9.2 Checking STIG Compliance

Next, check whether the Exalytics Machine is in compliance with STIG guidelines.

To check STIG compliance:

  1. Navigate to the following link:

    http://iase.disa.mil/stigs/scap/Pages/index.aspx

  2. For the Linux 6 operating system, perform the following actions:

    1. Under the SCAP 1.1 Content section, click Red Hat 6 STIG Benchmark - Version 1, Release 7, and download the U_RedHat_6_V1R7_STIG_SCAP_1-1_Benchmark.zip file.

    2. To run a scan of the system using the RHEL6 STIG policy, run the following commands:

      # export PATH=/usr/bin:/usr/sbin:$PATH

      # oscap xccdf eval --results results-xccdf.xml --oval-results --cpe U_RedHat_6_V1R7_STIG_SCAP_1-1_Benchmark-cpe-dictionary.xml U_RedHat_6_V1R7_STIG_SCAP_1-1_Benchmark-xccdf.xml

      The "oscap" command generates an output file indicating whether specific tests passed or failed.

  3. To get more details, enter the following command:

    # oscap xccdf generate report --output results-xccdf.html results-xccdf.xml

    The scan report is written to results-xccdf.html; open it in a browser to view it.

  4. Review the Scan report to confirm that specific tests passed.

    The output is similar to the following:

    Scan Report

    Introduction

    Test Result
    Result ID                                       Profile            Start time        End time          Benchmark   Benchmark version
    xccdf_org.open-scap_testresult_default-profile  (Default profile)  2015-04-10 12:16  2015-02-10 12:16  embedded    1

    Target info
    Targets
      <name of the Exalytics Machine>
    Addresses
      127.0.x.xx
      10.242.xxx.xxx
      0:0:0:0:0:0:0:x
      2606:b400:2010:504d:210:e0ff:fe46:xxx
      fe80:0:0:0:210:e0ff:fe46:xxx
    Applicable platforms
      cpe:/o:redhat:enterprise_linux:6

    Score
    system                     score   max      %
    urn:xccdf:scoring:default  80.79   100.00   80.79%

    Results overview
    Rule Results Summary
    pass  fixed  fail  error  not selected  not checked  not applicable  informational  unknown  total
    286   0      68    0      0             0            0               0              0        354

    Title                                                                                           Result
    The system must require authentication upon booting into single-user and maintenance modes.    pass
    The Department of Defense (DoD) login banner must be displayed immediately prior to, or as
    part of, console login prompts.                                                                 fail
    The system must disable accounts after three consecutive unsuccessful login attempts.           pass
    The root account must be the only account having a UID of 0.                                    pass
    The root user's home directory must not be the root directory (/).                              pass
    The root account's home directory (other than /) must have mode 0700.                           pass
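The HTML report is convenient for reading, but the results-xccdf.xml file that step 2 produces is what you would feed into a compliance tracker or a ticketing system. The following script is an added example (not Oracle or OpenSCAP code) that parses an XCCDF result file and rebuilds the "Rule Results Summary" counts, the score line and the list of failed rules with their severity. It accepts both the XCCDF 1.1 namespace used by the SCAP 1.1 RHEL 6 benchmark and the 1.2 namespace of newer content. The embedded XML is a constructed, heavily trimmed sample; the rule IDs, target name and score in it are assumptions, not values from a real scan.

```python
"""Summarise an XCCDF result file such as the results-xccdf.xml written by
`oscap xccdf eval --results`.  Added example; the embedded document is a
constructed sample, not output from a real Exalytics scan."""
import sys
import xml.etree.ElementTree as ET
from collections import Counter

# SCAP 1.1 content (the U_RedHat_6 benchmark) uses the XCCDF 1.1 namespace;
# newer content uses 1.2.  The parser picks whichever the file declares.
XCCDF_NAMESPACES = (
    "http://checklists.nist.gov/xccdf/1.1",
    "http://checklists.nist.gov/xccdf/1.2",
)

# Result values defined by XCCDF, in the order the HTML report's summary
# table shows them.
RESULT_KINDS = ("pass", "fixed", "fail", "error", "notselected", "notchecked",
                "notapplicable", "informational", "unknown")

# Constructed sample: rule IDs, target and score are hypothetical.
SAMPLE_RESULTS = """<?xml version="1.0" encoding="UTF-8"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="RHEL-6-STIG-sample">
  <Rule id="rule-single-user-auth" severity="medium">
    <title>The system must require authentication upon booting into single-user and maintenance modes.</title>
  </Rule>
  <Rule id="rule-dod-banner" severity="medium">
    <title>The DoD login banner must be displayed immediately prior to, or as part of, console login prompts.</title>
  </Rule>
  <Rule id="rule-uid0-root-only" severity="high">
    <title>The root account must be the only account having a UID of 0.</title>
  </Rule>
  <Rule id="rule-outside-profile" severity="low">
    <title>A rule the default profile does not select.</title>
  </Rule>
  <TestResult id="xccdf_org.open-scap_testresult_default-profile"
              start-time="2015-04-10T12:16:00" end-time="2015-04-10T12:16:00">
    <target>exalytics-host.example.invalid</target>
    <rule-result idref="rule-single-user-auth"><result>pass</result></rule-result>
    <rule-result idref="rule-dod-banner"><result>fail</result></rule-result>
    <rule-result idref="rule-uid0-root-only"><result>pass</result></rule-result>
    <rule-result idref="rule-outside-profile"><result>notselected</result></rule-result>
    <score system="urn:xccdf:scoring:default" maximum="100.000000">66.666664</score>
  </TestResult>
</Benchmark>
"""


def _namespace(root):
    """Return the XCCDF namespace the document uses, or raise if it is not a Benchmark."""
    for ns in XCCDF_NAMESPACES:
        if root.tag == "{%s}Benchmark" % ns:
            return ns
    raise ValueError("not an XCCDF Benchmark document: %s" % root.tag)


def summarize_results(xml_text):
    """Parse an XCCDF result document and return counts, score and failed rules."""
    root = ET.fromstring(xml_text)
    ns = _namespace(root)
    q = lambda tag: "{%s}%s" % (ns, tag)

    # Rule metadata lives in the benchmark body; results reference it by idref.
    rules = {r.get("id"): r for r in root.iter(q("Rule"))}

    test_result = root.find(q("TestResult"))
    if test_result is None:
        raise ValueError("no TestResult element; was the scan run with --results?")

    profile = test_result.find(q("profile"))
    counts = Counter()
    failed = []
    for rr in test_result.iter(q("rule-result")):
        result = (rr.findtext(q("result")) or "unknown").strip()
        counts[result] += 1
        if result == "fail":
            rule = rules.get(rr.get("idref"))
            failed.append({
                "id": rr.get("idref"),
                "severity": rule.get("severity", "unknown") if rule is not None else "unknown",
                "title": (rule.findtext(q("title")) or "").strip() if rule is not None else "",
            })

    score_el = test_result.find(q("score"))
    score = None
    if score_el is not None:
        value = float(score_el.text)
        maximum = float(score_el.get("maximum", "100"))
        score = {"system": score_el.get("system"), "score": value,
                 "max": maximum, "percent": value / maximum * 100.0}

    return {
        "result_id": test_result.get("id"),
        "profile": profile.get("idref") if profile is not None else "(Default profile)",
        "target": (test_result.findtext(q("target")) or "").strip(),
        "counts": {k: counts.get(k, 0) for k in RESULT_KINDS},
        "total": sum(counts.values()),
        "failed": failed,
        "score": score,
    }


if __name__ == "__main__":
    # Usage: python summarize_xccdf.py results-xccdf.xml  (no argument: the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RESULTS
    s = summarize_results(text)
    print("target:", s["target"], " profile:", s["profile"])
    print("  ".join("%s=%d" % kv for kv in s["counts"].items()), " total=%d" % s["total"])
    if s["score"]:
        print("score %.2f / %.2f (%.2f%%)" % (s["score"]["score"], s["score"]["max"], s["score"]["percent"]))
    for f in s["failed"]:
        print("FAIL [%s] %s: %s" % (f["severity"], f["id"], f["title"]))
```

Run it against the real file with `python summarize_xccdf.py results-xccdf.xml`; the counts it prints should match the Rule Results Summary row of the HTML report, and the severity column lets you triage the 68 failures from the report above by severity before you start remediating. The score is taken from the `<score>` element that oscap computes rather than recomputed, because the default XCCDF scoring model weights rules by group and a naive pass/total ratio would not reproduce it.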