Commit d258a85

author
mooreja
committed
modified: Readme
1 parent 579df11 commit d258a85

1 file changed

Lines changed: 27 additions & 22 deletions

Readme

@@ -1,44 +1,46 @@
1-
stig based system security lockdown
1+
stig based Ubuntu Server security lockdown
22
====
33

44
JAM
55
LMN Solutions
66
Version 0.9
7-
May 2014
7+
August 2014
88

9-
The scripts in this project are designed to secure Ubuntu 12.04. The scripts are based
10-
on the DISA unclassified STIG documentation for securing Redhat, as well as general DISA guidelines
11-
for applications and operating systems. They automate securing a system OS or database based on a
12-
review of the STIG documentation and guidelines.
9+
The scripts are based on the DISA unclassified STIG documentation for securing Redhat, as well as general DISA guidelines
10+
for unix, applications and operating systems. They automate securing an Ubuntu 12.3 and 12.4 OS based on a
11+
review of several STIG documents and guidelines.
1312

14-
The OS lockdown is designed and tested for Ubuntu 12.03 and 12.04 LTS.
15-
16-
The scripts are designed for the ROGUE JCTD project and decisions are based on that project.
17-
The scripts are compatible or configurable with other Ubuntu 12.03 or 12.04.
18-
19-
A Postgresql database script may eventually be written. PostGIS is the database of choice for the project
20-
and is part of the Geoserver distribution primarily for admin purposes but ROGUE is using this distribution
21-
database for an open distribution, single server distribution architecture.
13+
The intent of the script is to provide an open source STIG based lockdown of a systemi and is provided as is.
14+
It is a reference implementation for locking down an Ubuntu OS and could form the basis for a more formal
15+
implementation.
2216

2317
There are implementation specific considerations that are identified in the lockdown report. Adding the
2418
report with this distribution has not been decided yet.
2519

26-
The scripts only correct findings not found to be compliant with the DISA STIG or guides. If the OS out of the box
27-
meets the lockdown then no fix was scripted. A manual review was conducted of all CATI and CATII. CATIII items were not reviewed.
20+
The scripts only correct findings not found to be compliant with the DISA STIG and guides. It was also designed for
21+
the ROGUE project so checks are based on the project requirements and not the list checks. If the OS out of the box
22+
meets the lockdown then no fix was scripted unless the project added functionality that required a check.
23+
A manual review was conducted of CATI and CATII. CATIII items were not reviewed.
2824

2925
In some cases findings were considered "site specific issues" and are not addressed in the scripts, nor are findings deemed out of scope.
30-
An example of this is Postgres not using a FIPS compliant algorithm to secure passwords. The project these scripts are designed for
31-
will not address those issues.
26+
An example of this is logging on remote servers or saving logs for five years. These scripts will not address those issues.
27+
28+
The scripts will run successfully immediately after the OS is installed if system configuration is required, such as setting up the system
29+
domain so the mail server can be configured properly. Otherwise some reconfiguration may be required later.
30+
31+
Some notes on the installation of these lockdowns are provided in the GeoShape installation guide.
3232

3333
To Do:
3434

35-
A complete "To Do" list will be compiled later but for now this is what I am working on:
35+
- Output results to a report
36+
- Fix remainder of functions not checking for previous lockdown
37+
- Provide consistant result statements for the functions
3638

3739
Completed:
3840

39-
- Break all the rule lockdowns into separate functions and add a function call list to the top. This way the executed functions can be adjusted to testing / trouble shooting.
40-
- Better function checking instead of abrupt breaks.
41-
- Checks to see if a lockdown has been conducted before conducting the lockdown.
41+
- Tripwire installs with a configured template instead of the default. The previous template had syntax and duplicate policies. The new template fixes those issues.
42+
- Added new checks to several of the functions to check if these policies are already in place. Previously they just ran the check without any checking.
43+
- Break all the rule lockdowns into separate functions and add a function call list to the top. Functions can be adjusted for testing / trouble shooting / desired lockdowns.
4244
- Can reuse the script as a lockdown script. Before was designed for a fresh install only. It is now suitable for later use.
4345

4446
Still to do (some of them anyway):
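
Review bot: New line 10 says the scripts secure "an Ubuntu 12.3 and 12.4 OS", while the removed lines named the releases as "Ubuntu 12.04" and "12.03 and 12.04 LTS", and the removed sentence stating what the lockdown was "designed and tested for" has no replacement. State the tested release(s) once, in one consistent form, so a reader knows which systems the lockdown was actually validated on. The sentence at new lines 28-29 ("will run successfully immediately after the OS is installed if system configuration is required") reads as if the condition is inverted or a word is missing; say explicitly what must be configured before the run (the text mentions the system domain for the mail server). New line 21 says checks follow the ROGUE project requirements "and not the list checks", so the Readme should point to where those requirements are listed, since they determine which CATI and CATII findings are covered. New line 42 says the functions previously "just ran the check without any checking", which presumably means they ran the lockdown without checking. Typos: "systemi" (new line 13), "consistant" (new line 37), and "syntax and duplicate policies" (new line 41) appears to be missing "errors".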
@@ -48,3 +50,6 @@ Still to do (some of them anyway):
4850
out of the postgres application directory.
4951
- SV-760r6_rule. Remove postgres direct login. A decision still has to be made about the vagrant account.
5052

53+
Known bugs:
54+
55+
- /var/spool/cron/atjobs check is not correctly reading or setting the directory permission settings
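
Review bot: The known-bug entry at new line 55 does not say which function or rule performs the /var/spool/cron/atjobs check, or what permissions the directory ends up with when the check misreads or mis-sets them. Because the Completed list says the script can now be rerun as a lockdown script on an existing system, a reader needs to know whether a run can leave this directory with different permissions than intended. Name the function or rule ID, as is done for SV-760r6_rule just above, and give the expected permission setting so the result can be verified by hand after a run.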
