To apply the guidelines to existing, already-installed systems, first install the “scap-security-guide” and “openscap-scanner” packages. Additionally, install “scap-workbench” if you want a graphical user interface and/or want to tailor the STIG profile to your needs.
After installing these packages, run the following command as root to assess the system:
# oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_stig --report report.html --fetch-remote-resources /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
Open “report.html” in your preferred browser and check the results. If there are any failures, you can fix them (where remediation is available) by running a similar command with the “--remediate” option included:
# oscap xccdf eval --remediate --profile xccdf_org.ssgproject.content_profile_stig --report report.html /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
We advise running these commands in a testing environment first, as remediation can make undesired changes to your existing software configuration.
By default, the scanner uses Bash scripts when fixing the system. If you would prefer to use an Ansible Playbook instead, you can find it at:
/usr/share/scap-security-guide/ansible/rhel7-playbook-stig.yml
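Before running the remediation step, it is worth knowing which rules failed and how severe they are. The following is an added example (not part of the original post or of the scap-security-guide project) that summarizes the XCCDF results file oscap writes when you add “--results results.xml” to the scan command above; the results document, rule ids and severities embedded here are constructed for illustration, not taken from ssg-rhel7-ds.xml.

```python
"""Summarize an OpenSCAP XCCDF results file before deciding whether to remediate."""
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF_NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}

# Constructed sample in the shape of what `oscap xccdf eval --results results.xml ...`
# writes; the rule ids and severities are illustrative, not from the real RHEL 7 content.
SAMPLE_RESULTS = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark">
  <TestResult id="xccdf_example_testresult">
    <rule-result idref="xccdf_org.ssgproject.content_rule_example_pass" severity="medium">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_example_fail_high" severity="high">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_example_fail_low" severity="low">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_example_manual" severity="medium">
      <result>notchecked</result>
    </rule-result>
  </TestResult>
</Benchmark>
"""

def summarize_results(xml_text):
    """Return (failed, counts): failed is a list of (rule id, severity) with the most
    severe first; counts maps each XCCDF result value (pass, fail, notchecked, ...) to a tally."""
    root = ET.fromstring(xml_text)
    order = {"high": 0, "medium": 1, "low": 2}
    failed, counts = [], Counter()
    for rr in root.iterfind(".//x:TestResult/x:rule-result", XCCDF_NS):
        result = rr.findtext("x:result", default="unknown", namespaces=XCCDF_NS)
        counts[result] += 1
        if result == "fail":
            failed.append((rr.get("idref"), rr.get("severity", "unknown")))
    failed.sort(key=lambda r: order.get(r[1], 99))
    return failed, dict(counts)

def needs_review(counts):
    """True if any rule failed or errored, i.e. read the report before running --remediate.
    'notchecked' rules are not counted: they need a manual check, not an automated fix."""
    return counts.get("fail", 0) + counts.get("error", 0) > 0

if __name__ == "__main__":
    failed, counts = summarize_results(SAMPLE_RESULTS)
    print("result counts:", counts)
    for rule_id, severity in failed:
        print(f"FAIL [{severity}] {rule_id}")
```

Rules reported as “notchecked” are the ones you still complete by hand in the STIG Viewer checklist.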
STIG Viewer
STIG Viewer is a tool provided by DISA that enables you to load STIG benchmarks and create checklists that can be used to evaluate systems. In some cases, the use of STIG Viewer is mandatory when evaluating STIGs. These checklists are usually filled in manually, but there is an option to import scan results. OpenSCAP can generate scan results in a form that can be imported into STIG Viewer to speed up the evaluation process. To generate this file, use the “--stig-viewer” option when running a system scan:
# oscap xccdf eval --remediate --profile xccdf_org.ssgproject.content_profile_stig --stig-viewer stig-viewer-results.xml /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
After loading the RHEL 7 STIG benchmark provided by DISA into STIG Viewer, you can import the file “stig-viewer-results.xml” to check the scan results, which are mapped to STIG items.
Future Work
As stated previously, the current profile covers about 92% of the items described in the STIG. Despite not being fully complete, it can save a lot of time when systems are evaluated against the STIG. Red Hat works with DISA to provide our consumers with updated content and automation. As DISA now releases new STIGs on a quarterly basis, we plan to continue bringing the latest changes to the content throughout the RHEL 7 support life cycle.
Conclusion
This post touched briefly on what a STIG is, why it matters, how Red Hat supports its development, and how to consume the STIG content. Consumption can happen either at installation time or afterward. The OpenSCAP suite, along with “scap-security-guide”, gives consumers a quick and easy way to help maintain compliance with the RHEL 7 STIG.