4.11.2. HOWTO Enable STIG Mode on a SIMP System
Enabling STIG mode in SIMP means using the SIMP Compliance Engine to apply the STIG-specific SIMP compliance profile.
As with everything in Puppet, STIG mode applies only to those nodes that actively include the relevant settings; nothing else on the site changes.
4.11.2.1. Assumptions
- You have a fully functional SIMP system up and running per the instructions in Installation Options.
- The FQDN of your node is `stig.your.domain` and you only want to enable STIG mode for this node. You can use Hiera to enable it for all nodes if you so choose.
- You are using the `production` Puppet environment.
- You have a regular user named `stiguser` that will be used for remote access to your system and for escalation of privileges to `root`. This is necessary because, by default, SIMP does not allow remote `root` access.
4.11.2.2. Setting up Hiera
First, create the file `/etc/puppetlabs/code/environments/production/data/hosts/stig.your.domain.yaml`.
The next few sections describe what should be added to this file to ensure that STIG mode will be activated and that your user can properly log in to the system.
4.11.2.2.1. Allowing stiguser to log in

```yaml
pam::access::users:
  stiguser:
    origins:
      - ALL
```
4.11.2.2.2. Allowing stiguser to escalate to root

```yaml
sudo::user_specifications:
  stiguser_su:
    user_list:
      - stiguser
    cmnd:
      - ALL
    passwd: false
```

Note that `passwd: false` lets `stiguser` run `sudo` without re-entering a password (`NOPASSWD`). The DISA STIG expects users to authenticate for privilege escalation, so set `passwd: true` unless you have a documented reason for a passwordless break-glass account.
4.11.2.2.3. Configuring SELinux to allow stiguser to run privileged commands

```yaml
selinux::login_resources:
  stiguser:
    seuser: staff_u
    mls_range: "s0-s0:c0.c1023"
```
4.11.2.2.4. Place the system in STIG-enforcing mode
Now that you have ensured that `stiguser` can access your system and escalate to an administrative user without being blocked by SELinux, you are ready to enable STIG-enforcing mode.
First, include the SIMP Compliance Engine backend in the hierarchy defined in the environment's `hiera.yaml`, `/etc/puppetlabs/code/environments/production/hiera.yaml`. Place it under the `hierarchy` key immediately before the "General data" entry that supplies `default.yaml` and `common.yaml`. Hiera 5 returns the first value it finds, so this position lets the enforced STIG values override the general defaults while your node- and group-specific layers above it still take precedence:

```yaml
---
version: 5
defaults:
  datadir: data
  data_hash: yaml_data
hierarchy:
  ...
  - name: SIMP Compliance Engine
    lookup_key: compliance_markup::enforcement
  - name: General data
    paths:
      - "default.yaml"
      - "common.yaml"
  ...
```
Then add the following to the `stig.your.domain.yaml` file that we have been editing:

```yaml
compliance_markup::enforcement:
  - disa_stig
```
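The four Hiera fragments above and the hierarchy check, gathered into one script. This is an added example, not code from the SIMP project or its documentation: the environment directory, the node FQDN and the admin user name are assumptions (the defaults match this page), and, unlike the snippet above, it writes `passwd: true` so that escalation still prompts for the user's password. `hiera_layer_order_ok` only greps line positions in `hiera.yaml`; it does not parse YAML, so it is a sanity check, not a substitute for `puppet lookup`.

```sh
#!/bin/sh
# Added example, not part of the SIMP documentation: write the per-host Hiera
# data for STIG mode and confirm hiera.yaml orders the Compliance Engine
# layer correctly. ENV_DIR, the node FQDN and the admin user are assumptions;
# the defaults used in the demo below match the page.
set -eu

# write_stig_host_yaml ENV_DIR FQDN USER
# Creates ENV_DIR/data/hosts/FQDN.yaml with the four settings from this HOWTO
# and prints the path. Unlike the page's snippet, passwd is true so that
# escalation still prompts for USER's password.
write_stig_host_yaml() {
  env_dir=$1 fqdn=$2 user=$3
  out="$env_dir/data/hosts/$fqdn.yaml"
  mkdir -p "$(dirname "$out")"
  cat > "$out" <<EOF
---
# STIG mode for $fqdn; $user is the admin account that may reach root
pam::access::users:
  $user:
    origins:
      - ALL

sudo::user_specifications:
  ${user}_su:
    user_list:
      - $user
    cmnd:
      - ALL
    passwd: true

selinux::login_resources:
  $user:
    seuser: staff_u
    mls_range: "s0-s0:c0.c1023"

compliance_markup::enforcement:
  - disa_stig
EOF
  printf '%s\n' "$out"
}

# hiera_layer_order_ok ENV_DIR
# Hiera 5 returns the first value it finds, so the Compliance Engine layer
# must sit below the per-node layers (which may override it) and above the
# "General data" layer (whose default.yaml/common.yaml values it overrides).
# Returns 0 when both layers exist in that order, 1 otherwise.
hiera_layer_order_ok() {
  f="$1/hiera.yaml"
  ce=$(grep -n 'lookup_key: compliance_markup::enforcement' "$f" | head -n 1 | cut -d: -f1)
  gd=$(grep -n 'name: General data' "$f" | head -n 1 | cut -d: -f1)
  [ -n "$ce" ] && [ -n "$gd" ] && [ "$ce" -lt "$gd" ]
}

# write_sample_hiera_yaml ENV_DIR [bad]
# Constructed sample hiera.yaml for trying the check offline; pass "bad" to
# put the two layers in the wrong order.
write_sample_hiera_yaml() {
  mkdir -p "$1"
  if [ "${2:-}" = bad ]; then
    layers='  - name: General data
    paths:
      - "default.yaml"
      - "common.yaml"
  - name: SIMP Compliance Engine
    lookup_key: compliance_markup::enforcement'
  else
    layers='  - name: SIMP Compliance Engine
    lookup_key: compliance_markup::enforcement
  - name: General data
    paths:
      - "default.yaml"
      - "common.yaml"'
  fi
  cat > "$1/hiera.yaml" <<EOF
---
version: 5
defaults:
  datadir: data
  data_hash: yaml_data
hierarchy:
  - name: Per-node data
    paths:
      - "hosts/%{trusted.certname}.yaml"
$layers
EOF
}

# Stand-alone demo against a scratch environment directory.
demo_dir=$(mktemp -d)
write_sample_hiera_yaml "$demo_dir"
write_stig_host_yaml "$demo_dir" stig.your.domain stiguser
hiera_layer_order_ok "$demo_dir" && echo "hiera.yaml layer order OK"
rm -rf "$demo_dir"
```

Point `write_stig_host_yaml` at the real environment directory (`/etc/puppetlabs/code/environments/production`) once you are happy with the generated file, and run the ordering check against that directory's `hiera.yaml` after editing it by hand.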
4.11.2.3. Next Steps
4.11.2.3.1. Applying the changes
At this point, your system is ready to apply the STIG enforcement settings. To begin enforcement, run `puppet agent -t` on the `stig.your.domain` node or wait for the next scheduled run of `puppet`.
4.11.2.3.2. Escalating privileges
Remote system access should work as you would expect, but there is a new caveat to how you would normally run `sudo` to reach the `root` account.
Since the STIG requires that every user be confined to an SELinux user context, you must ensure that all administrative users are mapped to `staff_u`, as we did above. A `staff_u` login lands in `staff_r`, which cannot administer the system on its own, so you must also tell `sudo` which SELinux role you wish to transition into when running commands.
The simplest invocation is as follows:

```sh
[stiguser@localhost ~]$ sudo -r unconfined_r su - root
```
For additional information see the vendor documentation on confined and unconfined users and/or Dan Walsh’s blog.