Next, check whether the Exalytics Machine is in compliance with STIG guidelines.
To check STIG compliance:
Navigate to the following link:
For the Linux 6 operating system, perform the following actions:
Under the SCAP 1.1 Content section, click Red Hat 6 STIG Benchmark - Version 1, Release 7, and download the U_RedHat_6_V1R7_STIG_SCAP_1-1_Benchmark.zip file.
To run a scan of the system using the RHEL6 STIG policy, run the following commands:
# export PATH=/usr/bin:/usr/sbin:$PATH
# oscap xccdf eval --results results-xccdf.xml --oval-results --cpe U_RedHat_6_V1R7_STIG_SCAP_1-1_Benchmark-cpe-dictionary.xml U_RedHat_6_V1R7_STIG_SCAP_1-1_Benchmark-xccdf.xml
The "oscap" command generates an output file indicating whether specific tests passed or failed.
To get more details, enter the following command:
# oscap xccdf generate report --output results-xccdf.html results-xccdf.xml
The Scan report is displayed.
Review the Scan report to confirm that specific tests passed.
The output is similar to the following:
Scan Report

Introduction

Test Result
  Result ID:          xccdf_org.open-scap_testresult_default-profile
  Profile:            (Default profile)
  Start time:         2015-04-10 12:16
  End time:           2015-02-10 12:16
  Benchmark:          embedded
  Benchmark version:  1

Target info
  Targets:               <name of the Exalytics Machine>
  Addresses:             127.0.x.xx
                         10.242.xxx.xxx
                         0:0:0:0:0:0:0:x
                         2606:b400:2010:504d:210:e0ff:fe46:xxx
                         fe80:0:0:0:210:e0ff:fe46:xxx
  Applicable platforms:  cpe:/o:redhat:enterprise_linux:6

Score
  system                     score  max     %
  urn:xccdf:scoring:default  80.79  100.00  80.79%

Results overview

Rule Results Summary
  pass:            286
  fixed:           0
  fail:            68
  error:           0
  not selected:    0
  not checked:     0
  not applicable:  0
  informational:   0
  unknown:         0
  total:           354

  Result  Title
  pass    The system must require authentication upon booting into single-user and maintenance modes.
  fail    The Department of Defense (DoD) login banner must be displayed immediately prior to, or as part of, console login prompts.
  pass    The system must disable accounts after three consecutive unsuccessful login attempts.
  pass    The root account must be the only account having a UID of 0.
  pass    The root user's home directory must not be the root directory (/).
  pass    The root account's home directory (other than /) must have mode 0700.
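The failed rules can also be read straight from results-xccdf.xml rather than from the HTML report. The following Python script is an added example, not part of the original procedure. It assumes the results file holds the benchmark's Rule elements next to the TestResult (titles are left blank if it does not), and the embedded sample document and its rule IDs are constructed for illustration.

```python
import sys
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample shaped like an oscap results file; not real scan output.
SAMPLE = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="sample">
  <Group id="g1">
    <Rule id="rule-banner"><title>Login banner must be displayed.</title></Rule>
    <Rule id="rule-uid0"><title>Root must be the only UID 0 account.</title></Rule>
  </Group>
  <TestResult id="sample-result">
    <rule-result idref="rule-banner"><result>fail</result></rule-result>
    <rule-result idref="rule-uid0"><result>pass</result></rule-result>
    <score system="urn:xccdf:scoring:default" maximum="100.0">50.0</score>
  </TestResult>
</Benchmark>"""


def local(tag):
    """Drop the namespace so XCCDF 1.1 and 1.2 documents are both handled."""
    return tag.rsplit("}", 1)[-1]


def child_text(el, name):
    """Text of the first direct child called `name`, or '' if absent."""
    return next(((c.text or "").strip() for c in el if local(c.tag) == name), "")


def summarize(root):
    """Return (result counts, score, maximum, [(rule id, title)] for failures)."""
    titles, counts, failed, score, maximum = {}, Counter(), [], None, None
    for el in root.iter():
        name = local(el.tag)
        if name == "Rule":
            titles[el.get("id")] = child_text(el, "title")
        elif name == "rule-result":
            result = child_text(el, "result") or "unknown"
            counts[result] += 1
            if result == "fail":
                failed.append(el.get("idref"))
        elif name == "score" and score is None:
            score, maximum = float(el.text), float(el.get("maximum", "100"))
    return counts, score, maximum, [(r, titles.get(r, "")) for r in failed]


if __name__ == "__main__":
    # Pass results-xccdf.xml as the argument; without one the sample is used.
    root = ET.parse(sys.argv[1]).getroot() if len(sys.argv) > 1 else ET.fromstring(SAMPLE)
    counts, score, maximum, failed = summarize(root)
    print(dict(counts), f"score {score}/{maximum}")
    for rule_id, title in failed:
        print(f"fail  {rule_id}  {title}")
    sys.exit(1 if failed else 0)
```

The script exits with a nonzero status when any rule failed, so it can gate a scheduled compliance check.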