5.2.5. HOWTO Enable STIG Mode on a SIMP System
Like everything in Puppet, STIG-mode only applies to those nodes that actively include the correct settings.
This HOWTO assumes the following:

- You have a fully functional SIMP system up and running per the instructions in Installation Options.
- You are using the
- You have a regular user named stiguser that will be used for remote access to your system and for escalation of privileges to root. This is due to the fact that, by default, SIMP does not allow remote
5.2.5.1. Setting up Hiera
First, we need to create the file stig.your.domain.yaml, the node-specific Hiera file that the rest of this section edits.
The next few sections describe what should be added to this file to ensure that
STIG mode will be activated and that your user can properly log in to the
system.

5.2.5.1.1. Allow stiguser to login

    pam::access::users:
      stiguser:
        origins:
          - ALL
5.2.5.1.2. Allow stiguser to escalate to root

    sudo::user_specifications:
      stiguser_su:
        user_list:
          - stiguser
        cmnd:
          - ALL
        # You should change this to 'true' for full STIG compliance
        # Ensure that you have a working password set first!
        passwd: false
        options:
          # Required for seamless root sudo commands
          role: unconfined_r
5.2.5.1.3. Configure SELinux to allow stiguser to run privileged commands

    selinux::login_resources:
      stiguser:
        seuser: staff_u
        mls_range: "s0-s0:c0.c1023"
5.2.5.1.4. Place the system in STIG-enforcing mode
Now that you have ensured that stiguser can access your system, and can
escalate to an administrative user without being blocked by SELinux, you are
ready to enable STIG-enforcing mode.
First, include the SIMP Compliance Engine backend in the hierarchy defined
in the environment's hiera.yaml. Place it under the hierarchy key, just before
the default entry:

    ---
    version: 5
    defaults:
      datadir: data
      data_hash: yaml_data
    hierarchy:
      ...
      - name: SIMP Compliance Engine
        lookup_key: compliance_markup::enforcement
      - name: General data
        paths:
          - "default.yaml"
          - "common.yaml"
      ...
Then add the following to the stig.your.domain.yaml file that we
have been editing:

    compliance_markup::enforcement:
      - disa_stig
5.2.5.2. Next Steps
5.2.5.2.1. Applying the changes
At this point, your system is ready to apply the STIG enforcement settings. To
begin enforcement, run puppet agent -t on the node, or wait for the next
scheduled Puppet run.
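After the Puppet run, it is worth confirming that the three Hiera settings above actually landed on the node before you rely on them for access. The following script is an added example, not part of SIMP or this HOWTO; it assumes the standard column layout of `semanage login -l`, the standard "+ : user : origins" syntax of /etc/security/access.conf, and the listing format of `sudo -l -U stiguser`.

```shell
#!/bin/sh
# Added post-apply verification helper (assumed formats, not SIMP's own code).
# Each check is a stdin filter so it can read a live command's output or a
# captured copy; it returns 0 when the expected setting is present.

# selinux::login_resources -> stiguser must map to staff_u with the full MCS range
check_selinux_login() {
    awk '$1 == "stiguser" && $2 == "staff_u" && $3 == "s0-s0:c0.c1023" { found = 1 }
         END { exit !found }'
}

# pam::access::users -> access.conf must permit stiguser from ALL origins
check_pam_access() {
    grep -Eq '^\+[[:space:]]*:[[:space:]]*stiguser[[:space:]]*:[[:space:]]*ALL'
}

# sudo::user_specifications -> a rule carrying ROLE=unconfined_r for ALL commands;
# warn when it is NOPASSWD (passwd: false), which full STIG compliance does not allow
check_sudo_spec() {
    awk '/ROLE=unconfined_r/ && /ALL[[:space:]]*$/ {
             found = 1
             if ($0 ~ /NOPASSWD/)
                 print "warning: stiguser sudo rule is NOPASSWD; set passwd: true for STIG" > "/dev/stderr"
         }
         END { exit !found }'
}

# Hiera node file -> compliance_markup::enforcement must list disa_stig
check_enforcement() {
    awk '/^compliance_markup::enforcement:/ { inblock = 1; next }
         inblock && /^[[:space:]]*-[[:space:]]*disa_stig[[:space:]]*$/ { found = 1 }
         inblock && /^[^[:space:]#-]/ { inblock = 0 }
         END { exit !found }'
}

# Run on the node as root after `puppet agent -t`; $1 is the node's Hiera file
# (stig.your.domain.yaml from this HOWTO) and may be omitted.
run_live_checks() {
    semanage login -l | check_selinux_login      && echo "selinux login mapping: ok" || echo "selinux login mapping: MISSING"
    check_pam_access < /etc/security/access.conf && echo "pam_access rule: ok"       || echo "pam_access rule: MISSING"
    sudo -l -U stiguser | check_sudo_spec        && echo "sudo role spec: ok"        || echo "sudo role spec: MISSING"
    [ -z "$1" ] || { check_enforcement < "$1"    && echo "disa_stig enforcement: ok" || echo "disa_stig enforcement: MISSING"; }
}
```

Call run_live_checks from a root shell on the node; a MISSING line means the corresponding Hiera key was not applied (or the hierarchy entry for the Compliance Engine is missing) and should be fixed before relying on stiguser for access.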
5.2.5.2.2. Escalating privileges
Remote system access should work as you would expect, but there is a new caveat
to how you would normally run sudo to access the root account.
Since the STIG requires that all users be in an SELinux context, you will need
to ensure that all administrative users are staff_u users, as we did above.
Once this is complete, you must tell sudo what context you wish to
transition into when running commands.
The simplest invocation is as follows:

    [stiguser@localhost ~]$ sudo su - root
For additional information, see the vendor documentation on confined and unconfined users and/or Dan Walsh's blog.