Scope
This document covers how to set up a RHEL 6.5 system for STIG scanning using the OpenSCAP tool and the official STIG benchmark content from DISA.
Assumptions
1. We are starting with a base installation of RHEL 6.5 x64 using the minimal installation.
2. The system is registered with Red Hat Network or Red Hat Network Satellite Server.
NOTE: When I am STIGing a system I always start with the minimal installation instead of trying to remove packages after the fact. This way only needed packages are installed. A base install of RHEL 6.5 without updates applied is 243 packages installed from the ISO.
Installation Instructions
1. Log in to the system as root or with an account that has sudo privileges.
NOTE: Logging in as root over SSH is a CAT II finding.
2. Install OpenSCAP.
# sudo yum install openscap-utils
NOTE: 21 package dependencies will need to be installed.
3. Install openssh-clients and its libedit dependency so you can securely transfer files to the system.
# yum install openssh-clients libedit
# yum install openscap-utils
Installation Summary
Transaction Summary: Installed 21 Package(s)
Installed:
  openscap-utils.x86_64 0:1.0.8-1.el6_5
Dependency Installed:
  elfutils.x86_64 0:0.152-1.el6
  elfutils-libs.x86_64 0:0.152-1.el6
  fakeroot.x86_64 0:1.12.2-22.2.el6
  fakeroot-libs.x86_64 0:1.12.2-22.2.el6
  gdb.x86_64 0:7.2-60.el6_4.1
  man.x86_64 0:1.6f-32.el6
  openscap.x86_64 0:1.0.8-1.el6_5
  patch.x86_64 0:2.6-6.el6
  perl.x86_64 4:5.10.1-136.el6
  perl-Module-Pluggable.x86_64 1:3.90-136.el6
  perl-Pod-Escapes.x86_64 1:1.04-136.el6
  perl-Pod-Simple.x86_64 1:3.13-136.el6
  perl-libs.x86_64 4:5.10.1-136.el6
  perl-version.x86_64 3:0.77-136.el6
  rpm-build.x86_64 0:4.8.0-37.el6
  rpmdevtools.noarch 0:7.5-2.el6
  unzip.x86_64 0:6.0-1.el6
  wget.x86_64 0:1.12-1.11.el6_5
  xz.x86_64 0:4.999.9-0.3.beta.20091007git.el6
  xz-lzma-compat.x86_64 0:4.999.9-0.3.beta.20091007git.el6
NOTE: After installing OpenSCAP I ran yum update. My normal process is to install the OS, update all packages, then install required packages for the needed functionality. I followed the above process to show the exact packages needed for the installation of OpenSCAP. After running yum update 49 packages were updated and the new kernel installed as of 19 June 2014. It is always recommended to keep your systems patched.
Upload the DISA STIG Benchmark
Upload your benchmark content to the RHEL 6 system using whichever file transfer tool you prefer or have available. From my Mac and RHEL systems I used the built-in SCP utility. From Windows there are numerous tools available, including but not limited to WinSCP.
1. Change to the directory where the files are located.
$ cd ~/Downloads/u_redhat_6_v1r3_benchmark
2. Upload the files. This example shows how on a Mac.
$ scp U_RedHat_6_V1R3_Benchmark-cpe-dictionary.xml user@172.16.101.146:U_RedHat_6_V1R3_Benchmark-cpe-dictionary.xml
$ scp U_RedHat_6_V1R3_Benchmark-cpe-oval.xml user@172.16.101.146:U_RedHat_6_V1R3_Benchmark-cpe-oval.xml
$ scp U_RedHat_6_V1R3_Benchmark-oval.xml user@172.16.101.146:U_RedHat_6_V1R3_Benchmark-oval.xml
$ scp U_RedHat_6_V1R3_Benchmark-xccdf.xml user@172.16.101.146:U_RedHat_6_V1R3_Benchmark-xccdf.xml
3. Run the scan using the OpenSCAP tool on the RHEL system.
# sudo oscap xccdf eval --profile MAC-2_Sensitive --results scan-results.xml --report scan-report.xml --cpe U_RedHat_6_V1R3_Benchmark-cpe-dictionary.xml U_RedHat_6_V1R3_Benchmark-xccdf.xml
4. Now you can download the results files. This example shows how on a Mac.
$ scp user@172.16.101.146:scan-report.xml ~/Downloads/scan-report.xml
$ scp user@172.16.101.146:scan-results.xml ~/Downloads/scan-results.xml
NOTE: 172.16.101.146 is my test system. You will use your IP when accessing your system.
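Once scan-results.xml has been downloaded, the rules that still need attention can be listed by STIG category. The following is an added example, not part of the original write-up: it assumes Python 3 on the workstation and the standard mapping of XCCDF severity high/medium/low to CAT I/II/III, and the embedded sample data and rule ids are constructed.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# DISA STIG categories correspond to XCCDF severity values.
CAT = {"high": "CAT I", "medium": "CAT II", "low": "CAT III"}

# Constructed sample in the shape of an XCCDF results file; the rule ids are made up.
SAMPLE = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1">
  <TestResult id="constructed-sample">
    <rule-result idref="rule-a" severity="high"><result>pass</result></rule-result>
    <rule-result idref="rule-b" severity="medium"><result>fail</result></rule-result>
    <rule-result idref="rule-c" severity="medium"><result>fail</result></rule-result>
    <rule-result idref="rule-d" severity="low"><result>notchecked</result></rule-result>
    <rule-result idref="rule-e" severity="high"><result>notselected</result></rule-result>
  </TestResult>
</Benchmark>"""

def local(tag):
    """Strip the XML namespace so the code does not depend on the XCCDF version."""
    return tag.rsplit("}", 1)[-1]

def summarize(xml_data):
    """Return (Counter of result values, sorted list of (category, rule id, result))."""
    counts, open_items = Counter(), []
    for rr in ET.fromstring(xml_data).iter():
        if local(rr.tag) != "rule-result":
            continue
        result = next(((c.text or "").strip() for c in rr if local(c.tag) == "result"), "unknown")
        counts[result] += 1
        # "fail" is a finding; error/unknown/notchecked still need a manual review.
        if result in ("fail", "error", "unknown", "notchecked"):
            cat = CAT.get(rr.get("severity", ""), "uncategorized")
            open_items.append((cat, rr.get("idref", ""), result))
    return counts, sorted(open_items)

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    counts, open_items = summarize(data)
    print(dict(counts))
    for cat, rule, result in open_items:
        print(f"{cat:14} {result:11} {rule}")
```

Run it with the path to scan-results.xml as the only argument; with no argument it processes the constructed sample.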