Red Hat Enterprise Linux 8 DISA STIG

Print This Post Print This Post

DISA has released a draft STIG for RHEL 8 and it’s already been incorporated into the SCAP Security Guide (SSG), the open source tool for scanning systems against SCAP definitions. I can’t find the source document but the content was added to the SSG GitHub repo by an official Red Hat account.

The file states:

This profile contains configuration checks that align to the
[DRAFT] DISA STIG for Red Hat Enterprise Linux 8.

In addition to being applicable to Red Hat Enterprise Linux 8, DISA recognizes this
configuration baseline as applicable to the operating system tier of
Red Hat technologies that are based on Red Hat Enterprise Linux 8, such as:

- Red Hat Enterprise Linux Server
- Red Hat Enterprise Linux Workstation and Desktop
- Red Hat Enterprise Linux for HPC
- Red Hat Storage
- Red Hat Containers with a Red Hat Enterprise Linux 8 image

You can see the commits here. The files need to be compiled before they can be used by any SCAP tools! Follow the directions to compile the content. Not only will the definitions be compiled, but Ansible and Bash scripts as well to remediate RHEL 8 hosts. I’ve only attempted to scan with the OpenSCAP tool and it worked fine. I was also able to run the Bash remediation script without issues. Make sure to back up your host before running the remediation script. It WILL break things!

This release is only a draft and should not be used in production systems without a huge amount of testing.