wandored / stig Goto Github PK

stig based Ubuntu Server security lockdown
====

JAM
LMN Solutions
Version 0.9
August 2014

The scripts are based on the DISA unclassified STIG documentation for securing Redhat, as well as general DISA guidelines 
for unix, applications and operating systems.  They automate securing an Ubuntu 12.3 and 12.4 OS based on a 
review of several STIG documents and guidelines.

The intent of the script is to provide an open source STIG based lockdown of a systemi and is provided as is. 
It is a reference implementation for locking down an Ubuntu OS and could form the basis for a more formal 
implementation.  

There are implementation specific considerations that are identified in the lockdown report. Adding the 
report with this distribution has not been decided yet.

The scripts only correct findings not found to be compliant with the DISA STIG and guides. It was also designed for 
the ROGUE project so checks are based on the project requirements and not the list checks.  If the OS out of the box
meets the lockdown then no fix was scripted unless the project added functionality that required a check. 
A manual review was conducted of CATI and CATII.  CATIII items were not reviewed. 

In some cases findings were considered "site specific issues" and are not addressed in the scripts, nor are findings deemed out of scope. 
An example of this is logging on remote servers or saving logs for five years. These scripts will not address those issues.

The scripts will run successfully immediately after the OS is installed if system configuration is required, such as setting up the system
domain so the mail server can be configured properly.  Otherwise some reconfiguration may be required later.

Some notes on the installation of these lockdowns are provided in the GeoShape installation guide.

To Do:

- Output results to a report
- Fix remainder of functions not checking for previous lockdown
- Provide consistant result statements for the functions

Completed: 

- Tripwire installs with a configured template instead of the default.  The previous template had syntax and duplicate policies. The new template fixes those issues.
- Added new checks to several of the functions to check if these policies are already in place.  Previously they just ran the check without any checking. 
- Break all the rule lockdowns into separate functions and add a function call list to the top.  Functions can be adjusted for testing / trouble shooting / desired lockdowns.
- Can reuse the script as a lockdown script.  Before was designed for a fresh install only. It is now suitable for later use.

Still to do (some of them anyway):

- SV-26307r1. Do a check for ntp crypto servers and not a default unclass assumption response.
- SV-27203r1_rule. Check to see if the postgres is used as a application account, user or both.  If not strictly an application account move the user home 
  out of the postgres application directory.
- SV-760r6_rule. Remove postgres direct login. A decision still has to be made about the vagrant account.

Known bugs:

- /var/spool/cron/atjobs check is not correctly reading or setting the directory permission settings