Add initial stig state

Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com>

salt/stig/files/so-stig

@@ -0,0 +1,88 @@
+#!/bin/bash
+#
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+#
+# Note: Per the Elastic License 2.0, the second limitation states:
+#
+#   "You may not move, change, disable, or circumvent the license key functionality
+#    in the software, and you may not remove or obscure any functionality in the
+#    software that is protected by the license key."
+
+stig_conf=/opt/so/conf/stig
+stig_log=/opt/so/log/stig
+
+. /usr/sbin/so-common
+
+logCmd() {
+	cmd=$1
+	echo "Executing command: $cmd"
+	$cmd
+}
+
+apply_stigs(){
+    if [ ! -f $stig_log/pre-oscap-report.html ]; then
+        echo "Running an OSCAP eval before modifying system for the first time"
+        oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_stig --results $stig_log/pre-oscap-results.xml --report $stig_log/pre-oscap-report.html /usr/share/xml/scap/ssg/content/ssg-ol9-ds.xml
+    fi
+    echo "Manually applying STIGs not remediated by OSCAP"
+    echo "Setting Ctrl-Alt-Del action to none OSCAP rule id: xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_burstaction"
+    if ! grep -q "^CtrlAltDelBurstAction=none$" /etc/systemd/system.conf; then
+        sed -i 's/#CtrlAltDelBurstAction=reboot-force/CtrlAltDelBurstAction=none/g' /etc/systemd/system.conf
+        logCmd "grep CtrlAltDelBurstAction /etc/systemd/system.conf"
+    fi
+
+
+    echo "Setting ctrl-alt-del.target to masked or /dev/null OSCAP rule id: xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_reboot"
+    if systemctl is-enabled ctrl-alt-del.target | grep -q masked; then
+        echo "ctrl-alt-del.target is already masked"
+    else
+        echo "Redirecting ctrl-alt-del.target symlink to /dev/null"
+        logCmd "ln -sf /dev/null /etc/systemd/system/ctrl-alt-del.target"
+    fi
+
+    echo "Remove nullok from password-auth & system-auth OSCAP rule id: xccdf_org.ssgproject.content_rule_no_empty_passwords"
+    sed -i 's/ nullok//g' /etc/pam.d/password-auth
+    sed -i 's/ nullok//g' /etc/pam.d/system-auth
+
+    echo "Setting PermitEmptyPasswords no in /etc/ssh/sshd_config OSCAP rule id: xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords"
+    if grep -q "^#PermitEmptyPasswords no$" /etc/ssh/sshd_config; then
+        sed -i 's/#PermitEmptyPasswords no/PermitEmptyPasswords no/g' /etc/ssh/sshd_config
+        logCmd "grep PermitEmptyPasswords /etc/ssh/sshd_config"
+    else
+        logCmd "echo 'PermitEmptyPasswords no' >> /etc/ssh/sshd_config"
+    fi
+
+    echo "Setting PermitUserEnvironment no in /etc/ssh/sshd_config STIG rule id: SV-248650r877377"
+    if grep -q "^#PermitUserEnvironment no$" /etc/ssh/sshd_config; then
+        sed -i 's/#PermitUserEnvironment no/PermitUserEnvironment no/g' /etc/ssh/sshd_config
+        logCmd "grep PermitUserEnvironment /etc/ssh/sshd_config"
+    else
+        logCmd "echo 'PermitUserEnvironment no' >> /etc/ssh/sshd_config"
+    fi
+    if is_manager_node; then
+        echo "Setting localpkg_gpgcheck=1 OSCAP rule id: xccdf_org.ssgproject.content_rule_ensure_gpgcheck_local_packages"
+        if [ ! -f /opt/so/saltstack/local/salt/repo/client/files/oracle/yum.conf.jinja ]; then
+            logCmd "cp /opt/so/saltstack/default/salt/repo/client/files/oracle/yum.conf.jinja /opt/so/saltstack/local/salt/repo/client/files/oracle/yum.conf.jinja"
+        fi
+        if ! grep -q "^localpkg_gpgcheck=1$" /opt/so/saltstack/local/salt/repo/client/files/oracle/yum.conf.jinja; then
+            echo 'localpkg_gpgcheck=1' >> /opt/so/saltstack/local/salt/repo/client/files/oracle/yum.conf.jinja
+            logCmd "grep localpkg_gpgcheck /opt/so/saltstack/local/salt/repo/client/files/oracle/yum.conf.jinja"
+        fi
+    fi
+
+    echo "Running custom OSCAP profile to remediate applicable STIGs"
+    logCmd "oscap xccdf eval --remediate --profile xccdf_org.ssgproject.content_profile_stig --results $stig_log/results.xml $stig_conf/sos-oscap.xml"
+
+    echo "Running OSCAP scan to verify application of STIGs"
+    oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_stig --results $stig_log/post-oscap-results.xml --report $stig_log/post-oscap-report.html /usr/share/xml/scap/ssg/content/ssg-ol9-ds.xml
+}
+
+if is_feature_enabled "stig" >/dev/null 2>&1; then
+    echo -e "---------------------\nApplying STIGs\n---------------------"
+    apply_stigs
+else
+    echo "The application of STIGs is a feature supported only for customers with a valid license. Contact Security Onion Solutions, LLC via our website at https://securityonionsolutions.com for more information about purchasing a license to enable this feature."
+fi