There are a few items that the user must configure since there is no method for automatically determining the appropriate values.
DISA STIG requires all systems to have a bootloader username and password set. To accomplish this, first run grub2-mkpasswd-pbkdf2 to generate a hashed GRUB password. Once that is complete, place the following in the Hieradata for the system(s) being managed:

    simp_grub::admin: <grub_username>
    simp_grub::password: <hashed_password>
The SIMP ISO installation will appropriately configure the disk per the DISA STIG requirements. Alternatively, the kickstart files provided as templates by the SIMP project can be used to kickstart a system. If neither of these options is chosen, the user will need to set up the partitions appropriately themselves.
DISA STIG requires that all security patches be applied to a system. SIMP makes no assumptions about the connectivity to a given set of repositories or the appropriateness of applying any given updates to your system. That said, nightly updates are enabled via the simp::yum::schedule class and will update all packages to the latest version based on whatever repositories are present and configured on the system at that time.
Some checks that require scanning the entire filesystem (such as checking for incorrect permissions) would put a generally unacceptable load on the system in order to remediate at each run of Puppet. Users are encouraged to scan their systems regularly to find and address these kinds of issues.
If a suitable lightweight mechanism can be found to address this issue in the future, it will be added to the SIMP module space.
The DISA STIG benchmark indicates that no X11 packages should be installed if you do not require an actual graphical system display. Unfortunately, there is no good method to determine exactly which packages are part of a required installation and which are needed by other applications as part of their dependency chain. As such, users should start with the default SIMP installation (no GUI) and then use the simp-gnome and simp-gdm modules to add a GUI to their system as required.
Given that there is no way to know where and/or if a syslog server may be present on the network, there are no remote syslog servers configured by default. To bring your system into compliance, set the following via Hiera:

    simp_options::syslog::log_servers:
      - log.server.one

To set failover log servers, set the following via Hiera:

    simp_options::syslog::failover_log_servers:
      - failover.server.one
DISA STIG requires that repo_gpgcheck=1 be present in /etc/yum.conf. This could have a negative impact on the functionality of OEL, RHEL, and CentOS yum repositories. Oftentimes, after applying this parameter, several repos will begin to throw errors like the following on OEL/RHEL/CentOS 7 systems:

    https://[repo_location]/repodata/repomd.xml.asc: [Errno 14] HTTPS Error 404 - Not Found

And errors like the following on OEL/RHEL/CentOS 8 systems:

    Error: Failed to download metadata for repo '[reponame]': GPG verification is enabled, but GPG signature is not available. This may be an error or the repository does not support GPG verification: Status code: 404 for https://[repo_location]/repodata/repomd.xml.asc

To work around this issue, set the following via Hiera:

    yum::config_options:
      repo_gpgcheck: false

This will cause the corresponding check to fail in the compliance scans for the system; however, the repositories should begin working as expected again.
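Both error messages above come from yum or dnf failing to fetch repodata/repomd.xml.asc from a repository that does not publish a signed repomd.xml. The following added script (not part of SIMP or its documentation) parses .repo files and probes that URL for each baseurl, so an administrator can see which repositories support repo_gpgcheck before deciding whether to disable it globally; yum.conf(5) also accepts repo_gpgcheck as a per-repository option, so only the unsigned repos need it turned off. It assumes $releasever=8 and $basearch=x86_64 by default and does not resolve mirrorlist or metalink repos, which it reports as "unknown"; the sample .repo file and the fake_opener that stands in for the network are constructed for offline use.

```python
import configparser
import contextlib
import urllib.error
import urllib.request
from types import SimpleNamespace

def parse_repo_file(text, releasever="8", basearch="x86_64"):
    # Map repo id -> expanded baseurl; None when only mirrorlist/metalink is set
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    repos = {}
    for repo_id in cp.sections():
        base = cp.get(repo_id, "baseurl", fallback=None)
        if base:  # yum accepts several URLs here; probe only the first
            base = base.split()[0].replace("$releasever", releasever)
            base = base.replace("$basearch", basearch)
        repos[repo_id] = base
    return repos

def probe(baseurl, opener=urllib.request.urlopen):
    # 'signed' when repomd.xml.asc is served, 'unsigned' on 404, else 'error'
    url = baseurl.rstrip("/") + "/repodata/repomd.xml.asc"
    req = urllib.request.Request(url, method="HEAD")
    try:
        with contextlib.closing(opener(req, timeout=10)) as resp:
            return "signed" if resp.status == 200 else "error"
    except urllib.error.HTTPError as exc:
        return "unsigned" if exc.code == 404 else "error"
    except (urllib.error.URLError, OSError):
        return "error"

def classify(text, opener=urllib.request.urlopen):
    # Per-repo verdict so repo_gpgcheck can be enabled only where it will work
    return {rid: (probe(base, opener) if base else "unknown")
            for rid, base in parse_repo_file(text).items()}

# Constructed sample .repo file and a fake opener standing in for the network
SAMPLE_REPO = """[signed-repo]
baseurl=https://mirror.example/el/$releasever/$basearch/
[unsigned-repo]
baseurl=https://other.example/el/$releasever/os/
[mirrored]
mirrorlist=https://mirrors.example/list
"""

def fake_opener(req, timeout=None):
    if req.full_url.startswith("https://mirror.example/"):
        return SimpleNamespace(status=200, close=lambda: None)
    raise urllib.error.HTTPError(req.full_url, 404, "Not Found", {}, None)
```

Run classify() over the contents of each file in /etc/yum.repos.d with the default opener to probe the real repositories; a repo reported as "unsigned" is the one that will produce the 404 errors shown above once repo_gpgcheck=1 is set.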