Monday, May 25, 2026

Part 3 - Install, STIG, and verify STIG'd Red Hat Enterprise Linux (RHEL) 9.x Server

THIS IS STILL A WORK-IN-PROGRESS... 

Part 3 of a three-part series.  In this part we take a look at the individual findings from the DISA STIG-based OpenSCAP Evaluation Report we generated in the previous article and see what needs to be done to correct each rule violation.

To streamline the iterative fix-and-rescan loop we will temporarily enable a web server on the RHEL 9.x server we are working on so the HTML reports can be viewed from a browser.  Keep in mind that the report is an itemised list of every unfixed weakness on the host, served unauthenticated over plain HTTP, so only do this on an isolated test system, and remove the httpd package and the firewall rule when you are done.  Follow the commands below (everything after sudo -i runs as root).

$ sudo -i
[sudo] password for admin: ************
 
# yum install httpd
Updating Subscription Management repositories.
Red Hat Enterprise Linux 9 for x86_64 - AppStream (RPMs)            9.7 kB/s | 4.5 kB     00:00    
Red Hat Enterprise Linux 9 for x86_64 - BaseOS (RPMs)                12 kB/s | 4.1 kB     00:00    
Red Hat CodeReady Linux Builder for RHEL 9 x86_64 (RPMs)             14 kB/s | 4.5 kB     00:00    
Dependencies resolved.
====================================================================================================
 Package                Arch       Version               Repository                            Size
====================================================================================================
Installing:
 httpd                  x86_64     2.4.62-13.el9         rhel-9-for-x86_64-appstream-rpms      54 k
Installing dependencies:
 apr                    x86_64     1.7.0-12.el9_3        rhel-9-for-x86_64-appstream-rpms     126 k
 apr-util               x86_64     1.6.1-23.el9          rhel-9-for-x86_64-appstream-rpms      97 k
 apr-util-bdb           x86_64     1.6.1-23.el9          rhel-9-for-x86_64-appstream-rpms      14 k
 httpd-core             x86_64     2.4.62-13.el9         rhel-9-for-x86_64-appstream-rpms     1.5 M
 httpd-filesystem       noarch     2.4.62-13.el9         rhel-9-for-x86_64-appstream-rpms      18 k
 httpd-tools            x86_64     2.4.62-13.el9         rhel-9-for-x86_64-appstream-rpms      88 k
 redhat-logos-httpd     noarch     90.6-1.el9            rhel-9-for-x86_64-appstream-rpms      15 k
Installing weak dependencies:
 apr-util-openssl       x86_64     1.6.1-23.el9          rhel-9-for-x86_64-appstream-rpms      17 k
 mod_http2              x86_64     2.0.26-5.el9          rhel-9-for-x86_64-appstream-rpms     163 k
 mod_lua                x86_64     2.4.62-13.el9         rhel-9-for-x86_64-appstream-rpms      65 k

Transaction Summary
====================================================================================================
Install  11 Packages

Total download size: 2.2 M
Installed size: 6.0 M
Is this ok [y/N]: y

...

Installed:
  apr-1.7.0-12.el9_3.x86_64                         apr-util-1.6.1-23.el9.x86_64                    
  apr-util-bdb-1.6.1-23.el9.x86_64                  apr-util-openssl-1.6.1-23.el9.x86_64            
  httpd-2.4.62-13.el9.x86_64                        httpd-core-2.4.62-13.el9.x86_64                 
  httpd-filesystem-2.4.62-13.el9.noarch             httpd-tools-2.4.62-13.el9.x86_64                
  mod_http2-2.0.26-5.el9.x86_64                     mod_lua-2.4.62-13.el9.x86_64                    
  redhat-logos-httpd-90.6-1.el9.noarch             

Complete!
 
# firewall-cmd --permanent --zone=public --add-service=http
success
# systemctl reload firewalld
# systemctl enable --now httpd
Created symlink /etc/systemd/system/multi-user.target.wants/httpd.service → /usr/lib/systemd/system/httpd.service.
# mkdir /var/www/html/openscap 
# ls -l /var/www/html
total 0
drwx------. 2 root root 6 May 25 10:43 openscap

Notice the directory came out mode 700 rather than the usual 755: root is creating files under a restrictive umask (most likely because the earlier --remediate run applied the STIG's 077 umask), so open the directory up for the apache user:

# chmod 755 /var/www/html/openscap
# ls -l /var/www/html
total 0
drwxr-xr-x. 2 root root 6 May 25 10:43 openscap

Re-run the DISA STIG OpenSCAP scan, pointing the --report output at the new web directory:

# oscap xccdf eval --report /var/www/html/openscap/rhel98.html --profile stig /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml

Like the directory, the report is created with owner-only permissions.  Read access is all httpd needs, so 644 is enough (the execute bit serves no purpose on an HTML file):

# chmod 644 /var/www/html/openscap/rhel98.html

Access the DISA STIG web report using a browser and the URL below (substitute the server's address; ip -4 addr shows it, since ifconfig belongs to the net-tools package, which is not installed by default on RHEL 9):

http://192.168.x.x/openscap/rhel98.html

Note that the last time we ran the oscap scan we tried the '--remediate' option, and the test system has been rebooted since then, so the report now reflects the state after those remediations took effect.  The report we just generated shows 9 medium (Cat 2) and 2 high (Cat 1) rule violations.
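Rather than scrolling through the HTML to count findings, the same information can be pulled from the machine-readable results.  The script below is an added example and not part of the original post: it reads the XCCDF results file that oscap writes when you add --results <file> to the eval command above, lists the failed rules most severe first, and counts them per severity.  The results path and the sample results it constructs for demonstration are assumptions; the parser relies on oscap's pretty-printed layout, where each rule-result start tag and its <result> element sit on their own lines.

```shell
#!/bin/bash
# Added example (not from the original post): list failed XCCDF rules from an
# oscap results file, most severe first, without opening the HTML report.
# Get the results file by adding  --results /var/www/html/openscap/rhel98-results.xml
# to the oscap command (path is an assumption).  The parser assumes oscap's
# pretty-printed layout: each <rule-result ...> start tag and its <result>
# element sit on their own lines, with or without an xccdf: prefix.
set -u

# failed_rules <results.xml>  ->  "<severity>\t<rule id>" per failed rule, high first
failed_rules() {
  awk '
    function emit(s,  i) { for (i = 1; i <= n[s]; i++) print s "\t" ids[s, i] }
    /<(xccdf:)?rule-result[[:space:]>]/ {
      id = ""; sev = "unknown"
      if (match($0, /idref="[^"]*"/))    id  = substr($0, RSTART + 7,  RLENGTH - 8)
      if (match($0, /severity="[^"]*"/)) sev = substr($0, RSTART + 10, RLENGTH - 11)
    }
    /<(xccdf:)?result>/ && id != "" {
      r = $0
      sub(/.*<(xccdf:)?result>/, "", r); sub(/<.*/, "", r)
      if (r == "fail") { n[sev]++; ids[sev, n[sev]] = id }
      id = ""      # one <result> per rule-result; ignore the rest of the element
    }
    END { emit("high"); emit("medium"); emit("low"); emit("info"); emit("unknown") }
  ' "$1"
}

# count_failed <results.xml> <severity>  ->  number of failed rules at that severity
count_failed() {
  failed_rules "$1" | awk -F'\t' -v s="$2" '$1 == s { c++ } END { print c + 0 }'
}

# Constructed sample in the shape oscap writes (not real scan output), so the
# functions can be exercised on a machine that has not been scanned.
write_sample_results() {
  cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.ssgproject.content_benchmark_SAMPLE">
  <TestResult id="xccdf_org.open-scap_testresult_sample">
    <rule-result idref="xccdf_org.ssgproject.content_rule_sample_high_fail" role="full" severity="high" weight="1.000000">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_sample_medium_fail" role="full" severity="medium" weight="1.000000">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_sample_high_pass" role="full" severity="high" weight="1.000000">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_sample_medium_na" role="full" severity="medium" weight="1.000000">
      <result>notapplicable</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_sample_high_fail2" role="full" severity="high" weight="1.000000">
      <result>fail</result>
    </rule-result>
    <score system="urn:xccdf:scoring:default" maximum="100.000000">60.000000</score>
  </TestResult>
</Benchmark>
EOF
}

# Stand-alone use: ./failed-rules.sh rhel98-results.xml   (no argument: run on the sample)
if [ "$#" -gt 0 ]; then
  results="$1"
else
  results=$(mktemp); write_sample_results "$results"
fi
failed_rules "$results"
echo "high: $(count_failed "$results" high)  medium: $(count_failed "$results" medium)  low: $(count_failed "$results" low)"
[ "$#" -gt 0 ] || rm -f "$results"
```

The rule ids printed are the same xccdf_org.ssgproject.content_rule_... identifiers the HTML report links to, so they can be pasted straight into the SSG guide or into oscap xccdf eval --rule <id> to re-check a single finding after fixing it.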


Let's tackle the Cat 1 violations first.  Scroll through the most recent OpenSCAP Evaluation Report and look for the two high-severity failed rules.

If you click on the red text it expands to a detailed description of the problem and how to fix it.  Both of these Cat 1 findings concern the GRUB 2 boot loader, and here is a simplified solution that fixes both:
 
Edit the /etc/grub.d/01_users file so that the superuser name is no longer the default root and the password entry refers to that same name (csadm here stands for "cybersecurity admin"; pick your own).  The file is a shell script that emits GRUB configuration through a here-document, which is why the dollar signs are escaped:

# vi /etc/grub.d/01_users

#!/bin/sh -e

cat << EOF
if [ -f \${prefix}/user.cfg ]; then
  source \${prefix}/user.cfg
  if [ -n "\${GRUB2_PASSWORD}" ]; then
    set superusers="csadm"
    export superusers
    password_pbkdf2 csadm \${GRUB2_PASSWORD}
  fi
fi
EOF

:wq

The password_pbkdf2 line must name the same user as superusers.  If it still says root while superusers is csadm, csadm has no credential and root is no longer a superuser, so nobody can unlock the GRUB menu.

Set the boot loader superuser password.  grub2-setpassword writes the PBKDF2-SHA512 hash to /boot/grub2/user.cfg, which the script above sources at boot time; it does not touch grub.cfg itself:

# grub2-setpassword
Enter password: **********
Confirm password: **********

Generate a new GRUB configuration file so the edited 01_users snippet is embedded in grub.cfg (on RHEL 9 the grub.cfg under /boot/efi is only a stub that hands off to this file, so the same path applies on BIOS and UEFI systems):

# grub2-mkconfig -o /boot/grub2/grub.cfg
Generating grub configuration file ...
Adding boot menu entry for UEFI Firmware Settings ...
done
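Before rebooting, it is worth confirming that the generated grub.cfg really defines a superuser and a password for that same name, because a mismatch locks everyone out of the GRUB menu rather than producing an error.  The check below is an added example, not code from the original post or from OpenSCAP: it parses the 01_users output as written into grub.cfg, follows the ${GRUB2_PASSWORD} reference into user.cfg, and flags a superuser that is still root.  The /boot/grub2 paths and the sample files it constructs are assumptions matching a stock RHEL 9 layout.

```shell
#!/bin/bash
# Added example (not from the original post): verify that the grub.cfg just
# generated defines a superuser AND a password for that same name.  It catches
# the easy mistake of changing superusers to "csadm" while the password_pbkdf2
# line still says root: then csadm has no credential, root is not a superuser,
# and nobody can unlock the GRUB menu.  Paths are assumptions matching a stock
# RHEL 9 layout, where grub.cfg keeps the literal ${GRUB2_PASSWORD} and the
# real hash lives in user.cfg beside it (written by grub2-setpassword).
set -u

# check_grub_superuser <grub.cfg> [user.cfg]
# returns 0 = OK, 1 = misconfigured, 2 = file unreadable, 3 = superuser is still root
check_grub_superuser() {
  cfg="$1"
  usercfg="${2:-$(dirname "$cfg")/user.cfg}"
  [ -r "$cfg" ] || { echo "FAIL: cannot read $cfg" >&2; return 2; }

  # e.g.  set superusers="csadm"        (GRUB allows several, space separated)
  superusers=$(sed -n 's/^[[:space:]]*set superusers="\([^"]*\)".*/\1/p' "$cfg" | head -n 1)
  # e.g.  password_pbkdf2 csadm ${GRUB2_PASSWORD}
  pwline=$(awk '/^[[:space:]]*password_pbkdf2[[:space:]]/ { print $2, $3; exit }' "$cfg")
  pwuser=${pwline%% *}
  pwhash=${pwline#* }

  [ -n "$superusers" ] || { echo "FAIL: no 'set superusers=' line in $cfg"; return 1; }
  [ -n "$pwuser" ]     || { echo "FAIL: no password_pbkdf2 line in $cfg"; return 1; }

  # The password entry must belong to one of the listed superusers.
  matched=0
  for u in $superusers; do
    if [ "$u" = "$pwuser" ]; then matched=1; fi
  done
  if [ "$matched" -eq 0 ]; then
    echo "FAIL: superusers '$superusers' have no password; password_pbkdf2 is for '$pwuser'"
    return 1
  fi

  # Resolve the hash: either inline in grub.cfg, or ${GRUB2_PASSWORD} sourced from user.cfg.
  if [ "$pwhash" = '${GRUB2_PASSWORD}' ]; then
    [ -r "$usercfg" ] || { echo "FAIL: $cfg uses GRUB2_PASSWORD but $usercfg is missing; run grub2-setpassword"; return 1; }
    pwhash=$(sed -n 's/^GRUB2_PASSWORD=//p' "$usercfg" | head -n 1)
  fi
  case "$pwhash" in
    grub.pbkdf2.sha512.*) ;;
    *) echo "FAIL: password for '$pwuser' is not a PBKDF2-SHA512 hash"; return 1 ;;
  esac

  if [ "$pwuser" = "root" ]; then
    echo "WARN: GRUB superuser still uses the default name 'root'"
    return 3
  fi
  echo "OK: GRUB superuser '$pwuser' has a PBKDF2-SHA512 password"
  return 0
}

# Constructed sample files (not real boot files) in the shape 01_users emits,
# so the check can be tried without touching /boot.
# write_sample <dir> <superusers> <password user> [yes|no: write user.cfg]
write_sample() {
  mkdir -p "$1"
  cat > "$1/grub.cfg" <<EOF
### BEGIN /etc/grub.d/01_users ###
if [ -f \${prefix}/user.cfg ]; then
  source \${prefix}/user.cfg
  if [ -n "\${GRUB2_PASSWORD}" ]; then
    set superusers="$2"
    export superusers
    password_pbkdf2 $3 \${GRUB2_PASSWORD}
  fi
fi
### END /etc/grub.d/01_users ###
EOF
  if [ "${4:-yes}" = yes ]; then
    echo 'GRUB2_PASSWORD=grub.pbkdf2.sha512.10000.CONSTRUCTEDSAMPLEHASH' > "$1/user.cfg"
  fi
}

# Stand-alone use: ./check-grub.sh /boot/grub2/grub.cfg   (no argument: demo on samples)
if [ "$#" -gt 0 ]; then
  check_grub_superuser "$@"
else
  d=$(mktemp -d)
  write_sample "$d/wrong" csadm root      # superuser renamed, password still for root
  write_sample "$d/right" csadm csadm
  check_grub_superuser "$d/wrong/grub.cfg" || true
  check_grub_superuser "$d/right/grub.cfg"
  rm -rf "$d"
fi
```

Run it as root against /boot/grub2/grub.cfg after grub2-mkconfig and before rebooting; a non-zero exit means the GRUB menu would not be unlockable with the password you just set, and the message says why.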


Reboot the system, log back in, re-run the scan as root (and chmod the new report file as before so the web server can read it), then check the new report to make sure the high (Cat 1) violations have been taken care of.

# shutdown -r now

SUCCESS!  There are no high (Cat 1) findings.
