Some rules can be fine-tuned by changing their variables. However, the STIG benchmark ships some variables with placeholder values that must be customised before the hardening scripts can be applied correctly and the audit can check them properly.
For additional information on variables, check the usg-variables(7) man page.
Rules that must be customised
The list of variables below contains a brief explanation of the variables which must be customised and what rules they are related to.
Rule id: var_audispd_remote_server
Title: Remote server for audispd to send audit records
Description: The setting for remote_server in /etc/audisp/audisp-remote.conf
Rules limitations
A few rules provided by the STIG profile require manual inspection and fix.
Rule id: auditd_offload_logs
Title: Offload audit Logs to External Media
Description: Offloading is a common process in information systems with limited audit storage capacity. NOTE: This script is not provided by default as different consumers have different needs.
Check if there is a script in the “/etc/cron.weekly” directory that offloads audit data:
$ sudo ls /etc/cron.weekly
audit-offload
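The page leaves the offload script to the consumer; the following is an added, constructed example of what such a weekly job could look like (not provided by USG). It assumes auditd writes to /var/log/audit, rotated files are named audit.log.N, and the external media is mounted at /mnt/audit-offload; all three are assumptions.

```shell
#!/bin/sh
# Constructed example of a weekly offload job, e.g. /etc/cron.weekly/audit-offload.
# Assumptions (not from the USG page): auditd writes to /var/log/audit, rotated
# files are named audit.log.N, and external media is mounted at /mnt/audit-offload.
set -eu

AUDIT_DIR="${AUDIT_DIR:-/var/log/audit}"
OFFLOAD_DIR="${OFFLOAD_DIR:-/mnt/audit-offload}"

# offload_audit_logs SRC DST
# Bundles every rotated audit log in SRC into a timestamped tar archive in DST,
# writes a SHA-256 checksum beside it and prints the archive path. The live
# audit.log is deliberately left out so auditd keeps writing to it undisturbed.
offload_audit_logs() {
    src="$1"; dst="$2"
    [ -d "$src" ] || { echo "audit directory $src not found" >&2; return 1; }
    # Refuse to write into an unmounted directory: that would silently fill the
    # root filesystem instead of the external media. REQUIRE_MOUNTPOINT=0 is a
    # hook for exercising the function where no real mount exists.
    if [ "${REQUIRE_MOUNTPOINT:-1}" = 1 ] && ! mountpoint -q "$dst"; then
        echo "$dst is not a mounted volume, refusing to offload" >&2; return 1
    fi
    # Only rotated logs (audit.log.1, audit.log.2, ...) are collected.
    names=$(cd "$src" && ls audit.log.[0-9]* 2>/dev/null) || true
    [ -n "$names" ] || { echo "no rotated audit logs in $src" >&2; return 2; }
    umask 077                               # audit data is sensitive: owner-only files
    archive="$dst/audit-$(uname -n)-$(date -u +%Y%m%dT%H%M%SZ).tar.gz"
    # $names is intentionally unquoted: one file name per word, no spaces in them.
    (cd "$src" && tar -czf "$archive" $names)
    (cd "$dst" && sha256sum "$(basename "$archive")" > "$archive.sha256")
    echo "$archive"
}

# Act as the cron job only when installed under that name, so the function
# can also be sourced and exercised separately.
case "$0" in
    */audit-offload) offload_audit_logs "$AUDIT_DIR" "$OFFLOAD_DIR" ;;
esac
```

The local copies are kept; pruning them remains the job of auditd's max_log_file_action so that the audit rule's retention is not bypassed by this script.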
Rule id: auditd_audispd_configure_sufficiently_large_partition
Title: Configure a Sufficiently Large Partition for Audit Logs
Description: The rule requires a sufficiently large partition for storing at least one week’s worth of audit logs. As this is highly dependent on the end-user’s environment, the check and remediation for the rule are not implemented and must be performed manually.
Rule id: is_fips_mode_enabled
Title: Verify /proc/sys/crypto/fips_enabled exists
Description: This rule will verify if the system is in FIPS mode. A manual fix is required in case it is not. For more information on how to run the system in FIPS-140 mode, please see https://ubuntu.com/security/certifications/docs/2204/fips
Rule id: install_endpoint_security_software
Title: Install an Endpoint Security Software
Description: This rule requires a third-party software to be installed. A manual fix is required if the software is not available.
Rule id: smartcard_pam_enabled
Title: Enable Smart Card Logins in PAM
Description: This rule requires that the pam_pkcs11.so module is added to the PAM authentication stack. Due to the potential complexity of PAM configurations, and the risk of lock-out, the automated remediation has been disabled.
Add the following to the top of the stack in /etc/pam.d/common-auth, replacing N with the correct number of jumps:
auth [success=N default=ignore] pam_pkcs11.so
e.g.
auth [success=3 default=ignore] pam_pkcs11.so
auth [success=2 default=ignore] pam_unix.so nullok
auth [success=1 default=ignore] pam_sss.so use_first_pass
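Because a wrong jump count is a lock-out path, it is worth checking N before logging out. The following is an added check, not part of USG, that reads a common-auth style file and confirms that success=N on the pam_pkcs11.so line skips exactly the modules up to and including pam_deny.so so a successful card login lands on pam_permit.so; the function name and the sample file are assumptions.

```shell
#!/bin/sh
# Added check (not part of USG): validate the success=N jump on the pam_pkcs11.so
# line of a common-auth style file before relying on it for smart-card logins.
# With the right N a successful card login skips every remaining auth module up
# to and including pam_deny.so and lands on pam_permit.so. Too small an N falls
# through to the password modules (or pam_deny), too large an N jumps off the
# end of the stack, which PAM treats as a failure: both are lock-out paths.
# Prints "ok N" or "expected X got N"; exit status 0 only when they match.
check_pkcs11_jumps() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }          # comments and blank lines
        $1 != "auth" { next }                   # jumps count auth lines only
        {
            n++                                  # position of this auth line
            if ($0 ~ /pam_pkcs11\.so/) {
                pk = n
                if (match($0, /success=[0-9]+/))
                    got = substr($0, RSTART + 8, RLENGTH - 8)
            }
            if (pk && !permit && $0 ~ /pam_permit\.so/) permit = n
        }
        END {
            if (!pk) { print "pam_pkcs11.so not found"; exit 1 }
            if (!permit) { print "no pam_permit.so after pam_pkcs11.so"; exit 1 }
            want = permit - pk - 1               # modules that must be skipped
            if (got + 0 == want) { print "ok " got; exit 0 }
            print "expected " want " got " got; exit 1
        }' "$1"
}
```

Run it as `check_pkcs11_jumps /etc/pam.d/common-auth` from a session that stays open until it reports ok.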
Rule id: grub2_password
Title: Set Boot Loader Password in grub2
Description: To prevent hard-coded passwords, automated remediation of this rule is not available. Remediation must be automated as a component of machine provisioning, or performed manually.
- Generate the password:
$ grub-mkpasswd-pbkdf2
- Add the following lines to /etc/grub.d/40_custom:
set superusers="root"
password_pbkdf2 root GENERATED_PASSWORD
- Update grub
$ sudo update-grub
Rule id: check_ufw_active
Title: Verify ufw Active
Description: The UFW firewall should be enabled and active. The rule does not enable the firewall automatically to avoid lock-out.
To remediate, run:
$ ufw enable
Rule id: ufw_rate_limit
Title: ufw Must rate-limit network interfaces
Description: This rule requires that UFW be enabled and configured to rate-limit all services. The firewall is not configured and enabled automatically, to avoid lock-out.
To remediate, determine all listening services and set the rate-limit:
$ ss -l46ut
$ ufw limit SERVICE_NAME
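Turning the `ss -l46ut` listing into the matching `ufw limit` commands by hand is error-prone on a host with many listeners. The following is an added helper, not part of USG, that parses that output and prints one `ufw limit PORT/PROTO` line per reachable listener; it assumes that loopback-only sockets can be skipped because they are not reachable through the firewall, and the sample listing is constructed.

```shell
#!/bin/sh
# Added helper (not part of USG): turn the listener list from `ss -l46ut` into
# the matching `ufw limit PORT/PROTO` commands. Loopback-only listeners are
# skipped on the assumption that they are unreachable from the network and so
# have nothing for ufw to rate-limit; every other tcp/udp listener gets a rule.
# Usage: ss -l46ut | limit_rules_from_ss   (prints the commands for review;
# pipe them into `sudo sh` only after checking the list)

limit_rules_from_ss() {
    awk 'NR > 1 && ($1 == "tcp" || $1 == "udp") {
        port = $5; sub(/.*:/, "", port)          # text after the last ":"
        addr = $5; sub(/:[^:]*$/, "", addr)      # text before the last ":"
        sub(/%.*/, "", addr)                     # drop a %iface scope suffix
        gsub(/\[|\]/, "", addr)                  # drop IPv6 brackets
        if (addr ~ /^127\./ || addr == "::1") next
        if (port ~ /^[0-9]+$/) print "ufw limit " port "/" $1
    }' | LC_ALL=C sort -u                        # v4 and v6 sockets on one port collapse
}

# Constructed sample of `ss -l46ut` output used to exercise the helper offline.
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0      127.0.0.53%lo:53   0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:68         0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:631      0.0.0.0:*
tcp   LISTEN 0      128    [::]:22            [::]:*
tcp   LISTEN 0      4096   *:9090             *:*'

printf '%s\n' "$SAMPLE_SS" | limit_rules_from_ss
```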
Rule id: encrypt_partitions
Title: Encrypt Partitions
Description: The system should be configured to prevent unauthorized disclosure or modification of all information requiring at-rest protection by using disk encryption.
The rule presently does not perform this check and it must be done manually.
Rule id: account_temp_expire_date
Title: Assign Expiration Date to Temporary Accounts
Description: This rule is not automated as temporary accounts cannot be differentiated from regular accounts.
Rule id: temp_passwords_immediate_change
Title: Policy Requires Immediate Change of Temporary Passwords
Description: This rule is not automated as temporary accounts cannot be differentiated from regular accounts.
Rule id: sudo_group_restricted
Title: Ensure sudo group has only necessary members
Description: This rule is not automated because sudo users are unique to the end-user’s environment.
Verify only authorized users are in the sudo group:
$ grep sudo /etc/group
Rule id: ufw_only_required_services
Title: Only Allow Authorized Network Services in ufw
Description: This rule is not automated because the list of authorized network services is unique to the end-user’s environment.
Rule id: only_allow_dod_certs
Title: Only Allow DoD PKI-established CAs
Description: The rule is not automated. It requires that all certificates found in /etc/ssl/certs are approved by the AO.