In the last article we set up a new rocky linux 8 system with the DISA stig applied using OpenSCAP. Now we’re going to cover how to test the system using those same tools, and look at what kinds of reports we can generate using the tools oscap, and its UI counterpart SCAP Workbench.
Rocky Linux 8 (and 9!) includes a suite of SCAP content to test, and remediate compliance against various standards. If you built a STIG’d system in part 1, you’ve already seen this in action. The anaconda installer leveraged this content to modify the rocky 8 configuration to implement various controls, install/remove packages, and change the way the OS level mount points work.
Over time, these things could change and you will want to keep an eye on it. Frequently, I also use these reports to show proof that a particular control has been implemented correctly. Either way, its baked in to Rocky. We will begin with some basics.
To list the security profiles available, we need to use the command oscap info provided by the openscap-scanner package. This should already be installed in your system if you've been following along since Part 1. To obtain the security profiles available:
Next, we will generate a scan, and then use the results of the scan to generate a bash script to remediate the system based on the DISA stig profile. I do not recommend using automatic remediation, you should always review the changes before actually running them.
Scott Shinn is the CTO for Atomicorp, and part of the Rocky Linux Security team. He has been involved with federal information systems at
the White House, Department of Defense, and Intelligence Community since 1995. Part of that was creating STIG’s and the requirement
that you use them and I am so very sorry about that.