Add initial stig state

Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com>
2025-12-06 09:12:45 +01:00 · 2024-01-15 21:17:17 -05:00
parent 790f5171a6
commit a73d78300a
14 changed files with 245216 additions and 9 deletions
--- a/pillar/top.sls
+++ b/pillar/top.sls
@@ -65,6 +65,7 @@ base:
    - soctopus.adv_soctopus
    - minions.{{ grains.id }}
    - minions.adv_{{ grains.id }}
+    - stig.soc_stig

  '*_sensor':
    - healthcheck.sensor
@@ -80,6 +81,8 @@ base:
    - suricata.adv_suricata
    - minions.{{ grains.id }}
    - minions.adv_{{ grains.id }}
+    - stig.soc_stig
+    - soc.license

  '*_eval':
    - secrets
@@ -180,6 +183,7 @@ base:
    - suricata.adv_suricata
    - minions.{{ grains.id }}
    - minions.adv_{{ grains.id }}
+    - stig.soc_stig

  '*_heavynode':
    - elasticsearch.auth
@@ -222,6 +226,8 @@ base:
    - redis.adv_redis
    - minions.{{ grains.id }}
    - minions.adv_{{ grains.id }}
+    - stig.soc_stig
+    - soc.license

  '*_receiver':
    - logstash.nodes
--- a/salt/allowed_states.map.jinja
+++ b/salt/allowed_states.map.jinja
@@ -102,7 +102,8 @@
          'utility',
          'schedule',
          'soctopus',
-          'docker_clean'
+          'docker_clean',
+          'stig'
          ],
      'so-managersearch': [
          'salt.master',
@@ -123,7 +124,8 @@
          'utility',
          'schedule',
          'soctopus',
-          'docker_clean'
+          'docker_clean',
+          'stig'
          ],
      'so-searchnode': [
          'ssl',
@@ -131,7 +133,8 @@
          'telegraf',
          'firewall',
          'schedule',
-          'docker_clean'
+          'docker_clean',
+          'stig'
          ],
      'so-standalone': [
          'salt.master',
@@ -156,7 +159,8 @@
          'schedule',
          'soctopus',
          'tcpreplay',
-          'docker_clean'
+          'docker_clean',
+          'stig'
          ],
      'so-sensor': [
          'ssl',
@@ -168,7 +172,8 @@
          'healthcheck',
          'schedule',
          'tcpreplay',
-          'docker_clean'
+          'docker_clean',
+          'stig'
          ],
      'so-fleet': [
          'ssl',
--- a/salt/stig/defaults.yaml
+++ b/salt/stig/defaults.yaml
@@ -0,0 +1,3 @@
+stig:
+  enabled: False
+  run_interval: 12
--- a/salt/stig/disabled.sls
+++ b/salt/stig/disabled.sls
@@ -0,0 +1,15 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+
+stig_remediate_schedule:
+  schedule.absent
+
+remove_stig_script:
+  file.absent:
+    - name: /usr/sbin/so-stig
+{% endif %}
--- a/salt/stig/enabled.sls
+++ b/salt/stig/enabled.sls
@@ -0,0 +1,82 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+#
+# Note: Per the Elastic License 2.0, the second limitation states:
+#
+#   "You may not move, change, disable, or circumvent the license key functionality
+#    in the software, and you may not remove or obscure any functionality in the
+#    software that is protected by the license key."
+
+{% from 'vars/globals.map.jinja' import GLOBALS %}
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states and GLOBALS.os == 'OEL' %}
+{%   if 'stig' in salt['pillar.get']('features', []) %}
+oscap_packages:
+  pkg.installed:
+    - skip_suggestions: True
+    - pkgs:
+      - openscap
+      - openscap-scanner
+      - scap-security-guide
+
+make_some_dirs:
+  file.directory:
+    - name: /opt/so/log/stig
+    - user: socore
+    - group: socore
+    - makedirs: True
+
+make_more_dir:
+  file.directory:
+    - name: /opt/so/conf/stig
+    - user: socore
+    - group: socore
+    - makedirs: True
+
+update_stig_profile:
+  file.managed:
+    - name: /opt/so/conf/stig/sos-oscap.xml
+    - source: salt://stig/files/sos-oscap.xml
+    - user: socore
+    - group: socore
+    - mode: 0644
+
+update_remediation_script:
+  file.managed:
+    - name: /usr/sbin/so-stig
+    - source: salt://stig/files/so-stig
+    - user: socore
+    - group: socore
+    - mode: 0755
+    - template: jinja
+
+remove_old_stig_log:
+  file.absent:
+    - name: /opt/so/log/stig/stig-remediate.log
+
+run_remediation_script:
+  cmd.run:
+    - name: so-stig > /opt/so/log/stig/stig-remediate.log
+    - hide_output: True
+    - success_retcodes:
+      - 0
+      - 2
+
+{%   else %}
+{{sls}}_no_license_detected:
+  test.fail_without_changes:
+    - name: {{sls}}_no_license_detected
+    - comment:
+      - "The application of STIGs is a feature supported only for customers with a valid license.
+      Contact Security Onion Solutions, LLC via our website at https://securityonionsolutions.com
+      for more information about purchasing a license to enable this feature."
+{%   endif %}
+
+{% else %}
+{{sls}}_state_not_allowed:
+  test.fail_without_changes:
+    - name: {{sls}}_state_not_allowed
+
+{% endif %}
--- a/salt/stig/files/so-stig
+++ b/salt/stig/files/so-stig
@@ -0,0 +1,88 @@
+#!/bin/bash
+#
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+#
+# Note: Per the Elastic License 2.0, the second limitation states:
+#
+#   "You may not move, change, disable, or circumvent the license key functionality
+#    in the software, and you may not remove or obscure any functionality in the
+#    software that is protected by the license key."
+
+stig_conf=/opt/so/conf/stig
+stig_log=/opt/so/log/stig
+
+. /usr/sbin/so-common
+
+logCmd() {
+	cmd=$1
+	echo "Executing command: $cmd"
+	$cmd
+}
+
+apply_stigs(){
+    if [ ! -f $stig_log/pre-oscap-report.html ]; then
+        echo "Running an OSCAP eval before modifying system for the first time"
+        oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_stig --results $stig_log/pre-oscap-results.xml --report $stig_log/pre-oscap-report.html /usr/share/xml/scap/ssg/content/ssg-ol9-ds.xml
+    fi
+    echo "Manually applying STIGs not remediated by OSCAP"
+    echo "Setting Ctrl-Alt-Del action to none OSCAP rule id: xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_burstaction"
+    if ! grep -q "^CtrlAltDelBurstAction=none$" /etc/systemd/system.conf; then
+        sed -i 's/#CtrlAltDelBurstAction=reboot-force/CtrlAltDelBurstAction=none/g' /etc/systemd/system.conf
+        logCmd "grep CtrlAltDelBurstAction /etc/systemd/system.conf"
+    fi
+
+
+    echo "Setting ctrl-alt-del.target to masked or /dev/null OSCAP rule id: xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_reboot"
+    if systemctl is-enabled ctrl-alt-del.target | grep -q masked; then
+        echo "ctrl-alt-del.target is already masked"
+    else
+        echo "Redirecting ctrl-alt-del.target symlink to /dev/null"
+        logCmd "ln -sf /dev/null /etc/systemd/system/ctrl-alt-del.target"
+    fi
+
+    echo "Remove nullok from password-auth & system-auth OSCAP rule id: xccdf_org.ssgproject.content_rule_no_empty_passwords"
+    sed -i 's/ nullok//g' /etc/pam.d/password-auth
+    sed -i 's/ nullok//g' /etc/pam.d/system-auth
+
+    echo "Setting PermitEmptyPasswords no in /etc/ssh/sshd_config OSCAP rule id: xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords"
+    if grep -q "^#PermitEmptyPasswords no$" /etc/ssh/sshd_config; then
+        sed -i 's/#PermitEmptyPasswords no/PermitEmptyPasswords no/g' /etc/ssh/sshd_config
+        logCmd "grep PermitEmptyPasswords /etc/ssh/sshd_config"
+    else
+        logCmd "echo 'PermitEmptyPasswords no' >> /etc/ssh/sshd_config"
+    fi
+
+    echo "Setting PermitUserEnvironment no in /etc/ssh/sshd_config STIG rule id: SV-248650r877377"
+    if grep -q "^#PermitUserEnvironment no$" /etc/ssh/sshd_config; then
+        sed -i 's/#PermitUserEnvironment no/PermitUserEnvironment no/g' /etc/ssh/sshd_config
+        logCmd "grep PermitUserEnvironment /etc/ssh/sshd_config"
+    else
+        logCmd "echo 'PermitUserEnvironment no' >> /etc/ssh/sshd_config"
+    fi
+    if is_manager_node; then
+        echo "Setting localpkg_gpgcheck=1 OSCAP rule id: xccdf_org.ssgproject.content_rule_ensure_gpgcheck_local_packages"
+        if [ ! -f /opt/so/saltstack/local/salt/repo/client/files/oracle/yum.conf.jinja ]; then
+            logCmd "cp /opt/so/saltstack/default/salt/repo/client/files/oracle/yum.conf.jinja /opt/so/saltstack/local/salt/repo/client/files/oracle/yum.conf.jinja"
+        fi
+        if ! grep -q "^localpkg_gpgcheck=1$" /opt/so/saltstack/local/salt/repo/client/files/oracle/yum.conf.jinja; then
+            echo 'localpkg_gpgcheck=1' >> /opt/so/saltstack/local/salt/repo/client/files/oracle/yum.conf.jinja
+            logCmd "grep localpkg_gpgcheck /opt/so/saltstack/local/salt/repo/client/files/oracle/yum.conf.jinja"
+        fi
+    fi
+
+    echo "Running custom OSCAP profile to remediate applicable STIGs"
+    logCmd "oscap xccdf eval --remediate --profile xccdf_org.ssgproject.content_profile_stig --results $stig_log/results.xml $stig_conf/sos-oscap.xml"
+
+    echo "Running OSCAP scan to verify application of STIGs"
+    oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_stig --results $stig_log/post-oscap-results.xml --report $stig_log/post-oscap-report.html /usr/share/xml/scap/ssg/content/ssg-ol9-ds.xml
+}
+
+if is_feature_enabled "stig" >/dev/null 2>&1; then
+    echo -e "---------------------\nApplying STIGs\n---------------------"
+    apply_stigs
+else
+    echo "The application of STIGs is a feature supported only for customers with a valid license. Contact Security Onion Solutions, LLC via our website at https://securityonionsolutions.com for more information about purchasing a license to enable this feature."
+fi
--- a/salt/stig/files/sos-oscap.xml
+++ b/salt/stig/files/sos-oscap.xml
--- a/salt/stig/init.sls
+++ b/salt/stig/init.sls
@@ -0,0 +1,16 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'stig/map.jinja' import STIGMERGED %}
+
+include:
+{% if STIGMERGED.enabled %}
+  - stig.schedule
+{%   if not salt['schedule.is_enabled'](name="stig_remediate_schedule") %}
+  - stig.enabled
+{%   endif %}
+{% else %}
+  - stig.disabled
+{% endif %}
--- a/salt/stig/license.sls
+++ b/salt/stig/license.sls
--- a/salt/stig/map.jinja
+++ b/salt/stig/map.jinja
@@ -0,0 +1,7 @@
+{# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+   or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+   https://securityonion.net/license; you may not use this file except in compliance with the
+   Elastic License 2.0. #}
+
+{% import_yaml 'stig/defaults.yaml' as STIGDEFAULTS with context %}
+{% set STIGMERGED = salt['pillar.get']('stig', STIGDEFAULTS.stig, merge=True) %}
--- a/salt/stig/schedule.sls
+++ b/salt/stig/schedule.sls
@@ -0,0 +1,24 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'stig/map.jinja' import STIGMERGED %}
+{%   if 'stig' in salt['pillar.get']('features', []) %}
+stig_remediate_schedule:
+  schedule.present:
+    - function: state.apply
+    - job_args:
+      - stig.enabled
+    - hours: {{ STIGMERGED.run_interval }}
+    - maxrunning: 1
+    - enabled: true
+{%   else %}
+{{sls}}_no_license_detected:
+  test.fail_without_changes:
+    - name: {{sls}}_no_license_detected
+    - comment:
+      - "The application of STIGs is a feature supported only for customers with a valid license.
+      Contact Security Onion Solutions, LLC via our website at https://securityonionsolutions.com
+      for more information about purchasing a license to enable this feature."
+{%   endif %}
--- a/salt/stig/soc_stig.yaml
+++ b/salt/stig/soc_stig.yaml
@@ -0,0 +1,11 @@
+stig:
+  enabled:
+    description: You can enable or disable the application of STIGS using oscap. Note that the actions performed by OSCAP are not automatically reversible.
+    forcedType: bool
+    advanced: True
+  run_interval:
+    description: The interval in hours between OSCAP remediate executions.
+    forcedType: int
+    regex: ^([1-9][0-9]{0,2})$
+    regexFailureMessage: The value must be an integer between 1 and 999.
+    advanced: True
--- a/salt/top.sls
+++ b/salt/top.sls
@@ -1,5 +1,5 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.

@@ -46,6 +46,7 @@ base:
    - zeek
    - strelka
    - elasticfleet.install_agent_grid
+    - stig

  '*_eval and G@saltversion:{{saltversion}}':
    - match: compound
@@ -110,6 +111,7 @@ base:
    - soctopus
    - playbook
    - elasticfleet
+    - stig

  '*_standalone and G@saltversion:{{saltversion}}':
    - match: compound
@@ -128,7 +130,7 @@ base:
    - sensoroni
    - telegraf
    - idstools
-    - suricata.manager    
+    - suricata.manager
    - healthcheck
    - mysql
    - elasticsearch
@@ -146,6 +148,7 @@ base:
    - soctopus
    - playbook
    - elasticfleet
+    - stig

  '*_searchnode and G@saltversion:{{saltversion}}':
    - match: compound
@@ -157,6 +160,7 @@ base:
    - elasticsearch
    - logstash
    - elasticfleet.install_agent_grid
+    - stig

  '*_managersearch and G@saltversion:{{saltversion}}':
    - match: compound
@@ -187,6 +191,7 @@ base:
    - soctopus
    - playbook
    - elasticfleet
+    - stig

  '*_heavynode and G@saltversion:{{saltversion}}':
    - match: compound
@@ -206,7 +211,7 @@ base:
    - zeek
    - elasticfleet.install_agent_grid
    - elasticagent
-  
+
  '*_import and G@saltversion:{{saltversion}}':
    - match: compound
    - salt.master
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -1413,7 +1413,7 @@ make_some_dirs() {
 	mkdir -p $local_salt_dir/salt/firewall/portgroups
 	mkdir -p $local_salt_dir/salt/firewall/ports

-	for THEDIR in bpf pcap elasticsearch ntp firewall redis backup influxdb strelka sensoroni soc soctopus docker zeek suricata nginx telegraf logstash soc manager kratos idstools idh elastalert global;do
+	for THEDIR in bpf pcap elasticsearch ntp firewall redis backup influxdb strelka sensoroni soc soctopus docker zeek suricata nginx telegraf logstash soc manager kratos idstools idh elastalert stig global;do
 	mkdir -p $local_salt_dir/pillar/$THEDIR
 	touch $local_salt_dir/pillar/$THEDIR/adv_$THEDIR.sls
 	touch $local_salt_dir/pillar/$THEDIR/soc_$THEDIR.sls