is fixed, we’ll have to use the Oracle JRE to run the STIG viewer. Download the Linux x64 TAR.GZ from http://www.oracle.com/technetwork/java/javase/downloads/index.html, as root extract it to a directory under /usr/local and then run the STIG viewer with your own account:
export JAVA_HOME=/usr/local/jre1.8.0_101
$JAVA_HOME/bin/java -jar STIGViewer_2.3.jar &
Use File – Import STIG to import the XML file from the extracted STIG ZIP file.
Vulnerabilities are divided into three severities (CAT I to III), which can be filtered in the lower left. The same filter box allows you to only show vulnerabilities that contain a string like xinetd.
There also is a Web-based STIG viewer available at https://stigviewer.com/stig/red_hat_enterprise_linux_6/
To audit our RHEL 6 system against the STIG vulnerabilities, we use the OpenSCAP tool and the SCAP Security Guide content provided by Red Hat. Run the scan as root, since many of the checks read files that are not world-readable:
yum install openscap openscap-utils scap-security-guide
oscap xccdf eval \
    --profile stig-rhel6-server-upstream \
    --results /tmp/oscap-results.xml \
    --report /tmp/oscap-results.html \
    --cpe /usr/share/xml/scap/ssg/content/ssg-rhel6-cpe-dictionary.xml \
    /usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml
Copy the output /tmp/oscap-results.html to your desktop and open it with a browser. The list can be filtered to exclude passed tests, and clicking on a vulnerability shows more information about it.
Save a copy of the HTML report and of the XML results file so you can rerun oscap after applying the STIG remediation rules and compare the output.
Ansible Remediation Playbook
Most of the STIG vulnerabilities can be automatically fixed by the Ansible playbook from https://github.com/MindPointGroup/RHEL6-STIG. Clone the Git repository on a system that can connect to the target RHEL 6 systems via SSH. The repository defines an Ansible role, and should be put into a roles directory.
mkdir roles
cd roles
git clone https://github.com/MindPointGroup/RHEL6-STIG.git
The repository contains the remediation tasks, but no playbook to execute them. A simple playbook can be created by putting this into stig.yml at the same directory level as the roles directory:
---
- name: Apply STIG
  hosts: all
  become: yes
  roles:
    - role: RHEL6-STIG
      rhel6stig_cat3: yes
      rhel6stig_cat2: yes
      rhel6stig_other: yes
Create an Ansible inventory file listing the hosts you want to apply the changes to. Note that the playbook modifies configuration settings on these hosts and might break installed applications and system services, so try it on a test system before rolling it out. For example, you will no longer be able to log in as root via SSH (STIG V-38613).
Apply the playbook to all hosts in the inventory file with
ansible-playbook -i hosts stig.yml
This will take a while to complete. Once Ansible is done, re-run the oscap command shown above and you should see a higher compliance score and fewer failed OpenSCAP rules.
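Comparing the two HTML reports by eye is tedious, and it hides the case you most want to catch: a rule that passed before remediation and fails afterwards. The script below is an added example, not part of the original post, of OpenSCAP or of the RHEL6-STIG role. It reads the XML files written with --results before and after the playbook run and lists the rules that were fixed, the ones that still fail, and any regressions. The two embedded documents are constructed samples in the shape of oscap results output, not real scan results; the rule ids follow SCAP Security Guide naming but are only illustrative.

```python
"""Compare two OpenSCAP XCCDF result files (before and after remediation)."""
import sys
from collections import Counter
import xml.etree.ElementTree as ET


def _local(tag):
    """Strip the XML namespace so XCCDF 1.1 and 1.2 results parse the same way."""
    return tag.rsplit("}", 1)[-1]


def parse_results(xml_text):
    """Return {rule_id: result} for every <rule-result> in an XCCDF results document.

    oscap appends a <TestResult> to a copy of the benchmark, so we walk the whole
    tree instead of assuming where the results live.
    """
    results = {}
    for elem in ET.fromstring(xml_text).iter():
        if _local(elem.tag) != "rule-result":
            continue
        result = "unknown"  # XCCDF value for "no result could be determined"
        for child in elem:
            if _local(child.tag) == "result" and child.text:
                result = child.text.strip()
        results[elem.get("idref")] = result
    return results


def summarize(results):
    """Count rules per XCCDF result value, e.g. {'pass': 3, 'fail': 2}."""
    return Counter(results.values())


def compare(before, after):
    """Classify every rule of the first run by what happened to it in the second."""
    changes = {"fixed": [], "still_failing": [], "regressed": [], "missing": []}
    for rule_id, old in before.items():
        new = after.get(rule_id)
        if new is None:
            changes["missing"].append(rule_id)  # rule not evaluated in the second run
        elif old == "fail" and new == "pass":
            changes["fixed"].append(rule_id)
        elif old == "fail" and new == "fail":
            changes["still_failing"].append(rule_id)
        elif old != "fail" and new == "fail":
            changes["regressed"].append(rule_id)  # was passing, N/A or unchecked
    return changes


# Constructed sample documents (not real oscap output) so the script runs offline.
BEFORE_XML = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="RHEL-6">
  <TestResult id="xccdf_org.open-scap_testresult_stig-rhel6-server-upstream">
    <rule-result idref="sshd_disable_root_login" severity="medium"><result>fail</result></rule-result>
    <rule-result idref="service_xinetd_disabled" severity="medium"><result>pass</result></rule-result>
    <rule-result idref="package_telnet-server_removed" severity="high"><result>fail</result></rule-result>
    <rule-result idref="aide_periodic_cron_checking" severity="medium"><result>fail</result></rule-result>
    <score system="urn:xccdf:scoring:default" maximum="100.000000">25.000000</score>
  </TestResult>
</Benchmark>"""

AFTER_XML = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="RHEL-6">
  <TestResult id="xccdf_org.open-scap_testresult_stig-rhel6-server-upstream">
    <rule-result idref="sshd_disable_root_login" severity="medium"><result>pass</result></rule-result>
    <rule-result idref="service_xinetd_disabled" severity="medium"><result>fail</result></rule-result>
    <rule-result idref="package_telnet-server_removed" severity="high"><result>pass</result></rule-result>
    <rule-result idref="aide_periodic_cron_checking" severity="medium"><result>fail</result></rule-result>
    <score system="urn:xccdf:scoring:default" maximum="100.000000">50.000000</score>
  </TestResult>
</Benchmark>"""


def main(argv):
    """Usage: compare_oscap.py before-results.xml after-results.xml (no args: demo)."""
    if len(argv) == 3:
        with open(argv[1]) as f_before, open(argv[2]) as f_after:
            before, after = parse_results(f_before.read()), parse_results(f_after.read())
    else:
        before, after = parse_results(BEFORE_XML), parse_results(AFTER_XML)
    print("before:", dict(summarize(before)))
    print("after: ", dict(summarize(after)))
    for kind, rules in compare(before, after).items():
        for rule_id in rules:
            print("%-14s %s" % (kind, rule_id))


if __name__ == "__main__":
    main(sys.argv)
```

The "regressed" list is the one to read first after a remediation run: a rule that moved from pass to fail means the playbook changed something the profile did not ask for, and that is where broken services usually show up.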
Not all STIG vulnerabilities can be remediated automatically. The file roles/RHEL6-STIG/tasks/not_automated.yml lists some of those that are skipped.
The playbook can be customized by changing the variables defined in roles/RHEL6-STIG/defaults/main.yml, or by editing the tasks in roles/RHEL6-STIG/tasks/cat1.yml, cat2.yml and cat3.yml.
Given the number of tasks in the playbook, checking the output on the command line can be a bit overwhelming. Importing the playbook into Ansible Tower is easy though, and gives you a nice graphical overview when you run the playbook.