DISA Stig Compliance in Hyperglance

Overview

While the relevant STIG's have been applied to each container, there are a number of additional steps to be taken to ensure that each container if fully compliant. These are detailed below their respective sections.

The specific checklists used can be downloaded under their appropriate sections.

Apache / httpd

There are 2 STIG checklists that target httpd/apache. The first STIG targets the server portion of the deployment, and the second targets any sites hosted on the server.

Specifically, the 2 STIG's that have been applied to the Apache / httpd container are:

  • Apache Server 2.4 UNIX Server Security Technical Implementation Guide :: Version 2, Release: 3 Benchmark Date: 27 Jan 2022

  • Apache Server 2.4 UNIX Site Security Technical Implementation Guide :: Version 2, Release: 2 Benchmark Date: 27 Jan 2022

The only  specific vulnerability id that requires customer intervention is V-214300, which states:

"The Apache web server must only accept client certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs)"

To ensure compliance with this, please place a Certificate Authority bundle named 'ca-bundle.crt' on the Hyperglance host at the location /var/lib/data/httpd/ssl/ca-bundle.crt

If this bundle is provided, the relevant configurations are applied on container start.

With the setting applied, all client connections that do not provide a DoD approved client certificate will be rejected.

Additionally, logs files are created and rotated on a regular basis. These should be ingested into your organisations centralised log management system to ensure compliance. These log files can be located at /var/lib/data/log/httpd/ on the Hyperglance host.

Apache Site STIG Checklist

Apache Server STIG Checklist

 
Postgresql

The checklist provided by the DoD targets psql9, while our current release container utilises psql15. The checklist contents did not have any version specific requirements, so they look to be compatible.

Postgresql utilises 2 main configuration files:

  • postgresql.conf - located in /x/x/x/x
  • pg_hba.conf - located in /x/x/x/

These configuration files have been modified to ensure STIG compliance. To enforce this, these 2 files are overwritten on each restart of the postgresql container with known-good configuration files. If there is a need to use a customised configuration, please place an empty file at the following location on the Hyperglance host: /var/lib/postgresql/15/main/use_custom_config

This will disable configuration check which could pose a compliance concern.

There are 4 vulnerability id's that remain open in the standard Hyperglance deployment, and will require manual intervention to rectify.

  • V-214117
  • V-214119
  • V-214153
  • V-214157

These vulnerability ids are concerned with the use of NIST certified FIPS modules and all require the same system configuration.

The configuration process is described in the following article: Enable FIPS modules in Hyperglance Containers

Additionally, there are a number of Vulnerability IDs that are Not Applicable to the standard Hyperglance deployment, but which you may want to address based on your organisations requirements.

These revolve around 3 key areas, which are not applicable to the Hyperglance provided deployment of postgresql.

  1. User management and controlling access/authorisation to the postgresql database.
    Hyperglance does not support or provide any mechanisms for the creation or management of additional users to the provided postgresql database. This database container is provided only to provide persistence for the Hyperglance application.

  2. Securing connections to the postgresql database and data in transit.
    For standard Hyperglance fucntionality, no non-local connections to the provided database are expected or supported. The standard postgresql configuration limits connections to the database to either local connections, or those originating from the Hyperglance wildfly container.

  3. Log Offloading
    The standard Hyperglance provided postgresql configuration writes logs to /var/lib/data/postgresql/logs on the host os, or at /var/lib/pgsql/logs from within the container. These logs are rotated weekly, with the oldest day being overwritten by the current day ( for example, Mondays logs will be overwritten by the proceeding Mondays logs). The provided logs should be ingested into your organisations centralised log management solution to ensure STIG compliance.

Postgresql STIG Checklist

Wildfly

Hyperglance utilises WildFly as the Java server to provide Hyperglance functionality. Wildfly is the upstream project for JBOSS. The installation provided by Hyperglance as part of the container stack is not intended to be user serviceable/manageable, and is configured in line with our product requirements. Due to this, many of the STIG vulnerability ids fall under Not Applicable.

The specific STIG that the Hyperglance installation of Wildfly was tested against is: JBoss Enterprise Application Platform 6.3 Security Technical Implementation Guide :: Version 2, Release: 3 Benchmark Date: 27 Jan 2022

Please note. By default, 2 vulnerability ID's are left open as they require a configuration update that is not included within the release containers. These are:
  • V-213496 - Java permissions must be set for hosted applications.
  • V-213497 - The Java Security Manager must be enabled for the JBoss application server.

The mitigation for these can be enabled by ensuring you have set USE_SECMGR=true in /var/lib/data/hyperglance/config.env. If this entry does not exist in previous installations, it can be appended to the config file. The container must be recreated for this to setting to take effect. This can be accomplished by running the following command:

sudo docker-compose -f /etc/docker-compose.yml up -d --force-recreate

To confirm that the configuration has been applied, please run the following command on your Hyperglance host:

sudo cat /var/lib/data/log/wildfly/server.log | grep secmgr

The output of this command should include -secmgr as part of the output, as shown below.

sun.java.command = /opt/wildfly/jboss-modules.jar -secmgr -mp /opt/wildfly/modules org.jboss.as.standalone -Djboss.home.dir=/opt/wildfly -Djboss.server.base.dir=/opt/wildfly/standalone -c standalone.xml

Additionally, as with the other containers, you should ensure that log files are ingested into your organisations central log management system. The log files can be located in the /var/lib/data/log/wildfly directory on the Hyperglance host.

JBoss STIG Checklist