kasmtech/workspaces-stigs
Kasm Workspaces Docker STIG Hardening Scripts

Warning

This open-source project is not officially supported under a Kasm support license. It is an open-source project provided to the community to assist with hardening systems to meet DoD STIG requirements. Kasm Technologies does not provide any guarantees that these scripts will work as designed on every possible system and different configurations. There is the possibility that running these scripts can break systems and caution should be taken before running these scripts.

Supported Kasm Workspaces Versions

Ensure that you switch to a branch that matches the version of Kasm Workspaces that you have installed. For example, if you are running Kasm Workspaces 1.18.1, ensure that you change to the release/1.18.1 branch before applying the script.

The develop branch is kept broadly in sync with the current rolling developer preview of Kasm, but we make no assurances with regard to compatibility at any given point, and we do not recommend running the developer preview in environments where STIG compliance is required.

Supported Architectures

These hardening scripts will only work on x86_64/AMD64 based architectures.

Supported Operating Systems

These hardening scripts have been tested by Kasm Technologies on the following operating systems. It should be noted that we started with a base OS install and then installed Kasm Workspaces. These systems were not pre-configured in any way nor did they already have docker installed. These hardening scripts may not work on the following operating systems if they have unique non-default configurations. A supported Linux kernel version is required.

  • Ubuntu 24.04 LTS
  • Ubuntu 22.04 LTS
  • Ubuntu 20.04 LTS

Please open an issue on the project's issue tracker to report your experience with other operating systems. The scripts have been written such that they should work on any Linux distro with the prerequisites cited below.

Prerequisites

auditd must be installed on the operating system. Auditd is required to meet base operating system STIG requirements and should therefore already be installed. The package jq is also required and should be available in the operating system's package repository for most distributions.

The apply_kasm_stigs.sh script will attempt to use the yq utility that is bundled with a Kasm install, or alternatively download it on an internet-connected host. If you are on an air-gapped network, please pull down the latest yq from https://github.com/mikefarah/yq/releases and put the binary at /opt/kasm/bin/utilities/yq_x86_64

Applying the Scripts

Kasm must be running when executing these scripts on the web app servers and agent servers. The apply_kasm_stigs.sh script will handle shutting down and restarting Kasm service containers when needed. The order in which the scripts are run is important: run apply_docker_stigs.sh first, then run apply_kasm_stigs.sh.

# Kasm Workspaces must already be installed
git clone https://github.com/kasmtech/workspaces-stigs.git
cd workspaces-stigs
# switch to the release branch that matches your installed version of Kasm Workspaces
git checkout release/1.18.1
sudo bash apply_docker_stigs.sh
sudo bash apply_kasm_stigs.sh

V-235819 will fail if Kasm was installed using the default listening port of 443. To pass this check, Kasm must be installed with the -L 8443 flag, where 8443 can be any port above 1024. In a hardened environment, it is assumed that Kasm will be proxied behind a security device, such as an F5 or NGINX, which supports proxying on 443 to end-users.

Considerations when executing a database backup

Because the database runs as uid:gid 70:70, when you execute the /opt/kasm/bin/utils/db_backup script, ensure that the directory passed for the backup file is writable by 70:70, or the backup will fail.

Verbose output for Checklist Artifacts

When running apply_docker_stigs.sh or apply_kasm_stigs.sh, an optional flag --verbose can be set to show the output of the commands specified in the STIG check to validate the system passes the check. The hardening script does not restart docker until the end, so changes made during the script execution may not have been applied yet. Artifacts will be output in the following format:

V-235831, PASS, log driver is enabled
Command: cat /etc/docker/daemon.json | grep -i log-driver
Output:   "log-driver": "syslog",
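To turn that --verbose output into checklist evidence, here is an added Python example (not part of the repository's scripts) that groups the lines into one record per STIG ID and summarizes PASS/FAIL counts. It assumes the three-line layout shown above (header, Command:, Output:) and treats any further non-blank lines before the next V- header as continuation of the Output; the second record in the sample input is constructed for illustration.

```python
import re
from collections import Counter

# Header line as documented in the README: "V-235831, PASS, log driver is enabled"
HEADER_RE = re.compile(r"^(V-\d+),\s*([A-Z_]+),\s*(.*)$")


def parse_artifacts(text):
    """Group verbose artifact output into one dict per STIG ID."""
    records = []
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = HEADER_RE.match(line)
        if m:
            current = {"id": m.group(1), "status": m.group(2),
                       "title": m.group(3), "command": "", "output": []}
            records.append(current)
        elif current is None or not line.strip():
            continue  # ignore blank lines and anything before the first header
        elif line.startswith("Command:"):
            current["command"] = line[len("Command:"):].strip()
        elif line.startswith("Output:"):
            current["output"].append(line[len("Output:"):].strip())
        else:
            # assumption: extra lines belong to a multi-line command output
            current["output"].append(line.strip())
    return records


def summarize(records):
    """Count statuses and list every ID that did not PASS."""
    counts = Counter(r["status"] for r in records)
    failed = sorted(r["id"] for r in records if r["status"] != "PASS")
    return {"total": len(records), "counts": dict(counts), "failed": failed}


# Constructed sample: first record copied from the README, second invented
SAMPLE = """\
V-235831, PASS, log driver is enabled
Command: cat /etc/docker/daemon.json | grep -i log-driver
Output:   "log-driver": "syslog",
V-235819, FAIL, proxy listening on a privileged port (constructed)
Command: ss -ltn | grep ':443 '
Output: LISTEN 0 4096 *:443 *:*
"""

if __name__ == "__main__":
    print(summarize(parse_artifacts(SAMPLE)))
```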

About

Harden Kasm Workspaces deployments with DISA STIGs
