Merge pull request #41 from cmckee786/patching

kolkhis · web-flow · commit e092c1203291 · 2025-04-07T15:10:49.000-04:00
fixed/add: added .txt for u2_lab,  fixed malformed .txt output
diff --git a/src/assets/downloads/u2/u2_lab.txt b/src/assets/downloads/u2/u2_lab.txt
@@ -0,0 +1,131 @@
+﻿Unit 2 Lab – Network Standards and
+Compliance
+
+Required Materials
+
+Putty or other connection tool Lab Server
+Root or sudo command access
+STIG Viewer 2.18 (download from https://public.cyber.mil/stigs/downloads/ )
+
+
+EXERCISES (Warmup to quickly run through your system and familiarize yourself)
+
+1. sysctl -a | grep -i ipv4 | grep -i forward
+   1. Does this system appear to be set to forward? Why or why not?
+2. sysctl -a | grep -i ipv4 | grep -i martian
+   1. What are martians and is this system allowing them?
+3. sysctl -a | grep -i panic
+   1. How does this system handle panics?
+4. sysctl -a | grep -i crypto
+   1. What are the settings you see? Is FIPS enabled?
+5. cat /proc/cmdline
+6. fips-mode-setup --check
+7. sestatus
+8. cat /etc/selinux/config
+   1. What information about the security posture of the system can you see here?
+      1. Can you verify SELINUX status?
+      2. Can you verify FIPS status?
+
+PreLAB
+
+Download the STIG Viewer 2.18 from - https://public.cyber.mil/stigs/downloads/
+Download the STIG for RHEL 9 and the import it into your STIG viewer
+Create a checklist from the opened STIG for RHEL 9
+
+LAB
+
+This lab is designed to have the engineer practice securing a Linux server or service against a set of configuration standards. These standards are sometimes called benchmarks, checklists, or guidelines. The engineer will be using STIG Viewer 2.18 to complete this lab.
+
+Network Service configuration:
+
+1. Connect to a hammer server
+2. Filter by ipv4 and see how many STIGS you have.
+3. Examine STIG V-257957
+   1. What is the problem?
+   2. What is the fix?
+   3. What type of control is being implemented?
+4. Is it set properly on your system?
+   1. sysctl -a | grep -i ipv4 | grep -i syncookies
+   2. Can you remediate this finding?
+
+In this case it’s already correctly set.
+
+But if we needed to, we would set that value in /etc/sysctl.d/00- remediate.conf
+And then reload sysctl with `sysctl --system`
+
+5. Check and remediate V-257958 STIG
+	1. What is the problem?
+	2. What is the fix?
+   	3. What type of control is being implemented?
+	4. Is it set properly on your system?
+	5. How would you go about remediating this on your system?
+
+6. Check and remediate V-257960 and V-257961 STIGs
+	1. What is the problem? How are they related?
+	2. What is the fix?
+	3. What type of control is being implemented?
+	4. Is it set properly on your system?
+7. Filter by firewall
+	1. How many STIGS do you see?
+	2. What do these STIGS appear to be trying to do? What types of controls are they?
+
+
+Firewall port exposure
+
+Your team needs to use node_exporter with Prometheus to allow scraping of system information back to your network monitoring solution. You are running a firewall, so you need to expose the port that node_exporter runs on to the network outside of your system.
+
+7. Expose a network port through your firewall
+         1. Verify that your firewall is running systemctl status firewalld
+         2. Verify that your firewall has the service defined firewall-cmd --get-services | grep -i node
+ls /usr/lib/firewalld/services | grep -i node
+         3. Verify that the service is not currently enabled for node_exporter firewall-cmd --list-services
+         4. Examine the structure of the firewall .xml file
+cat /usr/lib/firewalld/services/prometheus-node-exporter.xml
+         5. Enable the service through your firewall
+firewall-cmd --permanent --add-service=prometheus-node-exporter firewall-cmd --reload
+         6. Verify that the service is currently enabled for node_exporter firewall-cmd --list-services
+
+Automate STIG remediation on a system
+
+There are many options and the STIG remediation steps are well known. Here the learner will examine a few ways to generate Ansible and Shell fixes to your system. Then one can apply all of them, or just
+some of them. This is the real value of a security engineer focused Linux engineer, the tradeoff between security and productivity.
+
+8. Download and extract a STIG remediation tool
+
+cd /root mkdir stigs cd stigs
+wget -O U_RHEL_9_V2R3_STIG_Ansible.zip https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_9_V2R3_STIG_Ansible.zip
+unzip U_RHEL_9_V2R3_STIG_Ansible.zip 
+mkdir ansible
+cp rhel9STIG-ansible.zip ansible/ 
+cd ansible
+unzip rhel9STIG-ansible.zip
+
+
+9. Examine the default values for stigs
+
+vim /root/stigs/ansible/roles/rhel9STIG/defaults/main.yml
+
+Search for a few of the STIG numbers you used earlier and see their default values. 
+	#use /257784 to search
+
+10. Examine the playbook to see how those are applied in a running system.
+
+vim /root/stigs/ansible/roles/rhel9STIG/tasks/main.yml
+
+#use /257784 to search for the STIG from above and see how it is fixed in the playbook.
+
+11. Create an Ansible playbook from openscap.
+
+dnf -y install openscap-scanner openscap-utils openscap-scanner scap-security-guide
+
+#Generate the Ansible
+oscap xccdf generate fix --profile ospp --fix-type ansible /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml > draft-disa-remediate.yml
+
+#Examine the file
+vim draft-disa-remediate.yml
+
+#Generate a BASH version
+oscap xccdf generate fix --profile ospp --fix-type bash /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml > draft-disa-remediate.sh
+
+#Examine the file
+vim draf-disa-remediate.sh
