Appliance STIG Hardening


The STIG customization package applies STIG hardening to your AppGate ZTNA appliances. Use this customization as part of your STIG compliance workflow for a seeded appliance.

Installing the Customization

To install the customization, complete the following steps:

  1. Sign in to the AppGate admin UI.

  2. Upload the .zip package to the Appliance Customizations page (System > Appliance Customizations).

  3. Apply the customization to each appliance where STIG settings must be applied (System > Appliances > Miscellaneous settings).

View cz-stig commands

To view available commands:

  1. SSH in to the appliance.

  2. Run man cz-stig. Use these options to further harden the appliance if necessary.

NOTE

The following optional commands can have a negative effect on user experience or system performance. It is not recommended to use these commands unless you must use them for compliance reasons.

Enable auditd

cz-config set -j hardening/auditd true

Enable auditd from boot

cz-config set kernel/cmdlineOptions "$(cz-config get kernel/cmdlineOptions) audit=1"

Set issue string

cz-config set motd/issue.net "$(cat /usr/share/stigdata/dod_banner.txt)"

cz-config set motd/issue "$(cat /usr/share/stigdata/dod_banner.txt)"

Lock single user and maintenance mode

cz-configd set -j kernel/lockGrubEdit true

Set password even in cloud environments

Run passwd, copy the resulting hash from the shadow file (/etc/shadow), and substitute it for <hash> in the following command:

cz-configd set users/0/encrypted-password '<hash>'

cz-configd set -j users/0/nopasswd false

Denylist USB storage kernel module

cz-configd set kernel/cmdlineOptions "$(cz-configd get kernel/cmdlineOptions) module_blacklist=usb_storage"

cz-configd set -j hardening/blacklistUsbStorage true
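The two kernel/cmdlineOptions commands above (audit=1 and module_blacklist=usb_storage) read the current value and append a token to it, so running either step a second time appends the token again. The helper below is an added example, not part of the AppGate documentation or the cz-stig package: it appends a kernel command-line option only when it is not already present, and lets you check for a token before rebooting. It assumes the option string is space-separated, as the page's commands imply; the cz-config invocation in the trailing comment is taken from the page and is not executed here.

```shell
# Added example (not AppGate code): idempotent handling of space-separated
# kernel command-line options, so repeated hardening runs do not duplicate tokens.

# has_kernel_opt CURRENT_OPTIONS TOKEN -> exit 0 if TOKEN is present as a whole word
has_kernel_opt() {
    # Pad with spaces so "audit=1" does not match inside "audit=10".
    case " $1 " in
        *" $2 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# append_kernel_opt CURRENT_OPTIONS TOKEN -> prints CURRENT_OPTIONS with TOKEN added once
append_kernel_opt() {
    current=$1
    token=$2
    if has_kernel_opt "$current" "$token"; then
        printf '%s\n' "$current"
    elif [ -z "$current" ]; then
        printf '%s\n' "$token"
    else
        printf '%s\n' "$current $token"
    fi
}

# On an appliance the helper would wrap the page's own command, e.g.
# (assumed cz-config get/set syntax, copied from the page):
#   cz-config set kernel/cmdlineOptions \
#       "$(append_kernel_opt "$(cz-config get kernel/cmdlineOptions)" audit=1)"
```

After a reboot, compare the value you set against /proc/cmdline with has_kernel_opt to confirm the option actually reached the kernel; a token that is present in the stored setting but absent from /proc/cmdline points at a boot-loader or configuration problem rather than at the option itself.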

Harden the SSH configuration

cz-config set -j hardening/hardenSSH true

Optional Configurations

You can make further customizations by configuring the following lines in /data/settings.config:

  • Line 2: Edit the expected underlying OS value.

  • Line 3: Change the error message text.

Packaging Changes

If you modify the package contents under src/, ensure the zip structure is correct.

Required layout:

folder.zip
  start
  status
  stop
  data/...
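The usual packaging mistake is zipping the parent folder so that start, status and stop end up one directory deep instead of at the archive root. The following is an added example, not part of the AppGate package or its build tooling: it checks a staging directory against the layout listed above before you create the zip. The executable-bit check and the rejection of entries other than the four listed are assumptions on my part; the page shows the required entries but says nothing about permissions or extra files.

```shell
# Added example (not AppGate code): validate a staging directory against the
# required customization layout before zipping it.

# check_package_layout DIR -> exit 0 if the layout is valid, 1 otherwise
check_package_layout() {
    dir=$1
    rc=0
    for f in start status stop; do
        if [ ! -f "$dir/$f" ]; then
            echo "missing: $f" >&2
            rc=1
        elif [ ! -x "$dir/$f" ]; then
            # Assumption: the lifecycle scripts must be executable.
            echo "not executable: $f" >&2
            rc=1
        fi
    done
    if [ ! -d "$dir/data" ]; then
        echo "missing: data/ directory" >&2
        rc=1
    fi
    # Assumption: only the four listed entries belong at the top level; a stray
    # nested folder usually means the parent directory was zipped by mistake.
    for entry in "$dir"/* "$dir"/.[!.]*; do
        [ -e "$entry" ] || continue
        case $(basename "$entry") in
            start|status|stop|data) ;;
            *) echo "unexpected top-level entry: $(basename "$entry")" >&2; rc=1 ;;
        esac
    done
    return $rc
}

# make_sample_layout -> builds a constructed, valid staging tree in a temp dir and prints its path
make_sample_layout() {
    sample=$(mktemp -d)
    mkdir -p "$sample/data"
    for f in start status stop; do
        printf '#!/bin/sh\n' > "$sample/$f"
        chmod 755 "$sample/$f"
    done
    printf '%s\n' "$sample"
}
```

Once the check passes, create the archive from inside the directory (for example `cd "$dir" && zip -r ../folder.zip start status stop data`) so the three scripts sit at the root of folder.zip rather than under a nested folder.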

Tailoring Profile

A SCAP tailoring file is included in the customization repository to control which findings are selected during scanning. You can mark findings as Not selected in the tailoring file to exclude them from checks.

The file CAN_Ubuntu_24-04_STIG001.003.005MAC-2_Public_tailored_tailoring.xml is used by internal scans to achieve the advertised score.
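Because every rule marked Not selected is silently dropped from the scan result, it is worth extracting the exclusion list from the tailoring file and comparing it against the attestation before accepting a score. The following is an added example, not code from the AppGate repository: a constructed XCCDF 1.2 tailoring snippet in the layout SCAP tools emit (a Profile that extends the benchmark profile and carries one select element per rule), plus shell functions that list and count the rules with selected="false". The rule and profile ids are placeholders, not real STIG identifiers, and the grep/sed approach assumes one select element per line, which is how tool-generated tailoring files are written.

```shell
# Added example (not AppGate code): review which rules a SCAP tailoring file excludes.
# The XML below is a constructed sample with placeholder ids, not the real tailoring file.

SAMPLE_TAILORING='<?xml version="1.0" encoding="UTF-8"?>
<xccdf-1.2:Tailoring xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2"
    id="xccdf_example_tailoring_appliance">
  <xccdf-1.2:benchmark href="EXAMPLE_STIG_Benchmark.xml"/>
  <xccdf-1.2:version time="2024-01-01T00:00:00">1</xccdf-1.2:version>
  <xccdf-1.2:Profile id="xccdf_example_profile_MAC-2_Public_tailored"
      extends="xccdf_example_profile_MAC-2_Public">
    <xccdf-1.2:title>Appliance tailored profile (constructed sample)</xccdf-1.2:title>
    <xccdf-1.2:select idref="xccdf_example_rule_PLACEHOLDER-001" selected="false"/>
    <xccdf-1.2:select idref="xccdf_example_rule_PLACEHOLDER-002" selected="true"/>
    <xccdf-1.2:select idref="xccdf_example_rule_PLACEHOLDER-003" selected="false"/>
  </xccdf-1.2:Profile>
</xccdf-1.2:Tailoring>'

# list_unselected_rules FILE -> prints the idref of every select element with selected="false"
list_unselected_rules() {
    # Assumes one <select .../> per line, as tool-generated tailoring files are laid out;
    # use a real XML parser for hand-edited files.
    grep -E '<[^>]*select[^>]*selected="false"' "$1" \
        | sed -E 's/.*idref="([^"]*)".*/\1/'
}

# count_unselected_rules FILE -> prints how many rules are excluded
count_unselected_rules() {
    list_unselected_rules "$1" | wc -l | tr -d ' '
}

# write_sample_tailoring -> writes the constructed sample to a temp file and prints its path
write_sample_tailoring() {
    tfile=$(mktemp)
    printf '%s\n' "$SAMPLE_TAILORING" > "$tfile"
    printf '%s\n' "$tfile"
}
```

Run list_unselected_rules against the repository's tailoring file and keep the output with the scan report; a rule that appears in the list but has no justification in the attestation is a gap in the compliance record, not a passing finding.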

Justifications for exclusions specified in this file are outlined in a separate attestation. Contact an AppGate ZTNA representative to obtain a copy.