
Announcing the release of Oracle Linux 7 Security Technical Implementation Guide (STIG) OpenSCAP profile

Avi Miller
Senior Solutions Architect

On February 28, 2020, the Defense Information Systems Agency (DISA) released the Oracle Linux 7 Security Technical Implementation Guide (STIG) Release 1 Version 1 (R1V1). Oracle has implemented the published STIG in Security Content Automation Protocol (SCAP) format and included it in the latest release of the scap-security-guide package for Oracle Linux 7. This content can be used with the OpenSCAP tool shipped with Oracle Linux to validate a server against the published implementation guide. The validation process can also suggest, and in some cases automatically apply, remediation where a check does not pass.

Running a STIG compliance scan with OpenSCAP

To validate a server against the published profile, you will need to install the OpenSCAP scanner tool and the SCAP Security Guide content:

# yum install openscap scap-security-guide
Loaded plugins: ovl, ulninfo
Resolving Dependencies
--> Running transaction check
---> Package openscap.x86_64 0:1.2.17-9.0.3.el7 will be installed
Dependencies Resolved

 Package                             Arch                   Version                           Repository                  Size
 openscap                            x86_64                 1.2.17-9.0.3.el7                  ol7_latest                 3.8 M
 scap-security-guide                 noarch                 0.1.46-11.0.2.el7                 ol7_latest                 7.9 M
Installing for dependencies:
 libxslt                             x86_64                 1.1.28-5.0.1.el7                  ol7_latest                 241 k
 openscap-scanner                    x86_64                 1.2.17-9.0.3.el7                  ol7_latest                  62 k
 xml-common                          noarch                 0.6.3-39.el7                      ol7_latest                  26 k

Transaction Summary
Install  2 Packages (+3 Dependent packages)
  openscap.x86_64 0:1.2.17-9.0.3.el7                       scap-security-guide.noarch 0:0.1.46-11.0.2.el7

To confirm you have the STIG profile available, run:

# oscap info --profile stig /usr/share/xml/scap/ssg/content/ssg-ol7-xccdf.xml
Document type: XCCDF Checklist
	Title: DISA STIG for Oracle Linux 7
	Id: stig

	Description: This profile contains configuration checks that align to the DISA STIG for Oracle Linux V1R1.

To start an evaluation of the host against the profile, run:

# oscap xccdf eval --profile stig \
  --results /tmp/`hostname`-ssg-results.xml \
  --report /var/www/html/`hostname`-ssg-results.html \
  --cpe /usr/share/xml/scap/ssg/content/ssg-ol7-cpe-dictionary.xml \
  /usr/share/xml/scap/ssg/content/ssg-ol7-xccdf.xml
WARNING: This content points out to the remote resources. Use `--fetch-remote-resources' option to download them.
WARNING: Skipping https://linux.oracle.com/security/oval/com.oracle.elsa-all.xml.bz2 file which is referenced from XCCDF content
Title   Remove User Host-Based Authentication Files
Rule    no_user_host_based_files
Result  pass

Title   Remove Host-Based Authentication Files
Rule    no_host_based_files
Result  pass

Title   Uninstall rsh-server Package
Rule    package_rsh-server_removed
Result  pass


The machine-readable results will be saved to /tmp/<hostname>-ssg-results.xml and a human-readable report will be saved to /var/www/html/<hostname>-ssg-results.html, where <hostname> is the output of the `hostname` command substituted into the paths above.
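The results file is XCCDF XML, so the scan lends itself to scripting: build the same oscap invocation the article shows, interpret the scanner's exit code, and reduce the results file to a list of failed rules ordered by severity. The following is an added example written for this article; it is not code from Oracle or from the scap-security-guide project. It assumes the content paths shown above, the standard exit codes of `oscap xccdf eval` (0 when every evaluated rule passes, 1 on an oscap error, 2 when at least one rule fails), and the XCCDF 1.2 namespace used by SSG results files; the sample results document embedded at the bottom is constructed for offline use and contains two made-up failing rules alongside the three rules that appear in the article's output.

```python
"""Post-process an OpenSCAP XCCDF results file and interpret the oscap exit code.

Added example, not Oracle or scap-security-guide code. Paths and exit-code
meanings are assumptions stated in the lead-in.
"""
import subprocess
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"   # XCCDF 1.2 namespace used by SSG results
NS = {"x": XCCDF_NS}

SSG_DIR = "/usr/share/xml/scap/ssg/content"          # content directory from the article
XCCDF_FILE = f"{SSG_DIR}/ssg-ol7-xccdf.xml"
CPE_FILE = f"{SSG_DIR}/ssg-ol7-cpe-dictionary.xml"

# Exit codes of `oscap xccdf eval` (assumed from the tool's documented behaviour)
EXIT_MEANING = {0: "all evaluated rules passed", 1: "oscap error", 2: "at least one rule failed"}


def build_eval_command(hostname, results_dir="/tmp", report_dir="/var/www/html", profile="stig"):
    """Return the oscap invocation from the article as an argv list."""
    return [
        "oscap", "xccdf", "eval",
        "--profile", profile,
        "--results", f"{results_dir}/{hostname}-ssg-results.xml",
        "--report", f"{report_dir}/{hostname}-ssg-results.html",
        "--cpe", CPE_FILE,
        XCCDF_FILE,
    ]


def summarize_results(xml_text):
    """Parse XCCDF result XML; return (counts by result, failed rules by severity).

    Each failed rule is a (short rule id, severity) tuple; high severity sorts first.
    Results such as 'notapplicable' or 'notchecked' are counted but not treated as failures.
    """
    root = ET.fromstring(xml_text)
    counts = Counter()
    failed = []
    for rr in root.iter(f"{{{XCCDF_NS}}}rule-result"):
        result = rr.findtext("x:result", default="unknown", namespaces=NS)
        counts[result] += 1
        if result == "fail":
            rule_id = rr.get("idref", "").replace("xccdf_org.ssgproject.content_rule_", "")
            failed.append((rule_id, rr.get("severity", "unknown")))
    order = {"high": 0, "medium": 1, "low": 2}
    failed.sort(key=lambda f: (order.get(f[1], 3), f[0]))
    return dict(counts), failed


def run_scan(hostname):
    """Run the scan on this host (needs oscap installed) and classify its exit code."""
    proc = subprocess.run(build_eval_command(hostname), capture_output=True, text=True)
    return proc.returncode, EXIT_MEANING.get(proc.returncode, "unexpected exit code")


# Constructed sample shaped like an oscap results file. The first three rules are the
# ones shown in the article; the two failing rules are invented for the demonstration.
SAMPLE_RESULTS = f"""<Benchmark xmlns="{XCCDF_NS}">
  <TestResult id="xccdf_org.open-scap_testresult_stig">
    <rule-result idref="xccdf_org.ssgproject.content_rule_no_user_host_based_files" severity="high">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_no_host_based_files" severity="high">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_package_rsh-server_removed" severity="high">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_constructed_medium_rule" severity="medium">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_constructed_high_rule" severity="high">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_constructed_na_rule" severity="low">
      <result>notapplicable</result>
    </rule-result>
  </TestResult>
</Benchmark>
"""

if __name__ == "__main__":
    counts, failed = summarize_results(SAMPLE_RESULTS)
    print("result counts:", counts)
    for rule, severity in failed:
        print(f"FAIL [{severity}] {rule}")
```

To use it against a real scan, call `run_scan(hostname)` and then feed the contents of /tmp/<hostname>-ssg-results.xml to `summarize_results`. Note that, as the WARNING lines in the article's output show, the remote OVAL file is skipped unless `--fetch-remote-resources` is added, so a run without it reports on configuration rules only.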

For further details on additional options for running OpenSCAP compliance checks, including ways to generate a full security guide from SCAP content, please see the Oracle Linux 7 Security Guide. For details on methods to automate OpenSCAP scanning using Spacewalk, please see the Spacewalk for Oracle Linux: Client Life Cycle Management Guide.

For community-based support, please visit the Oracle Linux space on the Oracle Groundbreakers Community.