Saturday, May 23, 2026

Part 2 - Install, STIG, and verify STIG'd Red Hat Enterprise Linux (RHEL) 9.x Server

This is Part 2 of a 2 part series. In this part we will setup OpenSCAP and
demonstrate how to use it to scan a Red Hat Enterprise Linux 9 (RHEL9)
server for DISA STIG compliance and generate an interactive web based report.

Open an SSH session back into the RHEL 9 server and install openscap-scanner and scap-security-guide with the following commands.

[john@RHEL98 ~]$ sudo -i
[sudo] password for john: ********** 
[root@RHEL98 ~]# yum install openscap-scanner scap-security-guide
Updating Subscription Management repositories.
Last metadata expiration check: 1:21:46 ago on Sat 23 May 2026 01:02:10 PM EDT.
Package openscap-scanner-1:1.3.13-1.el9_7.x86_64 is already installed.
Package scap-security-guide-0.1.80-1.el9_7.noarch is already installed.
Dependencies resolved.
Nothing to do.
Complete!
 
Run 'oscap info' to check which version of the DISA STIG the installed SCAP content implements, with the following command.

[root@RHEL98 ~]# oscap info --profile stig /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml
Document type: Source Data Stream
Imported: 2026-03-18T05:35:29
Stream: scap_org.open-scap_datastream_from_xccdf_ssg-rhel9-xccdf.xml
Generated: 2026-03-11T00:00:00
Version: 1.3
Profile
    Title: DISA STIG for Red Hat Enterprise Linux 9
    Id: xccdf_org.ssgproject.content_profile_stig
    Description: This profile contains configuration checks that align to the DISA STIG for Red Hat Enterprise Linux 9 V2R7.  In addition to being applicable to Red Hat Enterprise Linux 9, this configuration baseline is applicable to the operating system tier of Red Hat technologies that are based on Red Hat Enterprise Linux 9, such as:  - Red Hat Enterprise Linux Server - Red Hat Enterprise Linux Workstation and Desktop - Red Hat Enterprise Linux for HPC - Red Hat Storage - Red Hat Containers with a Red Hat Enterprise Linux 9 image


Scan the system and generate the eXtensible Configuration Checklist Description Format (XCCDF) HTML report using the following command.

(Replace admin with the account name you created at the beginning of Part 1; in the example output that follows the account is 'john'.)

[root@RHEL98 ~]# oscap xccdf eval --report /home/admin/rhel98.html --profile stig /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml 
 ...
Title   Write Audit Logs to the Disk
Rule    xccdf_org.ssgproject.content_rule_auditd_write_logs
Ident   CCE-83705-4
Result  pass

Title   Verify Permissions on /etc/audit/auditd.conf
Rule    xccdf_org.ssgproject.content_rule_file_permissions_etc_audit_auditd
Ident   CCE-89284-4
Result  pass
 
In the example above the report was written to the admin user's home directory, but oscap ran as root, so the file is owned by root with mode 0600 (-rw-------) and the admin user cannot read it. Change the ownership of the report file so we can secure copy (SCP) it from the virtual server to the host/hypervisor desktop. Use the following commands.
[root@RHEL98 ~]# ls -l /home/john
total 5148
-rw-------. 1 root root 5270296 May 23 15:13 rhel98.html

[root@RHEL98 ~]# chown john:john /home/john/rhel98.html 
 
[root@RHEL98 ~]# ls -l /home/john
total 5148
-rw-------. 1 john john 5270296 May 23 15:13 rhel98.html
[root@RHEL98 ~]# 

 Open a new terminal on the host/hypervisor and SCP the rhel98.html report file from the virtual RHEL9 server.  Use the following commands.
(You will need to know/remember the IP address of the virtual RHEL9 server)
 
$ scp john@192.168.122.117:rhel98.html .
You are accessing a U.S. Government (USG) Information System (IS) that is 
provided for USG-authorized use only. By using this IS (which includes any 
device attached to this IS), you consent to the following conditions:
-The USG routinely intercepts and monitors communications on this IS for 
purposes including, but not limited to, penetration testing, COMSEC monitoring, 
...
communications and work product are private and confidential. See User 
Agreement for details.
john@192.168.122.117's password: ************
rhel98.html                                   100% 5147KB 273.0MB/s   00:00  

Now open the local copy of the rhel98.html report file in a browser on the host/hypervisor system. Note that there are still 10 medium and 5 high rules that failed even though we applied the DISA STIG during the server build process.
 

There is also a form of the oscap command that will attempt to automatically remediate the failures the scan finds, by running the fix script that the SCAP content bundles for each failed rule. Because --remediate changes the running system, run it on a VM you can snapshot and roll back, and review what each fix changed before doing the same on a server you care about. This is the modified scan command.
[root@RHEL98 ~]# oscap xccdf eval --report /home/john/rhel98.html --profile stig --remediate /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml
 
Repeat the steps above to change ownership and secure copy the new report back to the host/hypervisor, then check the new report to see if there was an improvement.
(Change the destination name in the scp command to preserve the 1st version of the report for comparison.)
 
$ scp john@192.168.122.117:rhel98.html ./rhel98-remediated.html

Open the local copy of the rhel98-remediated.html file in a browser on the host/hypervisor system. Note that we still have 8 medium (Cat 2) and 4 high (Cat 1) failed rules, even though the Red Hat installation software applied the DISA STIG and we have also used the OpenSCAP "remediate" function.
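The two reports above were compared by eye in the browser. The script below is added here as an example; it is not code from this post or from the OpenSCAP project. It does the same comparison from the machine-readable results instead: it assumes each scan was also run with the --results FILE option of oscap xccdf eval (so a results XML sits next to the HTML report), counts failing rules per severity, treats the "fixed" result that oscap records for a remediated rule as a pass, and lists which rules remediation fixed, which still fail, and which newly fail. The embedded sample results and their rule ids are constructed for the example, not findings from the scans above.

```python
"""Summarize one OpenSCAP XCCDF results file and diff two (before/after --remediate).

Added example: not code from the original post or from OpenSCAP. It assumes each
scan was run with an additional --results argument, for example
  oscap xccdf eval --results /home/admin/rhel98-results.xml \
      --report /home/admin/rhel98.html --profile stig \
      /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml
so that XCCDF 1.2 results exist next to the HTML report.
"""
import json
import sys
import xml.etree.ElementTree as ET
from collections import Counter
from pathlib import Path
from typing import Dict, List, Tuple

XCCDF = "{http://checklists.nist.gov/xccdf/1.2}"

# oscap records a rule that --remediate repaired as "fixed", not "pass", so
# both count as a non-failing outcome when comparing two runs.
NOT_FAILING = {"pass", "fixed"}


def rule_results(xml_text: str) -> Dict[str, Tuple[str, str]]:
    """Map rule id -> (severity, result) for every <rule-result> in the document."""
    root = ET.fromstring(xml_text)
    table: Dict[str, Tuple[str, str]] = {}
    for rr in root.iter(XCCDF + "rule-result"):
        res = rr.find(XCCDF + "result")
        text = res.text.strip() if res is not None and res.text else "unknown"
        table[rr.get("idref", "")] = (rr.get("severity", "unknown"), text)
    return table


def failed_by_severity(table: Dict[str, Tuple[str, str]]) -> Dict[str, int]:
    """The 'N high, M medium' figure the HTML report shows, computed from the XML."""
    return dict(Counter(sev for sev, res in table.values() if res == "fail"))


def compare(before: Dict[str, Tuple[str, str]],
            after: Dict[str, Tuple[str, str]]) -> Dict[str, List[str]]:
    """Which rules remediation fixed, which still fail, and which newly fail."""
    def result(table, rule):
        return table.get(rule, ("unknown", "unknown"))[1]
    return {
        "fixed": sorted(r for r, (_, res) in before.items()
                        if res == "fail" and result(after, r) in NOT_FAILING),
        "still_failing": sorted(r for r, (_, res) in after.items()
                                if res == "fail" and result(before, r) == "fail"),
        "regressed": sorted(r for r, (_, res) in after.items()
                            if res == "fail" and result(before, r) in NOT_FAILING),
    }


def summarize(before_xml: str, after_xml: str) -> dict:
    before, after = rule_results(before_xml), rule_results(after_xml)
    return {"before": failed_by_severity(before),
            "after": failed_by_severity(after),
            **compare(before, after)}


# Constructed sample results, shaped like the <TestResult> oscap writes. The
# rule ids are SSG-style names chosen for the example, not findings from the post.
RULE = "xccdf_org.ssgproject.content_rule_"


def _sample(rows) -> str:
    body = "".join(
        f'<rule-result idref="{RULE}{rule}" severity="{sev}"><result>{res}</result></rule-result>'
        for rule, sev, res in rows)
    return (f'<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2">'
            f'<TestResult id="xccdf_org.open-scap_testresult_stig">{body}</TestResult></Benchmark>')


BEFORE_XML = _sample([
    ("auditd_write_logs", "medium", "pass"),
    ("sshd_disable_root_login", "high", "fail"),
    ("package_telnet_removed", "high", "fail"),
    ("mount_option_tmp_noexec", "medium", "fail"),
    ("grub2_uefi_password", "high", "notapplicable"),
])
AFTER_XML = _sample([
    ("auditd_write_logs", "medium", "fail"),        # regression caused by a fix script
    ("sshd_disable_root_login", "high", "fixed"),
    ("package_telnet_removed", "high", "fail"),     # remediation could not clear it
    ("mount_option_tmp_noexec", "medium", "fixed"),
    ("grub2_uefi_password", "high", "notapplicable"),
])

if __name__ == "__main__":
    # Usage: python3 scapdiff.py rhel98-results.xml rhel98-remediated-results.xml
    if len(sys.argv) == 3:
        before_xml, after_xml = (Path(p).read_text(encoding="utf-8") for p in sys.argv[1:3])
    else:
        before_xml, after_xml = BEFORE_XML, AFTER_XML
    print(json.dumps(summarize(before_xml, after_xml), indent=2))
```

Run it with no arguments to see the sample, or with the two results files to see exactly which rules the remediation run fixed and which it left (or newly broke), which is the list to work through with the instructions in the HTML report.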

 

CONCLUSION

 Application of the DISA STIG via automated means is not a 100% solution, nor is STIG application a "one and done" process.  New STIGs are released periodically and systems need to be re-checked and re-evaluated against them when they are.  

 The OpenSCAP Evaluation Report is an interactive web page with sections that expand and collapse.  There are explanations and instructions on how to remediate the medium (Cat 2) and high (Cat 1) findings within the report.  


Friday, May 22, 2026

Part 1 - Install, STIG, and verify STIG'd Red Hat Enterprise Linux (RHEL) 9.x Server

THIS IS STILL A WORK-IN-PROGRESS... 

These instructions will walk you through building a virtual RHEL 9.x server and applying the DISA (Defense Information Systems Agency) STIG (Security Technical Implementation Guide).  It will also demonstrate how to verify the STIG has been applied using OpenSCAP, an open-source tool designed for automated security auditing and compliance management based on the Security Content Automation Protocol (SCAP).

All this will be demonstrated using the KVM (Kernel-based Virtual Machine) hypervisor module and QEMU (Quick Emulator), a free open-source hypervisor and machine emulator, all running on a Debian based version of Linux.  

Setting Up Virtual Machines with QEMU, KVM, and Virt-Manager on Debian/Ubuntu 

You will need a bootable ISO file of RHEL 9.x which you can obtain by creating a free account on https://developers.redhat.com/ and downloading the latest x86_64 DVD ISO from :

https://developers.redhat.com/products/rhel/download#downloadsbyrelease.

In this example the ISO file will be saved in a folder named 'ISO' in the user's home directory on the host (hypervisor) system.

The STIG requires separate disk partitions, or volumes, for different functional parts of the operating system.  At a minimum this ensures that if a rogue process floods the system with logging it fills only the log volume rather than the root volume, so the system stays up and you can still log in and fix the problem.

The Disk partitioning layout is presented here for virtual disk space requirements and will be referred back to later during the operating system (OS) install.

Recommended disk partition/volume sizes:

Mount Point      Recommended  Minimum  Notes
/boot            1G           1G       Use '/boot' from Mount Point menu
/boot/efi        600M         512M     Use '/boot/efi' from Mount Point menu
/                20G          10G      Use '/' from Mount Point menu
/home            20G          5G       Use '/home' from Mount Point menu
/var             20G          8G       Use '/var' from Mount Point menu
swap             10G          4G       Use 'swap' from Mount Point menu; up to 1/2 the size of RAM
/tmp             10G          8G       Enter '/tmp' for the Mount Point
/var/tmp         2G           1G       Enter '/var/tmp' for the Mount Point
/var/log         1G           1G       Enter '/var/log' for the Mount Point
/var/log/audit   2G           1.5G     Enter '/var/log/audit' for the Mount Point
Total            87G          40G      disk space
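Once the server is built and you have the SSH session from the later steps, it is worth confirming that the layout above really produced separate filesystems, because that is what the STIG rules check. The script below is an added example, not code from the original post. It parses /proc/mounts-style text (source, mount point, filesystem type, options), so it runs offline on the constructed sample embedded in it and on the server against /proc/mounts itself. The mount-option table it carries is an assumption deliberately limited to three mounts the RHEL 9 STIG is known to harden with nodev, nosuid and noexec; extend it from the STIG rule text for the other mounts.

```python
"""Verify the STIG's separate-filesystem layout from /proc/mounts.

Added example, not from the original post. Usage on the built server:
  python3 mountcheck.py /proc/mounts
With no argument it checks the constructed sample below.
"""
import sys
from typing import Dict, List, Set, Tuple

# Mount points the partition table requires as separate volumes (swap is not a mount point).
REQUIRED_SEPARATE = ("/boot", "/boot/efi", "/home", "/var", "/tmp",
                     "/var/tmp", "/var/log", "/var/log/audit")

# Hardening options the RHEL 9 STIG requires on temporary and shared-memory
# filesystems. Assumption: limited to the three entries this addition is certain
# of; add rows for the other mounts from the STIG rule text.
REQUIRED_OPTIONS: Dict[str, Set[str]] = {
    "/tmp": {"nodev", "nosuid", "noexec"},
    "/var/tmp": {"nodev", "nosuid", "noexec"},
    "/dev/shm": {"nodev", "nosuid", "noexec"},
}

Mount = Tuple[str, str, Set[str]]  # (source device, fstype, mount options)


def parse_mounts(text: str) -> Dict[str, Mount]:
    """Parse /proc/mounts lines: source mountpoint fstype options dump pass."""
    mounts: Dict[str, Mount] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        source, mountpoint, fstype, options = parts[:4]
        mountpoint = mountpoint.replace("\\040", " ")  # /proc/mounts escapes spaces as \040
        mounts[mountpoint] = (source, fstype, set(options.split(",")))
    return mounts


def missing_separate_filesystems(mounts: Dict[str, Mount],
                                 required=REQUIRED_SEPARATE) -> List[str]:
    """Required mount points that are not their own filesystem (they live on a parent volume)."""
    return [mp for mp in required if mp not in mounts]


def missing_mount_options(mounts: Dict[str, Mount],
                          required=REQUIRED_OPTIONS) -> Dict[str, List[str]]:
    """Per mount point, the required options that are absent from the live mount."""
    findings: Dict[str, List[str]] = {}
    for mp, wanted in required.items():
        if mp in mounts:  # an absent mount is reported by missing_separate_filesystems
            lacking = sorted(wanted - mounts[mp][2])
            if lacking:
                findings[mp] = lacking
    return findings


def check(text: str) -> dict:
    mounts = parse_mounts(text)
    return {"missing_filesystems": missing_separate_filesystems(mounts),
            "missing_options": missing_mount_options(mounts)}


# Constructed sample: the table's layout, except /var/tmp was left on the root
# volume and /tmp was mounted without noexec, so both should be reported.
SAMPLE_PROC_MOUNTS = """\
/dev/mapper/rhel-root / xfs rw,seclabel,relatime,attr2,inode64 0 0
/dev/vda2 /boot xfs rw,seclabel,nodev,nosuid,noexec,relatime 0 0
/dev/vda1 /boot/efi vfat rw,relatime,fmask=0077,dmask=0077 0 0
/dev/mapper/rhel-home /home xfs rw,seclabel,nodev,nosuid,noexec,relatime 0 0
/dev/mapper/rhel-var /var xfs rw,seclabel,nodev,relatime 0 0
/dev/mapper/rhel-tmp /tmp xfs rw,seclabel,nodev,nosuid,relatime 0 0
/dev/mapper/rhel-var_log /var/log xfs rw,seclabel,nodev,nosuid,noexec,relatime 0 0
/dev/mapper/rhel-var_log_audit /var/log/audit xfs rw,seclabel,nodev,nosuid,noexec,relatime 0 0
tmpfs /dev/shm tmpfs rw,seclabel,nosuid,nodev,noexec 0 0
"""

if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_PROC_MOUNTS
    findings = check(text)
    for mp in findings["missing_filesystems"]:
        print(f"FAIL {mp}: not a separate filesystem")
    for mp, opts in findings["missing_options"].items():
        print(f"FAIL {mp}: missing mount options {','.join(opts)}")
    if not any(findings.values()):
        print("PASS: layout matches the partition table")
```

A mount point that is missing from /proc/mounts is the important finding: the directory exists, but it sits on the parent volume, so the isolation the table was meant to buy (a runaway log or a filled /tmp not taking down /) is not there, and the corresponding STIG rules will fail in the Part 2 scan.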

Assuming you have KVM and QEMU installed and working correctly, let's get started.

Launch the Virtual Machine Manager GUI that was installed along with QEMU. 

 

Click the shiny looking monitor icon on the left of the Virtual Machine Manager GUI.

 

 Select "Local install media (ISO image or CDROM)" and click the "Forward" button.

 

 ☐ Click the "Browse" button; on the "Locate ISO media volume" dialog that opens, click
 the blue + icon on the lower left side. 

 

Change "Pool" to "ISO" and use the "Browse" button to select the /home/username/ISO
folder, then click the "Finish" button.

 

 Select the latest rhel-9.x-x86_64-dvd.iso file and click the "Choose Volume" button. 

   

☐ Click the "Forward" button to continue.

 

  Adjust Memory and CPUs to something reasonable and click the "Forward" button.

Note: The default values are the bare minimum you need. I went with
Memory:4096 and CPUs:4

 

 Adjust the disk image size to meet the total requirements from the "Recommended
disk partition/volume sizes" table above  (87 or 40 GiB) then click the "Forward" button.

 

☐ Change the Name to represent the OS and version you are installing.
☐ Click the "Customize configuration before install" and click the "Finish" button.
 
 
On the Customization screen
☐ Choose "Overview" and then change the Firmware: setting to "UEFI" and click the
"Apply" button.  
(Optional) Choose "OS information" and enter "Red Hat Enterprise Linux 9" and
select the highest version of RHEL9 available and click the "Apply" button.
 

Click on "Begin Installation"

 

A virtual console will now open and you can select "Install Red Hat Enterprise Linux 9.8"
from the text menu. 
Note: the virtual console will grab control of the mouse and keyboard in order to keep
you from accidentally exiting it. Pressing left Ctrl and Alt keys simultaneously will
release the mouse and keyboard so you can move to other windows on your desktop.

☐ Select "English (United States)" and click the "Continue" button.

 

On the "Installation Summary" screen many settings need to be adjusted.

Select the "Root Password" and change the root password to a complex password
and press the "Done" button.
☐ Select "User Creation" and create an admin user account for yourself. Check the "Make
this user administrator" checkbox before clicking the "Done" button.

Back on the "Installation Summary" screen select "Installation Destination" and on the
next screen verify the disk with the correct disk size is selected with a check mark. 

☐ Under "Storage Configuration" select the "Custom" option and click the "Done" button.

On the Manual Partitioning screen use the "+" button to add the 1st partition.

Select or key in "/boot" for the "Mount Point", then enter "1G" for the "Desired Capacity" and click the "Add mount point" button.

Use the "+" button on the "Manual Partitioning" screen to repeat the above step for every partition listed in the "Recommended disk partition/volume sizes" table at top
of this document.

 After adding all of the partitions click the "Done" button.

Now click the "Accept Changes" button.

Back on the "Installation Summary" screen select "Network & Hostname" and enter a 
hostname for the system and click the "Apply" button followed by the "Done" button.
 
 
 Back on the "Installation Summary" screen select "Software Selection" and choose the "Server"
radio button on the left and click the "Done" button.
 

Back on the "Installation Summary" screen select "Security Profile" and scroll down through
the security profiles and select "DISA STIG for Red Hat Enterprise Linux 9" and click the "Select
profile" button.  
 
After a few seconds a green check mark should appear next to the highlighted security profile.
Press the "Done" button to continue.
 

Finally back on the "Installation Summary" screen it should say "Everything okay" under the "Security Profile", and you can click the "Begin Installation" button. 

 Installation will take several minutes to complete. 

Click the "Reboot system" button. 

 Login with your admin user account. 

 For the system to get updates, register it with Red Hat using your developer account and the following command.
 
    $ sudo subscription-manager register
 
 You may need to go back to the Red Hat site and create a login ID to use with subscription-manager.
 After successful registration the subscription-manager command should return an ID and state "The registered system name is: hostname".
  

Run the following commands to update/patch the system.

$ sudo yum repolist
$ sudo yum update
 
☐ Answer "Y" to go ahead and patch the system. 
 
Now let's reboot the system (just for good measure) using this command.
$ sudo shutdown -r now 
 
Log back in using your administrator account and run this command to find the system's IP address. (ifconfig comes from the net-tools package, which the default install does not include; if it is not found, ip -brief address shows the same information and is always present.)
ifconfig 

Now that we know the IP address, we should be able to ssh to the RHEL9 virtual server from the host (hypervisor).   Open a local terminal window and try logging in using SSH with your admin account.

$ ssh john@192.168.122.117 (IP address will likely be different on your system) 

 Now by using SSH from a terminal window we can cut and paste to and from the session, whereas we could not do that using the virtual console.  You can just close the Virtual Machine Manager console window using the "x" at the top right of the window.
 
 
 Using the SSH session you opened earlier, let's install the Extra Packages for
Enterprise Linux (EPEL).  This provides an additional repository of packages that are
not strictly speaking necessary or essential to the OS, but contains a lot of 
'nice to have' stuff.  The EPEL signing key is fetched over HTTPS and imported first so that
the signatures on EPEL packages can be verified against it from the first install; the STIG
requires gpgcheck to stay enabled, so never work around a signature failure by disabling it.
Note that adding a third-party repository to a production STIG'd system may be prohibited by
your organization's policy; on this lab VM it is fine.  Use the following commands to install EPEL for RHEL 9.
$ sudo -i
# subscription-manager repos --enable codeready-builder-for-rhel-9-$(arch)-rpms
# curl -fsSL https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-9 -o /tmp/RPM-GPG-KEY-EPEL-9
# rpm --import /tmp/RPM-GPG-KEY-EPEL-9
# dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm
 
 
 
 Let's check the status of our current repos and then install and run 'htop' to test if EPEL
is working.  Use the following commands.
# yum repolist 
Updating Subscription Management repositories.
repo id                                  repo name
codeready-builder-for-rhel-9-x86_64-rpms Red Hat CodeReady Linux Builder for RHEL 9 x86_64 (RPMs)
epel                                     Extra Packages for Enterprise Linux 9 - x86_64
epel-cisco-openh264                      Extra Packages for Enterprise Linux 9 openh264 (From Cisco) - x86_64
rhel-9-for-x86_64-appstream-rpms         Red Hat Enterprise Linux 9 for x86_64 - AppStream (RPMs)
rhel-9-for-x86_64-baseos-rpms            Red Hat Enterprise Linux 9 for x86_64 - BaseOS (RPMs)
 
# yum install htop 
Updating Subscription Management repositories.
Last metadata expiration check: 0:11:29 ago on Sat 23 May 2026 01:02:10 PM EDT.
Dependencies resolved.
================================================================================
 Package      Arch     Version            Repository                       Size
================================================================================
Installing:
 htop         x86_64   3.3.0-1.el9        epel                            198 k
Installing dependencies:
 hwloc-libs   x86_64   2.4.1-6.el9_7      rhel-9-for-x86_64-baseos-rpms   2.1 M

Transaction Summary
================================================================================
Install  2 Packages

Total download size: 2.3 M
Installed size: 3.5 M
Is this ok [y/N]: y
Downloading Packages:
(1/2): htop-3.3.0-1.el9.x86_64.rpm              426 kB/s | 198 kB     00:00    
(2/2): hwloc-libs-2.4.1-6.el9_7.x86_64.rpm      3.3 MB/s | 2.1 MB     00:00    
--------------------------------------------------------------------------------
Total                                           2.5 MB/s | 2.3 MB     00:00     
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                        1/1 
  Installing       : hwloc-libs-2.4.1-6.el9_7.x86_64                        1/2 
  Installing       : htop-3.3.0-1.el9.x86_64                                2/2 
  Running scriptlet: htop-3.3.0-1.el9.x86_64                                2/2 
  Verifying        : htop-3.3.0-1.el9.x86_64                                1/2 
  Verifying        : hwloc-libs-2.4.1-6.el9_7.x86_64                        2/2 
Installed products updated.

Installed:
  htop-3.3.0-1.el9.x86_64            hwloc-libs-2.4.1-6.el9_7.x86_64           

Complete!

 
# htop  (press F10 or 'q' to exit)
 
 You might see an error after exiting htop, which can be easily fixed by creating
 a '.config' directory in the root user's home directory.
[root@RHEL98 ~]# htop
Can not save configuration to /root/.config/htop/htoprc: No such
file or directory
[root@RHEL98 ~]# mkdir .config
[root@RHEL98 ~]# htop
[root@RHEL98 ~]#
[root@RHEL98 ~]# exit
logout
[john@RHEL98 ~]$ 
  
GOOD STOPPING POINT FOR PART 1
 
In Part 2 we will setup OpenSCAP and demonstrate how to use it to create a STIG
check web report.
 

Monday, January 21, 2019

Multi Host Availability Grapher (MHAG)



Born out of frustration with my cable Internet provider constantly dropping my connection and a desire to teach myself Python, I developed the Multi Host Availability Grapher (MHAG).  I wrote MHAG in Python 3 and it is intended to run on a Raspberry Pi or similar Linux host.  

FAIR WARNING, this script will send five pings to the top three DNS servers every minute.

Below I will describe how to install and configure MHAG on a Raspberry Pi 3 running a fresh install of the latest version of Raspbian Lite (the non-GUI version).

I recommend looking over/following my previous post: Headless Raspberry Pi - Initial Baseline Configuration in order to be sure your installation of Raspbian is consistent with mine.  In the examples below my Raspberry Pi's hostname is "mhag".

OK, now here's where to find the script: https://github.com/jullrey/MHAG

SSH to your Raspberry Pi using pi@hostname
("mhag" in my case).

Let's update/upgrade the Raspbian Operating System before we go any further.

sudo apt-get update

sudo apt-get upgrade -y
The "-y" just answers yes to the default question asking if you are sure you want to install the package.

Now we will install the apache2 web server package:


sudo apt-get install apache2 -y







Verify that the web server is running by opening your favorite web browser and going to

http://hostname 
(in my example: http://mhag)

The Apache2 Debian Default Page or something similar should display in your browser, if it does not, you may have to start the service. 

Try the following if the default page doesn't display:
sudo service apache2 restart

Install the Python 3 pip package

sudo apt-get install python3-pip -y

Now we will use pip, the Python package installer, to install the pytz timezone library.

sudo pip3 install pytz

Now install the Round Robin Database tool package

sudo apt-get install rrdtool -y


Next we will create some folders in the "pi" user's home directory and in the web server's html directory.

cd
(takes us to our home directory)
mkdir bin
mkdir data
sudo mkdir /var/www/html/graphs
sudo chown pi:pi /var/www/html/graphs
Using secure copy (scp, or pscp if using PuTTY on Windows), let's upload the mhag.py script to the bin sub-directory in the pi user's home directory. 

scp mhag.py pi@mhag:bin/

Check the file permissions.

cd

cd bin

ls -la

Look for -rwxr-xr-x in front of the mhag.py file.  If it doesn't look right, run the chmod command in the bin directory.

chmod +x mhag.py

Test run the script.

./mhag.py -D /home/pi/data -H /var/www/html/graphs



Schedule the script to run via cron.

crontab -e

Select which editor you want to use with cron (I prefer vim, but we'll use nano to make it easier)



Press Page Down until the cursor is all the way at the bottom of the file, and add the following line (cron runs a user's jobs from that user's home directory, so the relative bin/ and data paths resolve under /home/pi, and both stdout and stderr are captured in bin/mhag.log):

* * * * * bin/mhag.py -D data -H /var/www/html/graphs >bin/mhag.log 2>&1
Now press Ctrl-o and Enter to write the file and then Ctrl-x to exit.

Use the following command to verify that your entry is correct.

crontab -l

Now bring up the web page.

http://hostname/graphs/mhag.html
(in my example: http://mhag/graphs/mhag.html)

*Note* 
It will take a few minutes for data to start appearing on the graphs.

That's it, you should be able to actively monitor your connectivity to the Internet in near real time now.