Original URL: https://trevorsmale.github.io/techblog/post/psc1/

Intro 👋

I’ve just started a new Security Engineering course created by Scott Champine through ProLUG. As a graduate of his Linux Administration course and an active contributor to the Professional Linux User Group, I felt compelled to make time for this new course—I’ve learned a great deal from his teachings in the past.

Worksheet

`Discussion Post 1`

Question

What is Security?

Answer

In regards to Cyber Security, Integrating protective measures throughout the system lifecycle to ensure the system maintains its mission/operational effectiveness, even in the presence of adversarial threats.

Question

Describe the CIA Triad.

Answer

The CIA Triad is a core model in systems security engineering.

Confidentiality – Preventing unauthorized disclosure of system data or resources, often enforced through access control, encryption, and information flow policies.
Integrity – Ensuring that system data and operations are not altered in an unauthorized or undetected way, including protection against both accidental and intentional modification.
Availability – Ensuring reliable access to system services and resources when required, even under attack or component failure.

Question

What is the relationship between Authority, Will, and Force as they relate to security?

Answer

In systems security engineering:

Authority is derived from policy and design requirements—what the system must enforce according to mission objectives, laws, or standards.
Will represents the commitment of system stakeholders to implement and maintain security measures.
Force is the application of engineered mechanisms—technical, administrative, or procedural—that ensure security objectives are realized in practice.

Question

What are the types of controls and how do they relate to the above question?

Answer

In systems security engineering, controls are safeguards built into the system to achieve security objectives. They align with Authority, Will, and Force as follows:

Administrative Controls – Derived from organizational policy (Authority) and guide design, personnel roles, and security governance.
Technical Controls – Engineered into the system as part of architecture and software/hardware features (Force), e.g., encryption, access enforcement, secure boot.
Operational Controls – Rely on human procedures and configurations to maintain secure operations (Will and Force), such as patch management and monitoring.
Physical Controls – Provide physical protection to system components (Force), e.g., secure facilities or tamper-evident hardware.

`Discussion Post 2`

Intro to the scenario[^3]

Find a STIG or compliance requirement that you do not agree is necessary for a server or service build.

Question

What is the STIG or compliance requirement trying to do?

Answer The compliance requirement encourages users to set up automated CVE patch updates from trusted providers within a 24-hour timeframe.

Question

What category and type of control is it?

Answer
This STIG is an administrative control. Since it is not built into the system by default, it must be applied and managed manually.

Question

Defend why you think it is not necessary. (What type of defenses do you think you could present?

Answer Initially, I found it difficult to identify a STIG procedural that I disagreed with. However, after extensive review, I selected this one. I believe automated patching is not ideal, especially for production systems. Patches can introduce unexpected behaviors in dependent systems. Additionally, relying on automation can foster complacency or a lack of awareness over time.

STIG


Apache Server 2.4 UNIX Server Security Technical Implementation Guide :: Version 3, Release: 2 Benchmark Date: 30 Jan 2025
Vul ID: V-214270 Rule ID: SV-214270r961683_rule STIG ID: AS24-U1-000930
Severity: CAT II Classification: Unclass Legacy IDs: V-92749; SV-102837
Group Title: SRG-APP-000456-WSR-000187
Rule Title: The Apache web server must install security-relevant software updates within the configured time period directed by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs).
Discussion: Security flaws with software applications are discovered daily. Vendors are constantly updating and patching their products to address newly discovered security vulnerabilities. Organizations (including any contractor to the organization) are required to promptly install security-relevant software updates (e.g., patches, service packs, and hot fixes). Flaws discovered during security assessments, continuous monitoring, incident response activities, or information system error handling must also be addressed expeditiously.
The Apache web server will be configured to check for and install security-relevant software updates from an authoritative source within an identified time period from the availability of the update. By default, this time period will be every 24 hours.
Check Text: Determine the most recent patch level of the Apache Web Server 2.4 software, as posted on the Apache HTTP Server Project website. If the Apache installation is a proprietary installation supporting an application and is supported by a vendor, determine the most recent patch level of the vendor’s installation.
In a command line, type "httpd -v".
If the version is more than one version behind the most recent patch level, this is a finding.

Definitions

CIA Triad Core principles of security — Confidentiality, Integrity, and Availability — guiding protection of information systems.
Regulatory Compliance Adhering to laws and regulations governing data privacy, security, and operational practices.
HIPAA U.S. healthcare regulation enforcing privacy and security of patient health information.
Industry Standards Best practices and technical guidelines agreed upon within specific industries to ensure consistency and security.
PCI/DSS Payment Card Industry Data Security Standard for protecting cardholder data during processing, storage, and transmission.
Security Frameworks Structured guidelines for managing cybersecurity risks and controls within organizations.
CIS Center for Internet Security provides globally recognized benchmarks and security controls.
STIG Security Technical Implementation Guide — DoD configuration standards for securing IT systems and software.

Lab 🧪🥼

MariaDB STIG Remediation Lab – Q&A Format

Signing into Remote Host

Question

How do you connect to the remote host?

Answer

ssh mchammer@prolug.asuscomm.com with password SecLab12#$5

Initial Setup

Question

What tools should be installed?

Answer

tmux and vim via dnf install tmux vim -y

Question

Why use tmux?

Answer

To persist sessions (e.g., for using nohup).

Installing and Verifying MariaDB

Question

How is MariaDB installed and started?

Answer

dnf install mariadb-server, then start and verify with:

systemctl start mariadb
systemctl status mariadb
ss -ntulp | grep 3306

Question

How do you enter the MariaDB shell?

Answer

Run mariadb.

V-253666: Listing Users & Max Connections

Question

How do you view users and max connections?

Answer

Run:

SELECT DISTINCT user FROM mysql.user;
SELECT user, max_user_connections FROM mysql.user;

V-253677: Shutdown on Audit Failure

Question

What is the issue?

Answer

MariaDB must shut down or alert on audit failures like lack of space.

Question

What is the fix?

Answer

Configure alerting when log space is low using the OS or DB logging tools.

Question

What type of control is this?

Answer

Technical, detective control.

Question

Is it set on your system?

Answer

Not by default. Logging rollover may need to be configured manually.

V-253678: FIFO Audit Logging

Question

What is the issue?

Answer

MariaDB must overwrite oldest audit logs when storage is full (FIFO).

Question

What is the fix?

Answer

Use syslog or configure log rotation/purging. Example configuration:
```
[mariadb]
server_audit_output_type = 'syslog'
```

Question

What type of control is this?

Answer

Technical, detective control.

Question

Is it set on your system?

Answer

TODO

V-253754: Audit on Security Object Change

Question

What is the issue?

Answer

Changes to roles, privileges, and security objects must be audited.

Question

What is the fix?

Answer

Configure MariaDB Audit Plugin with the following:

DELETE FROM mysql.server_audit_filters WHERE filtername = 'default';
INSERT INTO mysql.server_audit_filters (filtername, rule)
VALUES ('default',
 JSON_COMPACT(
 '{
 "connect_event": ["CONNECT", "DISCONNECT"],
 "query_event": ["ALL"]
 }'
 ));

Question

What type of control is this?

Answer

Technical, detective control.

Question

Is it set on your system?

Answer

Not by default, but was configured on the remote server.