The DISA Stig RHEL 8 Configuration Process


Security Technical Implementation Guides (STIGs) are configuration standards designed to protect Department of Defense (DoD) networks and systems by hardening hardware, software and devices running them. These STIGs play an essential role in preventing cybersecurity incidents while simultaneously keeping DoD agency networks resilient against external attacks.

DISA collaborates with vendors to develop STIGs that are both secure and functional. DISA has certified FileCloud for use on RHEL 8 so you can begin using it immediately.

Installation

The DISA STIG is a set of configuration standards developed specifically for Red Hat Enterprise Linux (RHEL), used by IT professionals working for government or defense agencies to protect systems against malicious activity. IT professionals who apply it meet rigorous requirements designed to keep their systems safe. STIG tooling scans the system for compliance with the Security Configuration Assessment and Mapping (SCAP) standard and automatically remediates any violations it finds.

The Defense Information Systems Agency (DISA) releases many Security Technical Implementation Guides (STIGs). Each one relates to a specific piece of software, router or device hardware and is meant to make that commercially available product as secure as possible, thereby decreasing risk and threats on DoD IT networks.

Each one comes with its own checklist of items to verify and ensure are in place, some needing more in-depth knowledge than others. Given the strict DoD regulations for IT use, these checklists must be understood and followed, even by experienced IT professionals.

DoD-compliant IT must prevent its hosts from responding to broadcast Internet Control Message Protocol (ICMP) echo messages: these pings let attackers map networks more easily, and they can be used in amplification attacks, where a small request sent to a broadcast address, without any authentication or confirmation from users, produces a much larger volume of replies. RHEL servers must additionally prevent the debug-shell systemd service from running; otherwise anyone with physical access could obtain a root shell and run commands without authentication or permission.

At its core, the STIG SCAP content contains over 200 rules which must be configured correctly in order to satisfy the DoD Security Configuration Assessment and Mapping (SCAP) requirements. These cover everything from how the operating system is set up, through which services are enabled or disabled, to which audit logs are kept on each machine.

Recent updates to the STIG tooling have made this process easier for IT professionals, with several fixes that let it run more smoothly. One such fix addresses an issue where invalid permissions were assigned to an audit directory; it brings the system in line with STIG control V-230471, so that only users with appropriate permissions can specify which events are audited.

Configuration

Configuring RHEL 8 to the DISA STIG requires both technical knowledge and experience, including an understanding of what each command does and some proficiency with script writing. Navigating complex configuration files can also be tricky, and dangerous if a step is performed incorrectly: a mistake could amount to an unauthorized change that leaves the system vulnerable to attack.

After installation is complete, the next step is to configure the security settings using the SCAP software package, installed either from the command line or through its graphical user interface. This package lets you perform compliance checks that determine whether the system satisfies the standards of its operational environment.

Each STIG contains a series of rules that a system must follow in order to comply. They range from rules addressing the highest-severity risks (where failure could result in loss of life or mission failure) down to less serious risks such as vulnerabilities, delays and inaccurate information. Compliance comes in three flavors: compliant, non-compliant and fully compliant.

For example, a DISA STIG RHEL 8 system must use FIPS-validated key exchange algorithms to protect its cryptographic modules, preventing unauthorized users from viewing or altering information. The system should also be configured to verify that vendors' software packages have not been altered in transit, protecting itself against spoofing that could result in malware installation and other threats.

Another requirement is that the SSH server restrict remote logons without password authentication, in order to reduce the opportunity for unauthorized personnel to gain control of a management session. The system must also send email notifications of unapproved configuration changes directly to designated personnel.

System administrators must configure their systems to automatically terminate idle user sessions, so that unauthorized individuals cannot take advantage of long-idle sessions to steal credentials or information. Systems must also require re-authentication when using "sudo"; otherwise privilege escalation could happen unnoticed and compromise the system.

Security

Defense Information Systems Agency regulations set forth strict security requirements that any individual working on government systems and software must abide by, known as Security Technical Implementation Guides, or STIGs for short. These checklists offer guidance on how to set up IT products like routers, servers and operating systems securely, and they also aim to minimize cybersecurity threats such as breaches. There are hundreds of such guides, each created with a specific piece of software, hardware or device in mind; there is even one designed just for routers!

Many Department of Defense (DoD) agencies use off-the-shelf IT products within their networks, and STIGs help agencies make sure these solutions are as secure as possible. Their goal is to reduce attacks or outages that might affect other federal networks connected to DoD networks, and to reduce vulnerabilities that could lead to breaches, hacking or other security issues, by setting configuration standards that are much stricter than vendors' default settings.

DoD agencies looking to implement FileCloud as part of their IT solutions must first ensure it satisfies DISA's Security Technical Implementation Guides (STIGs); otherwise they must look elsewhere for solutions that comply with DISA requirements.

All RHEL 8 installations must include an /etc/sudoers file containing the list of authorized "sudo" users, so that users with lower privilege levels than root can execute commands normally reserved for root or other privileged system accounts only when they have been explicitly authorized to do so. This ensures an attacker who holds an account with lower access rights than root cannot use it to gain control of your system.

As an additional security measure, users should ensure all operating system patches have been applied and the system is up to date. They should also configure the operating system to display the Standard Mandatory DoD Notice and Consent Banner, which informs users that they are accessing a USG Information System provided solely for authorized United States Government use.

Maintenance

The Department of Defense (DoD) developed STIGs (Security Technical Implementation Guides) as a safeguard to secure its computer systems against cybersecurity risks and vulnerabilities. A STIG serves as a checklist of instructions for configuring IT solutions securely, helping to mitigate the risk of cyberattack. There are hundreds of these checklists covering software, routers, operating systems and other IT products; each contains its own rules, with specific tests for meeting them. One test may simply involve inspecting configuration files, while others require running lengthy commands on remote systems.

One rule might require you to disable Trivial File Transfer Protocol (TFTP) servers unless they are required for operational support, given that TFTP is a simple protocol for sending files over networks and can easily be exploited by attackers. Another may require that kernel profiling be disabled for unprivileged users; profiling can be used by malicious individuals to gather confidential data and alter existing files without authorization.
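As an added example (not code from the article, DISA or Red Hat), the script below audits constructed snapshots of `sysctl -a`, `sshd -T` and /etc/sudoers output for settings discussed in this article: ignoring broadcast ICMP echo requests, restricting kernel profiling for unprivileged users, SSH logons without password authentication, idle-session termination and sudo re-authentication. The expected values (1, 2, no, 600 seconds) and the NOPASSWD check are my assumptions about the STIG's settings; the snapshots are constructed so the script runs offline.

```shell
#!/bin/sh
# Added example: audit captured configuration text for a few RHEL 8 STIG settings.
# On a live host the text would come from `sysctl -a`, `sshd -T` and /etc/sudoers
# (assumed sources); the snapshots below are constructed for demonstration.

# Constructed sysctl snapshot: broadcast-echo setting wrong, profiling restricted.
SYSCTL_SNAPSHOT='net.ipv4.icmp_echo_ignore_broadcasts = 0
kernel.perf_event_paranoid = 2'
# Constructed `sshd -T` style snapshot: empty passwords allowed, idle timeout unset.
SSHD_SNAPSHOT='permitemptypasswords yes
clientalivecountmax 1'
# Constructed sudoers snapshot with a NOPASSWD tag that skips re-authentication.
SUDOERS_SNAPSHOT='root ALL=(ALL) ALL
%wheel ALL=(ALL) NOPASSWD: ALL'

# cfg_get TEXT KEY: print the last value given for KEY in "key = value" or
# "key value" lines, ignoring comments; prints an empty line if KEY is absent.
cfg_get() {
    printf '%s\n' "$1" | awk -v k="$2" '
        /^[ \t]*#/ { next }
        { sub(/=/, " "); if ($1 == k) v = $2 }
        END { print v }'
}

# expect TEXT KEY WANT: succeed when KEY equals WANT, otherwise report and fail.
expect() {
    got=$(cfg_get "$1" "$2")
    [ "$got" = "$3" ] && return 0
    echo "FAIL: $2 is '${got:-unset}', expected '$3'"
    return 1
}

# audit: run every check and return the number of failed checks as exit status.
# Expected values (1, 2, no, 600) are assumed STIG values, not from the article.
audit() {
    fails=0
    expect "$SYSCTL_SNAPSHOT" net.ipv4.icmp_echo_ignore_broadcasts 1 || fails=$((fails+1))
    expect "$SYSCTL_SNAPSHOT" kernel.perf_event_paranoid 2 || fails=$((fails+1))
    expect "$SSHD_SNAPSHOT" permitemptypasswords no || fails=$((fails+1))
    expect "$SSHD_SNAPSHOT" clientaliveinterval 600 || fails=$((fails+1))
    if printf '%s\n' "$SUDOERS_SNAPSHOT" | grep -q 'NOPASSWD'; then
        echo "FAIL: NOPASSWD entry in sudoers lets sudo skip re-authentication"
        fails=$((fails+1))
    fi
    return $fails
}

if audit; then echo "all checks passed"; else echo "failed checks: $?"; fi
```

With the constructed snapshots the script reports four failing checks; on a real host, replace the snapshot variables with the output of the commands named in the comments.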

Checking the revocation status of certificates that authenticate remote servers is another standard rule: it provides a means of verifying that those servers have not been compromised by third parties, and protects against attacks by allowing only legitimate data transfers over the network. This mitigates both attacks and risk, since only relevant information from trusted systems travels over the network.

Other maintenance procedures of note include installing NIST FIPS-validated cryptography and disabling any graphical user interfaces on your RHEL 8 server; these steps must be undertaken to protect sensitive data in accordance with federal laws, Executive Orders, directives, policies or regulations.

The CIS Red Hat Enterprise Linux 8 STIG hardened image can assist with these maintenance procedures. Pre-hardened to industry-recognized security guidance and patched monthly, this image serves as an aid when maintaining RHEL 8 servers manually. You can download it directly from the CIS website (you must first have an active account with them); alternatively, you may install DISA's STIG RHEL 8 template using the YUM package manager.

Sam is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.