SCAP Hardening CentOS 6

I just finished making my base Ansible role fully SCAP compliant (based on the DISA STIG I think). It doesn’t appear to have broken anything but I will need to test it thoroughly before I put it into production. I can tell that this configuration is going to make working with the systems more difficult. That’s OK though. I value security over convenience. I can see also that the automated CM tools make a big difference in this area. They make systems administration much easier on hardened systems.

Some of the biggest changes with this hardening are:

  • Locked down partition scheme (extensive use of noexec for example)
  • Strict password requirements
  • Increased auditing of changes that could affect security
  • Added kernel parameters (not as many as I had expected though)
  • Locked down SSH settings (no root login, etc.)

On a lighter note (server hardening doesn’t have many) it requires a login banner so I had the chance to add a very scary and official-looking one. I hope the hackers are suitably impressed.

You can use the test suite I mentioned in a previous post to validate your compliance. It does seem to have issues. Despite being certain that I have implemented the guidelines correctly, it still marks some of the tests ‘fail’. I suspect the compliance test code has some bugs. The two guidelines I expect to fail are the aide and rsyslog checks. I have replaced aide with OSSEC and may not use rsyslog as my primary logging client.

I hope to post my Ansible configuration soon. I will post it on GitHub. I just need to figure out how to remove my local configuration details while still making it function correctly.

Update (May 2014): you can audit STIG compliance using serverspec with these tests I’ve uploaded to GitHub.
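As an added illustration (not the post's Ansible role or the author's serverspec tests), here is a plain Ruby audit of two of the items listed above, SSH root login disabled and noexec on /tmp and /dev/shm, run over constructed sample files so it works offline; the file contents, the chosen mount points and the banner check are assumptions, and a real check would read /etc/ssh/sshd_config and /etc/fstab on the host.

```ruby
# Constructed sample sshd_config: a hardened file has PermitRootLogin no.
SAMPLE_SSHD_CONFIG = <<~CFG
  # sshd_config (constructed sample)
  Protocol 2
  PermitRootLogin no
  PermitEmptyPasswords no
  Banner /etc/issue
CFG

# Constructed sample /etc/fstab: /tmp and /dev/shm noexec, /home left open.
SAMPLE_FSTAB = <<~FSTAB
  /dev/mapper/vg-root /        ext4  defaults                1 1
  /dev/mapper/vg-tmp  /tmp     ext4  nodev,nosuid,noexec     1 2
  tmpfs               /dev/shm tmpfs nodev,nosuid,noexec     0 0
  /dev/mapper/vg-home /home    ext4  defaults                1 2
FSTAB

# Parse sshd_config into {keyword => value}. Keywords are case-insensitive and
# the first occurrence wins, which is how sshd itself resolves duplicates.
def parse_sshd_config(text)
  opts = {}
  text.each_line do |line|
    line = line.sub(/#.*/, '').strip
    next if line.empty?
    key, value = line.split(/\s+/, 2)
    opts[key.downcase] ||= value
  end
  opts
end

# Parse fstab into {mount_point => [mount options]}, skipping comments.
def parse_fstab(text)
  mounts = {}
  text.each_line do |line|
    line = line.sub(/#.*/, '').strip
    next if line.empty?
    _dev, mnt, _type, opts = line.split(/\s+/, 5)
    mounts[mnt] = opts.split(',')
  end
  mounts
end

# Return the list of failed checks; an empty array means these items pass.
def stig_findings(sshd_text, fstab_text)
  findings = []
  sshd = parse_sshd_config(sshd_text)
  findings << 'PermitRootLogin must be no' unless sshd['permitrootlogin'] == 'no'
  findings << 'Banner must be set' unless sshd.key?('banner')
  mounts = parse_fstab(fstab_text)
  %w[/tmp /dev/shm].each do |mnt|
    findings << "#{mnt} must be mounted noexec" unless mounts.fetch(mnt, []).include?('noexec')
  end
  findings
end
```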


Categories: Security
