Red Hat has recently updated the Red Hat Enterprise Linux (RHEL) 7 Security Technical Implementation Guide (STIG) Profile to include more coverage of automated content and improve the profile’s stability. In this post, we’ll talk about how Red Hat contributes to the creation of new SCAP content and automation and how you can consume the latest updates for the RHEL 7 STIG Profile to more effectively apply security hardening policies.
What is a STIG?
A STIG is a document published by the Department of Defense Cyber Exchange (DoD), which is sponsored by the Defense Information Systems Agency (DISA). It contains guidance on how to configure systems to defend against potential threats. These threats mainly include cyberattacks, but they can also be problems caused by the use of misconfigured systems.
A STIG is derived from the Security Requirements Guide (SRG), which contains high-level security requirements that later are translated into configuration items for a specific target of evaluation (TOE)—in this case, RHEL 7.
RHEL 7 STIG Profile update
Red Hat has been developing the automation of hardening systems via STIGs for many years, and since then, the STIG for RHEL 7 has been updated several times by DISA. Red Hat also takes part in STIG development by suggesting improvements and reporting issues with the guide back to DISA. Red Hat works to keep automated remediations up to date to provide customers with automated solutions to help harden their systems and help bring them into compliance.
Coverage status of automated content
The automated content mainly consists of two parts:
- Check - to assess the current configuration state of a system
  - Organized in an Extensible Configuration Checklist Description Format (XCCDF) benchmark, which contains checks in the Open Vulnerability and Assessment Language (OVAL).
- Fix - to bring the system to a compliant state
  - Available fix formats are Bash scripts and Ansible Playbooks.
The current coverage of implemented automated content is about 92% of the 250 controls described in the STIG. If the system is not compliant with the guidance and you want to bring it to a compliant state, you can either run the provided Bash scripts or apply the provided Ansible Playbooks, whichever suits your method of automation. Of the 92% of covered STIG items, about 83% are covered with Bash scripts and about 75% with Ansible Playbooks.
How to consume it
There are two ways to harden your systems with the STIG for RHEL 7. The first method is to use the Anaconda installer to automatically apply the profile during the installation process. The second one is to run either the OpenSCAP scanner or the SCAP Workbench to assess an existing in-place system and apply subsequent fixes to bring it to a compliant state if needed.
If you decide to harden the systems during installation, you need to activate the option "Security Policy" in the installation setup phase, then select the profile called "DISA STIG for Red Hat Enterprise Linux 7" and follow the on-screen instructions. You can also use the unattended installation method to select the profile using the following code in your kickstart file:
%addon org_fedora_oscap
content-type = scap-security-guide
profile = xccdf_org.ssgproject.content_profile_stig
%end
If you want to apply the guidelines on existing in-place systems, you will need to install the following packages first: "scap-security-guide" and "openscap-scanner". Additionally, install "scap-workbench" if you want to use a Graphical User Interface and/or tailor the STIG profile based on your needs.
After installing these packages, you can run the following command as root to assess the system:
# oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_stig --report report.html --fetch-remote-resources /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
Open the file "report.html" in your preferred browser and check the results. If there are any failures, you can fix them (if remediation is available) by running a similar command with the option "--remediate" included:
# oscap xccdf eval --remediate --profile xccdf_org.ssgproject.content_profile_stig --report report.html /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
We advise you to run these commands in a testing environment first, as they can result in undesired changes to your existing software configuration.
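Before remediating, it helps to triage what the scan actually found. The following is an added example, not part of the original post or of OpenSCAP: it assumes the scan was re-run with oscap's "--results results.xml" option to save the XCCDF results, and it parses a constructed sample of such a file (the rule ids are placeholders) to list failed rules by severity and the rules that have no automated verdict and need manual evaluation.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}
STIG_PROFILE = "xccdf_org.ssgproject.content_profile_stig"
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}

# Constructed sample of an XCCDF results file; the rule ids are placeholders.
SAMPLE_RESULTS = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2">
 <TestResult id="xccdf_org.open-scap_testresult_example">
  <profile idref="xccdf_org.ssgproject.content_profile_stig"/>
  <rule-result idref="example_rule_a" severity="medium"><result>pass</result></rule-result>
  <rule-result idref="example_rule_b" severity="low"><result>fail</result></rule-result>
  <rule-result idref="example_rule_c" severity="high"><result>fail</result></rule-result>
  <rule-result idref="example_rule_d" severity="medium"><result>notchecked</result></rule-result>
  <rule-result idref="example_rule_e" severity="low"><result>notselected</result></rule-result>
 </TestResult>
</Benchmark>"""


def triage(xml_text, expected_profile=STIG_PROFILE):
    """Return (counts, failed, manual) for the first XCCDF TestResult."""
    test_result = ET.fromstring(xml_text).find(".//x:TestResult", NS)
    if test_result is None:
        raise ValueError("no XCCDF TestResult element found")
    # Refuse results from a different profile so a wrong scan is not trusted.
    profile = test_result.find("x:profile", NS)
    if profile is None or profile.get("idref") != expected_profile:
        raise ValueError("results were not produced with the expected profile")
    counts, failed, manual = Counter(), [], []
    for rr in test_result.findall("x:rule-result", NS):
        text = rr.findtext("x:result", default="unknown", namespaces=NS)
        result = (text or "unknown").strip()
        counts[result] += 1
        entry = (rr.get("severity", "unknown"), rr.get("idref"))
        if result == "fail":
            failed.append(entry)
        elif result in ("notchecked", "error", "unknown"):
            manual.append(entry)  # no automated verdict: evaluate by hand
    failed.sort(key=lambda e: (SEVERITY_ORDER.get(e[0], 3), e[1]))
    return counts, failed, manual


if __name__ == "__main__":
    counts, failed, manual = triage(SAMPLE_RESULTS)
    print(dict(counts))
    for severity, rule in failed:
        print(f"FAIL   {severity:7} {rule}")
    for severity, rule in manual:
        print(f"MANUAL {severity:7} {rule}")
```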
By default, the scanner uses Bash scripts when fixing the system. If you would like to use an Ansible Playbook instead, you can find it at:
STIG Viewer is a tool provided by DISA that enables you to load STIG benchmarks and create checklists that can be used to evaluate systems. In some cases, the use of STIG Viewer is mandatory when evaluating STIGs. These checklists are usually filled manually, but there is an option to import scan results. OpenSCAP provides an option to generate such scan results that can be imported into STIG Viewer to speed up the evaluation process. To generate this file use the option "--stig-viewer" when running a system scan:
# oscap xccdf eval --remediate --profile xccdf_org.ssgproject.content_profile_stig --stig-viewer stig-viewer-results.xml /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
After loading the RHEL 7 STIG benchmark provided by DISA into STIG Viewer, you can import the file "stig-viewer-results.xml" to check the scan results, which are mapped to STIG items.
As stated previously, the current profile coverage is about 92% of the items described in the STIG. Despite not being fully complete, it can save a lot of time when systems are being evaluated using STIG. Red Hat works with DISA to provide our consumers with updated content and automation. As DISA now releases new STIGs on a quarterly basis, we plan to continue to bring the latest changes to the content throughout RHEL 7 life support.
This post touched briefly on what a STIG is, its importance, how Red Hat supports the development and how to consume the STIG content. Consumption can either happen during installation time or afterward. The OpenSCAP suite along with the "scap-security-guide" provides consumers with a quick and easy way to assist in helping to maintain compliance with the RHEL 7 STIG.
About the authors
Gabriel Gaspar Becker is a part of the Security Compliance team for Red Hat Enterprise Linux (RHEL) focused on the development of the OpenSCAP ecosystem. He mainly focuses on developing automated Security Content, which is used by organizations to speed up their adoption of security policies.
Carlos Matos is a Specialist Solutions Architect in Red Hat’s North America Public Sector organization. He works with internal product teams and, externally, with the United States Government and open source communities to create possibilities and solve problems.