Guided Exercise: Customizing OpenSCAP Policy

Select a subset of checks to perform from a SCAP policy by creating a tailoring file with SCAP Workbench. You will then test the tailored policy by scanning one of your servers and reviewing the results.

Outcomes

  • Create a tailoring file that has most checks disabled by using the SCAP Workbench utility.

  • Scan a system with the customized policy.

  • Review the results.

  • Optionally, compare the current results to the results from the previous exercise.

As the student user on the workstation machine, use the lab command to prepare your environment for this exercise, and to ensure that all required resources are available.

[student@workstation ~]$ lab start openscap-customizing

Instructions

  1. On the workstation machine, use the SCAP Workbench graphical utility to customize the DISA STIG for Red Hat Enterprise Linux 9 profile.

    1. Start SCAP Workbench by running the scap-workbench command.

      [student@workstation ~]$ scap-workbench

      The SCAP Workbench utility detects that the SCAP Security Guide is already installed on the system and asks you to select the content to use.

      In the Select content to load field, select rhel9 and click Load Content.

    2. Locate the Profile field and select the DISA STIG for Red Hat Enterprise Linux 9 profile.

      Click Customize to the right of that field.

    3. In the New Profile ID field, enter xccdf_com.example_profile_RH415-rhel9 and click OK.

      The new window displays all the available rules. The rules that are included in the DISA STIG for Red Hat Enterprise Linux 9 profile are selected.

    4. Click Deselect All and select the three following rules in the Updating Software section:

      • Ensure gpgcheck Enabled In Main dnf Configuration

      • Ensure gpgcheck Enabled for All dnf Package Repositories

      • Ensure dnf Removes Previous Package Versions

      In the Set Password Quality Requirements with pam_pwquality section, select the following:

      • Select the Ensure PAM Enforces Password Requirements - Minimum Length rule to enable the test.

      • Click the minlen rule. In the right pane, select 6 from the Modify Value list. This configuration sets the pam_pwquality minlen option to six characters.

      Click OK.

    5. Save the customization in a tailoring file. Select File → Save Customization Only and enter RH415-tailoring.xml as the file name. Keep this file in your home directory so that you can refer to it later.

      Close SCAP Workbench.

  2. Scan the serverc machine for compliance with your customization of the DISA STIG profile.

    1. As the student user, use the scp command to copy the RH415-tailoring.xml tailoring file to the serverc machine. No password is required.

      [student@workstation ~]$ scp RH415-tailoring.xml student@serverc:
      RH415-tailoring.xml                            100%   66KB  36.3MB/s   00:00

    2. Log in to the serverc machine as the student user. No password is required.

      [student@workstation ~]$ ssh student@serverc
      [student@serverc ~]$

    3. Change to the root user. Use student as the password.

      [student@serverc ~]$ sudo -i
      [sudo] password for student: student
      [root@serverc ~]#

    4. Use the oscap info command on the /home/student/RH415-tailoring.xml tailoring file to retrieve the associated profile.

      [root@serverc ~]# oscap info /home/student/RH415-tailoring.xml
      Document type: XCCDF Tailoring
      Imported: 2023-10-24T12:56:41
      Benchmark Hint: /tmp/scap-workbench-IlIHwP/ssg-rhel9-ds.xml
      Profiles:
      	Title: [DRAFT] DISA STIG for Red Hat Enterprise Linux 9 [CUSTOMIZED]
      		Id: xccdf_com.example_profile_RH415-rhel9

    5. Scan the system for compliance with your customization. Save the result in the /root/RH415-results.xml file. Keep this file in your home directory so that you can refer to it later.

      [root@serverc ~]# oscap xccdf eval \
          --profile xccdf_com.example_profile_RH415-rhel9 \
          --tailoring-file /home/student/RH415-tailoring.xml \
          --results /root/RH415-results.xml \
          /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml
      WARNING: Datastream component 'scap_org.open-scap_cref_security-data-oval-com.redhat.rhsa-RHEL9.xml.bz2' points out to the remote 'https://access.redhat.com/security/data/oval/com.redhat.rhsa-RHEL9.xml.bz2'. Use '--fetch-remote-resources' option to download it.
      WARNING: Skipping 'https://access.redhat.com/security/data/oval/com.redhat.rhsa-RHEL9.xml.bz2' file which is referenced from datastream
      WARNING: Skipping ./security-data-oval-com.redhat.rhsa-RHEL9.xml.bz2 file which is referenced from XCCDF content
      --- Starting Evaluation ---
      
      Title   Ensure dnf Removes Previous Package Versions
      Rule    xccdf_org.ssgproject.content_rule_clean_components_post_updating
      Ident   CCE-83458-0
      Result  pass
      
      Title   Ensure gpgcheck Enabled In Main dnf Configuration
      Rule    xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated
      Ident   CCE-83457-2
      Result  pass
      
      Title   Ensure gpgcheck Enabled for All dnf Package Repositories
      Rule    xccdf_org.ssgproject.content_rule_ensure_gpgcheck_never_disabled
      Ident   CCE-83464-8
      Result  pass
      
      Title   Ensure PAM Enforces Password Requirements - Minimum Length
      Rule    xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen
      Ident   CCE-83579-3
      Result  fail

    6. When the scan is complete, convert the /root/RH415-results.xml file to HTML. Save the HTML report in the /root/RH415-results.html file.

      [root@serverc ~]# oscap xccdf generate report \
          RH415-results.xml > RH415-results.html
      [root@serverc ~]#

    7. Use the scp command to copy the RH415-results.html file to the workstation machine so that you can use Mozilla Firefox to display it. Use student as the password.

      [root@serverc ~]# scp RH415-results.html student@workstation:
      student@workstation's password: student
      RH415-results.html                             100%  274KB  99.5MB/s   00:00

    8. Return to the workstation machine.

      [root@serverc ~]# logout
      [student@serverc ~]$ logout
      [student@workstation ~]$

    9. Use Firefox to display the RH415-results.html file.

      [student@workstation ~]$ firefox RH415-results.html

    10. The page only displays the rules from your tailoring file. Optionally, compare the results of this exercise to the results of the previous exercise. Close Firefox when you are done exploring the scan results.

      Figure 9.11: Tailored rules scan results
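The tailoring file that SCAP Workbench saved in step 1 and the results file that oscap wrote in step 2 are both XCCDF 1.2 XML, so the customization and the scan outcome can be checked without the GUI or the HTML report. The following Python script is an added example for this exercise; it is not part of the course material or of OpenSCAP. The two XML samples are constructed to mirror the layout that SCAP Workbench and `oscap xccdf eval --results` produce, using the rule ids and the profile id shown in the exercise output. The `extends` value `xccdf_org.ssgproject.content_profile_stig`, the deselected rule `xccdf_org.ssgproject.content_rule_sshd_disable_root_login`, and the value id `xccdf_org.ssgproject.content_value_var_password_pam_minlen` are my assumptions about the SCAP Security Guide identifiers, since the exercise does not print them.

```python
"""Inspect an XCCDF 1.2 tailoring file and summarize oscap XCCDF results.
Added example for this exercise; not part of the course or of OpenSCAP.
The two XML samples are constructed to mirror what SCAP Workbench
(tailoring) and oscap --results (results) write."""
import xml.etree.ElementTree as ET

XCCDF = "{http://checklists.nist.gov/xccdf/1.2}"   # XCCDF 1.2 namespace

# Constructed tailoring file: four rules switched on, one explicitly off,
# and the pam_pwquality minlen value refined to 6, as in the exercise.
# The extends/value/sshd ids are assumed SSG identifiers, not from the page.
SAMPLE_TAILORING = """<xccdf-1.2:Tailoring xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2"
    id="xccdf_scap-workbench_tailoring_default">
  <xccdf-1.2:benchmark href="/usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml"/>
  <xccdf-1.2:Profile id="xccdf_com.example_profile_RH415-rhel9"
      extends="xccdf_org.ssgproject.content_profile_stig">
    <xccdf-1.2:title override="true">[DRAFT] DISA STIG for Red Hat Enterprise Linux 9 [CUSTOMIZED]</xccdf-1.2:title>
    <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_clean_components_post_updating" selected="true"/>
    <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated" selected="true"/>
    <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_ensure_gpgcheck_never_disabled" selected="true"/>
    <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen" selected="true"/>
    <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sshd_disable_root_login" selected="false"/>
    <xccdf-1.2:refine-value idref="xccdf_org.ssgproject.content_value_var_password_pam_minlen" selector="6"/>
  </xccdf-1.2:Profile>
</xccdf-1.2:Tailoring>
"""

# Constructed results file: the verdicts shown in the exercise output, plus
# one rule the tailoring deselected, which oscap reports as "notselected".
SAMPLE_RESULTS = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.ssgproject.content_benchmark_RHEL-9">
  <TestResult id="xccdf_org.open-scap_testresult_xccdf_com.example_profile_RH415-rhel9">
    <profile idref="xccdf_com.example_profile_RH415-rhel9"/>
    <target>serverc</target>
    <rule-result idref="xccdf_org.ssgproject.content_rule_clean_components_post_updating">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_ensure_gpgcheck_never_disabled">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_disable_root_login">
      <result>notselected</result>
    </rule-result>
  </TestResult>
</Benchmark>
"""


def load_tailoring(xml_text):
    """Return the customized profile: its id, the profile it extends,
    the rules it selects, and any refined values (value id -> selector)."""
    profile = ET.fromstring(xml_text).find(f"{XCCDF}Profile")
    selected = [s.get("idref") for s in profile.findall(f"{XCCDF}select")
                if s.get("selected") == "true"]
    refined = {r.get("idref"): r.get("selector")
               for r in profile.findall(f"{XCCDF}refine-value")}
    return {"id": profile.get("id"), "extends": profile.get("extends"),
            "selected": selected, "refined": refined}


def load_results(xml_text):
    """Map each evaluated rule id to its verdict, dropping rules the
    profile did not select (oscap still lists them as notselected)."""
    root = ET.fromstring(xml_text)
    return {rr.get("idref"): rr.findtext(f"{XCCDF}result")
            for rr in root.iter(f"{XCCDF}rule-result")
            if rr.findtext(f"{XCCDF}result") != "notselected"}


def failing_rules(outcomes):
    """Rules that need attention: fail, error, or unknown verdicts."""
    return sorted(r for r, v in outcomes.items() if v in ("fail", "error", "unknown"))


def tailoring_applied(tailoring, outcomes):
    """True when the evaluated rule set is exactly the tailored selection."""
    return set(tailoring["selected"]) == set(outcomes)


def compare_runs(previous, current):
    """Rules whose verdict changed between two scans: rule -> (before, after)."""
    return {rule: (previous.get(rule), current.get(rule))
            for rule in set(previous) | set(current)
            if previous.get(rule) != current.get(rule)}


if __name__ == "__main__":
    tailoring = load_tailoring(SAMPLE_TAILORING)
    outcomes = load_results(SAMPLE_RESULTS)
    print(f"Profile {tailoring['id']} extends {tailoring['extends']}")
    print("Refined values:", tailoring["refined"])
    print("Failing rules:", failing_rules(outcomes))
    print("Tailoring applied:", tailoring_applied(tailoring, outcomes))
```

To run it against the real files from this exercise, pass the contents of /home/student/RH415-tailoring.xml to `load_tailoring()` and of /root/RH415-results.xml to `load_results()`; `tailoring_applied()` then confirms that oscap evaluated exactly the rules you selected in SCAP Workbench, and `compare_runs()` on the results of two scans lists the rules whose verdict changed. Note that `oscap xccdf eval` itself exits with status 2 when at least one rule fails, so a wrapper script must treat 2 as "scan completed with findings" rather than as a scan error (status 1).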

Finish

On the workstation machine, use the lab command to complete this exercise. This step is important to ensure that resources from previous exercises do not impact upcoming exercises.

[student@workstation ~]$ lab finish openscap-customizing

Revision: rh415-9.2-a821299