2 Replies Latest reply on Jul 9, 2013 11:19 AM by Bill Robinson

    DISA STIG compliance checking and remediation - RHEL

      Our site has the need to perform DISA STIG compliance checking for the newer RHEL5 and RHEL6 guidance released from DISA.


      We would like to utilize the BSA reporting server to report results to our internal customers.  Additionally, we want to be able to remediate servers per individual STIG check.


      After my initial look at the SCAP content in BL, it appears that its results are not exported to the reporting server.  The only way I can think of to accomplish this task is to write my own component template to perform compliance checks and remediation.  This is a large task and I do not want to "re-invent the wheel".


      Does anyone have suggestions for a solution for performing STIG compliance with selective remediation?

        • 1. Re: DISA STIG compliance checking and remediation - RHEL
          Joe Piotrowski

          You are correct. DISA offers SCAP analysis which you can download and plug into BSA and immediately run against your servers. But the results aren't captured on the BDSSA side and, if I'm not mistaken, you have to export the results per individual server in an XML format. You can't get an overall environment results report. And you don't get remediation.


          In order to get the reports in BDSSA and have selective remediation you need to create your own STIG compliance within BSA with Component Templates and BLPackages.


          I recently did this but for Windows 2008 R2 servers, not RHEL. This is obviously time consuming. One of our architects wrote some code that at least created the framework for me (automatically created all the Rules with a default rule based on the DISA STIG text) and I went back in and modified the rules and created remediation packages as I went along.


          If you go this route I can see if I can make that content available for public use.
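Building on the point above that results come out of BSA as one XML export per server, here is an added example (my own code, not from the thread, BMC or DISA) that aggregates per-host XCCDF TestResult exports into the environment-wide, per-rule view the original poster wants, plus the list of hosts failing each check for selective remediation. The host names and rule ids in the sample are constructed; real STIG exports carry DISA SV-/rule identifiers.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample: two per-host XCCDF 1.2 TestResult exports with made-up
# host names and rule ids (not real DISA identifiers).
SAMPLE_EXPORTS = {
    "rhel6-web01": """<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_result_1">
  <rule-result idref="SV-example-1"><result>pass</result></rule-result>
  <rule-result idref="SV-example-2"><result>fail</result></rule-result>
  <rule-result idref="SV-example-3"><result>notapplicable</result></rule-result>
</TestResult>""",
    "rhel6-db01": """<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_result_2">
  <rule-result idref="SV-example-1"><result>fail</result></rule-result>
  <rule-result idref="SV-example-2"><result>fail</result></rule-result>
  <rule-result idref="SV-example-3"><result>pass</result></rule-result>
</TestResult>""",
}

def parse_test_result(xml_text):
    """Return {rule_id: result} from one XCCDF TestResult (or a Benchmark containing one).
    The {*} wildcard (Python 3.8+) matches both the XCCDF 1.1 and 1.2 namespaces."""
    results = {}
    for rr in ET.fromstring(xml_text).iterfind(".//{*}rule-result"):
        verdict = rr.findtext("{*}result")
        if rr.get("idref") and verdict:
            results[rr.get("idref")] = verdict.strip()
    return results

def aggregate(exports):
    """Cross-host view {rule_id: {"pass": [hosts], "fail": [hosts], "other": [hosts]}}.
    Verdicts other than pass/fail (error, unknown, notapplicable, notchecked, ...) are
    kept in "other" so they stay visible instead of being silently counted as compliant."""
    summary = defaultdict(lambda: {"pass": [], "fail": [], "other": []})
    for host, xml_text in exports.items():
        for rule_id, verdict in parse_test_result(xml_text).items():
            bucket = verdict if verdict in ("pass", "fail") else "other"
            summary[rule_id][bucket].append(host)
    return dict(summary)

def failing_hosts(summary, rule_id):
    """Hosts to target for remediation of one STIG check."""
    return sorted(summary.get(rule_id, {}).get("fail", []))

def compliance_rate(summary, rule_id):
    """pass / (pass + fail) for one rule, or None when no host was actually checked."""
    b = summary.get(rule_id, {"pass": [], "fail": []})
    checked = len(b["pass"]) + len(b["fail"])
    return len(b["pass"]) / checked if checked else None
```

Feeding it the real per-server exports gives one table of pass rates and failing hosts per rule, which is the input a per-check remediation job or a BDSSA-style report needs.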

          • 2. Re: DISA STIG compliance checking and remediation - RHEL
            Bill Robinson

            The SCAP standard does not have a reporting spec - that said, I believe it's something we are looking at.  SCAP also does not provide a remediation spec either, which is why you cannot remediate w/ SCAP.


            We are working on providing updates to the CT-based STIG checks, though I don't have an ETA on that.  For now the best bet would be updating the existing templates w/ the most recent STIG changes.