Friday, May 22, 2026

Install, STIG, and verify STIG'd Red Hat Enterprise Linux (RHEL) 9.x Server - Part 1

THIS IS STILL A WORK-IN-PROGRESS... 

These instructions will walk you through building a virtual RHEL 9.x server and applying the DISA (Defense Information Systems Agency) STIG (Security Technical Implementation Guide). It will also demonstrate how to verify the STIG has been applied using OpenSCAP, an open-source tool designed for automated security auditing and compliance management based on the Security Content Automation Protocol (SCAP).

All this will be demonstrated using the KVM (Kernel-based Virtual Machine) hypervisor module and QEMU (Quick Emulator), a free open-source hypervisor and machine emulator, all running on a Debian-based version of Linux.

Setting Up Virtual Machines with QEMU, KVM, and Virt-Manager on Debian/Ubuntu 

You will need a bootable ISO file of RHEL 9.x, which you can obtain by creating a free account on https://developers.redhat.com/ and downloading the latest x86_64 DVD ISO from:

https://developers.redhat.com/products/rhel/download#downloadsbyrelease

In this example the ISO file will be saved in a folder named 'ISO' in the user's home directory on the host (hypervisor) system.

The STIG requires that separate disk partitions, or volumes, be created for different functional parts of the operating system. At a minimum this will ensure that if a rogue process overloads the system with logging, it will not fill up the root volume and crash the system, so you can still log in and fix the problem.

The disk partitioning layout is presented here for virtual disk space requirements and will be referred back to later during the operating system (OS) install.

Recommended disk partition/volume sizes:

Mount Point      Recommended Size   Minimum Size   Notes
/boot            1G                 1G             Use '/boot' from Mount Point menu
/boot/efi        600M               512M           Use '/boot/efi' from Mount Point menu
/                20G                10G            Use '/' from Mount Point menu
/home            20G                5G             Use '/home' from Mount Point menu
/var             20G                8G             Use '/var' from Mount Point menu
Swap             10G                4G             Use 'swap' from Mount Point menu; up to 1/2 size of RAM
/tmp             10G                8G             Enter '/tmp' for the Mount Point
/var/tmp         2G                 1G             Enter '/var/tmp' for the Mount Point
/var/log         1G                 1G             Enter '/var/log' for the Mount Point
/var/log/audit   2G                 1.5G           Enter '/var/log/audit' for the Mount Point
Total            87G                40G            disk space

Assuming you have KVM and QEMU installed and working correctly, let's get started.

Launch the Virtual Machine Manager GUI that was installed along with QEMU.

 

Click the shiny looking monitor icon on the left of the Virtual Machine Manager GUI.

 

 Select "Local install media (ISO image or CDROM)" and click the "Forward" button.

 

 ☐ Click the "Browse" button, then on the "Locate ISO media volume" dialog click the
blue + icon on the lower left side.

 

Change "Pool" to "ISO" and use the "Browse" button to select the /home/username/ISO folder,
  then click the "Finish" button.

 

 Select the latest rhel-9.x-x86_64-dvd.iso file and click the "Choose Volume" button. 

   

☐ Click the "Forward" button to continue.

 

  Adjust Memory and CPUs to something reasonable and click the "Forward" button.

(The default values are the bare minimum you need. I went with Memory: 4096 and CPUs: 4)

 

 Adjust the disk image size to meet the total requirements from the "Recommended disk 
partition/volume sizes" table above  (87 or 40 GiB) then click the "Forward" button.

 

☐ Change the Name to represent the OS and version you are installing.
☐ Click the "Customize configuration before install" and click the "Finish" button.
 

On the Customization screen

☐ Choose "Overview" and then change the Firmware: setting to "UEFI" and click the "Apply" button.  
(Optional) Choose "OS information" and enter "Red Hat Enterprise Linux 9" and select the highest
version of RHEL9 available and click the "Apply" button.
 
 

Click on "Begin Installation"

 

A virtual console will now open and you can select "Install Red Hat Enterprise Linux 9.8" from the 
text menu. 
(Note: the virtual console will grab control of the mouse and keyboard in order to keep you from
accidentally exiting it. Pressing left Ctrl and Alt keys simultaneously will release the mouse and
keyboard so you can move to other windows on your desktop.) 

☐ Select "English (United States)" and click the "Continue" button.

 

On the "Installation Summary" screen there are a lot of settings that need to be adjusted.

Select the "Root Password" and change the root password to a complex password 
    and press the "Done" button.

☐ Select "User Creation" and create an admin user account for yourself. Check the "Make this user
 administrator" checkbox before clicking the "Done" button.

 

Back on the "Installation Summary" screen select "Installation Destination" and on the next screen
verify the disk with the correct disk size is selected with a check mark. 

☐ Under "Storage Configuration" select the "Custom" option and click the "Done" button.

On the Manual Partitioning screen use the "+" button to add the 1st partition.

Select or key in "/boot" for the "Mount Point", then enter "1G" for the "Desired Capacity" and click the "Add mount point" button.

Use the "+" button on the "Manual Partitioning" screen to repeat the above step for every partition listed in the "Recommended disk partition/volume sizes" table at the top of this document.

 After adding all of the partitions click the "Done" button.

Now click the "Accept Changes" button.

Back on the "Installation Summary" screen select "Network & Hostname" and enter a 
hostname for the system and click the "Apply" button followed by the "Done" button.
 
 
 Back on the "Installation Summary" screen select "Software Selection" and choose the "Server"
radio button on the left and click the "Done" button.
 

Back on the "Installation Summary" screen select "Security Profile" and scroll down through
the security profiles and select "DISA STIG for Red Hat Enterprise Linux 9" and click the "Select
profile" button.  
 
After a few seconds a green check mark should appear next to the highlighted security profile.
Press the "Done" button to continue.
 

Finally back on the "Installation Summary" screen it should say "Everything okay" under the "Security Profile", and you can click the "Begin Installation" button.

 

 Installation will take several minutes to complete.

 

Click the "Reboot system" button.

 

 Login with your admin user account.

 

 For the system to get updates, register it with Red Hat using your developer account and the following command.
 
    $ sudo subscription-manager register
 
 You may need to go back to the Red Hat site and create a login ID to use with subscription-manager.
 After successful registration the subscription-manager command should return an ID and state "The registered system name is: hostname".
  

Run the following commands to update/patch the system.

$ sudo yum repolist
$ sudo yum update
 
☐ Answer "Y" to go ahead and patch the system. 

 

Now let's reboot the system (just for good measure) using this command.

$ sudo shutdown -r now

 

Log back in using your administrator account and run this command to find the system's IP address.

$ ifconfig

 

Now that we know what the IP address is, we should be able to ssh to the RHEL9 virtual server from the host (hypervisor). Open a local terminal window and try logging in using SSH with your admin account.

$ ssh john@192.168.122.117

(The IP address will likely be different on your system.)

 

  Now by using SSH from a terminal window we can cut and paste to and from the session, whereas we could not do that using the virtual console.  You can just close the Virtual Machine Manager console window using the "x" at the top right of the window.
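
With a pasteable SSH session available, the partition layout from the table near the top of this post can be checked on the installed system. The script below is an added example, not part of the original walkthrough; the function names, the --live switch and the sample data are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: confirm the layout from the partition table exists as
# separate mounted filesystems. Swap is not a mount point and is skipped.

# Mount points from the "Recommended disk partition/volume sizes" table.
REQUIRED_MOUNTS="/ /boot /boot/efi /home /var /tmp /var/tmp /var/log /var/log/audit"

# missing_mounts FILE  (FILE is in /proc/mounts format)
# Prints each required mount point that has no entry of its own in FILE.
missing_mounts() {
    for mp in $REQUIRED_MOUNTS; do
        awk -v mp="$mp" '$2 == mp { found = 1 } END { exit !found }' "$1" \
            || printf '%s\n' "$mp"
    done
}

# check_layout FILE: returns 0 when nothing is missing, 1 otherwise.
check_layout() {
    missing=$(missing_mounts "$1")
    if [ -n "$missing" ]; then
        printf 'Not a separate filesystem: %s\n' $missing >&2
        return 1
    fi
    printf 'All required mount points are separate filesystems.\n'
}

# Constructed sample (not captured from a real system): /var/log/audit was
# never added, so audit records would share the /var/log volume.
sample_mounts() {
    cat <<'EOF'
/dev/mapper/rhel-root / xfs rw,relatime 0 0
/dev/vda2 /boot xfs rw,relatime 0 0
/dev/vda1 /boot/efi vfat rw,relatime 0 0
/dev/mapper/rhel-home /home xfs rw,relatime 0 0
/dev/mapper/rhel-var /var xfs rw,relatime 0 0
/dev/mapper/rhel-tmp /tmp xfs rw,relatime 0 0
/dev/mapper/rhel-var_tmp /var/tmp xfs rw,relatime 0 0
/dev/mapper/rhel-var_log /var/log xfs rw,relatime 0 0
EOF
}

# Check the running system only when asked: sh <script> --live
if [ "${1:-}" = "--live" ]; then
    check_layout /proc/mounts
fi
```

Save it on the VM under any file name and run it with --live; a non-zero exit status means at least one mount point from the table is still sharing a volume with its parent directory.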
 
 
GOOD STOPPING POINT FOR PART 1
 
In Part 2 we will set up OpenSCAP and demonstrate how to use it to create a STIG check web report.
 
 

