STIG hardening

Nexthink aims to provide compliance with the Security Technical Implementation Guide (STIG) standards for the Nexthink V6 product. Additional steps required before and during the deployment of Nexthink V6 to achieve compliance. This guide is intended to highlight these steps and differences from a standard Nexthink V6 deployment.

The STIG hardening procedure must be done in collaboration with Nexthink. Reach to your Nexthink representative before beginning this procedure.

Prerequisites

Download the Nexthink Appliance ISO image from the V6 Release Notes page.

Additional material

See the Nexthink STIG Hardening Guide for a complete description of the STIG hardening procedure:

Hardware requirements

Standard Nexthink Hardware requirements apply.

Additionally, the minimum hard disk requirement for STIG hardening is 60GB because you must mount filesystems on separate mount points. The following table shows the default size requirements for the different filesystems that is built using the STIG-specific Appliance ISO image:

Path

Disk space

/home

4GB

/tmp

4GB

/var/log

10GB

/var/log/audit

10GB

/var/tmp

4GB

/

15GB (default OS files)

/var

remaining disk space; /var is usually the largest partition as it contains Nexthink databases

Installation

Install the appliance with the ISO image.

After installing the appliance and Engine or Portal, and before enabling security hardening, install the RPM dependencies. The RPMs are located on the STIG Appliance in the following folder: /home/nexthink/stigrpms/Packages

Then, perform the following steps:

Log in to the Appliance Command Line Interface (CLI)
Run the following command and wait until the transaction completes:

cd /home/nexthink/stigrpms
sudo chmod +x ./install_stig.dependencies.sh
sudo ./install_stig.dependencies.sh

Log in to the Web Console of the primary Appliance (the Portal) as administrator; use the following URL to ensure STIG is enabled: https://<appliance_host_or_IP>:99/appliance/compliance
Select the Appliance tab at the top of the Web Console.
Select Compliance from the left-hand side menu.
Select the STIG Enabled? checkbox.
Select Save changes.

Optional steps - Apply automatic hardening manually

Run the following command in the Appliance CLI session:

sudo nxhardening

Result. An Ansible playbook is launched, which takes several minutes to complete.

Reboot the Appliance.

Troubleshooting

I get an access denied error message when attempting to log in as a Nexthink user

One of the STIG requirements is to lock user accounts with too many failed logins. If this happens, unlock the user by logging in as root and running the following command:

faillock --user nexthink --reset

The root user can only login through the console, not SSH.

Last updated 1 day ago