Saturday, May 23, 2026

Part 2 - Install, STIG, and verify STIG'd Red Hat Enterprise Linux (RHEL) 9.x Server

This is Part 2 of a 2-part series. In this part we will set up OpenSCAP and
demonstrate how to use it to scan a Red Hat Enterprise Linux 9 (RHEL9)
server for DISA STIG compliance and generate an interactive web-based report.

Open an SSH session back into the RHEL 9 server and install openscap-scanner and scap-security-guide with the following commands.

[john@RHEL98 ~]$ sudo -i
[sudo] password for john: ********** 
[root@RHEL98 ~]# yum install openscap-scanner scap-security-guide
Updating Subscription Management repositories.
Last metadata expiration check: 1:21:46 ago on Sat 23 May 2026 01:02:10 PM EDT.
Package openscap-scanner-1:1.3.13-1.el9_7.x86_64 is already installed.
Package scap-security-guide-0.1.80-1.el9_7.noarch is already installed.
Dependencies resolved.
Nothing to do.
Complete!
 
Run 'oscap info' to check which version of the DISA STIG the installed SCAP content implements, with the following command.

[root@RHEL98 ~]# oscap info --profile stig /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml
Document type: Source Data Stream
Imported: 2026-03-18T05:35:29
Stream: scap_org.open-scap_datastream_from_xccdf_ssg-rhel9-xccdf.xml
Generated: 2026-03-11T00:00:00
Version: 1.3
Profile
    Title: DISA STIG for Red Hat Enterprise Linux 9
    Id: xccdf_org.ssgproject.content_profile_stig
    Description: This profile contains configuration checks that align to the DISA STIG for Red Hat Enterprise Linux 9 V2R7.  In addition to being applicable to Red Hat Enterprise Linux 9, this configuration baseline is applicable to the operating system tier of Red Hat technologies that are based on Red Hat Enterprise Linux 9, such as:  - Red Hat Enterprise Linux Server - Red Hat Enterprise Linux Workstation and Desktop - Red Hat Enterprise Linux for HPC - Red Hat Storage - Red Hat Containers with a Red Hat Enterprise Linux 9 image


Scan the system and generate the eXtensible Configuration Checklist Description Format (XCCDF) HTML report using the following command.

(Replace admin with the account name you created at the beginning of Part 1.)

[root@RHEL98 ~]# oscap xccdf eval --report /home/admin/rhel98.html --profile stig /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml 
 ...
Title   Write Audit Logs to the Disk
Rule    xccdf_org.ssgproject.content_rule_auditd_write_logs
Ident   CCE-83705-4
Result  pass

Title   Verify Permissions on /etc/audit/auditd.conf
Rule    xccdf_org.ssgproject.content_rule_file_permissions_etc_audit_auditd
Ident   CCE-89284-4
Result  pass
 
In the example above the report was written to the admin user's home directory, but because oscap ran as root the file is owned by root with mode 0600.  We need to change the ownership of the report file so we can secure copy (SCP) the file from the virtual server to the host/hypervisor desktop.  Use the following commands.

[root@RHEL98 ~]# ls -l /home/john
total 5148
-rw-------. 1 root root 5270296 May 23 15:13 rhel98.html

[root@RHEL98 ~]# chown john:john /home/john/rhel98.html 
 
[root@RHEL98 ~]# ls -l /home/john
total 5148
-rw-------. 1 john john 5270296 May 23 15:13 rhel98.html
[root@RHEL98 ~]# 

Open a new terminal on the host/hypervisor and SCP the rhel98.html report file from the virtual RHEL9 server.  Use the following commands.
(You will need to know the IP address of the virtual RHEL9 server.)
 
$ scp john@192.168.122.117:rhel98.html .
You are accessing a U.S. Government (USG) Information System (IS) that is 
provided for USG-authorized use only. By using this IS (which includes any 
device attached to this IS), you consent to the following conditions:
-The USG routinely intercepts and monitors communications on this IS for 
purposes including, but not limited to, penetration testing, COMSEC monitoring, 
...
communications and work product are private and confidential. See User 
Agreement for details.
john@192.168.122.117's password: ************
rhel98.html                                   100% 5147KB 273.0MB/s   00:00  

Now open the local copy of the rhel98.html report file in a browser on the host/hypervisor system.  Note that there are still 10 medium and 5 high rules that failed even though we applied the DISA STIG during the server build process.
 

There is also a form of the oscap command that will attempt to automatically
remediate the problems that the scan finds.  This is the modified scan command (the --remediate option applies the fix scripts bundled with the SCAP content for each rule that fails).

[root@RHEL98 ~]# oscap xccdf eval --report /home/john/rhel98.html --profile stig --remediate /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml
 
Repeat the steps above to change ownership and secure copy the new report back
to the host/hypervisor, then check the new report to see if there was an improvement.
(Change the destination in the scp command to preserve the first version of the report for comparison.)
 
$ scp john@192.168.122.117:rhel98.html ./rhel98-remediated.html

Open the local copy of the rhel98-remediated.html file in a browser on the host/hypervisor system.  Note: we still have 8 medium (Cat 2) and 4 high (Cat 1) failed rules, even though the Red Hat installation software applied the DISA STIG and we have also used the OpenSCAP "remediate" function.
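An added example, not from the post, that scripts the scan, ownership fix and report handling shown above and adds a per-severity count of failed rules taken from the XCCDF results file (the file oscap writes with --results), so the medium/high numbers in the HTML report can be checked from the shell. Assumed: it runs as root on the RHEL 9 server, the unprivileged account is given in REPORT_USER (john by default, as above), and the demo results written by write_demo_results are constructed, not real scan output.

```shell
#!/bin/bash
# Added example (not from the post). Assumes RHEL 9 with openscap-scanner and
# scap-security-guide installed, run as root, and an unprivileged account in
# REPORT_USER (defaults to john, as in the post). Demo results are constructed.
set -u

DS=/usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml
PROFILE=stig
REPORT_USER=${REPORT_USER:-john}

# Evaluate the STIG profile, keeping the HTML report plus the machine-readable
# XCCDF results file. oscap exits 2 when any rule fails, which is expected here.
run_scan() {
  local out
  out=/home/$REPORT_USER/rhel9-$(date +%Y%m%d-%H%M%S)
  oscap xccdf eval --profile "$PROFILE" --report "$out.html" --results "$out.xml" "$DS"
  # Both files are created root-owned; hand them to the user who will scp them.
  chown "$REPORT_USER:$REPORT_USER" "$out.html" "$out.xml"
  chmod 0600 "$out.html" "$out.xml"
  echo "$out.xml"
}

# Count failed rules per severity from an XCCDF results file. Each rule-result
# element carries a severity attribute and a <result> child; only "fail" counts.
# Output: one "<severity> <count>" line per severity that has failures.
summarize_fails() {
  tr -d '\n' < "$1" \
    | grep -o '<rule-result [^>]*>[^<]*<result>fail</result>' \
    | sed -n 's/.*severity="\([a-z]*\)".*/\1/p' \
    | sort | uniq -c | awk '{print $2, $1}'
}

# Constructed results fragment in the shape oscap writes: 2 high and 3 medium fails.
write_demo_results() {
  local i
  {
    echo '<TestResult>'
    for i in high:fail high:fail high:pass medium:fail medium:fail medium:fail low:pass; do
      printf '<rule-result idref="xccdf_org.ssgproject.content_rule_demo" severity="%s" weight="1.0">\n  <result>%s</result>\n</rule-result>\n' "${i%%:*}" "${i##*:}"
    done
    echo '</TestResult>'
  } > "$1"
}

case "${1:-}" in
  scan)    run_scan ;;
  summary) summarize_fails "$2" ;;
  demo)    write_demo_results /tmp/demo-results.xml; summarize_fails /tmp/demo-results.xml ;;
esac
```

Run it as `./stigscan.sh scan` on the server to produce the report pair, or `./stigscan.sh summary /home/john/rhel9-<stamp>.xml` to print the fail counts; `demo` exercises the parser on the constructed fragment.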

 

CONCLUSION

Application of the DISA STIG via automated means is not a 100% solution, nor is STIG application a "one and done" process.  New STIGs are released periodically and systems need to be re-checked and re-evaluated against them when they are.

The OpenSCAP Evaluation Report is an interactive web page with sections that expand and collapse.  There are explanations and instructions on how to remediate the medium (Cat 2) and high (Cat 1) findings within the report.

