Updating DISA STIG for RHEL 8 to newer benchmarks
This document provides information about the hotfix containing Red Hat Linux 8 Benchmark Version 1 Release 0.1. This template contains implementation for 266 rules that can be installed on TrueSight Server Automation 21.02 or later versions.
Before you begin
Before you install this hotfix, ensure that you perform the following:
- Ensure that all compliance content provided by BMC in your environment is at least updated to version 21.02.
- Save backup copies of the sensors folders, which are present on all Application Servers in your environment. The sensors folders contain extended object scripts and is located at the following path:
Step 1: Downloading and installing the files
Download the DISA-RedHat8 and extended_objects packages from the following FTP location:
Click here to expand checksum related infromation
Verify the downloaded content by using the following check sums.
DISA - RedHat 8.zip
- Move the DISA-RedHat8 package to the server where the TrueSight Server Automation console is installed.
- Extract the contents from the extended_objects package and move them to a temporary location on all Application Servers.
- Replace the extended object scripts in the following directory on all the Application Servers:
Step 2: Importing the Compliance Content
- Log in to the TrueSight Server Automation console.
- Right-click Component Templates and click Import.
- Select the Import (Version-neutral) option.
- From the directory where you extracted the template files, select the DISA - RedHat 8 zip package and click Next.
To import the templates, select DISA - Red Hat Enterprise Linux 8, and click Next.
Ensure that you select the Update objects according to the imported package and Preserve template group path options before you click Next.
Navigate to the last screen of the wizard and click Finish.
The template is imported successfully.
Rules within the template
The following are the details of the 267 rules provided in the zip package. It contains the following types of rules:
Rules that check for compliance and provides remediation - 190
Rules that check for compliance but do not provide remediation - 58
Rules that do not check for compliance and do not provide remediation - 19
The following are the details of the rules that are divided into parts:
Rules not divided into parts - 208
Rules Divided into two parts - (11 Rules divided into 2 parts) so (11 * 2) = 22
Rules Divided into three parts - (1 Rule divided into 3 parts) so (1 * 3) = 3
Rules Divided into four parts - (6 Rules is divided into 4 parts) so (6 * 4) = 24
Rules Divided into ten parts - (1 Rule is divided into 10 parts) so (1 * 10) = 10
So, the current rule count as per DISA - Red Hat Enterprise Linux 8 template after running the compliance job is 267 (208 + 22 + 3+ 24 + 10).
The following tables list the rules with no compliance checks or remediation along with comments.
Rules with compliance checks but no remediation
|RHEL-08-020070, RHEL-08-030180, RHEL-08-010120, RHEL-08-010140, RHEL-08-010150, RHEL-08-040030, RHEL-08-020250, RHEL-08-040070, RHEL-08-040110, RHEL-08-040330,RHEL-08-020070||Remediation might move the system into an irrecoverable state.|
|RHEL-08-010050, RHEL-08-020080, RHEL-08-010070, RHEL-08-020240, RHEL-08-040040, RHEL-08-010160, RHEL-08-010200, RHEL-08-030650, RHEL-08-010400, RHEL-08-010430, RHEL-08-010460, RHEL-08-010470, RHEL-08-020340, RHEL-08-040300, RHEL-08-040310||Editing file entries require manual intervention to take effect.|
|RHEL-08-020020, RHEL-08-010020, RHEL-08-010180, RHEL-08-010190, RHEL-08-030620, RHEL-08-030630, RHEL-08-030640, RHEL-08-030740, RHEL-08-010370, RHEL-08-040130, RHEL-08-010380, RHEL-08-010420, RHEL-08-010000, RHEL-08-010530, RHEL-08-010540, RHEL-08-010570, RHEL-08-010580, RHEL-08-010590, RHEL-08-010600, RHEL-08-010610, RHEL-08-010620, RHEL-08-010630, RHEL-08-010640, RHEL-08-010650, RHEL-08-010680, RHEL-08-010710, RHEL-08-010720, RHEL-08-010750, RHEL-08-010800|
System administrator is required to approve configuration changes based on the organizational processes and policies.
|Remediation is dependent on peripheral devices, which can leave the resource inaccessible to the user or service, if automated.|
|RHEL-08-020030, RHEL-08-020060||Need additional information from end user to update system configuration and comply with organizational policies.|
Manual rules - rules without any compliance checks or remediation
|RHEL-08-010300, RHEL-08-010310, RHEL-08-010320, RHEL-08-010690||More of an informational rule that requires manual interpretation. The checklist does not recommend any commands for checking these conditions.|
|RHEL-08-020000, RHEL-08-010100, RHEL-08-010090, RHEL-08-020090, RHEL-08-040020, RHEL-08-030000, RHEL-08-010010, RHEL-08-040320, RHEL-08-020320, RHEL-08-010700||As an administrator, review these values based on the organization policy.|
|RHEL-08-020050, RHEL-08-020270, RHEL-08-010030, RHEL-08-040090, RHEL-08-040150|
Changing the settings when you are connected to the network can result in being locked out of the system.