Updating DISA STIG for RHEL 8 to newer benchmarks

This document provides information about the hotfix that contains Red Hat Linux 8 Benchmark Version 1 Release 0.1. The template implements 266 rules and can be installed on TrueSight Server Automation 21.02 or later versions.

Before you begin

Before you install this hotfix, ensure that you perform the following:

  • Ensure that all compliance content provided by BMC in your environment is updated to at least version 21.02.
  • Save backup copies of the sensors folders, which are present on all Application Servers in your environment. Each sensors folder contains extended object scripts and is located at the following path:
    <Application_Server_installation_directory>/share/sensors

Step 1: Downloading and installing the files

  1. Download the DISA-RedHat8 and extended_objects packages from the following FTP location:

     Verify the downloaded content by using the following checksums:

    | Sr.No | File Name            | MD5SUM                           |
    |-------|----------------------|----------------------------------|
    | 1     | DISA - RedHat 8.zip  | 46c8ac386fc0b3840f29258d96bb0209 |
    | 2     | extended_objects.zip | 00186f167a831555e792808b2fa96abe |

  2. Move the DISA-RedHat8 package to the server where the TrueSight Server Automation console is installed.
  3. Extract the contents from the extended_objects package and move them to a temporary location on all Application Servers.
  4. Replace the extended object scripts in the following directory on all the Application Servers:
    <Application_Server_installation_directory>/share/sensors/
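
The checksum verification from step 1, as an added example that is not part of the original page or of BMC's tooling: a shell script that checks both archives against the MD5 sums listed above and fails if either one is missing or differs. The function names, the script name and the download-directory argument are assumptions.

```shell
#!/bin/bash
# Added example: verify the hotfix archives against the MD5 sums published on
# this page before anything is copied to an Application Server.

# "<md5>  <file name>" pairs, taken from the checksum table in step 1.
HOTFIX_SUMS='46c8ac386fc0b3840f29258d96bb0209  DISA - RedHat 8.zip
00186f167a831555e792808b2fa96abe  extended_objects.zip'

# verify_md5 FILE EXPECTED -> 0 on match, 1 on mismatch, 2 if FILE is missing.
verify_md5() {
    local file="$1" expected actual
    [ -f "$file" ] || { echo "MISSING  $file" >&2; return 2; }
    # Normalise case so an upper-case published digest still compares equal.
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(md5sum < "$file" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        echo "OK       $file"
    else
        echo "MISMATCH $file (got $actual, expected $expected)" >&2
        return 1
    fi
}

# verify_hotfix DIR -> 0 only if every archive named in HOTFIX_SUMS
# is present in DIR and matches its published sum.
verify_hotfix() {
    local dir="$1" sum name failed=0
    # The file name is everything after the digest and may contain spaces.
    while read -r sum name; do
        verify_md5 "$dir/$name" "$sum" || failed=1
    done <<EOF
$HOTFIX_SUMS
EOF
    return "$failed"
}

# Run only when a download directory is given, for example:
#   ./verify_hotfix.sh /tmp/hotfix   (hypothetical script name and path)
[ "$#" -eq 0 ] || verify_hotfix "$1"
```

An MD5 match shows that the archives arrived intact; MD5 is not collision-resistant, so a match does not by itself authenticate the source of the files.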

Step 2: Importing the Compliance Content

  1. Log in to the TrueSight Server Automation console.
  2. Right-click Component Templates and click Import.

  3. Select the Import (Version-neutral) option.

  4. From the directory where you extracted the template files, select the DISA - RedHat 8 zip package and click Next.




  5. To import the templates, select DISA - Red Hat Enterprise Linux 8, and click Next.



    Note

    Ensure that you select the Update objects according to the imported package and Preserve template group path options before you click Next.

  6. Navigate to the last screen of the wizard and click Finish.



    The template is imported successfully.

Rules within the template

The following are the details of the 267 rules provided in the zip package. It contains the following types of rules:

  • Rules that check for compliance and provide remediation - 190

  • Rules that check for compliance but do not provide remediation - 58

  • Rules that do not check for compliance and do not provide remediation - 19

The following are the details of the rules that are divided into parts:

  • Rules not divided into parts - 208

  • Rules divided into two parts - 11 rules, so 11 * 2 = 22

  • Rules divided into three parts - 1 rule, so 1 * 3 = 3

  • Rules divided into four parts - 6 rules, so 6 * 4 = 24

  • Rules divided into ten parts - 1 rule, so 1 * 10 = 10

So, the current rule count as per the DISA - Red Hat Enterprise Linux 8 template after running the compliance job is 267 (208 + 22 + 3 + 24 + 10).

The following tables list the rules with no compliance checks or remediation along with comments.

Rules with compliance checks but no remediation

| Rule IDs | Comments |
|----------|----------|
| RHEL-08-020070, RHEL-08-030180, RHEL-08-010120, RHEL-08-010140, RHEL-08-010150, RHEL-08-040030, RHEL-08-020250, RHEL-08-040070, RHEL-08-040110, RHEL-08-040330 | Remediation might move the system into an irrecoverable state. |
| RHEL-08-010050, RHEL-08-020080, RHEL-08-010070, RHEL-08-020240, RHEL-08-040040, RHEL-08-010160, RHEL-08-010200, RHEL-08-030650, RHEL-08-010400, RHEL-08-010430, RHEL-08-010460, RHEL-08-010470, RHEL-08-020340, RHEL-08-040300, RHEL-08-040310 | Editing file entries requires manual intervention to take effect. |
| RHEL-08-020020, RHEL-08-010020, RHEL-08-010180, RHEL-08-010190, RHEL-08-030620, RHEL-08-030630, RHEL-08-030640, RHEL-08-030740, RHEL-08-010370, RHEL-08-040130, RHEL-08-010380, RHEL-08-010420, RHEL-08-010000, RHEL-08-010530, RHEL-08-010540, RHEL-08-010570, RHEL-08-010580, RHEL-08-010590, RHEL-08-010600, RHEL-08-010610, RHEL-08-010620, RHEL-08-010630, RHEL-08-010640, RHEL-08-010650, RHEL-08-010680, RHEL-08-010710, RHEL-08-010720, RHEL-08-010750, RHEL-08-010800 | System administrator is required to approve configuration changes based on the organizational processes and policies. |
| RHEL-08-010360, RHEL-08-040140 | Remediation is dependent on peripheral devices, which can leave the resource inaccessible to the user or service, if automated. |
| RHEL-08-020030, RHEL-08-020060 | Need additional information from end user to update system configuration and comply with organizational policies. |

Manual rules - rules without any compliance checks or remediation

| Rule IDs | Comments |
|----------|----------|
| RHEL-08-010300, RHEL-08-010310, RHEL-08-010320, RHEL-08-010690 | More of an informational rule that requires manual interpretation. The checklist does not recommend any commands for checking these conditions. |
| RHEL-08-020000, RHEL-08-010100, RHEL-08-010090, RHEL-08-020090, RHEL-08-040020, RHEL-08-030000, RHEL-08-010010, RHEL-08-040320, RHEL-08-020320, RHEL-08-010700 | As an administrator, review these values based on the organization policy. |
| RHEL-08-020050, RHEL-08-020270, RHEL-08-010030, RHEL-08-040090, RHEL-08-040150 | Changing the settings when you are connected to the network can result in being locked out of the system. |
