RHEL7 DISA STIG with OSCAP
RHEL7: DISA STIG Guidance
A Security Technical Implementation Guide (STIG) is a document published by the DoD Cyber Exchange, which is sponsored by the Defense Information Systems Agency (DISA). It contains guidance on how to configure systems to defend against potential threats. These threats are mainly cyberattacks, but they also include problems caused by running misconfigured systems.
STIGs are derived from the Security Requirements Guide (SRG), which contains high-level security requirements for a specific target of evaluation (TOE)—in this case, RHEL 7.
RHEL 7 STIG Profile update
Red Hat is no stranger to DISA STIGs, and it works hard on maintaining the automated remediation content so that our machines can be brought into compliance.
Coverage status of automated content
The automated content mainly consists of two parts:
Check - to assess the current configuration state of a system
- Organized in an Extensible Configuration Checklist Description Format (XCCDF) benchmark, whose checks are written in the Open Vulnerability and Assessment Language (OVAL).
Fix - to bring the system to a compliant state
- Available fix formats are Bash scripts and Ansible Playbooks.
The current coverage of implemented automated content is about 92% of the 250 controls described in the STIG. If the system is not compliant with the guidance and you want to bring it to a compliant state, you can either run the provided Bash scripts or apply the provided Ansible Playbooks, whichever suits your method of automation.
Out of the 92% of covered STIG items, about 83% of them are covered with Bash scripts and about 75% with Ansible Playbooks.
Hardening
There are two ways to harden your systems with the STIG for RHEL 7. The first method is to use the Anaconda installer to automatically apply the profile during the installation process. The second one is to run either the OpenSCAP scanner or the SCAP Workbench to assess an existing in-place system and apply subsequent fixes to bring it to a compliant state if needed.
If you decide to harden the systems during installation, you need to activate the option "Security Policy" in the installation setup phase, then select the profile called "DISA STIG for Red Hat Enterprise Linux 7" and follow the on-screen instructions. You can also use the unattended installation method to select the profile using the following code in your kickstart file:
%addon org_fedora_oscap
content-type = scap-security-guide
profile = xccdf_org.ssgproject.content_profile_stig
%end
If you want to apply the guidelines to existing in-place systems, you first need to install the "scap-security-guide" and "openscap-scanner" packages. Additionally, install "scap-workbench" if you want a Graphical User Interface and/or want to tailor the STIG profile to your needs.
sudo yum install scap-security-guide -y
sudo yum install openscap-scanner -y
After installing these packages you can run the following commands as root to assess the system:
oscap xccdf eval \
--profile xccdf_org.ssgproject.content_profile_stig \
--report report.html \
--fetch-remote-resources \
/usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
Open the file report.html in your preferred browser and check the results. If there are any failures, you can fix them (where remediation is available) by running a similar command with the option --remediate included:
oscap xccdf eval \
--remediate \
--profile xccdf_org.ssgproject.content_profile_stig \
--report report.html \
--fetch-remote-resources \
/usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
The scanner uses Bash scripts by default when fixing the system. If you would like to use the Ansible Playbook shipped with scap-security-guide instead, run it against the local host (Ansible must be installed, and the run needs root privileges to apply the fixes):
ansible-playbook -i "localhost," -c local /usr/share/scap-security-guide/ansible/rhel7-playbook-stig.yml
STIG Viewer
STIG Viewer is a tool provided by DISA that enables you to load STIG benchmarks and create checklists that can be used to evaluate systems. In some cases, the use of STIG Viewer is mandatory when evaluating STIGs. These checklists are usually filled in manually, but there is an option to import scan results. OpenSCAP can generate scan results in a format that STIG Viewer imports, which speeds up the evaluation process. To generate this file, add the option "--stig-viewer" when running a system scan:
oscap xccdf eval \
--remediate \
--profile xccdf_org.ssgproject.content_profile_stig \
--stig-viewer stig-viewer-results.xml \
--fetch-remote-resources \
/usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
After loading the RHEL 7 STIG benchmark provided by DISA into STIG Viewer, you can import the file stig-viewer-results.xml to check the scan results, which are mapped to STIG items.
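The scan, review, remediate and re-scan cycle described above can be wrapped in a small script so the outcome is checked rather than eyeballed in report.html. The following is an added example, not a script from the original page or from the scap-security-guide project. It uses the data stream path and profile id shown above, relies on oscap's exit status (0 all rules pass, 1 scanner error, 2 at least one rule failed) and on the XCCDF results file, in which remediated rules are reported as "fixed". The XCCDF fragment written by demo_results_file is constructed for offline testing and is not real oscap output; its rule ids are made up.

```shell
#!/bin/bash
# Added example (not from the original page): wrap the scan -> review ->
# remediate -> re-scan cycle and parse the XCCDF results instead of only
# reading report.html. The sample results in demo_results_file are
# constructed for offline testing; the rule ids there are hypothetical.

DS="/usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml"
PROFILE="xccdf_org.ssgproject.content_profile_stig"

# Map oscap's exit status to its meaning: 0 all selected rules passed,
# 1 scanner error, 2 at least one rule failed.
describe_exit() {
  case "$1" in
    0) echo "all selected rules passed" ;;
    1) echo "oscap reported an error" ;;
    2) echo "at least one rule failed" ;;
    *) echo "unexpected exit status $1" ;;
  esac
}

# Count rule-result elements with a given outcome (pass, fail, error,
# notapplicable, fixed, ...) in an XCCDF results file. grep -c prints 0
# and exits 1 when nothing matches, so the exit status is swallowed.
count_results() {
  local file="$1" status="$2"
  grep -c "<result>$status</result>" "$file" || true
}

# List the rule ids whose result is "fail". The idref sits on the
# <rule-result> line and the outcome on a following <result> line, so awk
# remembers the last id seen and prints it when a fail shows up.
failed_rules() {
  awk '/<rule-result /{ if (match($0, /idref="[^"]+"/)) id = substr($0, RSTART + 7, RLENGTH - 8) }
       /<result>fail<\/result>/{ print id }' "$1"
}

# Write a constructed XCCDF TestResult fragment (not real oscap output)
# to a temp file and print its path, so the parsers can be exercised
# without a scanner.
demo_results_file() {
  local f
  f="$(mktemp)"
  cat >"$f" <<'EOF'
<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.open-scap_testresult_xccdf_org.ssgproject.content_profile_stig">
  <rule-result idref="xccdf_org.ssgproject.content_rule_example_pass" severity="medium">
    <result>pass</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_example_fail_one" severity="high">
    <result>fail</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_example_fail_two" severity="low">
    <result>fail</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_example_na" severity="low">
    <result>notapplicable</result>
  </rule-result>
</TestResult>
EOF
  echo "$f"
}

# Scan, summarise the failures, and (when mode is "remediate") apply the
# Bash fixes and report what was fixed and what still fails. Run as root.
run_cycle() {
  local mode="${1:-}" rc
  oscap xccdf eval --profile "$PROFILE" --results results.xml --report report.html \
    --stig-viewer stig-viewer-results.xml --fetch-remote-resources "$DS"
  rc=$?
  echo "scan: $(describe_exit "$rc")"
  if [ "$rc" -eq 2 ]; then
    echo "failing rules ($(count_results results.xml fail)):"
    failed_rules results.xml
    if [ "$mode" = "remediate" ]; then
      oscap xccdf eval --remediate --profile "$PROFILE" --results results-remediated.xml \
        --report report-remediated.html --fetch-remote-resources "$DS"
      echo "after remediation: $(describe_exit "$?")"
      echo "fixed: $(count_results results-remediated.xml fixed), still failing: $(count_results results-remediated.xml fail)"
    fi
  fi
  return "$rc"
}

# Usage: ./stig-cycle.sh scan        (assess only)
#        ./stig-cycle.sh remediate   (assess, fix, re-check)
case "${1:-}" in
  scan|remediate) run_cycle "$1" ;;
esac
```

The second oscap run keeps its own results and report files so the pre- and post-remediation states can be compared, and the list of failing rule ids from the first run is what you would cross-check against the STIG Viewer checklist for items that have no automated fix.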
Script
Here's a script to accomplish compliance: