The Security Technical Implementation Guide (STIG), which is published by the Defense Information Systems Agency (DISA), is a document that provides guidance on configuring a system to meet cybersecurity requirements for deployment within the Department of Defense (DoD) IT network systems.
The STIG guidelines have been included in the scap-security-guide package available under the ol8_appstream channel, which can be used with the openscap tool for evaluating the compliance of an Oracle Linux installation. The validation process can also suggest and in some cases automatically apply remediation in cases where compliance is not met. Individual rules and the remediation details are well documented in ssg-ol8-guide-standard. The scap-security-guide package available for Oracle Linux 8 machines provides the remediation playbooks for different profiles including STIG, which is located under /usr/share/scap-security-guide/ansible/ .
These playbooks can be used with Oracle Linux Automation Manager for applying the remediation on a group of machines.
Let's now go through the steps on how to leverage Oracle Linux Automation Manager to apply remediation for a STIG profile.
# cp /usr/share/scap-security-gudie/ansible/ol8-playbook-stig.yml /var/lib/awx/projects/<project-directory> OR
Ensure that the latest version of the openscap package is installed on the target host.
# dnf install openscap -y
Execute the following command to check the compliance:
# oscap xccdf eval --profile stig --results /tmp/<path-to-result>.xml --report /tmp/<path-to-report>.html --cpe /usr/share/xml/scap/ssg/content/ssg-ol8-cpe-dictionary.xml /usr/share/xml/scap/ssg/content/ssg-ol8-xccdf.xml
The report which will be generated as an HTML file that will list the compliance score and the details on each of the rules that was a success or a failure.
If there are a large number of target machines, installing the OpenSCAP package and running the scan can be combined into a simple playbook.
Each task from the playbook is in the below format:
- name: Ensure tmux is installed package: name: tmux state: present when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - DISA-STIG-OL08-00-020039 - NIST-800-171-3.1.10 - NIST-800-53-CM-6(a) - enable_strategy - low_complexity - low_disruption - medium_severity - no_reboot_needed - package_tmux_installed
Every task is associated with job tags, for example "no_reboot_needed" as seen above.
The "job tags" option from Oracle Linux Automation Manager can be leveraged to selectively execute only the required tasks.
Similarly, the tasks which are not required can be skipped using "skip tags" from Oracle Linux Automation Manager when launching the template.
As part of the remediation activity, one of the rules with tag DISA-STIG-OL08-00-010550 disables root login over SSH.
If the remediation for this task is applied, the consequent tasks will fail as the SSH root login would be disabled.
Hence, this task needs to be skipped for the consequent tasks to be played.
Ensure to enter "DISA-STIG-OL08-00-010550" tag under "skip tags" before launching the template.
If more logging is required, increase the verbosity to 2 (More Verbose) and Launch the template.
The template may require a minimum of 30 minutes to be completed. Post which, rerun the oscap command, specifying a new path for the report and results.
# oscap xccdf eval --profile stig --results /tmp/<new-path-to-result>.xml --report /tmp/<new-path-to-report>.html --cpe /usr/share/xml/scap/ssg/content/ssg-ol8-cpe-dictionary.xml /usr/share/xml/scap/ssg/content/ssg-ol8-xccdf.xml
Open the generated html file using a browser and notice the compliance score.
Note that the compliance score varies between different environments and may not be the same as seen above.
As part of applying remediation, there will be multiple modifications made, hence it is necessary to review each task. Here are few examples:
To continue exploring more use cases of Oracle Linux Automation Manager, Please navigate to Ansible Collections Github page.