Add stig state

pillar/top.sls

@@ -65,6 +65,7 @@ base:
     - soctopus.adv_soctopus
     - minions.{{ grains.id }}
     - minions.adv_{{ grains.id }}
+    - stig.soc_stig
 
   '*_sensor':
     - healthcheck.sensor
@@ -80,6 +81,8 @@ base:
     - suricata.adv_suricata
     - minions.{{ grains.id }}
     - minions.adv_{{ grains.id }}
+    - stig.soc_stig
+    - soc.license
 
   '*_eval':
     - secrets
@@ -180,6 +183,7 @@ base:
     - suricata.adv_suricata
     - minions.{{ grains.id }}
     - minions.adv_{{ grains.id }}
+    - stig.soc_stig
 
   '*_heavynode':
     - elasticsearch.auth
@@ -222,6 +226,8 @@ base:
     - redis.adv_redis
     - minions.{{ grains.id }}
     - minions.adv_{{ grains.id }}
+    - stig.soc_stig
+    - soc.license
 
   '*_receiver':
     - logstash.nodes

salt/allowed_states.map.jinja

@@ -102,7 +102,8 @@
           'utility',
           'schedule',
           'soctopus',
-          'docker_clean'
+          'docker_clean',
+          'stig'
           ],
       'so-managersearch': [
           'salt.master',
@@ -123,15 +124,17 @@
           'utility',
           'schedule',
           'soctopus',
-          'docker_clean'
+          'docker_clean',
+          'stig'
           ],
       'so-searchnode': [
           'ssl',
           'nginx',
           'telegraf',
           'firewall',
           'schedule',
-          'docker_clean'
+          'docker_clean',
+          'stig'
           ],
       'so-standalone': [
           'salt.master',
@@ -156,7 +159,8 @@
           'schedule',
           'soctopus',
           'tcpreplay',
-          'docker_clean'
+          'docker_clean',
+          'stig'
           ],
       'so-sensor': [
           'ssl',
@@ -168,7 +172,8 @@
           'healthcheck',
           'schedule',
           'tcpreplay',
-          'docker_clean'
+          'docker_clean',
+          'stig'
           ],
       'so-fleet': [
           'ssl',

salt/common/tools/sbin/so-common-status-check

@@ -8,6 +8,7 @@
 import sys
 import subprocess
 import os
+import json
 
 sys.path.append('/opt/saltstack/salt/lib/python3.10/site-packages/')
 import salt.config
@@ -36,17 +37,62 @@ def check_needs_restarted():
   with open(outfile, 'w') as f:
     f.write(val)
 
+def check_for_fips():
+    os = __grains__['os']
+    fips = False
+    # Only checking fully supported OS
+    if os == 'OEL':
+        try:
+            result = subprocess.run(['fips-mode-setup', '--is-enabled'], check=True, stdout=subprocess.PIPE)
+            fips = result.returncode == 0
+        except FileNotFoundError:
+            with open('/proc/sys/crypto/fips_enabled', 'r') as f:
+                contents = f.read()
+                if '1' in contents:
+                    fips = True
+                else:
+                    fips = False
+        return fips
+
+def check_for_luks():
+    os = __grains__['os']
+    luks = False
+    # Only checking fully supported OS
+    if os == 'OEL':
+        result = subprocess.run(['lsblk', '-p', '-J'], check=True, stdout=subprocess.PIPE)
+        data = json.loads(result.stdout)
+        for device in data['blockdevices']:
+            if 'children' in device:
+                for gc in device['children']:
+                    if 'children' in gc:
+                        try:
+                            result = subprocess.run(['cryptsetup', 'isLuks', gc['name']], check=True, stdout=subprocess.PIPE)
+                            luks = result.returncode == 0
+                        except FileNotFoundError:
+                            for ggc in gc['children']:
+                                if 'crypt' in ggc['type']:
+                                    luks = True
+            if luks:
+                break
+        return luks
+
+def check_features():
+    fips = check_for_fips()
+    luks = check_for_luks()
+    with open('/opt/so/log/sostatus/features-check.log', 'w') as f:
+       f.write("featuresdetected fips={},luks={}".format(fips,luks))
+
 def fail(msg):
   print(msg, file=sys.stderr)
   sys.exit(1)
 
-
 def main():
   proc = subprocess.run(['id', '-u'], stdout=subprocess.PIPE, encoding="utf-8")
   if proc.stdout.strip() != "0":
     fail("This program must be run as root")
 
   check_needs_restarted()
+  check_features()
 
 if __name__ == "__main__":
   main()

salt/repo/client/files/oracle/yum.conf.jinja

@@ -7,6 +7,7 @@ logfile=/var/log/yum.log
 exactarch=1
 obsoletes=1
 gpgcheck=1
+localpkg_gpgcheck=1
 plugins=1
 installonly_limit={{ salt['pillar.get']('yum:config:installonly_limit', 2) }}
 bugtracker_url=http://bugs.centos.org/set_project.php?project_id=23&ref=http://bugs.centos.org/bug_report_page.php?category=yum

salt/stig/defaults.yaml

@@ -0,0 +1,3 @@
+stig:
+  enabled: False
+  run_interval: 12

salt/stig/disabled.sls

@@ -0,0 +1,15 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+
+stig_remediate_schedule:
+  schedule.absent
+
+remove_stig_script:
+  file.absent:
+    - name: /usr/sbin/so-stig
+{% endif %}

salt/stig/enabled.sls

@@ -0,0 +1,82 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+#
+# Note: Per the Elastic License 2.0, the second limitation states:
+#
+#   "You may not move, change, disable, or circumvent the license key functionality
+#    in the software, and you may not remove or obscure any functionality in the
+#    software that is protected by the license key."
+
+{% from 'vars/globals.map.jinja' import GLOBALS %}
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states and GLOBALS.os == 'OEL' %}
+{%   if 'stig' in salt['pillar.get']('features', []) %}
+oscap_packages:
+  pkg.installed:
+    - skip_suggestions: True
+    - pkgs:
+      - openscap
+      - openscap-scanner
+      - scap-security-guide
+
+make_some_dirs:
+  file.directory:
+    - name: /opt/so/log/stig
+    - user: socore
+    - group: socore
+    - makedirs: True
+
+make_more_dir:
+  file.directory:
+    - name: /opt/so/conf/stig
+    - user: socore
+    - group: socore
+    - makedirs: True
+
+update_stig_profile:
+  file.managed:
+    - name: /opt/so/conf/stig/sos-oscap.xml
+    - source: salt://stig/files/sos-oscap.xml
+    - user: socore
+    - group: socore
+    - mode: 0644
+
+update_remediation_script:
+  file.managed:
+    - name: /usr/sbin/so-stig
+    - source: salt://stig/files/so-stig
+    - user: socore
+    - group: socore
+    - mode: 0755
+    - template: jinja
+
+remove_old_stig_log:
+  file.absent:
+    - name: /opt/so/log/stig/stig-remediate.log
+
+run_remediation_script:
+  cmd.run:
+    - name: so-stig > /opt/so/log/stig/stig-remediate.log
+    - hide_output: True
+    - success_retcodes:
+      - 0
+      - 2
+
+{%   else %}
+{{sls}}_no_license_detected:
+  test.fail_without_changes:
+    - name: {{sls}}_no_license_detected
+    - comment:
+      - "The application of STIGs is a feature supported only for customers with a valid license.
+      Contact Security Onion Solutions, LLC via our website at https://securityonionsolutions.com
+      for more information about purchasing a license to enable this feature."
+{%   endif %}
+
+{% else %}
+{{sls}}_state_not_allowed:
+  test.fail_without_changes:
+    - name: {{sls}}_state_not_allowed
+
+{% endif %}

salt/stig/files/so-stig

@@ -0,0 +1,77 @@
+#!/bin/bash
+#
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+#
+# Note: Per the Elastic License 2.0, the second limitation states:
+#
+#   "You may not move, change, disable, or circumvent the license key functionality
+#    in the software, and you may not remove or obscure any functionality in the
+#    software that is protected by the license key."
+
+stig_conf=/opt/so/conf/stig
+stig_log=/opt/so/log/stig
+
+. /usr/sbin/so-common
+
+logCmd() {
+	cmd=$1
+	echo "Executing command: $cmd"
+	$cmd
+}
+
+apply_stigs(){
+    if [ ! -f $stig_log/pre-oscap-report.html ]; then
+        oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_stig --results $stig_log/pre-oscap-results.xml --report $stig_log/pre-oscap-report.html /usr/share/xml/scap/ssg/content/ssg-ol9-ds.xml
+    fi
+
+    echo -e "\nRunning custom OSCAP profile to remediate applicable STIGs\n"
+    logCmd "oscap xccdf eval --remediate --profile xccdf_org.ssgproject.content_profile_stig --results $stig_log/results.xml $stig_conf/sos-oscap.xml"
+
+    # Setting Ctrl-Alt-Del action to none OSCAP rule id: xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_burstaction
+    if ! grep -q "^CtrlAltDelBurstAction=none$" /etc/systemd/system.conf; then
+        sed -i 's/#CtrlAltDelBurstAction=reboot-force/CtrlAltDelBurstAction=none/g' /etc/systemd/system.conf
+        logCmd "grep CtrlAltDelBurstAction /etc/systemd/system.conf"
+    fi
+
+    # Setting ctrl-alt-del.target to masked or /dev/null OSCAP rule id: xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_reboot
+    if systemctl is-enabled ctrl-alt-del.target | grep -q masked; then
+        echo "ctrl-alt-del.target is already masked"
+    else
+        echo "Redirecting ctrl-alt-del.target symlink to /dev/null"
+        logCmd "ln -sf /dev/null /etc/systemd/system/ctrl-alt-del.target"
+    fi
+
+    # Remove nullok from password-auth & system-auth OSCAP rule id: xccdf_org.ssgproject.content_rule_no_empty_passwords
+    sed -i 's/ nullok//g' /etc/pam.d/password-auth
+    sed -i 's/ nullok//g' /etc/pam.d/system-auth
+
+    # Setting PermitEmptyPasswords no in /etc/ssh/sshd_config OSCAP rule id: xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords
+    if grep -q "^#PermitEmptyPasswords no$" /etc/ssh/sshd_config; then
+        sed -i 's/#PermitEmptyPasswords no/PermitEmptyPasswords no/g' /etc/ssh/sshd_config
+        logCmd "grep PermitEmptyPasswords /etc/ssh/sshd_config"
+    else
+        logCmd "echo 'PermitEmptyPasswords no' >> /etc/ssh/sshd_config"
+    fi
+
+    # Setting PermitUserEnvironment no in /etc/ssh/sshd_config STIG rule id: SV-248650r877377
+    if grep -q "^#PermitUserEnvironment no$" /etc/ssh/sshd_config; then
+        sed -i 's/#PermitUserEnvironment no/PermitUserEnvironment no/g' /etc/ssh/sshd_config
+        logCmd "grep PermitUserEnvironment /etc/ssh/sshd_config"
+    else
+        logCmd "echo 'PermitUserEnvironment no' >> /etc/ssh/sshd_config"
+    fi
+
+
+    echo "Running OSCAP scan to verify application of STIGs"
+    oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_stig --results $stig_log/post-oscap-results.xml --report $stig_log/post-oscap-report.html /usr/share/xml/scap/ssg/content/ssg-ol9-ds.xml > /dev/null 2>&1
+}
+
+if is_feature_enabled "stig" >/dev/null 2>&1; then
+    echo -e "---------------------\nApplying STIGs\n---------------------"
+    apply_stigs
+else
+    echo "The application of STIGs is a feature supported only for customers with a valid license. Contact Security Onion Solutions, LLC via our website at https://securityonionsolutions.com for more information about purchasing a license to enable this feature."
+fi