EMC® VNX™

Using nas_stig Utility on VNX

Version 7.1

Technical Notes
P/N 300-013-819 Rev 01

July 2012

These technical notes contain information about the EMC VNX nas_stig
script that begins with version 7.1.
Topics include:
◆ About STIG............................................................................................ 2
◆ Using nas_stig ....................................................................................... 2

1
About STIG

About STIG
A Security Technical Implementation Guide (STIG) defines a
configuration and maintenance standardS for computer deployments
required by the US Department of Defense (DoD) Information
Assurance (IA) program. These guidelines are designed to enhance
security settings and configuration options before the systems are
connected to a network. More information about the various STIGs is
available at http://iase.disa.mil/stigs/index.html.
The EMC VNX nas_stig command initiates a script that changes
Control Station settings according to the Linux STIG. The nas_stig
command provides a simple and automated mechanism to apply
these changes. These changes can also be undone if there is a
requirement to do so at a later date (for example, to troubleshoot an
operational issue).

! CAUTION
While the changes implemented by the nas_stig script can be
undone, not all Control Station settings are returned to their prior
values. Some settings return to their default values.

Using nas_stig
The nas_stig command is available in the /nas/tools directory. Log
in as root user to use this command.

Command syntax Manages DoD IA security settings and configuration options on the
Control Station:
nas_stig
-on
| -off
| -status
| -verify
| -version

-on
Initiates a script that changes settings on the Control Station.

2 Using the nas_stig Utility on VNX

 Using nas_stig

Note: If your VNX is configured with two Control Stations, the nas_stig
script should be run on each Control Station, as described in “Running
nas_stig on a second Control Station” on page 7.

-off
Returns all Control Station settings to their default state.

Note: Any modifications that you may have made manually to the default
Control Station settings are lost when you execute nas_stig -off.

-status
Displays the current state of the Control Station. For example, if the
nas_stig script has been run and the date and time it was performed.
-verify
This option has not been implemented.
-version
Displays the current version of the nas_stig utility.

Examples To initiate the nas_stig script, type:

# /nas/tools/nas_stig -on
Aug 25 18:07:53 Stig-on operation started
Aug 25 18:07:53 Changing permissions for the doc/man
files...
Aug 25 18:07:57 Files modification started
Shutting down kernel logger: [ OK ]
Shutting down system logger: [ OK ]
Starting system logger: [ OK ]
Starting kernel logger: [ OK ]
Stopping sshd: [ OK ]
Starting sshd: [ OK ]
Shutting down sendmail: [ OK ]
Shutting down sm-client: [ OK ]
Starting sendmail: [ OK ]
Starting sm-client: [ OK ]
Stopping xinetd: [ OK ]
Starting xinetd: [ OK ]
Aug 25 18:07:58 Files modification completed
Password policy has been changed. To prevent any critical
accounts to be locked please set a new passwords for them
right now
Aug 25 18:07:59 Stig-on operation completed

To return all Control Station settings to their default values, type:

# /nas/tools/nas_stig -off

Using the nas_stig Utility on VNX 3

Using nas_stig

Aug 25 18:07:13 Stig-off operation started

Aug 25 18:07:14 Files modification started
Shutting down kernel logger: [ OK ]
Shutting down system logger: [ OK ]
Starting system logger: [ OK ]
Starting kernel logger: [ OK ]
Stopping sshd: [ OK ]
Starting sshd: [ OK ]
Restore /usr/sbin/tcpdump from the backup or other Linux
system if needed for troubleshooting
Shutting down sendmail: [ OK ]
Shutting down sm-client: [ OK ]
Starting sendmail: [ OK ]
Starting sm-client: [ OK ]
Stopping xinetd: [ OK ]
Starting xinetd: [ OK ]
Aug 25 18:07:16 Files modification completed
Aug 25 18:07:16 Stig-off operation completed

To verify if the nas_stig has been run on the Control Station, type:
# /nas/tools/nas_stig -status
STIG ON operation has been performed on Aug 01 22:41:35

To display the current version of the nas_stig utility, type:

# /nas/tools/nas_stig -version
2.0

Control Station The nas_stig script makes the following changes to Control Station
changes settings:
◆ Changes the permissions and modifies ownership of certain files,
including assigning root credentials to all files whose owner’s
UID is not associated with a valid system identity
◆ Changes the password policy. The password must be 14
characters in length including one special character, one
lower-case letter, one upper-case letter, and one digit.
◆ Restricts root login access to the Control Station
◆ Modifies IP settings in the /etc/sysctl.conf file
◆ Deletes /usr/sbin/tcpdump

Note: To retain /usr/sbin/tcpdump, back it up prior to running the

nas_stig script or copy it from another system after running the nas_stig
script.

4 Using the nas_stig Utility on VNX

 Using nas_stig

◆ Enables a TCP wrapper and disallows all services except SSH

◆ Changes the login announcement to declare USG compliance

On the following files, permissions and ownership are changed, so

that the owner has read/write permission, the group has read
permission, and others are given read access:
File permission and
ownership changes /usr/share/man/man1/*
/usr/share/man/man5/*
/usr/share/man/man8/*
/usr/share/doc/setserial-2.17/*
/usr/share/doc/bash-3.2/misc/*
/usr/share/doc/bash-3.2/scripts/*
/usr/share/doc/iproute-2.4.7/examples/*
/usr/share/doc/lm_sensors-2.5.5/developers/*
/usr/share/doc/procmail-3.21/examples/*
/usr/share/doc/words-3.0/*
/usr/share/doc/ppp-2.4.4/scripts/*
/usr/share/doc/lilo-21.4.4/doc/*
/usr/share/doc/stunnel-4.15/*
/usr/share/doc/rxvt-2.7.6/*
/usr/share/doc/dhcpcd-1.3.18pl8/*
/usr/share/doc/lynx-2.8.5/samples/*
/usr/share/doc/mod_perl-2.0.2/eg/*
/usr/share/doc/pygtk-0.6.8/examples/glade/*
/usr/share/doc/pygtk-0.6.8/examples/ide/*
/usr/share/doc/pygtk-0.6.8/examples/imlib/*
/usr/share/doc/pygtk-0.6.8/examples/neil/*
/usr/share/doc/pygtk-0.6.8/examples/simple/*
/usr/share/doc/pygtk-0.6.8/examples/testgtk/*
/usr/share/doc/pygnome-1.4.1/examples/*
/usr/share/doc/ucd-snmp-4.2.3/*
/home/nasadmin/.[b,s]*
/nbsnas/sys/emccelerra.mib
/nbsnas/sys/powernet361.mib
/etc/syslog.conf
/etc/security/access.conf

Using the nas_stig Utility on VNX 5

Using nas_stig

On the following files, permissions and ownership are changed, so

that the owner has read/write permission and others are given read
access:
/etc/cron.daily/0anacron
/etc/cron.daily/makewhatis.cron
/etc/cron.daily/rpm
/etc/cron.daily/slocate.cron
/etc/cron.daily/sysstat
/etc/cron.daily/tmpwatch
/etc/cron.d/sysstat
/etc/cron.hourly/logrotate
/etc/cron.weekly/0anacron
/etc/cron.weekly/makewhatis.cron
/etc/cron.monthly/0anacron
/nas/site/cron.d/nas_sys
/nas/site/cron.d/nas_user
/etc/sysctl.conf
On the /var/sadm/pkg/emcnas/install/* file, ownership is changed
from UID/GID 4294967294/4294967294 to root/root.

Password policy The Control Station administrative user password policy is changed
changes to the following:
◆ Password must be a minimum of nine characters and include at
least two uppercase characters, two lowercase characters, two
digits, and two special characters.
◆ Passwords must be changed every 60 days and not more than
once in 24 hours.
◆ A password history file will be used, so that old passwords
cannot be reused.

Note: If the VNX has been running over 60 days when the password policy is
changed, you are requested to change your password upon your first login
attempt. After creating a new password, your connection to the VNX is
disconnected. However, you will be able to use your new password
successfully on a subsequent login. Currently, you can only change the
password by using the command line interface (CLI) accessing the Control
Station with a SSH connection.

Root login changes The nas_stig script restricts root login access to the Control Station to
a console. While remote root login is not allowed, it is possible to log
in remotely as a regular administrative user and then switch to root.

6 Using the nas_stig Utility on VNX

 Using nas_stig

IP changes The /etc/sysctl.conf file is changed as follows:

◆ net.ipv4.tcp_max_syn_backlog is set to a larger value (1280
instead of 1024) to reduce the risk from SYN flood attacks
◆ net.ipv4.icmp_echo_ignore_broadcasts is set to disable ICMP
response to a ping.

TCP changes The nas_stig script closes all network services in /etc/hosts.deny and
allows the use of SSH in /etc/hosts.allow.
The TCP wrapper affects only Linux default services, such as telnet,
finger, ftp, exec, rsh, rlogin, tftp, talk, comsat, and other services that
have a one-to-one mapping to executable files. The VNX functionality
is not affected.

Running nas_stig on If your VNX is configured with two Control Stations, the nas_stig
a second Control script should be run on each Control Station. To run nas_stig on a
Station secondary Control Station:
1. Log in to the secondary Control Station. You must be root user to
use the nas_stig command.
2. To become the primary Control Station, type:
# /nasmcd/sbin/cs_standby -takeover

3. To initiate the nas_stig script on this Control Station, type:

# /nas/tools/nas_stig -on

4. To verify that the Control Station in slot 0 is up, type:

# /nas/sbin/getreason

5. If necessary, to fail back the primary Control Station to slot 0,

type:
# /nasmcd/sbin/cs_standby -failover

Using the nas_stig Utility on VNX 7

Using nas_stig

Copyright © 2012 EMC Corporation. All rights reserved.

EMC believes the information in this publication is accurate as of its publication date. The information is
subject to change without notice.

THE INFORMATION IN THIS PUBLICATION IS PROVIDED “AS IS.” EMC CORPORATION MAKES NO
REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN
THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Use, copying, and distribution of any EMC software described in this publication requires an applicable
software license.

For the most up-to-date regulatory document for your product line, go to the Technical Documentation and
Advisories section on EMC Powerlink.

For the most up-to-date listing of EMC product names, see EMC Corporation Trademarks on EMC.com.

All other trademarks used herein are the property of their respective owners.

8 Using the nas_stig Utility on VNX