Complementing the DISA benchmark using the SSG content


Some organizations must use the official DISA benchmark. However, the STIG profile provided by the SCAP Security Guide has larger automated coverage than the official DISA benchmark, which reduces the manual effort needed to check and remediate the gaps the official DISA benchmark does not cover. This article describes how to combine the two.

Environment:

  • Red Hat Enterprise Linux 7
  • Red Hat Enterprise Linux 8

Resolution:

You can complement the official DISA benchmark using the SCAP Security Guide (SSG) content. Red Hat automated the creation of a tailoring file whose profile extends the STIG profile delivered in SSG but deselects every rule already covered by the official DISA benchmark. Evaluating a system against this tailored profile, in addition to the official benchmark, increases the automated compliance coverage of the system.

The scap-security-guide package includes the tailored files for RHEL 8.6 and newer. If you use RHEL 7 or RHEL 8.5 and earlier, you can download a corresponding tailored file attached to this article.

  • For example, if you downloaded the rhel8_stig_delta_tailoring.xml file to the /tmp directory, use the following command on your RHEL 8 system:

    $ oscap xccdf eval --profile stig --report /tmp/report.html --tailoring-file /tmp/rhel8_stig_delta_tailoring.xml /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml

  • To check the results, enter:

    $ firefox /tmp/report.html
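The structure of such a delta tailoring file, shown as an added Python example that is not Red Hat's generator or the attached file: an XCCDF 1.2 Tailoring document whose profile extends the SSG stig profile and deselects the rules the DISA benchmark already checks. The rule ids, the covered-rule list and the new profile id (which is what you would then pass to --profile) are constructed assumptions.

```python
import xml.etree.ElementTree as ET

XCCDF = "http://checklists.nist.gov/xccdf/1.2"
ET.register_namespace("xccdf", XCCDF)

# Constructed stand-in for the rules selected by the SSG "stig" profile (illustrative names).
SSG_STIG_RULES = [
    "xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen",
    "xccdf_org.ssgproject.content_rule_sshd_disable_root_login",
    "xccdf_org.ssgproject.content_rule_audit_rules_login_events",
    "xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_ip_forward",
]

# Constructed list of SSG rules whose checks the official DISA benchmark already automates.
# A real delta is derived from the STIG-ID references carried by both sets of rules.
COVERED_BY_DISA = {
    "xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen",
    "xccdf_org.ssgproject.content_rule_sshd_disable_root_login",
}


def build_delta_tailoring(base_profile, rules, covered, new_profile_id, benchmark_href):
    """Return an XCCDF Tailoring document (bytes) whose profile extends base_profile
    and carries a <select selected="false"> for every rule in `covered`."""
    tag = lambda name: f"{{{XCCDF}}}{name}"
    tailoring = ET.Element(tag("Tailoring"), id="xccdf_org.example_tailoring_stig_delta")
    ET.SubElement(tailoring, tag("benchmark"), href=benchmark_href)
    # XCCDF requires a version element with a time attribute on a Tailoring.
    ET.SubElement(tailoring, tag("version"), time="2024-01-01T00:00:00").text = "1"
    profile = ET.SubElement(tailoring, tag("Profile"), id=new_profile_id, extends=base_profile)
    ET.SubElement(profile, tag("title")).text = "STIG rules not covered by the DISA benchmark"
    for rule in rules:
        if rule in covered:
            ET.SubElement(profile, tag("select"), idref=rule, selected="false")
    return ET.tostring(tailoring, encoding="utf-8", xml_declaration=True)


def deselected_rules(tailoring_xml):
    """Parse a tailoring document back and list the rule ids it turns off."""
    root = ET.fromstring(tailoring_xml)
    return sorted(s.get("idref") for s in root.iter(f"{{{XCCDF}}}select")
                  if s.get("selected") == "false")


if __name__ == "__main__":
    doc = build_delta_tailoring("xccdf_org.ssgproject.content_profile_stig", SSG_STIG_RULES,
                                COVERED_BY_DISA, "xccdf_org.ssgproject.content_profile_stig_delta",
                                "/usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml")
    print(doc.decode())
```

Rules that are neither selected nor deselected in the tailoring profile keep the selection they inherit from the extended stig profile, so only the rules the DISA benchmark already covers are skipped.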