On February 28, 2020, the Defense Information Systems Agency (DISA) released the Oracle Linux 7 Security Technical Implementation Guide (STIG) Release 1 Version 1 (R1V1). Oracle has implemented the published STIG in Security Content Automation Protocol (SCAP) format and included it in the latest release of the scap-security-guide package for Oracle Linux 7. This content can be used with the OpenSCAP tool shipped with Oracle Linux to validate a server against the published implementation guide. Where a check does not pass, the evaluation can also suggest remediation and, in some cases, apply it automatically.
Running a STIG compliance scan with OpenSCAP
To validate a server against the published profile, you will need to install the OpenSCAP scanner tool and the SCAP Security Guide content:
# yum install openscap scap-security-guide
Loaded plugins: ovl, ulninfo
Resolving Dependencies
--> Running transaction check
---> Package openscap.x86_64 0:1.2.17-9.0.3.el7 will be installed
...
Dependencies Resolved
===============================================================================================================================
 Package                     Arch          Version                     Repository         Size
===============================================================================================================================
Installing:
 openscap                    x86_64        1.2.17-9.0.3.el7            ol7_latest        3.8 M
 scap-security-guide         noarch        0.1.46-11.0.2.el7           ol7_latest        7.9 M
Installing for dependencies:
 libxslt                     x86_64        1.1.28-5.0.1.el7            ol7_latest        241 k
 openscap-scanner            x86_64        1.2.17-9.0.3.el7            ol7_latest         62 k
 xml-common                  noarch        0.6.3-39.el7                ol7_latest         26 k
Transaction Summary
===============================================================================================================================
Install  2 Packages (+3 Dependent packages)
...
Installed:
  openscap.x86_64 0:1.2.17-9.0.3.el7        scap-security-guide.noarch 0:0.1.46-11.0.2.el7
...
Complete!
To confirm you have the STIG profile available, run:
# oscap info --profile stig /usr/share/xml/scap/ssg/content/ssg-ol7-xccdf.xml
Document type: XCCDF Checklist
Profile
	Title: DISA STIG for Oracle Linux 7
		Id: stig
		Description: This profile contains configuration checks that align to the DISA STIG for Oracle Linux V1R1.
To start an evaluation of the host against the profile, run:
# oscap xccdf eval --profile stig \
  --results /tmp/`hostname`-ssg-results.xml \
  --report /var/www/html/`hostname`-ssg-results.html \
  --cpe /usr/share/xml/scap/ssg/content/ssg-ol7-cpe-dictionary.xml \
       /usr/share/xml/scap/ssg/content/ssg-ol7-xccdf.xml
WARNING: This content points out to the remote resources. Use `--fetch-remote-resources' option to download them.
WARNING: Skipping https://linux.oracle.com/security/oval/com.oracle.elsa-all.xml.bz2 file which is referenced from XCCDF content
Title   Remove User Host-Based Authentication Files
Rule    no_user_host_based_files
Result  pass
Title   Remove Host-Based Authentication Files
Rule    no_host_based_files
Result  pass
Title   Uninstall rsh-server Package
Rule    package_rsh-server_removed
Result  pass
...
The machine-readable results will be saved to /tmp/hostname-ssg-results.xml and a human-readable report to /var/www/html/hostname-ssg-results.html, where hostname is replaced by the output of the hostname command (the backtick substitution in the command above).
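Once a scan has run, the XML results file is what you feed into reporting or ticketing rather than the console output. The following is an added example (not from this post or the scap-security-guide project) that parses the rule-result elements of an XCCDF 1.2 results file as written by oscap xccdf eval --results, counts outcomes, and lists the failing rules with their severity; it also maps the scanner's exit status, which is what a cron job or CI step should branch on. The embedded XML is a constructed, trimmed sample using the rule IDs shown in the scan output above, with constructed result and severity values.

```python
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF_NS = "{http://checklists.nist.gov/xccdf/1.2}"
RULE_PREFIX = "xccdf_org.ssgproject.content_rule_"  # SSG rule id prefix

# Constructed sample of a results file: the three rules from the scan output
# above, with one of them marked as failing (result/severity values are
# constructed, not taken from a real scan).
SAMPLE_RESULTS = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2"
           id="xccdf_org.ssgproject.content_benchmark_OL-7">
  <TestResult id="xccdf_org.open-scap_testresult_xccdf_org.ssgproject.content_profile_stig">
    <profile idref="xccdf_org.ssgproject.content_profile_stig"/>
    <rule-result idref="xccdf_org.ssgproject.content_rule_no_user_host_based_files" severity="high">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_no_host_based_files" severity="high">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_package_rsh-server_removed" severity="high">
      <result>fail</result>
    </rule-result>
  </TestResult>
</Benchmark>
"""

def summarize_results(xml_text):
    """Return (counts_by_result, failures) for an XCCDF results document.

    counts_by_result maps each result string (pass, fail, notapplicable, ...)
    to a count; failures lists (short_rule_id, severity) for every 'fail'.
    """
    root = ET.fromstring(xml_text)
    counts, failures = Counter(), []
    for rr in root.iter(XCCDF_NS + "rule-result"):
        result = rr.findtext(XCCDF_NS + "result", default="unknown")
        counts[result] += 1
        if result == "fail":
            rule_id = rr.get("idref", "")
            short_id = rule_id[len(RULE_PREFIX):] if rule_id.startswith(RULE_PREFIX) else rule_id
            failures.append((short_id, rr.get("severity", "unknown")))
    return counts, failures

def eval_exit_status(code):
    """Label the exit status of `oscap xccdf eval` (0 pass, 1 error, 2 failures)."""
    return {0: "all selected rules passed", 1: "scanner error", 2: "at least one rule failed"}.get(code, "unknown")

if __name__ == "__main__":
    counts, failures = summarize_results(SAMPLE_RESULTS)
    print(dict(counts))
    for rule, sev in failures:
        print(f"FAIL [{sev}] {rule}")
```

Point summarize_results at the file produced with --results to get the same summary for a real scan.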
For further details on additional options for running OpenSCAP compliance checks, including ways to generate a full security guide from SCAP content, please see the Oracle Linux 7 Security Guide. For details on methods to automate OpenSCAP scanning using Spacewalk, please see the Spacewalk for Oracle Linux: Client Life Cycle Management Guide.
For community-based support, please visit the Oracle Linux space on the Oracle Groundbreakers Community.
