Revision

$Id: webjob-disa-srr-unix.base,v 1.13 2005/12/14 17:19:00 klm Exp $

Purpose

This recipe demonstrates how to run DISA's UNIX Security Readiness Review Scripts (SRRs) within a WebJob framework. Information about SRRs and Security Technical Implementation Guides (STIGs) is available here:

    http://iase.disa.mil/stigs/

The following paragraphs, quoted from the above URL, provide some basic background information about STIGs and SRRs.

    "The STIGs and the NSA Guides are the configuration standards for DOD IA and IA-enabled devices/systems."

    "A Security Checklist (sometimes referred to as a lockdown guide, hardening guide, or benchmark configuration) is essentially a document that contains instructions or procedures to verify compliance to a baseline level of security."

    "Security Readiness Review Scripts (SRRs) test products for STIG compliance. SRR Scripts are available for all operating systems and databases that have STIGs, and web servers using IIS. The SRR scripts are unlicensed tools developed by the Field Security Office (FSO) and the use of these tools on products is completely at the user's own risk."

Motivation

The current SRR process, as we understand it, is inefficient because it requires a significant amount of labor to run SRR scripts, aggregate output, and disseminate findings/results to the folks who need them. We believe that the efficiency and effectiveness of this process can be greatly improved by retrofitting SRR tarballs to run within a WebJob framework. This is because a WebJob framework can reduce the amount of labor required to run SRR scripts on hundreds or even thousands of systems; it can automatically aggregate output according to your needs and preferences; and findings/results can be easily and securely shared or disseminated.

Requirements

Cooking with this recipe requires an operational WebJob server. If you do not have one of those, refer to the instructions provided in the README.INSTALL file that comes with the source distribution.
The latest source distribution is available here:

    http://sourceforge.net/project/showfiles.php?group_id=40788

The server must be running UNIX and have basic system utilities, Apache, WebJob (1.5.0 or higher), and PaD installed. Note: PaD tools are included in the WebJob distribution.

Each client must be running UNIX and have basic system utilities (including tar and uuencode) and WebJob (1.5.0 or higher) installed. Each client must also have at least 50 MB of space in the WebJob temporary directory. This space is required to hold the SRR tarball and any output it produces.

The commands presented throughout this recipe were designed to be executed within a Bourne shell (i.e., sh or bash).

Time to Implement

Assuming that you have satisfied all the requirements/prerequisites, this recipe should take less than one hour to implement. Plan on 1-3 hours for testing.

Solution

The solution is to repackage DISA's UNIX SRR tarball as a PaD file and configure WebJob clients to download and execute that PaD file on a periodic or as-needed basis. The following steps describe how to implement this solution.

1. Set up the WebJob server.

  a. Set WEBJOB_ROOT, WEBJOB_CLIENT, and WEBJOB_COMMANDS as appropriate for your server. If you want the SRR scripts to be bound to a particular client, set WEBJOB_CLIENT as appropriate before running the following commands.

    # export WEBJOB_ROOT="/var/webjob"
    # export WEBJOB_CLIENT="common"
    # export WEBJOB_COMMANDS="${WEBJOB_ROOT}/profiles/${WEBJOB_CLIENT}/commands"

  Next, set SRR_DIR_NAME, SRR_TAR_FILE, SRR_PAD_FILE, and WEBJOB_NPH_CONFIG_DIR as shown here.

    # export SRR_DIR_NAME="disa_srr_unix"
    # export SRR_TAR_FILE="${SRR_DIR_NAME}.tar"
    # export SRR_PAD_FILE="${SRR_TAR_FILE}.pad"
    # export WEBJOB_NPH_CONFIG_DIR="${WEBJOB_ROOT}/config/nph-webjob/commands/${SRR_PAD_FILE}"

  Finally, set CURRENT_SRR_TAR_FILE and CURRENT_SRR_DIR_NAME.

    # export CURRENT_SRR_TAR_FILE="unix-44-15jul05.tar.gz"
    # export CURRENT_SRR_DIR_NAME="Script.July"

  b. Download DISA's current UNIX SRR from the following location:

    http://iase.disa.mil/stigs/SRR/unix.html

  If your server has wget installed, you can download the current tarball as follows:

    # wget http://iase.disa.mil/stigs/SRR/${CURRENT_SRR_TAR_FILE}

  WARNING: SRR files are not GPG-signed or released with corresponding MD5/SHA1 hashes. This means you have no way to verify their origin or integrity, and that should make you uneasy about running the scripts -- especially since you must run them as root. If you want to ensure that the files are safe or have not been tampered with, you'll need to review them on your own.

  Next, unpack the tarball in a suitable work area and rename it as shown here:

    # gunzip -c ${CURRENT_SRR_TAR_FILE} | tar -xf -
    # mv ${CURRENT_SRR_DIR_NAME} ${SRR_DIR_NAME}

  NOTE: The directory created when you untar the SRR tarball is named Script. followed by the full name of the month in which the tarball was released (e.g., Script.July, the value of CURRENT_SRR_DIR_NAME above). Renaming this directory with a standard name makes this recipe easier to follow. More importantly, it makes it much easier to deploy and run new SRR tarballs in the future. For example, suppose that you decide to periodically run SRRs via webjob by setting up a monthly cron job on each client. Imagine having to change hundreds of crontab entries just because the name of the next SRR tarball changed. With a fixed naming convention, client crontab entries won't need to be changed. In other words, standardizing the SRR directory name allows the client-side configurations to remain static through updates of the SRR tarball, and that is good.

  c. Extract the runme script from Appendix 1, and insert it into the SRR directory.

    # sed -e '1,/^--- runme ---$/d; /^--- runme ---$/,$d' webjob-disa-srr-unix.txt > ${SRR_DIR_NAME}/runme
    # chmod 755 ${SRR_DIR_NAME}/runme

  NOTE: When you review the runme script, you'll see that the 'nocrack' option is being passed to Start-SRR. This was done to prevent crack from running on each client, which can take a considerable amount of time.

  Next, create a new SRR tarball.

    # tar -cf ${SRR_TAR_FILE} ${SRR_DIR_NAME}

  d. Create a PaD file of the new SRR tarball, and place it in the appropriate commands directory.

    # pad-make-script -c ${SRR_TAR_FILE} > ${WEBJOB_COMMANDS}/${SRR_PAD_FILE}

  e. Clean up temporary work files (as desired).

    # rm -rf ${SRR_DIR_NAME} ${CURRENT_SRR_TAR_FILE}

  f. Create a special WebJob configuration file that overrides the default WebJob properties and places output from the SRR scripts in the following custom directory:

    ${WEBJOB_ROOT}/incoming/${SRR_DIR_NAME}

  This will make it easier for you to aggregate and manage SRR output. For this recipe, we assume that you'll want to group SRR jobs based on the year and month they were run, and we assume that you'll want to tag uploads with the following information: client ID, IP address, and the date/time the upload occurred.

    # mkdir -p ${WEBJOB_NPH_CONFIG_DIR}
    # echo "PutNameFormat=${SRR_DIR_NAME}/%Y-%m/%CID_%IP_%Y%m%d%H%M%S" > ${WEBJOB_NPH_CONFIG_DIR}/nph-webjob.cfg

2. Configure WebJob clients to periodically run the command shown below. Make sure that SRR_DIR_NAME is properly defined on the clients (e.g., as a crontab variable) prior to job execution.

    SRR_DIR_NAME=disa_srr_unix
    webjob -e -f upload.cfg ${SRR_DIR_NAME}.tar.pad "{ tar -xf %payload && ( cd ${SRR_DIR_NAME} && sh runme -f - ) ; } ; { rm -rf ${SRR_DIR_NAME} ; }"

  When executed, this job will download the modified SRR tarball (as a PaD file), untar it, and launch the runme script. That script will, in turn, launch the Start-SRR script, wait for it to finish, and then tar up and uuencode the results. Since all of this is happening within a single job, all output, including the uuencoded results, will be captured on stdout/stderr and uploaded to the WebJob server.

3. Check the results.
  All results will be uploaded to the WebJob server and stored under the following location, in a subdirectory named for the year and month of the upload (%Y-%m, as set by PutNameFormat in step 1f):

    ${WEBJOB_ROOT}/incoming/${SRR_DIR_NAME}/

  In that subdirectory, you should expect to find files whose base names are formed from the client ID, IP address, and upload date/time (%CID_%IP_%Y%m%d%H%M%S) and that carry the following extensions:

    .env
    .err
    .out
    .rdy

  You can extract SRR results on the server by piping an output file through uudecode and tar as shown here (substitute the actual base name of the upload):

    # uudecode -p %CID_%IP_%Y%m%d%H%M%S.out | tar -xf -

  This will lay down two directories per system, named after that system's hostname and hostname.Log (the runme script tars up ${HOSTNAME} and ${HOSTNAME}.Log).

  NOTE: The SRR scripts determine hostname using `uname -n`.

Closing Remarks

This recipe was tested on Sun Solaris 7, 8, and 9 machines. Your mileage may vary on other platforms.

In writing this recipe we chose not to compress the SRR tarball because WebJob clients may not have compression utilities installed, or compression utilities may vary among WebJob clients. For example, some clients may have compress but not gzip, while others may have gzip but not bzip2. Without consistent compression utilities on all clients, compressing the SRR tarball is cumbersome and most likely impractical when managing large numbers of clients. However, if you do have a standard set of compression utilities available on your clients, you can achieve some very good compression ratios. We experienced roughly 3:1, 6:1, and 9:1 compression ratios using compress, gzip, and bzip2, respectively.

Credits

This recipe was brought to you by Andy Bair and Klayton Monroe.

References

The Security Readiness Review Evaluation Scripts can be found here:

    http://iase.disa.mil/stigs/SRR/

Appendix 1

--- runme ---
######################################################################
#
# $Id: runme,v 1.1 2005/12/11 19:26:45 klm Exp $
#
######################################################################
#
# Copyright 2005-2005 The WebJob Project, All Rights Reserved.
#
######################################################################
#
# Purpose: Run DISA's UNIX SRR scripts within a WebJob framework.
#
######################################################################

IFS=' '
PATH=/sbin:/usr/sbin:/usr/local/sbin:/bin:/usr/bin:/usr/local/bin

PROGRAM=`basename $0`
REVISION=`echo '$Revision: 1.1 $' | sed 's/^.Revision:[^0-9]*//; s/[^0-9]*$//;'`
HOSTNAME=`uname -n`

######################################################################
#
# Usage
#
######################################################################

Usage()
{
  echo 1>&2
  echo "Usage: ${PROGRAM} [-vz] [-o srr-options] -f {file|-}" 1>&2
  echo 1>&2
  exit 1
}

######################################################################
#
# Main
#
######################################################################

Main()
{
  ####################################################################
  #
  # Punch in and go to work. Output files are created with restrictive
  # permissions; SRR options default to 'nocrack' (see step 1c).
  #
  ####################################################################

  umask 077

  GZIP_ON="N"
  OUT_FILE=""
  SRR_OPTIONS="nocrack"
  TAR_EXTENSION="tar"
  TAR_OPTIONS="-cf"

  ####################################################################
  #
  # Process command line arguments.
  #
  ####################################################################

  while getopts "f:o:zv" OPTION ; do
    case "${OPTION}" in
    f)
      OUT_FILE="${OPTARG}"
      ;;
    o)
      SRR_OPTIONS="${OPTARG}"
      ;;
    v)
      echo "${PROGRAM} ${REVISION}"
      exit 0
      ;;
    z)
      GZIP_ON="Y"
      TAR_EXTENSION="tgz"
      TAR_OPTIONS="-zcf"
      ;;
    *)
      Usage
      ;;
    esac
  done

  # Reject stray non-option arguments.
  if [ ${OPTIND} -le $# ] ; then
    Usage
  fi

  if [ -z "${OUT_FILE}" ] ; then
    Usage
  fi

  ####################################################################
  #
  # Launch SRR scripts. This script is expected to run from inside
  # the unpacked SRR directory, so Start-SRR must be present here.
  #
  ####################################################################

  if [ ! -f Start-SRR ] ; then
    echo "${PROGRAM}: Start-SRR not found in `pwd`" 1>&2
    exit 2
  fi

  sh Start-SRR ${SRR_OPTIONS}
  STATUS=$?
  if [ ${STATUS} -ne 0 ] ; then
    exit ${STATUS}
  fi

  ####################################################################
  #
  # Tar up and uuencode the output. The SRR scripts write their
  # results to ${HOSTNAME} and ${HOSTNAME}.Log (hostname per uname -n).
  # With -f -, the uuencoded archive goes to stdout so that WebJob
  # captures and uploads it.
  #
  ####################################################################

  if [ "${OUT_FILE}"X = "-"X ] ; then
    tar ${TAR_OPTIONS} - ${HOSTNAME} ${HOSTNAME}.Log | uuencode ${HOSTNAME}.${TAR_EXTENSION}
  else
    tar ${TAR_OPTIONS} - ${HOSTNAME} ${HOSTNAME}.Log | uuencode ${HOSTNAME}.${TAR_EXTENSION} > ${OUT_FILE}
  fi
}

Main "$@"
--- runme ---
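Appendix 2

The following Python helper is an added example for this recipe (it is not part of WebJob or of DISA's SRR distribution): it performs step 3 for an entire %Y-%m directory on the server, taking each upload whose .rdy file is present, parsing the client ID, IP address and timestamp from the PutNameFormat name set in step 1f, decoding the uuencoded block in the .out file (everything Start-SRR printed before it is skipped) and unpacking the tar into a per-client, per-run directory, using Python's binascii and tarfile in place of the uudecode | tar pipeline. It assumes that the .rdy file marks a completed upload and treats tar member names as untrusted client input, refusing entries that would escape the target directory; build_sample_upload constructs a fake upload so the helper can be exercised without a WebJob server.

```python
import binascii
import io
import os
import tarfile
import tempfile

def uudecode(text):
    """Decode the uuencoded block in text (lines before 'begin' are SRR chatter on stdout)."""
    parts = ("\n" + text).split("\nbegin ", 1)
    if len(parts) != 2:
        raise ValueError("no uuencoded block found")
    body = (parts[1] + "\n").split("\nend\n", 1)[0].splitlines()[1:]   # drop rest of 'begin 644 name'
    return b"".join(binascii.a2b_uu(line) for line in body if line not in ("", "`"))

def extract_uploads(month_dir, dest_dir):
    """Unpack each completed upload in month_dir under dest_dir/cid/ts; return a summary list."""
    done = []
    for name in sorted(os.listdir(month_dir)):
        base, fields = name[:-4], name[:-4].split("_")   # %CID_%IP_%Y%m%d%H%M%S from step 1f
        if not (name.endswith(".out") and len(fields) == 3 and fields[2].isdigit()
                and os.path.exists(os.path.join(month_dir, base + ".rdy"))):
            continue        # not a PutNameFormat upload, or no .rdy yet (assumed completion marker)
        cid, ip, ts = fields
        with open(os.path.join(month_dir, name), errors="replace") as fh:
            payload = uudecode(fh.read())
        target = os.path.join(dest_dir, cid, ts)
        os.makedirs(target, exist_ok=True)
        with tarfile.open(fileobj=io.BytesIO(payload), mode="r:*") as tar:   # plain tar or runme -z tgz
            members = [mem.name for mem in tar.getmembers()]
            for path in members:               # names come from the client: refuse escapes
                if path.startswith("/") or ".." in path.split("/"):
                    raise ValueError("unsafe path %r in %s" % (path, name))
            tar.extractall(target)
        done.append((cid, ip, ts, members))
    return done

def build_sample_upload(base="client01_192.0.2.10_20051214171900"):
    """Constructed sample of what 'runme -f -' uploads from host srv1; returns (month_dir, base)."""
    month_dir, buf = tempfile.mkdtemp(), io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, body in (("srv1/report.txt", b"sample finding\n"), ("srv1.Log/Start-SRR.log", b"nocrack\n")):
            info = tarfile.TarInfo(path)
            info.size = len(body)
            tar.addfile(info, io.BytesIO(body))
    data = buf.getvalue()
    lines = [binascii.b2a_uu(data[i:i + 45]).decode() for i in range(0, len(data), 45)]
    with open(os.path.join(month_dir, base + ".out"), "w") as fh:
        fh.write("Start-SRR: running checks...\nbegin 644 srv1.tar\n" + "".join(lines) + "`\nend\n")
    open(os.path.join(month_dir, base + ".rdy"), "w").close()   # completion marker
    return month_dir, base
```

Run extract_uploads against ${WEBJOB_ROOT}/incoming/disa_srr_unix/%Y-%m and a scratch directory; each returned tuple names the client, its IP, the upload time and the hostname directories that were unpacked.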