p.note { color: red; }
Red Hat has recently updated the Red Hat Enterprise Linux (RHEL) 7 Security Technical Implementation Guide (STIG) Profile to include more coverage of automated content and improve the profile’s stability. In this post, we’ll talk about how Red Hat contributes to the creation of new SCAP content and automation and how you can consume the latest updates for the RHEL 7 STIG Profile to more effectively apply security hardening policies.
What is a STIG?
A STIG is a document published by the Department of Defense Cyber Exchange (DoD), which is sponsored by the Defense Information Systems Agency (DISA). It contains guidance on how to configure systems to defend against potential threats. These threats mainly include cyberattacks, but they can also be problems caused by the use of misconfigured systems.
A STIG is derived from the Security Requirements Guide (SRG), which contains high-level security requirements that later are translated into configuration items for a specific target of evaluation (TOE)—in this case, RHEL 7.
RHEL 7 STIG Profile update
Red Hat has been developing the automation of hardening systems via STIGs for many years, and since then, the STIG for RHEL 7 has been updated several times by DISA. Red Hat also takes part in STIG development by suggesting improvements and reporting issues to the guide back to DISA. Red Hat works to keep automated remediations up to date to provide customers with automated solutions to help harden their systems and help bring them into compliance.
Read more about optimizing performance for the open-hybrid enterprise.
Read more about optimizing performance for the open-hybrid enterprise.
Coverage status of automated content
The automated content mainly consists of two parts:
- Check - to assess the current configuration state of a system
- Organized in an Extensible Configuration Checklist Description Format (XCCDF) benchmark, which contains checks in Open Vulnerability and Assessment Language (OVAL) language.
- Fix - to bring the system to a compliant state
- Available fix formats are Bash scripts and Ansible Playbooks.
The current coverage of implemented automated content is about 92% out of the 250 controls described in the STIG. Let’s say the system is not compliant with the guidance and you want to fix and to bring it to a compliant state, you can either run the provided Bash scripts or apply the provided Ansible Playbooks to suit your method of automation. Out of the 92% of covered STIG items, about 83% of them are covered with Bash scripts and about 75% with Ansible Playbooks.
How to consume it
There are two ways to harden your systems with the STIG for RHEL 7. The first method is to use the Anaconda installer to automatically apply the profile during the installation process. The second one is to run either the OpenSCAP scanner or the SCAP Workbench to assess an existing in-place system and apply subsequent fixes to bring it to a compliant state if needed.
If you decide to harden the systems during installation, you need to activate the option “Security Policy” in the installation setup phase, then select the profile called “DISA STIG for Red Hat Enterprise Linux 7” and follow the on-screen instructions. You can also use the unattended installation method to select the profile using the following code in your kickstart file:
%addon org_fedora_oscap content-type = scap-security-guide profile = xccdf_org.ssgproject.content_profile_stig %end
If you want to apply the guidelines on existing in-place systems, you will need to install the following packages first: “scap-security-guide” and “openscap-scanner”. Additionally, install “scap-workbench” if you want to use a Graphical User Interface and/or tailor the STIG profile based on your needs.
After installing these packages you can run the following commands as root to assess the system:
# oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_stig --report report.html --fetch-remote-resources /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
Open the file “report.html” on your preferred browser and check the results, if there are any failures, you can fix them (if remediation is available) by running a similar command with the option “--remediate” included:
# oscap xccdf eval --remediate --profile xccdf_org.ssgproject.content_profile_stig --report report.html /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
We advise you to run these commands in a testing environment first as it can result in undesired changes from your existing software configuration.
The scanner uses by default Bash Scripts when fixing the system. If you would like to use an Ansible Playbook instead, you can find it at:
/usr/share/scap-security-guide/ansible/rhel7-playbook-stig.yml
STIG Viewer
STIG Viewer is a tool provided by DISA that enables you to load STIG benchmarks and create checklists that can be used to evaluate systems. In some cases, the use of STIG Viewer is mandatory when evaluating STIGs. These checklists are usually filled manually, but there is an option to import scan results. OpenSCAP provides an option to generate such scan results that can be imported into STIG Viewer to speed up the evaluation process. To generate this file use the option “--stig-viewer” when running a system scan:
# oscap xccdf eval --remediate --profile xccdf_org.ssgproject.content_profile_stig --stig-viewer stig-viewer-results.xml /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
After loading the RHEL 7 STIG benchmark provided by DISA into STIG Viewer you can now import the file “stig-viewer-results.xml” to check the scan results which are mapped to STIG items.
Future Work
As stated previously, the current profile coverage is about 92% of the items described in the STIG. Despite not being fully complete, it can save a lot of time when systems are being evaluated using STIG. Red Hat works with DISA to provide our consumers with updated content and automation. As DISA now releases new STIGs on a quarterly basis, we plan to continue to bring the latest changes to the content throughout RHEL 7 life support.
Conclusion
This post touched briefly on what a STIG is, its importance, how Red Hat supports the development and how to consume the STIG content. Consumption can either happen during installation time or afterward. The OpenSCAP suite along with the “scap-security-guide” provides consumers with a quick and easy way to assist in helping to maintain compliance with the RHEL 7 STIG.
Über die Autoren
Gabriel Gaspar Becker is a part of the Security Compliance team for Red Hat Enterprise Linux (RHEL) focused on the development of the OpenSCAP ecosystem. He mainly focuses on developing automated Security Content, which is used by organizations to speed up their adoption of security policies.
Carlos Matos is a Specialist Solutions Architect in Red Hat’s North America Public Sector organization. He works with internal product teams and, externally, with the United States Government and open source communities to create possiblities and solve problems. As a member of Red Hat’s Government Readiness team, he brings his past experiences as a platform and Linux engineer supporting the Department of Defense and public sector initiatives, with an emphasis on compliance and security.
Mehr davon
Nach Thema durchsuchen
Automatisierung
Das Neueste zum Thema IT-Automatisierung für Technologien, Teams und Umgebungen
Künstliche Intelligenz
Erfahren Sie das Neueste von den Plattformen, die es Kunden ermöglichen, KI-Workloads beliebig auszuführen
Open Hybrid Cloud
Erfahren Sie, wie wir eine flexiblere Zukunft mit Hybrid Clouds schaffen.
Sicherheit
Erfahren Sie, wie wir Risiken in verschiedenen Umgebungen und Technologien reduzieren
Edge Computing
Erfahren Sie das Neueste von den Plattformen, die die Operations am Edge vereinfachen
Infrastruktur
Erfahren Sie das Neueste von der weltweit führenden Linux-Plattform für Unternehmen
Anwendungen
Entdecken Sie unsere Lösungen für komplexe Herausforderungen bei Anwendungen
Original Shows
Interessantes von den Experten, die die Technologien in Unternehmen mitgestalten
Produkte
- Red Hat Enterprise Linux
- Red Hat OpenShift
- Red Hat Ansible Automation Platform
- Cloud-Services
- Alle Produkte anzeigen
Tools
- Training & Zertifizierung
- Eigenes Konto
- Kundensupport
- Für Entwickler
- Partner finden
- Red Hat Ecosystem Catalog
- Mehrwert von Red Hat berechnen
- Dokumentation
Testen, kaufen und verkaufen
Kommunizieren
Über Red Hat
Als weltweit größter Anbieter von Open-Source-Software-Lösungen für Unternehmen stellen wir Linux-, Cloud-, Container- und Kubernetes-Technologien bereit. Wir bieten robuste Lösungen, die es Unternehmen erleichtern, plattform- und umgebungsübergreifend zu arbeiten – vom Rechenzentrum bis zum Netzwerkrand.
Wählen Sie eine Sprache
Red Hat legal and privacy links
- Über Red Hat
- Jobs bei Red Hat
- Veranstaltungen
- Standorte
- Red Hat kontaktieren
- Red Hat Blog
- Diversität, Gleichberechtigung und Inklusion
- Cool Stuff Store
- Red Hat Summit