STIG Security Profile in Red Hat Enterprise Linux 7

Red Hat has recently updated the Red Hat Enterprise Linux (RHEL) 7 Security Technical Implementation Guide (STIG) Profile to include more coverage of automated content and improve the profile’s stability. In this post, we’ll talk about how Red Hat contributes to the creation of new SCAP content and automation and how you can consume the latest updates for the RHEL 7 STIG Profile to more effectively apply security hardening policies.

What is a STIG?

A STIG is a document published by the Department of Defense Cyber Exchange (DoD), which is sponsored by the Defense Information Systems Agency (DISA). It contains guidance on how to configure systems to defend against potential threats. These threats mainly include cyberattacks, but they can also be problems caused by the use of misconfigured systems. 

A STIG is derived from the Security Requirements Guide (SRG), which contains high-level security requirements that later are translated into configuration items for a specific target of evaluation (TOE)—in this case, RHEL 7.

RHEL 7 STIG Profile update

Red Hat has been developing the automation of hardening systems via STIGs for many years, and since then, the STIG for RHEL 7 has been updated several times by DISA. Red Hat also takes part in STIG development by suggesting improvements and reporting issues to the guide back to DISA. Red Hat works to keep automated remediations up to date to provide customers with automated solutions to help harden their systems and help bring them into  compliance.

Coverage status of automated content

The automated content mainly consists of two parts:

• Check - to assess the current configuration state of a system
  • Organized in an Extensible Configuration Checklist Description Format (XCCDF) benchmark, which contains checks in Open Vulnerability and Assessment Language (OVAL) language.
• Fix - to bring the system to a compliant state
  • Available fix formats are Bash scripts and Ansible Playbooks.

The current coverage of implemented automated content is about 92% out of the 250 controls described in the STIG. Let’s say the system is not compliant with the guidance and you want to fix and to bring it to a compliant state, you can either run the provided Bash scripts or apply the provided Ansible Playbooks to suit your method of automation. Out of the 92% of covered STIG items, about 83% of them are covered with Bash scripts and about 75% with Ansible Playbooks.

How to consume it

There are two ways to harden your systems with the STIG for RHEL 7. The first method is to use the Anaconda installer to automatically apply the profile during the installation process. The second one is to run either the OpenSCAP scanner or the SCAP Workbench to assess an existing in-place system and apply subsequent fixes to bring it to a compliant state if needed.

If you decide to harden the systems during installation, you need to activate the option "Security Policy" in the installation setup phase, then select the profile called "DISA STIG for Red Hat Enterprise Linux 7" and follow the on-screen instructions. You can also use the unattended installation method to select the profile using the following code in your kickstart file:

%addon org_fedora_oscap
       content-type = scap-security-guide
       profile = xccdf_org.ssgproject.content_profile_stig
%end

# oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_stig --report report.html --fetch-remote-resources /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml

# oscap xccdf eval --remediate --profile xccdf_org.ssgproject.content_profile_stig --report report.html /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml

/usr/share/scap-security-guide/ansible/rhel7-playbook-stig.yml

# oscap xccdf eval --remediate --profile xccdf_org.ssgproject.content_profile_stig --stig-viewer stig-viewer-results.xml /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml