The current coverage of implemented automated content is about 92% of the 250 controls described in the STIG. Let's say the system is not compliant with the guidance and you want to fix it and bring it to a compliant state: you can either run the provided Bash scripts or apply the provided Ansible Playbooks, whichever suits your method of automation. Out of the 92% of covered STIG items, about 83% are covered with Bash scripts and about 75% with Ansible Playbooks.

There are two ways to harden your systems with the STIG for RHEL 7. The first method is to use the Anaconda installer to automatically apply the profile during the installation process. The second is to run either the OpenSCAP scanner or SCAP Workbench to assess an existing in-place system and apply subsequent fixes to bring it to a compliant state if needed.

If you decide to harden the systems during installation, you need to activate the "Security Policy" option in the installation setup phase, then select the profile called "DISA STIG for Red Hat Enterprise Linux 7" and follow the on-screen instructions. You can also use the unattended installation method to select the profile using the following code in your kickstart file:

If you want to apply the guidelines on existing in-place systems, you will need to install the following packages first: "scap-security-guide" and "openscap-scanner". Additionally, install "scap-workbench" if you want to use a graphical user interface and/or tailor the STIG profile to your needs.

After installing these packages you can run the following command as root to assess the system:

# oscap xccdf eval --profile xccdf_profile_stig --report report.html --fetch-remote-resources /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml

Open the file "report.html" in your preferred browser and check the results. If there are any failures, you can fix them (where remediation is available) by running a similar command with the option "--remediate" included:

# oscap xccdf eval --remediate --profile xccdf_profile_stig --report report.html /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml

We advise you to run these commands in a testing environment first, as remediation can result in undesired changes to your existing software configuration.

By default the scanner uses Bash scripts when fixing the system. If you would like to use an Ansible Playbook instead, you can find it at: /usr/share/scap-security-guide/ansible/rhel7-playbook-stig.yml

STIG Viewer

STIG Viewer is a tool provided by DISA that enables you to load STIG benchmarks and create checklists that can be used to evaluate systems. In some cases, the use of STIG Viewer is mandatory when evaluating STIGs. These checklists are usually filled in manually, but there is an option to import scan results. OpenSCAP provides an option to generate such scan results that can be imported into STIG Viewer to speed up the evaluation process.
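The post recommends checking the scan results before running the remediation. The following added example (my code, not from the original post or from the scap-security-guide project) does that review from the machine-readable output instead of the HTML report: it assumes the scan command was also given the standard oscap option --results results.xml, summarises the outcomes, lists the failed rules by severity, and builds the oscap command that writes the corresponding Bash fix to a file you can read before applying it. The embedded results document is a constructed sample, not a real scan.

```python
# Added example (not from the post): summarise the machine-readable output of an
# OpenSCAP scan before deciding to remediate. Assumes the scan command above was
# also given --results results.xml (a standard oscap option).
import xml.etree.ElementTree as ET

NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}  # XCCDF 1.2 namespace

# Constructed sample results document (not a real scan); rule ids follow the
# scap-security-guide naming scheme, outcomes are made up.
SAMPLE_RESULTS = """<?xml version="1.0"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.ssgproject.content_benchmark_RHEL-7">
  <TestResult id="xccdf_org.open-scap_testresult_xccdf_profile_stig">
    <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_disable_root_login" severity="medium">
      <result>fail</result></rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_no_empty_passwords" severity="high">
      <result>fail</result></rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_package_aide_installed" severity="medium">
      <result>pass</result></rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_grub2_enable_fips_mode" severity="medium">
      <result>notapplicable</result></rule-result>
  </TestResult>
</Benchmark>"""


def summarize(xml_text):
    """Return (TestResult id, {outcome: count}, failed rules sorted by severity)."""
    root = ET.fromstring(xml_text)
    test_result = root.find("x:TestResult", NS)
    counts, failed = {}, []
    for rr in test_result.findall("x:rule-result", NS):
        outcome = rr.find("x:result", NS).text
        counts[outcome] = counts.get(outcome, 0) + 1
        if outcome == "fail":
            failed.append((rr.get("severity", "unknown"), rr.get("idref")))
    # Highest severity first so the reviewer sees the most important gaps on top.
    rank = {"high": 0, "medium": 1, "low": 2}
    failed.sort(key=lambda f: (rank.get(f[0], 3), f[1]))
    return test_result.get("id"), counts, failed


def fix_script_command(test_result_id, results_path="results.xml"):
    """oscap command that writes a Bash fix for the failed rules to a file for review."""
    return ("oscap xccdf generate fix --fix-type bash "
            f"--result-id {test_result_id} --output remediation.sh {results_path}")


if __name__ == "__main__":
    result_id, counts, failed = summarize(SAMPLE_RESULTS)
    print(counts, *[f"FAIL [{sev}] {rule}" for sev, rule in failed], sep="\n")
    print("Review before running:", fix_script_command(result_id))
```

Running the generated remediation.sh by hand gives you the same fixes as "--remediate" but lets you read and prune them first, which is what the testing-environment advice above is about.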