Version: Atlas v3.14

Red Hat Enterprise Linux 7 Puppet Module (rhel7stig)

Table of Contents

  1. Description
  2. Setup - Getting started with rhel7stig
  3. Usage - Configuration options and additional functionality
  4. Limitations - OS compatibility, etc.
  5. Support - Getting module updates

Description

This Puppet module applies security hardening to Red Hat Enterprise Linux (RHEL) 7 as documented in the Defense Information Systems Agency (DISA) Security Technical Implementation Guide (STIG). See the CHANGELOG for the history of the module, including the currently supported STIG release.

The module implements each STIG finding as a separate Puppet class, so each finding can be enabled or disabled individually. Puppet classes for STIG findings are named after the vulnerability ID, beginning with a lower-case "v" followed by the ID number. All findings are enforced by default but can be disabled in hiera by using the 'exclude' parameter with an array of class names.

Setup

What rhel7stig affects

caution

The STIG checklist addresses MANY system components that can impact operational functionality. It is also highly likely that you are already using Puppet modules to maintain the system configuration. This module attempts to balance strict enforcement of the STIG while avoiding negative operational impacts and potential conflicts with other puppet resources. If you experience resource conflicts or would just prefer to manage some settings with other modules, just disable the classes from this module that are causing the conflict.

Major system components that will be modified:

  • Packages that are required by the STIG will be installed

  • Packages forbidden by the STIG will be removed

  • Kernel parameters and modules will be updated

  • PAM files will be updated

  • SSH files will be updated

  • The system audit configuration will be updated

  • AIDE will be installed and configured

  • SELinux will be set to "enforcing" mode with "targeted" policy

  • Users will be assigned to an SELinux role

  • FIPS mode will be enabled

  • If FIPS or SELinux changes require a reboot, the host will be rebooted at the end of the Puppet run

Beginning with rhel7stig

Add the module to an environment and assign it to nodes. It is recommended to target a few non-production systems at first to assess the impact on the systems and identify any conflicts with other Puppet resources. When STIG findings are known to cause issues or conflict with existing Puppet content, disable them in hiera. The following hiera example disables a few of the STIG classes that are likely to have an operational impact. See the Reference for a complete list of classes, including descriptions and any optional parameters.

rhel7stig::exclude:
- v204444 # SELinux role assignments for users
- v204397 # Multifactor authentication is required for GUI logon
- v204429 # Require a password to use sudo
- v204579 # Terminate sessions after 15 minutes of inactivity
- v204587 # Terminate SSH connections after 10 minutes of inactivity

There are a few classes with required parameters, so the module will fail unless values are supplied. Ensure you set values for these:

# GRUB password hash (create with 'grub2-mkpasswd-pbkdf2') - This value is referenced by v204436, v204438, v204439, v204440
rhel7stig::grub_passwd_hash: grub.pbkdf2.sha512...<TRUNCATED>

# Central audit log server
rhel7stig::v204509::remote_server: '10.10.10.1'

# Central syslog server
rhel7stig::v204574::syslog_host: '10.10.10.1'

# SELinux user mappings are not mandatory, but if no mappings are provided all users (except root)
# will use the default mapping to SELinux 'user_u'
rhel7stig::v204444::admins:
  '%wheel': 'sysadm_u'
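
The hiera rules described above (the 'exclude' list of class names and the required parameters) can be checked before the data reaches a node. The following Ruby lint is an added example, not part of the rhel7stig module; the function name and sample data are hypothetical, the GRUB hash is a placeholder, and it assumes 'exclude' entries use the short "v<digits>" form shown in the example above.

```ruby
require 'yaml'

# Constructed hiera data for illustration; the GRUB hash is a placeholder.
SAMPLE_HIERA = <<~YAML
  rhel7stig::exclude:
  - v204444
  - V204397
  - 204429
  rhel7stig::grub_passwd_hash: grub.pbkdf2.sha512.10000.PLACEHOLDERSALT.PLACEHOLDERHASH
  rhel7stig::v204509::remote_server: '10.10.10.1'
  rhel7stig::v204444::admins:
  '%wheel': 'sysadm_u'
YAML

# Keys the page lists as required; the module fails without them.
REQUIRED_KEYS = %w[
  rhel7stig::grub_passwd_hash
  rhel7stig::v204509::remote_server
  rhel7stig::v204574::syslog_host
].freeze

# Returns a list of human-readable problems found in the hiera YAML text.
def lint_rhel7stig_hiera(yaml_text)
  data = YAML.safe_load(yaml_text) || {}
  problems = []
  REQUIRED_KEYS.each do |key|
    problems << "missing required key #{key}" if data[key].to_s.strip.empty?
  end

  hash = data['rhel7stig::grub_passwd_hash'].to_s
  unless hash.empty? || hash.start_with?('grub.pbkdf2.sha512.')
    problems << 'grub_passwd_hash does not look like grub2-mkpasswd-pbkdf2 output'
  end

  # Class names are a lower-case "v" followed by the vulnerability ID number.
  Array(data['rhel7stig::exclude']).each do |name|
    next if name.to_s.match?(/\Av\d+\z/)
    problems << "exclude entry #{name.inspect} is not of the form v<digits>"
  end

  # A mapping whose entries lost their indentation parses as nil, not a Hash.
  admins_key = 'rhel7stig::v204444::admins'
  if data.key?(admins_key) && !data[admins_key].is_a?(Hash)
    problems << "#{admins_key} must be a hash of user or group to SELinux user"
  end
  problems
end
```
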

Usage

Many of the STIG classes do not attempt to force a configuration change. Instead, they use facts to report on the compliance status. For example, if the '/home' path is not on a separate file system, the class makes no attempt to re-partition the system. Instead, the discrepancy is noted with the logged event:

SECURITY WARNING! "/home" should be on a separate file system

Review the puppet output or reports and address the 'SECURITY WARNING' messages as needed by following this general process:

  1. Modify the build/deployment process to create separate file systems as required
  2. Define new or update existing puppet resources for security settings like mount options, DNS, and NTP servers, etc.
  3. Observe results of previous steps against remaining security warnings from later puppet runs
  4. Verify reported security warnings against collected facts and resources defined in the environment, correcting as needed.
  5. Finally, when unable to resolve findings due to operational requirements, disable the class in hiera to quiet the security warnings.
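
Step 3 of this process, comparing the remaining warnings against an earlier run, can be done mechanically. The following Ruby sketch is an added example, not part of the module: the function names are hypothetical, the log lines are constructed, and only the 'SECURITY WARNING! ...' text follows the page (the "Warning:" prefix and the "/var" and "/tmp" messages are assumptions).

```ruby
require 'set'

# Constructed puppet output from two runs on the same host.
EARLIER_RUN = <<~LOG
  Warning: SECURITY WARNING! "/home" should be on a separate file system
  Warning: SECURITY WARNING! "/var" should be on a separate file system
  Notice: Applied catalog in 41.02 seconds
LOG

LATER_RUN = <<~LOG
  Warning: SECURITY WARNING! "/var" should be on a separate file system
  Warning: SECURITY WARNING! "/tmp" should be on a separate file system
  Notice: Applied catalog in 38.77 seconds
LOG

MARKER = 'SECURITY WARNING!'

# Collects the distinct warning messages (the text after the marker)
# from one run's output, ignoring ANSI colour codes in terminal captures.
def security_warnings(output)
  output.each_line.with_object(Set.new) do |raw, found|
    line = raw.gsub(/\e\[[\d;]*m/, '')
    idx = line.index(MARKER)
    next unless idx

    msg = line[(idx + MARKER.length)..-1].strip
    found << msg unless msg.empty?
  end
end

# Splits warnings into those fixed since the earlier run, those still
# present, and those that appeared only in the later run.
def compare_runs(earlier, later)
  before = security_warnings(earlier)
  after = security_warnings(later)
  {
    resolved: (before - after).sort,
    remaining: (before & after).sort,
    new: (after - before).sort
  }
end
```
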

note

Many of the STIG puppet classes require data from custom facts produced by the "kgi-secfacts" module. Ensure this module is assigned to nodes to manage collection of the basic facts that support this STIG. See the Security Facts (secfacts) documentation for details.

Limitations

This module works with Red Hat and CentOS 7 only.
