A Secure Technical Implementation Guide (“STIG”) is a document published by the Department of Defense Cyber Exchange (DoD), which is sponsored by the Defense Information Systems Agency (DISA). It contains guidance on how to configure systems to defend against potential threats. These threats mainly include cyberattacks, but there can also be problems caused by the use of misconfigured systems.
The DISA STIG for Red Hat Enterprise Linux version 8 (“RHEL 8”) is available on GitHub. As there are 291 rules, implementation can be somewhat time-consuming (and error-prone). Luckily, while installing RHEL 8, you can select the DISA STIG security profile. This makes setting up a compliant server incredibly easy. This is incredible work by the Red Hat security team.
Some of the features of this security profile may be significantly stricter than the default configuration for RHEL 8. In particular, consider these three services:
Before you install the Gluu Server, you’ll need to do a base installation of RHEL 8. Here is a rough procedure:
1. Download rhel-8.4-x86_64.dvd.iso
2. Select Minimal Software installation
3. Manual Partition:
/ (rest of the space)
4. Security Profile: DISA STIG
5. Enable network and set a FQDN hostname
Once you have the base installation completed, don’t forget to connect to the RHEL package repository:
$ sudo su -
# subscription-manager register
Username: (your acct name)
# subscription-manager attach --auto
# yum upgrade
# mv RPM-GPG-KEY-GLUU /etc/pki/rpm-gpg/
# rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-GLUU
# dnf install gluu-server-fips-4.3.0.el8.x86_64.rpm
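The import and install steps above can be gated on a verified signature. The script below is an added example, not part of the original procedure or of Gluu's tooling. `dnf` only checks signatures on local RPM files when `localpkg_gpgcheck` is enabled, and `rpm -K` exits 0 for a package that carries no signature at all, so the script inspects the verdict text instead of the exit status. Assumptions: the function names `sig_status` and `verify_and_install` are hypothetical, the verdict wording is that of rpm 4.14 as shipped with RHEL 8, and the sample lines are constructed.

```shell
#!/bin/sh
# Added example: refuse to install a local RPM unless its GPG signature verified.

# Classify the one-line verdict printed by `rpm -K <file>` (rpm 4.14 wording, assumed).
sig_status() {
    case "$1" in
        *"NOT OK"*)                 echo bad ;;      # bad digest/signature, or signing key not imported
        *": digests signatures OK") echo signed ;;   # digests and signature both verified
        *": digests OK")            echo unsigned ;; # integrity only, no signature present
        *)                          echo unknown ;;  # anything else is treated as a failure
    esac
}

# Install only when the signature verified. $1 = path to the RPM file.
verify_and_install() {
    # LC_ALL=C keeps the verdict text in the wording matched above.
    verdict=$(LC_ALL=C rpm -K "$1" 2>&1)
    status=$(sig_status "$verdict")
    if [ "$status" != signed ]; then
        echo "refusing to install $1 ($status): $verdict" >&2
        return 1
    fi
    dnf install "$1"
}

# Constructed sample verdict lines (not captured from a real host).
SAMPLE_SIGNED='gluu-server-fips-4.3.0.el8.x86_64.rpm: digests signatures OK'
SAMPLE_NOKEY='gluu-server-fips-4.3.0.el8.x86_64.rpm: digests SIGNATURES NOT OK'
SAMPLE_UNSIGNED='gluu-server-fips-4.3.0.el8.x86_64.rpm: digests OK'

# Run as: sh verify-install.sh gluu-server-fips-4.3.0.el8.x86_64.rpm
if [ "$#" -eq 1 ]; then
    verify_and_install "$1"
fi
```

Run it as root after the `rpm --import` step. A `bad` verdict before the key is imported is expected, since rpm cannot verify a signature without the public key.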
After installing the package, navigate to /install/community-edition-setup, and run setup.py as normal. You’ll also need to open the local system firewall for HTTPS:
# firewall-cmd --zone=public --permanent --add-service=https
# firewall-cmd --reload
This distribution is based on open source components, and the binary is freely available. If your organization is interested in deploying a highly available cluster of these servers, you should reach out for more information about a VIP support subscription.