Applied DISA STIG security profile, but not all settings are made

I have a brand new server that was built using the Red Hat security profile that applies the DISA STIGs. I assumed it would apply all of the required settings except for the partitioning, which I applied myself, or it wouldn't go any further in the installation.

When I scanned the machine after it was finished installing using Nessus, it came back with over 150 failures. Some of those are easily explained, like McAfee is not installed and there is no host integrity solution installed. Some basic settings like requiring a local user's password history to be set to 5 did not get set.

Am I missing something, or do I need to go back and apply all of the settings manually?

Mike

Responses

There are numerous "false positives" with any given STIG checker.

Without being able to evaluate your results and your system (do not share them here; for some groups, scores and specific findings are not allowed to be shared, so see your security office for your corporation), it would be rather tough to determine what specifically was the issue.

When we scan our systems, we evaluate each item, then determine whether its "failure" for any given requirement is actually correct, or if it is incorrect. We have, for instance, various systems where we have 93.94% compliance (not using Nessus in our case), and of this score there are about 10 false positives.

We use a different product than Nessus, one we are mandated by our corporation to use. In principle, it requires actually going down in the weeds of each and every requirement.

We have scripts we produced for every STIG requirement, and our STIG scripts apply the requirement if it is not there; if it is there, they do not re-apply it. If STIG requirements get applied twice (such as Ciphers in /etc/ssh/sshd_config, for example), it also triggers a false positive (not saying this is what happened in your case, but something to be aware of).

We got tired of this being a manual process and wrote our own scripts (described above). STIG implementation ought to be handled cautiously, and this is a rather obvious statement; however, there are some STIGs that will cause some needed thing on your system to not function. Many will read this and assign the obvious humor of "STIGs break your system," and in principle I'd agree (because they haven't done it properly). However, our systems are easily over 90% compliant (generally much higher than that), and our systems function properly because we've taken the time to implement our STIGs properly, so our systems actually function.

There is generally not an easy way; use caution, and good luck.

Regards

RJ
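The apply-once behaviour RJ describes (set a directive if it is absent, leave it alone if it is already correct, and never end up with two copies of Ciphers in sshd_config) looks roughly like this in POSIX sh. This is an added example, not RJ's scripts or any Red Hat tooling; the helper names, the sample sshd_config contents and the cipher list are constructed for illustration and are not the STIG-mandated value, and the demo works on a temporary copy rather than the real /etc/ssh/sshd_config.

```shell
#!/bin/sh
# check_directive FILE KEY VALUE
# Succeeds only if FILE contains exactly one uncommented KEY line and it
# carries VALUE. A duplicate line, or a different value, is a failure,
# which is what a STIG checker would flag.
check_directive() {
    file=$1; key=$2; value=$3
    n=$(grep -Ec "^[[:space:]]*${key}[[:space:]]" "$file" || true)
    if [ "$n" -eq 1 ] &&
       grep -Eq "^[[:space:]]*${key}[[:space:]]+${value}[[:space:]]*$" "$file"; then
        return 0
    fi
    return 1
}

# ensure_directive FILE KEY VALUE
# Idempotent apply: if the file is already compliant, touch nothing;
# otherwise strip every existing KEY line and append exactly one.
ensure_directive() {
    file=$1; key=$2; value=$3
    if check_directive "$file" "$key" "$value"; then
        return 0   # already compliant and unique: do not re-apply
    fi
    tmp="${file}.tmp"
    grep -Ev "^[[:space:]]*${key}[[:space:]]" "$file" > "$tmp" || true
    printf '%s %s\n' "$key" "$value" >> "$tmp"
    mv "$tmp" "$file"
}

# Demo on a constructed sshd_config copy: one directive is duplicated,
# which is the "applied twice" case that trips the checker.
demo_file=$(mktemp)
printf 'Port 22\nCiphers aes128-cbc\nCiphers aes128-cbc\nPermitRootLogin no\n' \
    > "$demo_file"
want_ciphers='aes256-ctr,aes192-ctr,aes128-ctr'   # constructed value
check_directive "$demo_file" Ciphers "$want_ciphers" \
    && echo "before: compliant" || echo "before: non-compliant"
ensure_directive "$demo_file" Ciphers "$want_ciphers"
ensure_directive "$demo_file" Ciphers "$want_ciphers"   # second run is a no-op
check_directive "$demo_file" Ciphers "$want_ciphers" \
    && echo "after: compliant" || echo "after: non-compliant"
rm -f "$demo_file"
```

Running check_directive on its own after the apply step is the cheap local verification to do before re-running the scanner, since it catches the duplicate-line case the scanner reports as a failure.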