intermediate STIG content push for backup
sounix000 committed Jan 25, 2024
1 parent 95156df commit 33b546d
Showing 6 changed files with 236 additions and 0 deletions.
236 changes: 236 additions & 0 deletions stig/xml/article_stig.xml
Expand Up @@ -445,6 +445,242 @@
</sect3>
</sect2>
</sect1>
<sect1 xml:id="stig-custom-tailoring">
<title>Applying a tailored &stiga; profile</title>

<para>
The standard or default &stiga; profile is sufficient for most
deployments. In addition, you can create and apply <emphasis>tailoring
files</emphasis> to tailor SCAP content and change its behaviour without
directly modifying the standard configurations.
</para>

<para>
The following sections provide examples of creating tailoring files using
either SCAP Workbench or the <command>autotailor</command> command-line
utility, and then applying the tailoring file using the
<command>ssg-apply</command> command-line utility.
</para>

<tip>
<title>Generalized tailoring</title>
<para>
Although the following sections provide example of tailoring for
&stiga; profile, you use similar procedure for tailoring other profiles
that are valid for your target system.
</para>
</tip>

<sect2 xml:id="stig-create-tailoring">
<title>Creating tailoring files</title>
<para>
Tailoring files are XML files containing information about the
deviation from the standard SCAP content for a profile. You create a
tailoring file when you override certain default rules of a standard
profile, and save that information along with necessary metadata as an
XML file. Once created, you can apply the tailoring file using a
suitable program such as the <command>ssg-apply</command> utility.
</para>
<para>
&suse; recommends using any one of the following methods of creating a
tailoring file:
</para>
<itemizedlist>
<listitem>
<para>
Manually, using the SCAP Workbench. This method is best suited when
you are unsure of the rules that you want to override in the
standard content of a profile, and would prefer the convenience of
a graphical software.
</para>
</listitem>
<listitem>
<para>
Automatically, using the <command>autotailor</command> command-line
tool which is bundled with the <package>openscap-utils</package>
package. This method is best suited when you sure of all the
information that you need to create a tailoring file.
</para>
</listitem>
</itemizedlist>
<sect3 xml:id="stig-create-tailoring-scap-workbench">
<title>Creating tailoring files using SCAP Workbench</title>
<para>
This section provides an example procedure for creating a tailoring
file based on the standard &stiga; profile, using the SCAP Workbench
graphical software. You can use a similar procedure to create
tailoring files for any other valid profile.
</para>
<para>
As a prerequisite, ensure that you have installed the necessary
packages, as described in the section
<link
xlink:href="https://documentation.suse.com/compliance/all/html/SLES-openscap/index.html#openscap-installation"></link>.
</para>
<procedure>
<step>
<para>
Start SCAP Workbench by invoking it on the terminal:
</para>
<screen>&prompt.user;<command>scap-workbench</command></screen>
</step>
<step>
<para>
Depending on whether you are using &sle; 15 or &sle; 12, select
either <guilabel>SLe15</guilabel> or <guilabel>SLe12</guilabel>
from the <guimenu>Select content to load</guimenu> drop-down
list. In this example procedure, we select
<guilabel>SLe15</guilabel>.
</para>
</step>
<step>
<para>
In the next window titled <guilabel>Guide to the Secure
Configuation of SUSE Linux Enterprise 15</guilabel>, perform the
following steps:
</para>
<substeps>
<step>
<para>
From the <guimenu>Profile</guimenu> drop-down list, select
the profile that you want to customize. In this example, we
select <guilabel>DISA &stiga; for SUSE Linux Enterprise 15
(242)</guilabel>. The number within parenthesis at the end of
the profile name represents the number of rules that comprise
your selected profile. For example, DISA &stiga; for SUSE
Linux Enterprise 15 has 242 rules.
</para>
</step>
<step>
<para>
<emphasis>Optionally</emphasis>, if your target is a remote
system, select the <guimenu>Remote Machine (over
SSH)</guimenu> and provide necessary infomation.
</para>
<para>
In this example procedure, we assume that the target system
is your <guimenu>Local Machine</guimenu>.
</para>
</step>
<step>
<para>
Click <guimenu>Customize</guimenu>, edit the <guilabel>New
Profile ID</guilabel> field if necessary, and click
<guimenu>OK</guimenu>. The default <guilabel>New Profile
ID</guilabel> provided by SCAP Workbench for the selected
profile is
<literal>xccdf_org.ssgproject.content_profile_stig_customized</literal>.
</para>
</step>
</substeps>
</step>
<step>
<para>
In the next window titled <guilabel>Customizing "DISA STIG for
SUSE Linux Enterprise 15 [CUSTOMIZED]"&dash;SCAP
Workbench</guilabel>, perform the following steps:
</para>
<substeps>
<step>
<para>
Override the default rules by selecting or deselecting them.
For example, we select the checkbox adjacent to the rule
<guilabel>Limit Users' SSH Access</guilabel> to further
harden the target system's access over SSH. You can select or
deselect multiple such rules.
</para>
<tip>
<title>When unsure, read the rule's description</title>
<para>
Before selecting or deselecting the checkbox adjacent to
the rule, you can click the rule and read the
<guilabel>Description</guilabel> provide at the right pane
of the window.
</para>
</tip>
</step>
<step>
<para>
When you are sure about the override of rules, click
<guimenu>OK</guimenu>.
</para>
</step>
</substeps>
</step>
<step>
<para>
On returning to the <emphasis>home</emphasis> window of SCAP
Workbench, notice that the <guilabel>Customization</guilabel>
field has changed to <guilabel>(unsaved changes)</guilabel>.
</para>
<para>
Using the menu at the top left of the window, save the
customization by clicking
<menuchoice><guimenu>File</guimenu><guimenu>Save Customization
Only</guimenu></menuchoice>.
</para>
<para>
When saved, the <guilabel>Customization</guilabel> field displays
the path to the tailoring file.
</para>
</step>
<step>
<para>
<emphasis>Optionally</emphasis>, inspect the tailoring file by
opening it with a text editor of your choice. Based on the
example override of rules, the tailoring file contains the
following information.
</para>
<screen><![CDATA[<?xml version="1.0" encoding="UTF-8"?>
<xccdf:Tailoring xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2" id="xccdf_scap-workbench_tailoring_default">
<xccdf:benchmark href="/tmp/scap-workbench-sbgnfq/ssg-sle15-ds.xml"/>
<xccdf:version time="2024-01-25T07:21:34">1</xccdf:version>
<xccdf:Profile id="xccdf_org.ssgproject.content_profile_stig_customized" extends="xccdf_org.ssgproject.content_profile_stig">
<xccdf:title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US" override="true">DISA STIG for SUSE Linux Enterprise 15 [CUSTOMIZED]</xccdf:title>
<xccdf:description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US" override="true">This profile contains configuration checks that align to the
DISA STIG for SUSE Linux Enterprise 15 V1R4.</xccdf:description>
<xccdf:select idref="xccdf_org.ssgproject.content_rule_sshd_limit_user_access" selected="true"/>
</xccdf:Profile>
</xccdf:Tailoring>]]></screen>
</step>
</procedure>
</sect3>
<sect3 xml:id="stig-create-taloring-autotailor">
<title>Creating tailoring files using <command>autotailor</command></title>
<para>
There might be deployments where installing a graphical software such
as SCAP Workbench is not suitable. In even more sensitive
deployments, the customization of a remote target machine over SSH
from a client machine running SCAP Workbench might also not be an
option.
</para>
<para>
In such situations, the <command>autotailor</command> command-line
tool that comes bundled with the <package>openscap-utils</package> is
a suitable choice. However, you must be sure of all information
necessary for creating the tailoring file.
</para>
<para>
To create a tailoring file with <command>autotailor</command>, use
the following syntax:
</para>
<screen>&prompt.user;autotailor \
--select <replaceable>RULE_ID</replaceable> --unselect <replaceable>RULE_ID</replaceable> --var-value <replaceable>VAR=VALUE</replaceable> \
--output <replaceable>TAILORING_FILE</replaceable> --new_profile_id <replaceable>NEW_PROFILE_ID</replaceable> \
<replaceable>DS_FILENAME</replaceable> <replaceable>BASE_PROFILE_ID</replaceable>
</screen>
</sect3>
</sect2>

<sect2 xml:id="stig-apply-tailoring">
<title>Applying tailoring file</title>
<para></para>
<sect3 xml:id="stig-apply-tailoring-autotailor">
<title>Applying tailoring file using <command>ssg-apply</command></title>
<para></para>
</sect3>
</sect2>
</sect1>
<sect1 xml:id="stig-viewer">
<title>Working with checklists in &stigviewer;</title>

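Review bot: the new xml:id values in this hunk need a pass before anything cross-references them: `stig-create-taloring-autotailor` misspells "tailoring", and `stig-apply-tailoring-autotailor` carries the title "Applying tailoring file using ssg-apply", so it should read `stig-apply-tailoring-ssg-apply`; the two `<para></para>` stubs under `stig-apply-tailoring` leave that sect2 and its sect3 empty, which matches the "intermediate" commit message but should either get the apply procedure or be dropped until it exists. In the `autotailor` synopsis the option spelling is inconsistent (`--var-value` and `--output` use hyphens, `--new_profile_id` uses an underscore); verify the exact spelling against `autotailor --help` before publishing, since a wrong separator fails on the command line. The sample tailoring file's `<xccdf:benchmark href="/tmp/scap-workbench-sbgnfq/ssg-sle15-ds.xml"/>` shows a per-session temporary path created by SCAP Workbench; a sentence telling readers that this path differs on their system, and which data stream the tailoring is applied against, would avoid confusion. The empty `<link xlink:href="...#openscap-installation"></link>` renders as a bare URL in the sentence "as described in the section", so give it link text. Minor wording: "provide example of tailoring" should be "provide examples of tailoring", "you use similar procedure" should be "you can use a similar procedure", "when you sure of" should be "when you are sure of", "Configuation" should be "Configuration", "infomation" should be "information", "Description provide at the right pane" should be "Description provided in the right pane", and "a graphical software" should be "graphical software".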
0 comments on commit 33b546d