Next, check whether the Exalytics Machine is in compliance with STIG guidelines.
To check STIG compliance:
Navigate to the following link:
For the Linux 6 operating system, perform the following actions:
Under the SCAP 1.1 Content section, click Red Hat 6 STIG Benchmark - Version 1, Release 7, and download the U_RedHat_6_V1R7_STIG_SCAP_1-1_Benchmark.zip file.
To run a scan of the system using the RHEL6 STIG policy, run the following commands:
# export PATH=/usr/bin:/usr/sbin:$PATH
# oscap xccdf eval --results results-xccdf.xml --oval-results --cpe U_RedHat_6_V1R7_STIG_SCAP_1-1_Benchmark-cpe-dictionary.xml U_RedHat_6_V1R7_STIG_SCAP_1-1_Benchmark-xccdf.xml
The "oscap" command generates an output file indicating whether specific tests passed or failed.
To get more details, enter the following command:
# oscap xccdf generate report --output results-xccdf.html results-xccdf.xml
The Scan report is displayed.
Review the Scan report to confirm that specific tests passed.
The output is similar to the following:
Scan Report
Introduction
Test Result
Result ID                                       Profile            Start time        End time          Benchmark  Benchmark version
xccdf_org.open-scap_testresult_default-profile  (Default profile)  2015-04-10 12:16  2015-02-10 12:16  embedded   1
Target info
Targets
<name of the Exalytics Machine>
Addresses
127.0.x.xx
10.242.xxx.xxx
0:0:0:0:0:0:0:x
2606:b400:2010:504d:210:e0ff:fe46:xxx
fe80:0:0:0:210:e0ff:fe46:xxx
Applicable platforms
cpe:/o:redhat:enterprise_linux:6
Score
system                     score  max     %       bar
urn:xccdf:scoring:default  80.79  100.00  80.79%
Results overview
Rule Results Summary
pass  fixed  fail  error  not selected  not checked  not applicable  informational  unknown  total
286   0      68    0      0             0            0               0              0        354
Title Result
The system must require authentication upon booting into single-user and maintenance modes. pass
The Department of Defense (DoD) login banner must be displayed immediately prior to, or as part of, console login prompts. fail
The system must disable accounts after three consecutive unsuccessful login attempts. pass
The root account must be the only account having a UID of 0. pass
The root user's home directory must not be the root directory (/). pass
The root account's home directory (other than /) must have mode 0700. pass
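To review results without opening the HTML report, the XCCDF results file written by the scan can be tallied directly. The following is an added example, not part of the original procedure or of OpenSCAP: it counts each result type and lists the rules that did not pass. It assumes the results file embeds the benchmark's Rule definitions alongside the TestResult; the sample input and its rule ids are constructed.

```python
import sys
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample input; rule ids and values are illustrative, not from a real scan.
SAMPLE = """<?xml version="1.0"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="sample">
  <Rule id="rule-banner"><title>Login banner must be displayed.</title></Rule>
  <Rule id="rule-uid0"><title>Root must be the only UID 0 account.</title></Rule>
  <Rule id="rule-lockout"><title>Disable accounts after three failed logins.</title></Rule>
  <TestResult id="sample-result">
    <rule-result idref="rule-banner"><result>fail</result></rule-result>
    <rule-result idref="rule-uid0"><result>pass</result></rule-result>
    <rule-result idref="rule-lockout"><result>pass</result></rule-result>
    <score system="urn:xccdf:scoring:default" maximum="100">66.67</score>
  </TestResult>
</Benchmark>"""


def local(tag):
    """Drop the XML namespace so XCCDF 1.1 and 1.2 files parse alike."""
    return tag.rsplit("}", 1)[-1]


def summarize(xml_data):
    """Return (counts per result, [(rule id, result, title)] for non-passing rules, score)."""
    root = ET.fromstring(xml_data)
    titles, counts, flagged, score = {}, Counter(), [], None
    for el in root.iter():
        name = local(el.tag)
        if name == "Rule":
            title = next((c.text for c in el if local(c.tag) == "title"), "")
            titles[el.get("id")] = (title or "").strip()
        elif name == "rule-result":
            texts = [c.text.strip() for c in el if local(c.tag) == "result" and c.text]
            result = texts[0] if texts else "unknown"
            counts[result] += 1
            if result in ("fail", "error", "unknown"):
                flagged.append((el.get("idref"), result))
        elif name == "score" and el.get("system") == "urn:xccdf:scoring:default":
            score = float(el.text)
    return counts, [(rid, res, titles.get(rid, "")) for rid, res in flagged], score


if __name__ == "__main__":
    # Pass results-xccdf.xml as the first argument; falls back to the constructed sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    counts, flagged, score = summarize(data)
    print("score:", score, dict(counts))
    for rid, res, title in flagged:
        print(f"{res.upper():7} {rid}  {title}")
```

Run against a real scan, the counts should match the Rule Results Summary in the HTML report, and each listed rule is a finding to remediate or document as an exception.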