Yolinux.com Tutorial

Linux DoD NISPOM Chapter 8 Compliance:

This tutorial covers the configuration of Linux for US Department of Defense (DoD) National Industry Security Program Operating Manual (NISPOM) Chapter 8 compliance. This tutorial is for Red Hat Enterprise Linux 4. This distribution is supported by the Snare auditing kernel and supports PAM in a manner which can be configured for NISPOM Chapter 8 compliance.

Related YoLinux Tutorials:

  • Internet Security Configuration
  • Linux Security Tools
  • YoLinux Tutorials Index





DoD NISPOM Chapter 8:

NISPOM (National Industry Security Program Operating Manual) Chapter 8 is a computer security requirement developed by the US Department of Defense (DoD) and Department of Energy (DoE) and published by the Defense Security Service (DSS), which US defense contractors are required to meet when processing classified data on computers in a classified environment. Linux as issued by the major distributions does not meet this requirement in its default configuration.


BIOS and Hardware Configuration for NISPOM Compliance:

  • Configure the system to use a BIOS password to protect the BIOS settings. Note that the password must be chosen in accordance with SSP policy.
  • Set the system boot sequence to boot from the hard drive first or only boot from the hard drive. This will disallow recovery boot media which can be used to modify the root user password or create a second system admin account which can compromise the system.


Linux System Configuration for NISPOM Compliance:

  • Set the GRUB boot loader password:
    This can be set during OS installation or by editing /etc/grub.conf (a symbolic link to /boot/grub/grub.conf; /boot/grub/menu.lst is the same file)

    1. Use the command "grub" to enter the grub shell and generate the password hash:
      # grub
      Probing devices to guess BIOS drives. This may take a long time.

          GNU GRUB  version 0.95  (640K lower / 3072K upper memory)

       [ Minimal BASH-like line editing is supported.  For the first word, TAB
         lists possible command completions.  Anywhere else TAB lists the possible
         completions of a device/filename.]
      grub> md5crypt
      Password: supersecret
      Encrypted: $1$0IgDW1$ZNL./S6N1d6xGbUmcUzw/1
      grub> quit

      Note that the password must be chosen in accordance with SSP policy.
    2. Before the first "title" entry, add the two lines:
      passwd --md5
      $1$0IgDW1$ZNL./S6N1d6xGbUmcUzw/1

      Copy the encrypted character sequence from the previous step and put it on the line following the "passwd --md5" statement in the file /etc/grub.conf.

      Note: This is an example for GRUB 0.95, which uses the directive "passwd". The directive for GRUB 0.97 is "password".

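The GRUB edit above is easy to get wrong by hand (the stanza must precede the first "title" entry, and a second password line would silently shadow the first). The following shell functions are an added example, not code from the YoLinux tutorial: they insert the GRUB 0.95 "passwd --md5" stanza into a grub.conf and check whether a password directive is present. The file path and the hash are passed as arguments; the hash is the value produced by the grub shell's md5crypt command, and the example assumes you first work on a copy of the real file.

```sh
#!/bin/sh
# Added example, not from the YoLinux tutorial. Inserts the GRUB 0.95
# "passwd --md5" stanza before the first "title" entry of a grub.conf,
# refusing to run if a password directive is already present.
# Assumptions: $1 is the path to grub.conf (work on a copy first),
# $2 is the MD5 hash produced by the grub shell's md5crypt command.

# Exit status 0 if the grub.conf at $1 already carries a password directive.
# Matches both "passwd" (GRUB 0.95) and "password" (GRUB 0.97).
grub_password_set() {
    grep -Eq '^[[:space:]]*passw(or)?d[[:space:]]' "$1"
}

add_grub_password() {
    conf="$1"
    hash="$2"
    # A second password line would shadow the first; refuse rather than duplicate.
    if grub_password_set "$conf"; then
        echo "$conf: a GRUB password is already configured" >&2
        return 1
    fi
    tmp="$conf.tmp"
    # Emit the two-line stanza exactly once, immediately before the first "title".
    awk -v h="$hash" '
        !done && /^[[:space:]]*title/ { print "passwd --md5"; print h; done = 1 }
        { print }
    ' "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# Typical use (on a copy of the real file):
#   cp /boot/grub/grub.conf /tmp/grub.conf
#   add_grub_password /tmp/grub.conf '$1$0IgDW1$ZNL./S6N1d6xGbUmcUzw/1'
```

After the edit, run grub_password_set against the file as a post-check; it is also a cheap compliance test to run across a fleet, since it returns non-zero on any grub.conf that has no password line at all.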
  • Configure SysLog:
    Add the following lines to /etc/syslog.conf
    ...

    # Log authentication history
    auth.* /var/log/authlog

    ...
    Restart the system logger so that it re-reads its configuration:
    • [root]# ps -auxw | grep syslogd
    • [root]# kill -HUP process-id-of-syslogd
    This will record login failures and account lockouts in the file /var/log/authlog.

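Collecting the auth facility into /var/log/authlog is only useful if someone looks at it. As an added example (not part of the YoLinux tutorial), the shell functions below count failed logins per user from lines of the kind that rule records: PAM "authentication failure ... user=NAME" records and login(1) "FAILED LOGIN ... FOR NAME," records. The sample log lines, the host name node1 and the 192.0.2.x addresses are constructed for the example.

```sh
#!/bin/sh
# Added example, not from the YoLinux tutorial. Counts failed logins per user
# from syslog "auth" lines of the kind the auth.* rule writes to /var/log/authlog.

# Constructed sample of /var/log/authlog (host "node1", addresses from the
# 192.0.2.0/24 documentation range); stands in for the real file here.
sample_authlog() {
    cat <<'EOF'
Jan 10 10:00:01 node1 sshd[1234]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.5 user=alice
Jan 10 10:00:04 node1 sshd[1234]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.5 user=alice
Jan 10 10:01:10 node1 login[1250]: FAILED LOGIN 1 FROM (null) FOR bob, Authentication failure
Jan 10 10:02:00 node1 sshd[1300]: Accepted password for alice from 192.0.2.7 port 4022 ssh2
EOF
}

# Usage: failed_logins_by_user [threshold] < authlog
# Prints "count user" for every user with at least <threshold> failures
# (default 1), most failures first. Successful logins are ignored.
failed_logins_by_user() {
    awk -v threshold="${1:-1}" '
        # PAM records: the user is in a "user=NAME" token (skip empty user=)
        /authentication failure/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^user=./) { u = $i; sub(/^user=/, "", u); count[u]++ }
        }
        # login(1) records: the user follows "FOR" and carries a trailing comma
        /FAILED LOGIN/ {
            for (i = 1; i <= NF; i++)
                if ($i == "FOR") { u = $(i + 1); sub(/,$/, "", u); count[u]++ }
        }
        END { for (u in count) if (count[u] >= threshold) print count[u], u }
    ' | sort -rn
}

# Demonstration on the constructed sample; against the live file use e.g.
#   failed_logins_by_user 5 < /var/log/authlog
sample_authlog | failed_logins_by_user
```

Because the PAM failure line and the login(1) line differ only in capitalisation ("authentication failure" versus "Authentication failure"), the two awk patterns do not double count a single event.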
  • Configure PAM: /etc/pam.d/system-auth
    • Login authentication should allow only five failed login attempts:
      ...

      password    requisite     /lib/security/$ISA/pam_cracklib.so retry=5

      ...
    • Set password length and complexity with pam_cracklib options:
      • minlen: Minimum password length, e.g. minlen=8
      • difok: Minimum number of characters by which a new password must differ from the previous password.
      • lcredit, ucredit, dcredit, ocredit: (lower, upper, digit, other) Credit given toward the password complexity score for each character class used in the chosen password.
    • Do not allow blank passwords:
      Change from the default:
      ...

      auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok

      ...

      password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow

      ...
      To:
      ...

      auth sufficient /lib/security/$ISA/pam_unix.so likeauth

      ...

      password sufficient /lib/security/$ISA/pam_unix.so use_authtok md5 shadow

      ...
      Remove the directive "nullok" from both lines; it allows an account with an empty password field to authenticate.
    • Use encryption and file access restrictions to manage passwords.
      For a network of Linux computers use central authentication (NIS or LDAP). See the YoLinux LDAP authentication tutorial. For a single system use local encrypted passwords (md5 password requirement set in file /etc/pam.d/system-auth) and the shadow password file (/etc/shadow set to chmod 400). This of course is the default behavior of most distributions such as Red Hat or Fedora Core.
      ...

      password sufficient /lib/security/$ISA/pam_unix.so use_authtok md5 shadow
      password required /lib/security/$ISA/pam_deny.so

      ...

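Editing system-auth by hand across many hosts is error-prone, and the "nullok" option is the change most often missed. The following shell functions are an added example, not code from the YoLinux tutorial: one reports pam_unix.so lines that still accept empty passwords, the other strips "nullok" (and the related "nullok_secure") from pam_unix.so lines only, leaving every other module and option untouched. The functions take the path of the file to operate on; the example assumes you work on a copy of /etc/pam.d/system-auth.

```sh
#!/bin/sh
# Added example, not from the YoLinux tutorial. Removes the "nullok" option
# from pam_unix.so lines of a PAM configuration file and checks for lines
# that still accept empty passwords. Assumption: $1 is the path to a copy
# of /etc/pam.d/system-auth.

# Exit status 0 (and prints the offending lines) if some pam_unix.so line
# still carries nullok or nullok_secure; exit status 1 if none does.
pam_allows_blank_password() {
    grep -E 'pam_unix\.so.*[[:space:]]nullok(_secure)?([[:space:]]|$)' "$1"
}

# Strip the nullok / nullok_secure tokens from pam_unix.so lines only.
# Group 2 preserves the separator that followed the token, so the rest of
# the option list keeps its spacing.
strip_nullok() {
    f="$1"
    tmp="$f.tmp"
    sed -E '/pam_unix\.so/ s/[[:space:]]+nullok(_secure)?([[:space:]]|$)/\2/g' "$f" > "$tmp" \
        && mv "$tmp" "$f"
}

# Typical use (on a copy of the real file):
#   cp /etc/pam.d/system-auth /tmp/system-auth
#   strip_nullok /tmp/system-auth
#   pam_allows_blank_password /tmp/system-auth || echo "no blank passwords accepted"
```

Run pam_allows_blank_password both before and after the change: before, it should list the auth and password lines shown in the tutorial; after, it should print nothing and return non-zero, which makes it usable as a one-line compliance check.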
  • Configure Login Expiration:
    • New accounts take their defaults from the configuration file: /etc/login.defs
      ...

      PASS_MAX_DAYS 90

      ...
      Change from the default PASS_MAX_DAYS 99999.
      This applies if you are using local password file authentication. If using an authentication server (LDAP, NIS, ...) then configure it appropriately.
    • Existing accounts can have their defaults set with the command: chage -M 90 userID
    Note that your security policy may differ from 90 days.

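Changing /etc/login.defs only affects accounts created afterwards, so existing accounts must be found and fixed individually with chage. As an added example (not from the YoLinux tutorial), the shell functions below audit a shadow-format file for accounts whose maximum password age is unset or longer than the policy limit, and print the matching chage commands as a dry run. The file path and the limit are arguments; the shadow entries in the test are constructed.

```sh
#!/bin/sh
# Added example, not from the YoLinux tutorial. Audits a shadow-format file
# for accounts whose password maximum age is unset or longer than policy and
# prints the corresponding "chage -M" commands without running them.
# Assumptions: $1 is the path to a shadow-format file (a copy of /etc/shadow),
# $2 is the policy limit in days (the tutorial uses 90).

# Print one user name per line for accounts with a usable password whose
# field 5 (maximum days, what chage -M sets) is empty or exceeds the limit.
stale_max_days() {
    awk -F: -v limit="$2" '
        # Locked or disabled accounts (hash starts with ! or *) cannot log in
        # with a password, so password ageing does not apply to them.
        $2 ~ /^[!*]/ { next }
        $5 == "" || $5 + 0 > limit { print $1 }
    ' "$1"
}

# Print the remediation commands (dry run); pipe the output to sh to apply.
max_days_fix_commands() {
    stale_max_days "$1" "$2" | while read -r user; do
        echo "chage -M $2 $user"
    done
}

# Typical use:
#   max_days_fix_commands /etc/shadow 90          # review
#   max_days_fix_commands /etc/shadow 90 | sh     # apply as root
```

The dry run matters here: chage -M on a service account whose password is locked is harmless, but the audit deliberately skips locked accounts so the output lists only accounts where the age limit is actually enforceable.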
  • Require root password for single user mode:
    Edit file: /etc/inittab
    ...
    si::wait:/etc/rc.d/rc.sysinit
    su:S:wait:/sbin/sulogin /dev/console
    ...
    Add the second line (the sulogin entry) after the rc.sysinit entry.
  • Clear the login field on the GUI login screen:
    Edit file: /etc/X11/gdm/gdm.conf
    ...

    Greeter=/usr/bin/gdmlogin

    ...

    DisplayLastLogin=false

    ...

    Welcome=DoD message goes here ...
    Add the DisplayLastLogin=false line so that the greeter does not pre-fill the name of the last user who logged in.


Greeting Banners and Messages:

The DoD requires user warnings about authorized use of the system.

  • Telnet greeting message: Edit file /etc/issue
  • Secure shell login greeting message: Edit file /etc/ssh/sshd_config
    Edit/enable the line: Banner /etc/issue
    Restart sshd: service sshd restart
  • vsftpd greeting message: Edit file /etc/vsftpd/vsftpd.conf
    Edit/enable the line: ftpd_banner=Welcome to Node1 FTP service
    (Also disable anonymous FTP: anonymous_enable=NO)
    Restart vsftpd: service vsftpd restart
  • GDM login message: Edit /etc/X11/gdm/gdm.conf as shown above. Configure "Welcome" option.


Snare Auditing Kernel:

Snare (System iNtrusion Analysis & Reporting Environment) provides a central collection, analysis, reporting and archival capability for a variety of operating systems, appliances, and servers.

This is required for Red Hat Enterprise 4. Newer releases of Red Hat have built-in auditing which does not require the Snare kernel.


Snare Agent (Client):

Installation:

  • Download the Snare Linux Kernel from IntersectAlliance.com.
    Available for Red Hat Enterprise, Fedora, Debian and Ubuntu.
  • For Red Hat Enterprise 4 download:
    • kernel-2.6.9-34_snare.EL.i686.rpm
      (Also available in smp or hugemem versions)
    • snare-core-0.9.8-1_RHEL4.i386.rpm
      (Audit daemon)
    • kernel-devel-2.6.9-34_snare.EL.i686.rpm
      (Kernel source. Required if you install NVidia drivers, Clearcase or anything which creates a loadable module or kernel interface.)
  • Install: rpm -ivh kernel-2.6.9-34_snare.EL.i686.rpm snare-core-0.9.8-1_RHEL4.i386.rpm kernel-devel-2.6.9-34_snare.EL.i686.rpm

Configuration:

  • Edit /etc/grub.conf to pick the Snare kernel as the default kernel upon system boot. See YoLinux Grub boot loader configuration.
  • Edit file: /etc/audit/audit.conf
    This is the configuration file for the audit daemon.
    [Remote]
    allow=1
    listen_port=6161

    [Output]
    file=/var/log/audit/audit.log
    network=192.168.10.99:514
    syslog=3

    [Objectives]
    ...

    [HostID]
    name=host-name-goes-here
    In the [Remote] section change "allow=0" to "allow=1".
  • Reboot the system to load the Snare kernel.
    As root, issue the command: shutdown -r now
  • Launch a web browser (e.g. Firefox) and enter the following URL: http://localhost:6161
    1. Select "Network Configuration"
    2. Enter configuration values:
      • Client name: host-name-goes-here
      • Destination IP address: (snare server) 192.168.XXX.XXX
      • UDP port: 514 (default)
      • Destination fileName: /var/log/audit.log (default)
      • Audit to STDOUT: (box not checked)
      • SYSLOG Facility (optional): Kernel (default)
      • SYSLOG Priority (optional): Error
  • Restart Snare audit daemon to pick-up new configuration: service snare restart


Snare Auditing/Reporting Server:

Buy IntersectAlliance.com's Snare Server appliance or download the Snare Micro-Server (download and build from GPL source).




Copyright © 2006 YoLinux.com