5

I am deploying systems that must be configured using the Red Hat 6 (v1r2) Security Technical Implementation Guide(STIG) published by the Defense Information Systems Agency (DISA). Link to site.

I've started developing a Kickstart file to automate many of these settings based on other KS files I've found via Google.

Does anyone have any advice, additional tools, or other resources that will help?

I do not need to use Kickstart, it just seemed like the easiest way to get started. I'm looking for any resources: playbooks for Ansible, basic shell scripts, etc.

0xSheepdog
  • 2,742
  • 1
  • 20
  • 31
  • This question may still be valid, but the general state of Red Hat Enterprise Linux has changed considerably since RHEL6 and the DISA STIG for RHEL6 v1r2. I would suggest anyone finding this question/answers today consider looking into the OSCAP Policy configuration that is now built into the Anconda installer for Enterprise Linux: https://rhelblog.redhat.com/2015/10/27/configuring-and-applying-scap-policies-during-installation/ – 0xSheepdog Mar 18 '19 at 15:30

4 Answers4

3

I have some scripts that are probably still "beta" from a project on GitHub by the RedHatGov organization (Red Hat, Inc. government sector employees).

https://github.com/RedHatGov

While their project is not complete, nor universally applicable, it is a great start and I plan on forking, contributing, and requesting pulls for the projects.

Frank Cavvigia of Red Hat has also made this script publicly available (by forking the code from other projects such as Aqueduct), which will modify a RHEL 6.4 .iso with many settings and requirements for DISA STIG compliance. This creates a new .ISO you can burn and use to install a system with many compliant options from the get-go.

http://people.redhat.com/fcaviggi/stig-fix/

I have tested this script, with minor modifications, on CentOS 6.5 and it has been somewhat successful. Someday when I get it cleaned up I will document and share my findings/changes.

Community
  • 1
0xSheepdog
  • 2,742
  • 1
  • 20
  • 31
  • I do not know the validity of the statement "by forking the code from other projects such as Aqueduct". They are not my words, it was an edit added by another user. I have no idea where precisely Frank Cavvigia got the code, and it's not really relevant to this Q&A site in my humble opinion. Open Source acknowledgement is important, but I don't know if this one is correct, true, or false. **shrug** – 0xSheepdog May 20 '14 at 18:18
3

The code was my spin from the following projects into an integrated "best-effort" - the scripts from Aqueduct, USGCB, etc. were tuned to RHEL 5 - I had to make a lot of modification to make it all work for RHEL 6 - so it is a fork in that sense. Anyway, I've merged and unified the code from the projects listed in the README of the stig-fix-el6 project:

https://github.com/RedHatGov/stig-fix-el6/blob/master/README

Eventually, this code will become oboslete as RHEL 7 will be integrating the remediation scripts from the SCAP Security Guide (SSG) into Anaconda.

http://myopensourcelife.com/2013/09/08/scap-and-remediation/

I plan to pare down the scripts just to the kickstart portion for RHEL 7 and to distribute the hardened configruations from the installation at that point.

Frank Caviggia
  • 31
  • 2
2

I have a couple of projects that address both kickstart automation via the anaconda API; jaks (just another kickstart script) and stigadm which while in the early stages of development aims to be a standard OSS SCAP/STIG validation & remediation project for UNIX/Linux operating systems.

jas-
  • 858
  • 5
  • 8
1

This Ansible role does exactly what you ask. First download the role to your machine:

# ansible-galaxy install https://github.com/MindPointGroup/RHEL6-STIG,devel

Then create a small playbook called harden.yml:

---
hosts: 127.0.0.1
  roles:
    - { role: RHEL6-STIG,
      rhel6stig_cat1: true, 
      rhel6stig_cat2: true, 
      rhel6stig_cat3: true }

Then apply the role:

# ansible-playbook harden.yml
bbaassssiiee
  • 244
  • 1
  • 7