Revision

  $Id: webjob-disa-srr-unix.base,v 1.15 2009/06/23 19:11:29 klm Exp $

Purpose

  This recipe demonstrates how to run DISA's UNIX Security Readiness
  Review Scripts (SRRs) within a WebJob framework. Information about
  SRRs and Security Technical Implementation Guides (STIGs) is
  available here:

    http://iase.disa.mil/stigs/

  The following paragraphs, quoted from the above URL, provide some
  basic background information about STIGs and SRRs.

    "The STIGs and the NSA Guides are the configuration standards for
    DOD IA and IA-enabled devices/systems."

    "A Security Checklist (sometimes referred to as a lockdown guide,
    hardening guide, or benchmark configuration) is essentially a
    document that contains instructions or procedures to verify
    compliance to a baseline level of security."

    "Security Readiness Review Scripts (SRRs) test products for STIG
    compliance. SRR Scripts are available for all operating systems
    and databases that have STIGs, and web servers using IIS. The SRR
    scripts are unlicensed tools developed by the Field Security
    Office (FSO) and the use of these tools on products is completely
    at the user's own risk."

Motivation

  The current SRR process, as we understand it, is inefficient because
  it requires a significant amount of labor to run SRR scripts,
  aggregate output, and disseminate findings/results to the folks who
  need them. We believe that the efficiency and effectiveness of this
  process can be greatly improved by retrofitting SRR tar balls to run
  within a WebJob framework. This is because a WebJob framework can
  reduce the amount of labor required to run SRR scripts on hundreds
  or even thousands of systems; it can automatically aggregate output
  according to your needs and preferences; and findings/results can be
  easily and securely shared or disseminated.

Requirements

  Cooking with this recipe requires an operational WebJob server. If
  you do not have one of those, refer to the instructions provided in
  the README.INSTALL file that comes with the source distribution.
  The latest source distribution is available here:

    http://sourceforge.net/project/showfiles.php?group_id=40788

  The server must be running UNIX and have basic system utilities,
  Apache, WebJob (1.8.0 or higher), and PaD installed.

  Note: PaD tools are included in the WebJob distribution.

  Each client must be running UNIX and have basic system utilities
  (including tar and uuencode) and WebJob (1.8.0 or higher) installed.
  Each client must also have at least 50 MB of space in the WebJob
  temporary directory. This space is required to hold the SRR tar ball
  and any output produced by running the SRR scripts.

  The commands presented throughout this recipe were designed to be
  executed within a Bourne shell (i.e., sh or bash).

Time to Implement

  Assuming that you have satisfied all the requirements/prerequisites,
  this recipe should take less than one hour to implement. Plan on 1-3
  hours for testing.

Solution

  The solution is to repackage DISA's UNIX SRR tar ball as a PaD file
  and configure WebJob clients to download and execute that PaD file
  on a periodic or as-needed basis. The following steps describe how
  to implement this solution.

  1. Set up the WebJob server.

    a. Set WEBJOB_ROOT, WEBJOB_CLIENT, and WEBJOB_COMMANDS as
       appropriate for your server. If you want the SRR scripts to be
       bound to a particular client, set WEBJOB_CLIENT as appropriate
       before running the following commands.

         # export WEBJOB_ROOT="/var/webjob"
         # export WEBJOB_CLIENT="common"
         # export WEBJOB_COMMANDS="${WEBJOB_ROOT}/profiles/${WEBJOB_CLIENT}/commands"

       Next, set SRR_DIR_NAME, SRR_TAR_FILE, and SRR_PAD_FILE as shown
       here.

         # export SRR_DIR_NAME="disa_srr_unix"
         # export SRR_TAR_FILE="${SRR_DIR_NAME}.tgz"
         # export SRR_PAD_FILE="${SRR_TAR_FILE}.pad"

       Finally, set CURRENT_SRR_TAR_FILE and CURRENT_SRR_DIR_NAME.

         # export CURRENT_SRR_TAR_FILE="unix_51-15_april_09.tar.gz"
         # export CURRENT_SRR_DIR_NAME="Script.April"

    b. Download DISA's current UNIX SRR from the following location:

         http://iase.disa.mil/stigs/SRR/unix.html

       If your server has wget installed, you can download the
       current tar ball and MD5 hash file as follows:

         # wget http://iase.disa.mil/stigs/SRR/${CURRENT_SRR_TAR_FILE}
         # wget http://iase.disa.mil/stigs/SRR/${CURRENT_SRR_TAR_FILE}.md5

       WARNING: SRR tar balls are not digitally signed. This means you
       have no way to verify their origin and whether they've been
       tampered with, and that should make you uneasy about running
       SRR scripts -- especially since you must run them as root.
       However, the tar balls are now accompanied by corresponding MD5
       hash files, so you can and should perform basic integrity
       checks as shown here:

         # webjob -h -t md5 ${CURRENT_SRR_TAR_FILE}
         4b9aff553f12b9674bec56d4029d5e12
         # cat ${CURRENT_SRR_TAR_FILE}.md5
         4b9aff553f12b9674bec56d4029d5e12 UNIX_51-15April09.tar.gz

       If you want to ensure that the files are safe or have not been
       tampered with, you'll need to review them manually.

       Next, unpack the tar ball in a suitable work area and rename
       the resulting directory as shown here:

         # tar -zxf ${CURRENT_SRR_TAR_FILE}
         # mv ${CURRENT_SRR_DIR_NAME} ${SRR_DIR_NAME}

       NOTE: The directory created when you untar the SRR tar ball
       will have a name of the form "Script." followed by the full
       name of the month in which the tar ball was released (e.g.,
       Script.April). Renaming this directory with a standard name
       makes this recipe easier to follow. More importantly, it makes
       it much easier to deploy and run new SRR tar balls in the
       future. For example, suppose that you decide to periodically
       run SRRs via webjob by setting up a monthly cron job on each
       client. Imagine having to change hundreds of crontab entries
       just because the name of the next SRR tar ball changed. With a
       fixed naming convention, client crontab entries won't need to
       be changed.
       In other words, standardizing the SRR directory name allows the
       client-side configurations to remain static through updates of
       the SRR tar ball, and that is good.

    c. Extract the runme script from Appendix 1 and insert it into the
       SRR directory.

         # sed -e '1,/^--- runme ---$/d; /^--- runme ---$/,$d' webjob-disa-srr-unix.txt > ${SRR_DIR_NAME}/runme
         # chmod 755 ${SRR_DIR_NAME}/runme

       NOTE: Upon review of the runme script, you'll see that the
       'nocrack' option is passed to Start-SRR. This was done to
       prevent crack from running on each client, which can take a
       considerable amount of time.

       Next, create a new SRR tar ball.

         # tar -zcf ${SRR_TAR_FILE} ${SRR_DIR_NAME}

    d. Create a PaD file of the new SRR tar ball, and place it in the
       appropriate commands directory.

         # pad-make-script -c ${SRR_TAR_FILE} > ${WEBJOB_COMMANDS}/${SRR_PAD_FILE}

    e. Clean up temporary work files (as desired).

         # rm -rf ${SRR_DIR_NAME} ${CURRENT_SRR_TAR_FILE}

    f. Create a special configuration file that overrides the default
       PutNameFormat property such that SRR output is placed in the
       following custom directory:

         ${WEBJOB_ROOT}/incoming/${SRR_DIR_NAME}

       This will make it easier for you to aggregate and manage SRR
       output. For this recipe, we assume that you'll want to group
       SRR jobs based on the year and month they were run, and we
       assume that you'll want to tag uploads with the following
       information: client ID, IP address, and the date/time the
       upload occurred.

         # export WEBJOB_NPH_CONFIG_DIR="${WEBJOB_ROOT}/config/nph-webjob/commands/${SRR_PAD_FILE}"
         # mkdir -p ${WEBJOB_NPH_CONFIG_DIR}
         # echo "PutNameFormat=${SRR_DIR_NAME}/%Y-%m/%cid_%ip_%Y%m%d%H%M%S" > ${WEBJOB_NPH_CONFIG_DIR}/nph-webjob.cfg

  2. Configure WebJob clients to periodically run the command shown
     below. Make sure that SRR_DIR_NAME is properly defined on the
     clients prior to job execution.
       SRR_DIR_NAME=disa_srr_unix
       webjob -e -f upload.cfg ${SRR_DIR_NAME}.tgz.pad "{ tar -zxf %payload && ( cd ${SRR_DIR_NAME} && sh runme -f - ) ; } ; { rm -rf ${SRR_DIR_NAME} ; }"

     When executed, this job will download the modified SRR tar ball
     (as a PaD file), untar it, and launch the runme script. That
     script will, in turn, launch the Start-SRR script, wait for it to
     finish, and then tar up and uuencode the results. Since all of
     this is happening within a single job, all output, including the
     uuencoded results, will be captured on stdout/stderr and uploaded
     to the WebJob server.

  3. Check the results. All results will be uploaded to the WebJob
     server and stored under the following location, in a subdirectory
     named for the year and month of the run (the %Y-%m part of the
     PutNameFormat set in step 1f):

       ${WEBJOB_ROOT}/incoming/${SRR_DIR_NAME}/

     In that subdirectory, you should expect to find files whose base
     names are built from the client ID, IP address, and upload
     date/time (the %cid_%ip_%Y%m%d%H%M%S part of the PutNameFormat)
     and that have the following extensions:

       .env
       .err
       .out
       .rdy

     You can extract SRR results on the server by piping the output
     file through uudecode and tar as shown here (replace <upload>
     with the base name of the file):

       # uudecode -p <upload>.out | tar -xf -

     This will lay down two directories per system, named after the
     client's hostname: one with the hostname itself and one with the
     hostname followed by .Log.

     NOTE: The SRR scripts determine hostname using `uname -n`.

Closing Remarks

  This recipe was tested on Sun Solaris 7, 8, and 9 machines. Your
  mileage may vary on other platforms.

  Note that the modified SRR tar ball in this recipe is compressed. If
  the version of tar in your environment does not support the '-z'
  option, you will need to adjust the commands provided above.

Credits

  This recipe was brought to you by Andy Bair and Klayton Monroe.

References

  The Security Readiness Review Evaluation Scripts can be found here:

    http://iase.disa.mil/stigs/SRR/

Appendix 1

--- runme ---
######################################################################
#
# $Id: runme,v 1.2 2009/06/23 02:47:56 klm Exp $
#
######################################################################
#
# Copyright 2005-2005 The WebJob Project, All Rights Reserved.
#
######################################################################
#
# Purpose: Run DISA's UNIX SRR scripts within a WebJob framework.
#
######################################################################

IFS=' '
PATH=/sbin:/usr/sbin:/usr/local/sbin:/bin:/usr/bin:/usr/local/bin

PROGRAM=`basename $0`
REVISION=`echo '$Revision: 1.2 $' | sed 's/^.Revision:[^0-9]*//; s/[^0-9]*$//;'`
HOSTNAME=`uname -n`

######################################################################
#
# Usage
#
######################################################################

Usage()
{
  echo 1>&2
  echo "Usage: ${PROGRAM} [-vz] [-o srr-options] -f {file|-}" 1>&2
  echo 1>&2
  exit 1
}

######################################################################
#
# Main
#
######################################################################

Main()
{
  ####################################################################
  #
  # Punch in and go to work.
  #
  ####################################################################

  umask 077

  GZIP_ON="N"
  OUT_FILE=""
  SRR_OPTIONS="nocrack"
  TAR_EXTENSION="tar"
  TAR_OPTIONS="-cf"

  ####################################################################
  #
  # Process command line arguments.
  #
  ####################################################################

  while getopts "f:o:zv" OPTION ; do
    case "${OPTION}" in
    f)
      OUT_FILE="${OPTARG}"
      ;;
    o)
      SRR_OPTIONS="${OPTARG}"
      ;;
    v)
      echo "${PROGRAM} ${REVISION}"
      exit 0
      ;;
    z)
      GZIP_ON="Y"
      TAR_EXTENSION="tgz"
      TAR_OPTIONS="-zcf"
      ;;
    *)
      Usage
      ;;
    esac
  done

  if [ ${OPTIND} -le $# ] ; then
    Usage
  fi

  if [ -z "${OUT_FILE}" ] ; then
    Usage
  fi

  ####################################################################
  #
  # Launch SRR scripts. If Start-SRR is missing, fail rather than
  # fall through and package output that was never produced.
  #
  ####################################################################

  if [ -f Start-SRR ] ; then
    sh Start-SRR ${SRR_OPTIONS}
    STATUS=$?
  else
    echo "${PROGRAM}: Start-SRR not found in `pwd`" 1>&2
    STATUS=1
  fi
  if [ ${STATUS} -ne 0 ] ; then
    exit ${STATUS}
  fi

  ####################################################################
  #
  # Tar up and uuencode the output.
  #
  ####################################################################

  if [ X"${OUT_FILE}" = X"-" ] ; then
    tar ${TAR_OPTIONS} - ${HOSTNAME} ${HOSTNAME}.Log | uuencode ${HOSTNAME}.${TAR_EXTENSION}
  else
    tar ${TAR_OPTIONS} - ${HOSTNAME} ${HOSTNAME}.Log | uuencode ${HOSTNAME}.${TAR_EXTENSION} > ${OUT_FILE}
  fi
}

Main "$@"
--- runme ---
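Added example (not part of the original recipe or the WebJob project): a shell function for the integrity check in step 1b that compares the digest recorded in the .md5 file against the downloaded tar ball and refuses to proceed on a mismatch. The md5_of and verify_srr_tarball names are this example's own.

```shell
#!/bin/sh
# Integrity check for a downloaded SRR tar ball (step 1b), done before
# it is unpacked and long before anything in it runs as root. The .md5
# file comes from the same server as the tar ball, so a match only rules
# out a corrupted or mismatched download; it is not proof of origin.

# md5_of FILE: print the hex MD5 digest using whichever tool is present.
md5_of() {
    if command -v md5sum >/dev/null 2>&1 ; then
        md5sum "$1" | cut -d' ' -f1
    elif command -v md5 >/dev/null 2>&1 ; then          # BSD-style md5
        md5 -q "$1"
    elif command -v openssl >/dev/null 2>&1 ; then
        openssl dgst -md5 "$1" | sed 's/^.*= *//'
    else
        webjob -h -t md5 "$1"                              # WebJob's hasher, as in the recipe
    fi
}

# verify_srr_tarball TARBALL MD5FILE: return 0 when the digest recorded
# in MD5FILE matches TARBALL, 1 otherwise. Only the digest (first field)
# is compared; the file name recorded in the .md5 file may differ in
# case from the downloaded name, as the recipe's own sample output shows
# (UNIX_51-15April09.tar.gz versus unix_51-15_april_09.tar.gz).
verify_srr_tarball() {
    tarball="$1" ; md5file="$2"
    [ -f "${tarball}" ] || { echo "missing ${tarball}" 1>&2 ; return 1 ; }
    [ -f "${md5file}" ] || { echo "missing ${md5file}" 1>&2 ; return 1 ; }
    expected=$(awk 'NR == 1 { print tolower($1) }' "${md5file}")
    if [ "$(expr "${expected}" : '[0-9a-f]*$')" -ne 32 ] ; then
        echo "${md5file}: no MD5 digest found" 1>&2
        return 1
    fi
    actual=$(md5_of "${tarball}" | tr 'A-F' 'a-f')
    if [ "${actual}" != "${expected}" ] ; then
        echo "MD5 MISMATCH for ${tarball}: got ${actual}, expected ${expected}" 1>&2
        return 1
    fi
    echo "MD5 OK for ${tarball}"
}

# Usage in the recipe's work area (variables from step 1a):
#   verify_srr_tarball "${CURRENT_SRR_TAR_FILE}" "${CURRENT_SRR_TAR_FILE}.md5" \
#     && tar -zxf "${CURRENT_SRR_TAR_FILE}"
```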
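Added example (not part of the original recipe or the WebJob project) for the result handling in step 3: functions that parse upload names produced by the PutNameFormat from step 1f and unpack ready uploads into per-upload directories. The function names and the sample upload names are this example's own, and treating the .rdy file as a completion marker is an assumption.

```shell
#!/bin/sh
# Server-side aggregation of SRR uploads (step 3). Walks one year-month
# directory under ${WEBJOB_ROOT}/incoming/disa_srr_unix and unpacks each
# finished upload into its own directory, so results from two clients
# that report the same `uname -n` never overwrite each other.
# Assumption (not stated in the recipe): the .rdy file marks an upload
# that nph-webjob has completely written.

# parse_upload_name BASENAME: print "cid ip timestamp" recovered from the
# recipe's PutNameFormat (%cid_%ip_%Y%m%d%H%M%S). The timestamp and IP are
# taken from the right, so a client ID containing '_' still parses.
parse_upload_name() {
    case "$1" in
        *.env|*.err|*.out|*.rdy) name=${1%.*} ;;      # drop the WebJob extension
        *) name=$1 ;;
    esac
    ts=${name##*_}
    rest=${name%_*}
    ip=${rest##*_}
    cid=${rest%_*}
    [ "${cid}" != "${rest}" ] || return 1               # fewer than three fields
    printf '%s %s %s\n' "${cid}" "${ip}" "${ts}"
}

# extract_srr_uploads MONTH_DIR DEST_DIR: unpack each ready upload into
# DEST_DIR/<upload-name>/ (the hostname and hostname.Log directories end
# up inside it) and print the number of uploads unpacked.
extract_srr_uploads() {
    month_dir="$1" ; dest_dir="$2" ; count=0
    for out in "${month_dir}"/*.out ; do
        [ -f "${out}" ] || continue                     # glob matched nothing
        base=$(basename "${out}" .out)
        if [ ! -f "${month_dir}/${base}.rdy" ] ; then
            echo "skipping ${base}: upload not complete" 1>&2
            continue
        fi
        mkdir -p "${dest_dir}/${base}" || return 1
        if uudecode -p "${out}" | ( cd "${dest_dir}/${base}" && tar -xf - ) ; then
            count=$((count + 1))
        else
            echo "failed to unpack ${base}" 1>&2
        fi
    done
    echo "${count}"
}
```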