spectrocloud · santhoshdaivajna · Mar 16, 2026 · Mar 16, 2026
diff --git a/rhel-stig/Dockerfile.rhel9 b/rhel-stig/Dockerfile.rhel9
@@ -43,6 +43,10 @@ RUN uuidgen > /etc/machine-id && dnf install -y \
   iscsi-initiator-utils \
   ethtool \
   tcpdump \
+  gnutls-utils \
+  nss-tools \
+  rng-tools \
+  rsyslog-gnutls \
   && dnf clean all
 
 # Run init stage; skip cleanup (removes dracut/squashfs) and initrd (we run dracut ourselves below)

diff --git a/rhel-stig/Dockerfile.rhel9-fips b/rhel-stig/Dockerfile.rhel9-fips
@@ -50,6 +50,10 @@ RUN uuidgen > /etc/machine-id && dnf install -y \
   iscsi-initiator-utils \
   ethtool \
   tcpdump \
+  gnutls-utils \
+  nss-tools \
+  rng-tools \
+  rsyslog-gnutls \
   && dnf clean all
 
 RUN sed -i 's/\bsource\b/./g' /system/oem/00_rootfs.yaml

diff --git a/rhel-stig/README.md b/rhel-stig/README.md
@@ -237,7 +237,7 @@ For a minimal Kairos/edge image, many STIG rules will **fail** or be **notapplic
 | **AIDE** | File integrity monitoring not typically used on edge nodes |
 | **FIPS** | Only for FIPS-enabled build; non-FIPS image will fail FIPS checks |
 | **Mount options** | `/tmp`, `/var/log`, `/dev/shm`, etc. – Kairos layout differs from traditional partitioning |
-| **GRUB** | `init_on_free`, PTI, vsyscall, password – require kernel/GRUB changes |
+| **GRUB** | `init_on_free`, PTI, vsyscall in base image (`/etc/kernel/cmdline`); GRUB password – environment-specific |
 | **Packages** | chrony, cron, fapolicyd, postfix, s-nail, nfs-utils, usbguard, libreswan |
 | **Partitions** | `/var/log/audit`, `/var/tmp` – edge layout may not match STIG expectations |
 | **User namespaces** | `sysctl_user_max_user_namespaces` – may conflict with containers |

diff --git a/rhel-stig/overlay/rhel9/etc/kernel/cmdline b/rhel-stig/overlay/rhel9/etc/kernel/cmdline
@@ -0,0 +1 @@
+init_on_free=1 pti=on vsyscall=none
diff --git a/rhel-stig/stig-remediate.sh b/rhel-stig/stig-remediate.sh
@@ -409,6 +409,55 @@ else
     print_debug "WARNING: Remediation script not found for saving (may have been deleted earlier)"
 fi
 
+# STIG High-priority: Sudo configuration
+echo "Applying STIG sudo configuration..."
+for f in /etc/sudoers /etc/sudoers.d/*; do
+    [ -f "$f" ] || continue
+    # Remove NOPASSWD (CCE-83536-3)
+    sed -i 's/^[^#]*NOPASSWD:[^$]*$/# STIG: NOPASSWD removed - &/' "$f" 2>/dev/null || true
+    # Remove !authenticate (CCE-83544-7)
+    sed -i 's/^[^#]*!authenticate[^$]*$/# STIG: !authenticate removed - &/' "$f" 2>/dev/null || true
+done
+# Ensure timestamp_timeout=0 for reauth (CCE-90029-0)
+mkdir -p /etc/sudoers.d
+if ! grep -rq "timestamp_timeout" /etc/sudoers /etc/sudoers.d/ 2>/dev/null; then
+    echo "Defaults timestamp_timeout=0" > /etc/sudoers.d/stig-reauth.conf
+    chmod 0440 /etc/sudoers.d/stig-reauth.conf
+fi
+# Ensure validate for sudoers (CCE-83529-8)
+if ! grep -rq "validate" /etc/sudoers /etc/sudoers.d/ 2>/dev/null; then
+    echo "Defaults use_pty" >> /etc/sudoers.d/stig-reauth.conf 2>/dev/null || true
+fi
+print_debug "Sudo STIG configuration applied"
+
+# STIG High-priority: Login banner (CCE-83557-9)
+echo "Applying STIG login banner..."
+cat > /etc/issue <<'BANNER'
+You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.
+By using this IS (which includes any device attached to this IS), you consent to the following conditions:
+- The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
+- At any time, the USG may inspect and seize data stored on this IS.
+- Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
+- This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
+- Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.
+BANNER
+chmod 644 /etc/issue
+print_debug "Login banner applied"
+
+# STIG High-priority: authselect (CCE-89732-2)
+if command -v authselect &>/dev/null; then
+    echo "Applying authselect configuration..."
+    if authselect select minimal with-faillock without-nullok --force 2>/dev/null; then
+        print_debug "authselect minimal with-faillock applied"
+    elif authselect select minimal --force 2>/dev/null; then
+        print_debug "authselect minimal applied"
+    elif authselect select sssd with-faillock without-nullok --force 2>/dev/null; then
+        print_debug "authselect sssd with-faillock applied"
+    else
+        print_debug "authselect: no suitable profile, skipping"
+    fi
+fi
+
 # Firewall: no default ports/zones - customers configure via user-data or cluster profile
 echo "STIG remediation completed"
 echo "NOTE: Some rules requiring downloads or network access were skipped (expected in container builds)"