New year, new thread? (RHEL 7 STIG)
The other thread's gotten stupid long and hard to follow, so, starting anew...
DISA's web site had indicated that the first STIG release for 2017 was to have happened on January 27th. Unfortunately, appears that - not only did they miss the previous quarter's release-date, they missed this one, too. Coincidentally, looks like they also missed the quarterly-date for updating the other RHEL STIGs' updates. Does anyone at Red Hat (or elsewhere) know if DISA's planning to release this quarter or not? If so, any projected dates and any knowledge of whether it will be another "draft" release or if (hope beyond hope) it might actually be a "real" release?
Responses
Red Hat
Active Contributor
312 points
The currently released DISA content does not embed automation, so won't be able to use with classic tools like OpenSCAP, ACAS, SCC, etc. As Tom spoke of, consider using the natively delivered SCAP content via the scap-security-guide RPM. It contains a DoD Vendor STIG profile which should get you most of the way there.
We're working on updating the OpenSCAP/SCAP Security Guide content to directly align with what DISA released. Hope to have patches upstream shortly.
Guru
6435 points
Would also be helpful if Red Hat were able to publish "preview" content that more-quickly tracked what was in the upstream sources. Could be helpful to organizations that want to push oscap if they were able to say to their IA folks "we can optionally scan/remediate to DISA-spec or enhanced/anticipatory guidance".
Red Hat
Active Contributor
312 points
Tracking. Current non-official thoughts on how we'll handle releases moving forward:
Some people can use GitHub/upstream. They'll always have the latest, but also need to recognize they're on the edge regarding supportability;
Our friends at NIST reactivated our National Checklist Program * account, allowing us to upload SCAP content directly -- e.g. post the latest SSG content when released by upstream. This will give consumers a .gov URL to download the latest baselines.
RHEL will continue to rebase OpenSCAP/SCAP Security Guide during minor releases (e.g. RHEL 7.4).
So, upstream has bleeding edge. NIST will house interim upstream releases. RHEL will continue to ship and rebase during minor releases and house content supported by big Red Hat.
*The NIST NCP webpage is going through major rehauls and appears down at the moment (1030 EST). Promise, content is there! When website returns, you can search for "Red Hat" as a content provider and pull RHEL and JBoss baselines.
Thanks, for the reply's and clarification.
For what it is worth -
I know this thread is old, but I am sure there are some that reference it for finding SCAP related content avenues. I saw this on the DISA STIG website and thought it might be applicable.
"Red Hat 7 Benchmark is currently under development, no release date. "
Would this lead one to believe automation is, in fact, being worked on as it relates to the DISA STIG and the DISA SCC tool?
Guru
Community Member
3711 points
Who knows. It's laughably late, at this point (seriously: four point-releases beyond the initial, .0 release??). I know the customers I work for (and peers at other organizations) have pretty much moved on from trying to wait for DISA automation-content.
Red Hat
Active Contributor
312 points
Meanwhile, consider using the NIST National Checklist for RHEL 7:
"Security Baselines for Red Hat Enterprise Linux 7.x" https://nvd.nist.gov/ncp/checklist/811
Includes a STIG profile.
And for the savvy observer, this is the same content shipped in RHEL via the scap-security-guide.
Hey guys,
I have gone through this thread and the previous thread and i wanted to know if anyone has a good method for mapping oscap results back to DISA STIG ids. I wrote a python script that uses the following file to do the mapping. Anyone have a better way? Anything out there already?
https://github.com/OpenSCAP/scap-security-guide/blob/master/RHEL/7/input/auxiliary/stig_overlay.xml
Guru
6435 points
Depending on who you're providing proof-of-hardening data for, your accreditors should care more about RMF mappings (ICD 503 controls) rather than STIG ID numbers, OSCAP rule-names, vendor control IDs or the like. Fortunately, the OSCAP rules, vendor STIG-content and DISA STIG content all include that mapping-information, already.
I've been reading through the thread and I'm if anything more confused as to what I should do (have done):
I'm dealing with an air-gapped system which I'm in the process of reinstalling RHEL 7.2 on (we need to use RedHat 7.2 due to tools that won't support 7.3 for another few months, at which point we'll upgrade). I have the DISA STIG on a DVD, however, when I got to the security profile section of the installation, I was only able to take the options off of the DVD or specify a URL (not an option over an air gap, and figuring out a file URL is extremely difficult at best during installation).
I do have a potential need to reinstall this again (I misplaced the root password, so I probably need to redo the installation since I don't want to have it totally unknown), but I'm not seeing anything in this thread that gives me hope that I can improve upon this - nor much of an idea how to apply the STIG after installation.
Any suggestions? Help in the next few minutes would be really useful, but I'll probably be able to try again tomorrow (Mountain Daylight Time, US) morning, without making too big of an impact on resuming my normal work.
Ron O (Programmer, not a system admin)
Ronald-
As far as I can tell, at this moment, there isn't an "automatic" way to apply DISA STIGS to a RHEL 7.X build, either during the installation process or post installation.
The DISA STIGS are meant to be a guide for hardening your system.
The only real way to "STIG" your system is to go through the DISA STIG manually and check/apply as you deem necessary (using the check content and the fix content)...all 235 checks.
Hi Shawn,
Is the OpenSCAP or oscap tool and SCAP Security Guide part of the RHEL 7 package? I installed 7.3 and couldn't find any of the scap packages outlined in the Red Hat security guide for using these tools, namely scap-security-guide and openscap-scanner.
Community Member
25 points
Chris, Do you have a YUM server available with the rhel-x86_64-server-7 channel? The packages mentioned in RHEL 7 Security Guide using OSCAP are in that channel.
Red Hat
Active Contributor
312 points
+1
Specifically, the "openscap-scanner" provides the tooling and "scap-security-guide" provides the content, "scap-security-guide-docs" provides extra policy mapping tables and kickstarts.
They're available in the base channels. You can also query the package browser tool, which shows what channel(s) a given package can be found in:
https://access.redhat.com/downloads/content/scap-security-guide/0.1.30-5.el7_3/noarch/fd431d51/package
I don't know what is meant by channel. Could someone explain. How do I get to the package browser tool?
Community Member
25 points
Chris, The channels available to you are based on the entitlements associated with your RHN account. Shawn placed a URL for the package browser for the scap-security-guide package. If you click this link can you log in and view the package?
Or can you follow the link to the RHEL 7 package viewer?
Newbie
12 points
Great thread. Thanks for the info.
BTW, I found this page in table format that Shawn put up very useful: http://people.redhat.com/swells/scap-security-guide/RHEL/7/output/table-rhel7-stig.html . Is there any chance a CSV version of that (or something roughly similar) can be relatively easily obtained?
Though DISA's Java-based STIG Viewer seems to have a lot of that information, for quick access and ease of searchability I often use the UCF STIG Viewer site, which has a page for RHEL 6 (but not RHEL 7 yet): https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/ . However, since they require you to click on the entries to get the fix information you can't search a single page that displays all fix information in one place.
Their CSV download option there would be great except that they left off the "Version" field or "V-ID" shown on Shawn's RHEL7 STIG html page, even though they include the Version IDs in their XML and JSON formats. That makes it more difficult to correlate UCF's V- (Vulnerability) IDs with the RHEL (Version/V-ID) IDs shown on Shawn's page. I posted a comment on that UCF page today asking them to include the Version field in their CSV.
In any case, even though a lot of the information is the same on the UCF site it isn't directly SCAP related as far as I can tell. I'm basically just looking for a table-like format that has all the Vulnerability/Version ID/CCI/Rule ID information alongside the fix text (although I noticed that Shawn's page doesn't have the Vulnerability IDs). Any suggestions? Or am I just being too lazy by not using DISA's Java GUI tool?
Best regards,
Josh Nielsen
Guru
6435 points
For what it's worth, if you use one of the 1.x STIG-viewers, the export capabilities are a lot better than the 2.x ones. Generally, when I need things in CSV, I use a 1.x viewer to do the export since it allows me to select which columns to export (whereas, to date, the 2.x ones only seem to "export all fields").
Red Hat
Active Contributor
312 points
RHEL ships policy mapping tables in HTML today, via the scap-security-guide-docs package. We can easily add column names and transform into CSV. To start that conversation, mind moving the question to the OpenSCAP/SCAP Security Guide community?
Could either use GitHub Issues [1] or the OpenSCAP/SSG mailing list [2].
This might also be a good time to plug the gov-sec mailing list [3] as well. Gov-sec is a moderated (US Gov community) list where people post questions/comments/ideas about anything relating to US Gov use of Red Hat and open source. Posts go to the extended community, and almost all RedHat Gov tech staff are subscribed. Fairly low traffic. Only reason I know about this access.redhat.com discussion is because someone (Tom?) forwarded me a heads up offline, whereas any of the above (GitHub + Mailing lists) are actively monitored.
[1] https://github.com/OpenSCAP/scap-security-guide/issues/new [2] https://lists.fedorahosted.org/admin/lists/scap-security-guide.lists.fedorahosted.org/ [3] https://www.redhat.com/mailman/listinfo/gov-sec
Guru
10133 points
Shawn,
You mentioned "Ansible NIST 800-53 playbooks" in regards to ansible playbooks for STIG hardening. I found multiple sites for this, but I'm not sure which one is the proper one. Where are the "Ansible NIST 800-53 playbooks" you cited earlier in this discussion? It would be good to have for reference. (or if anyone else knows, I've already done a google search against those key terms, and found multiple sites that could be it, but I'd rather pick the "right one")
===#### quoting Shawn Wells
17 April 2017 11:40 PM
Shawn Wells
There's the OpenSCAP content shipping natively in RHEL, or you can use upstream. There's also the Ansible NIST 800-53 playbooks.
===#### end the quote
(I picked a ridiculous name, I'm not really a developer, but a sysadmin)
Community Member
25 points
CD,
Here's what Shawn had to say on last year's thread:
We meant the rhtps account to be more of an internal staging repo. Before you go to far down the path, you may want to start using https://galaxy.ansible.com/RedHatGov/800-53/ and https://github.com/RedHatGov/ansible-role-800-53.
A US Intelligence customer let us open source that specific ansible playbook, which was generated in support of an ATO at their agency. I tipped off the RedHat guys who wrote it to comment here (as they have the full background + insight into who is using and where). Note Red Hat begins a corporate holiday shutdown this week, so responses may come next week.
Active Contributor
252 points
It's good to hear some orgs are allowing oscap now. More should follow now.
This is my new account. I'm not sure what it will look like compared to my other RH Community account. I still get to bug Tom though, so that will be fun.
;-)
Darn, back down to 5 points. Wish RH could have combined my accounts.
Chris
Guru
10133 points
They were able to kinda transfer my profile, contact David Powles (or I'll ask him to look at this thread). I unfortunately picked "caffeinated developer" but I'm really a sysadmin. Still attempting to flip my profile to just "R. Hinton"
Red Hat
25369 points
Just confirming - you can always contact me if you need your rep score migrated.
Searching around in some of the discussions here, I've seen references to installing RHEL7 using the GUI installation and the selecting security profiles to harden systems IAW the DISA STIG at install, or building a hardened installation disk using scripts on github. My question is there any way to utilize these hardening methods through kickstart via something like satellite or will post-installation scripts that are custom built by the site be required?
Active Contributor
157 points
Revision 3 has been posted to DISA's website: https://iasecontent.disa.mil/stigs/zip/U_Red_Hat_Enterprise_Linux_7_V1R3_STIG.zip
Hopefully it has improved.
Guru
10133 points
A slightly different focus, a discussion for just the CAT I items that are currently not able to be resolved with specific server roles. Example (not limited to this example), Satellite, Gluster, Samba servers can not endure FIPS being active. For anyone interested in CAT I items (the most severe of a given STIG) being resolved, please see this thread https://access.redhat.com/discussions/3508811
Pages
Welcome! Check out the Getting Started with Red Hat page for quick tours and guides for common tasks.