Install, STIG, and verify STIG'd Red Hat Enterprise Linux (RHEL) 9.x Server - Part 1

THIS IS STILL A WORK-IN-PROGRESS... 

These instructions will walk you through building a virtual RHEL 9.x server and applying the DISA (Defense Information Systems Agency) STIG (Security Technical Implementation Guide).  It will also demonstrate how to verify the STIG has been applied using OpenSCAP an open-source tool designed for automated security auditing and compliance management based on the Security Content Automation Protocol (SCAP).

All this will be demonstrated using the KVM (Kernel-based Virtual Machine) hypervisor module and QEMU (Quick Emulator), a free open-source hypervisor and machine emulator, all running on a Debian based version of Linux.  

Setting Up Virtual Machines with QEMU, KVM, and Virt-Manager on Debian/Ubuntu 

You will need a bootable ISO file of RHEL 9.x which you can obtain by creating a free account on https://developers.redhat.com/ and downloading the latest x86_64 DVD ISO from :

https://developers.redhat.com/products/rhel/download#downloadsbyrelease.

In this example the ISO file will be saved in a folder named 'ISO' in the user's home directory on the host (hypervisor) system.

The STIG requires separate disk partitions, or volumes, be created for different functional parts of the operating system.  At a minimum this will insure that if a rouge process overloads the system with logging it will not fill up the root volume and crash the system, thus enabling you to still be able to login and fix the problem.

The Disk partitioning layout is presented here for virtual disk space requirements and will be referred back to later during the operating system (OS) install.

Recommended disk partition/volume sizes:

Mount Point	Recommended Size	Minimum Size	Notes
/boot	1G	1G	Use '/boot' from Mount Point menu
/boot/efi	600M	512M	Use '/boot/efi' from Mount Point menu
/	20G	10G	Use '/' from Mount Point menu
/home	20G	5G	Use '/home' from Mount Point menu
/var	20G	8G	Use '/var' from Mount Point menu
Swap	10G	4G	Use 'swap' from Mount Point menu Up to 1/2 size of RAM
/tmp	10G	8G	Enter '/tmp' for the Mount Point
/var/tmp	2G	1G	Enter '/var/tmp' for the Mount Point
/var/log	1G	1G	Enter '/var/log' for the Mount Point
/var/log/audit	2G	1.5G	Enter '/var/log/audit' for the Mount Point
Total	87G	40G	disk space

Assuming you have KVM and QEMU installed and working correctly, let's get started.

☐ Launch the Vitual Machine Manager GUI that was installed along with QEMU. 

 

☐ Click the shiny looking monitor icon on the left of the Virtual Machine Manager GUI.

 

 ☐ Select "Local install media (ISO image or CDROM)" and click the "Forward" button.

 

 ☐ Click the "Browse" button, then on the "Locate ISO media volume" dialog, then click

 the blue + icon on the lower left side. 

 

☐ Change "Pool" to "ISO" and use the "Browse" button to select the /home/username/ISO

folder, then click the"Finish" button.

 

 ☐ Select the latest rhel-9.x-x86_64-dvd.iso file and click the "Choose Volume" button. 

   

☐ Click the "Forward" button to continue.

 

 ☐ Adjust Memory and CPUs to something reasonable and click the "Forward" button.

Note: The default values are the bare minimum you need. I went with

Memory:4096 and CPUs:4

 

 ☐ Adjust the disk image size to meet the total requirements from the "Recommended

disk partition/volume sizes" table above  (87 or 40 GiB) then click the "Forward" button.

 

☐ Change the Name to represent the OS and version you are installing.

☐ Click the "Customize configuration before install" and click the "Finish" button.

 

 

On the Customization screen

☐ Choose "Overview" and then change the Firmware: setting to "UEFI" and click the

"Apply" button.  

☐ (Optional) Choose "OS information" and enter "Red Hat Enterprise Linux 9" and

select the highest version of RHEL9 available and click the "Apply" button.

 

☐ Click on "Begin Installation"

 

☐ A virtual console will now open and you can select "Install Red Hat Enterprise Linux 9.8"

from the text menu. 

Note: the virtual console will grab control of the mouse and keyboard in order to keep

you from accidentally exiting it. Pressing left Ctrl and Alt keys simultaneously will

release the mouse and keyboard so you can move to other windows on your desktop.

☐ Select "English (United States)" and click the "Continue" button.

 

On the "Installation Summary" screen many settings need to be adjusted.

☐ Select the "Root Password" and change the root password to a complex password

and press the "Done" button.

☐ Select "User Creation" and create an admin user account for yourself. Check the "Make

this user administrator" checkbox before clicking the "Done" button.

☐ Back on the "Installation Summary" screen select "Installation Destination" and on the

next screen verify the disk with the correct disk size is selected with a check mark. 

☐ Under "Storage Configuration" select the "Custom" option and click the "Done" button.

☐ On the Manual Partitioning screen use the "+" button to add the 1st partition.

☐ Select or key in "/boot" for the "Mount Point", then enter the "1G" for the "Desired Capacity" and click the "Add mount point" button.

☐ Use the "+" button on the "Manual Partitioning" screen to repeat the above step for every partition listed in the "Recommended disk partition/volume sizes" table at top

of this document.

☐ After adding all of the partitions click the "Done" button.

☐ Now click the "Accept Changes" button.

☐ Back on the "Installation Summary" screen select "Network & Hostname" and enter a 

hostname for the system and click the "Apply" button followed by the "Done" button.

 

 

 ☐ Back on the "Installation Summary" screen select "Software Selection" and choose the "Server"

radio button on the left and click the "Done" button.

 

☐ Back on the "Installation Summary" screen select "Security Profile" and scroll down through

the security profiles and select "DISA STIG for Red Hat Enterprise Linux 9" and click the "Select

profile" button.  

 

☐ After a few seconds a green check mark should appear next to the highlighted security profile.

Press the "Done" button to continue.

 

☐ Finally back on the "Installation Summary" screen it should say "Everything okay" under the "Security Profile", and you can click the "Begin Installation" button. 

 ☐ Installation will take several minutes to complete. 

☐ Click the "Reboot system" button. 

☐ Login with your admin user account. 

 ☐ For the system to get updates, register it with Red Hat using your developer account and the following command.

 

    $ sudo subscription-manager register

 

☐ You may need to go back to the Red Hat site and create a login ID to use with subscription-manager.

☐ After sucessful registration the subscription-manager command should return an ID and state "The registered system name is: hostname" .

  

☐ Run the following commands to update/patch the system.

$ sudo yum repolist

$ sudo yum update

 

☐ Answer "Y" to go ahead and patch the system. 

 

☐ Now let's reboot the system (just for good measure) using this command.

$ sudo shutdown -r now 

 

☐ Log back in using your administrator account and run this command to find the system's IP address.

$ ifconfig 

☐ Now that we can see what know what the IP address is, we should be able to ssh to the RHEL9 virtual server from the host (hypervisor).   Open a local terminal window try logging in using SSH with your admin account.

$ ssh john@192.168.122.117 (IP address will likely be different on your system) 

☐ Now by using SSH from a terminal window we can cut and paste to and from the session, whereas we could not do that using the virtual console.  You can just close the Virtual Machine Manager console window using the "x" at the top right of the window.

 

 

☐ Using the  SSH session you opened earlier lets install the Extra Packages for

Enterprise Linux (EPEL).  This provides an additional repository of packages that are

not strictly speaking necessary or essential to the OS, but contains a lot of 

'nice to have' stuff.  Use the following commands to install EPEL for RHEL 9.

$ sudo -i
# subscription-manager repos --enable codeready-builder-for-rhel-9-$(arch)-rpms
# curl -fsSL https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-9 -o /tmp/RPM-GPG-KEY-EPEL-9
# rpm --import /tmp/RPM-GPG-KEY-EPEL-9
# dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm 

 

 

☐ Lets check status of our current repos and then install and run 'htop' to test if EPEL

is working.  Use the following commands.

# yum repolist 

Updating Subscription Management repositories.
repo id                                  repo name
codeready-builder-for-rhel-9-x86_64-rpms Red Hat CodeReady Linux Builder for RHEL 9 x86_64 (RPMs)
epel                                     Extra Packages for Enterprise Linux 9 - x86_64
epel-cisco-openh264                      Extra Packages for Enterprise Linux 9 openh264 (From Cisco) - x86_64
rhel-9-for-x86_64-appstream-rpms         Red Hat Enterprise Linux 9 for x86_64 - AppStream (RPMs)
rhel-9-for-x86_64-baseos-rpms            Red Hat Enterprise Linux 9 for x86_64 - BaseOS (RPMs)
 

# yum install htop 

Updating Subscription Management repositories.
Last metadata expiration check: 0:11:29 ago on Sat 23 May 2026 01:02:10 PM EDT.
Dependencies resolved.
================================================================================
 Package      Arch     Version            Repository                       Size
================================================================================
Installing:
 htop         x86_64   3.3.0-1.el9        epel                            198 k
Installing dependencies:
 hwloc-libs   x86_64   2.4.1-6.el9_7      rhel-9-for-x86_64-baseos-rpms   2.1 M

Transaction Summary
================================================================================
Install  2 Packages

Total download size: 2.3 M
Installed size: 3.5 M
Is this ok [y/N]: y
Downloading Packages:
(1/2): htop-3.3.0-1.el9.x86_64.rpm              426 kB/s | 198 kB     00:00    
(2/2): hwloc-libs-2.4.1-6.el9_7.x86_64.rpm      3.3 MB/s | 2.1 MB     00:00    
--------------------------------------------------------------------------------
Total                                           2.5 MB/s | 2.3 MB     00:00     
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                        1/1 
  Installing       : hwloc-libs-2.4.1-6.el9_7.x86_64                        1/2 
  Installing       : htop-3.3.0-1.el9.x86_64                                2/2 
  Running scriptlet: htop-3.3.0-1.el9.x86_64                                2/2 
  Verifying        : htop-3.3.0-1.el9.x86_64                                1/2 
  Verifying        : hwloc-libs-2.4.1-6.el9_7.x86_64                        2/2 
Installed products updated.

Installed:
  htop-3.3.0-1.el9.x86_64            hwloc-libs-2.4.1-6.el9_7.x86_64           

Complete!
 

# htop  (press F10 or 'q' to exit)

 

☐ You might see an error after exiting htop, which can be easily fixed by creating

 a '.config' directory in the root user's home directory.

[root@RHEL98 ~]# htop
Can not save configuration to /root/.config/htop/htoprc: No such

file or directory
[root@RHEL98 ~]# mkdir .config
[root@RHEL98 ~]# htop
[root@RHEL98 ~]#

[root@RHEL98 ~]# exit
logout
[john@RHEL98 ~]$ 

  

GOOD STOPPING POINT FOR PART 1

 

In Part 2 we will setup OpenSCAP and demonstrate how to use it to create a STIG

check web report.

 

Multi Host Availability Grapher (MHAG)

Born out of frustration with my cable Internet provider constantly dropping my connection and a desire to teach myself Python, I developed the Multi Host Availability Grapher (MHAG).  I wrote MHAG in Python 3 and it is intended to run on a Raspberry Pi or similar Linux host.   FAIR WARNING, this script will send five pings to the top three DNS servers every minute. Below I will describe how to install and configure MHAG on a Raspberry Pi 3 running a fresh install of the latest version of Raspbian Lite (the non-GUI version). I Recommend looking over/following my previous post: Headless Raspberry Pi - Initial Baseline Configuration in order to be sure your installation of Raspbian is consistent with mine.  In the examples below my Raspberry Pi's hostname is "mhag". OK, now here's where to find the script: https://github.com/jullrey/MHAG

SSH to your Raspberry Pi using pi@hostname ("mhag" in my case). Lets update/upgrade the Raspian Operating System before we go any further. sudo apt-get update sudo apt-get upgrade -y The "-y" just answers yes to the default question asking if you are sure you want to install the package.
Now we will install the apache2 web server package: sudo apt-get install apache2 -y
Verify that the web server is running by opening your favorite web browser and going to http://hostname  (in my example: http://mhag) The Apache2 Debian Default Page or something similar should display in your browser, if it does not, you may have to start the service.  Try the following if the default page doesn't display: sudo service apache2 restart
Install the Python 3 pip package sudo apt-get install python3-pip -y
Now we will use a python utility to install the pytz timezone library. sudo pip3 install pytz
Now install the Round Robin Database tool package sudo apt-get install rrdtool -y
Next we will create some folders in the "pi" user's home directory and in the web servers html directory. cd (takes us to our home directory) mkdir bin mkdir data sudo mkdir /var/www/html/graphs sudo chown pi.pi /var/www/html/graphs
Using secure copy (scp or pscp if using PuTTY in windows) lets upload the mhag.py script to the bin sub-directory in the pi users's home directory.  scp mhag.py pi@mhag:bin/
Check the file permissions. cd cd bin ls -la Look for -rwx-r-xr-x in front of the mhag.py file.  If it doesn't look right, run the chmod command in the bin directory. chmod +x mhag.py
Test run the script. ./mhag.py -D /home/pi/data -H /var/www/html/graphs
Schedule the script to run via cron. crontab -e Select which editor you want to use with cron (I prefer vim, but we'll use nano to make it easier)
Press Page Down until the cursor is all the way at the bottom of the file, and add the following line: * * * * * bin/mhag.py -D data -H /var/www/html/graphs >bin/mhag.log 2>&1 Now press Ctrl-o and Enter to write the file and then Ctrl-x to exit.
Use the  command command to verify that your entry is correct. crontab -l
Now bring up the web page. http://hostname/graphs/mhag.html (in my example: http://mhag/graphs/mhag.html) *Note*  It will take a few minutes for data to start appearing on the graphs.
That's it, you should be able to actively monitor your connectivity to the Internet in near real time now.