Applying Remediations

The hardened Oracle Linux STIG Image can't be configured for all the recommended guidance. You must manually finalize any configurations not included in the Oracle Linux STIG Image instance.

For each security rule established by DISA, instructions to apply the appropriate security configuration are provided in the corresponding Oracle Linux Security Technical Implementation Guide.

Important

Some changes to the image might affect the instance's default Oracle Cloud Infrastructure account. If you decide to enforce a rule, study the information about each rule and the reasons for exclusion to fully understand the potential impact on the instance.

Using the Checklist to View Additional Configurations

Use the checklists provided with the Oracle Linux STIG image to view additional "Release Notes" on areas of guidance not included in the image, which might require additional configuration. The release notes identify additional configurations that might affect the instance's default Oracle Cloud Infrastructure account.

Accessing the Checklist

The Oracle Linux STIG image includes DISA STIG Viewer checklists for both the DISA STIG Benchmark and SCAP Security Guide (SSG) "stig" profile aligned with DISA STIG for Oracle Linux. These checklists are located in the /usr/share/xml/stig directory. See Revision History for the specific filename associated with each release.

  • OL<release>_SSG_STIG_<stig-version>_CHECKLIST_RELEASE.ckl - checklist for DISA STIG for Oracle Linux using the SSG "stig" profile scan results.
  • OL<release>_DISA_BENCHMARK_<stig-version>_CHECKLIST_RELEASE.ckl - checklist for DISA STIG Benchmark for Oracle Linux using the SCC Oracle_Linux_<release>_STIG profile scan results.

Viewing the Checklist Release Notes

  1. Download the DISA STIG Viewer tool from: https://public.cyber.mil/stigs/srg-stig-tools/
  2. Open the STIG Viewer tool.
  3. Under Checklist, select Open Checklist from File... and navigate to the checklist file.
  4. Expand the Filter Panel and add the following filter:
    • Must Match: ALL
    • Filter by: Keyword
    • Filter type: Inclusive (+) Filter
    • Keyword: Oracle Release Notes
  5. The release notes offer additional information for the rules:
    • Open - Rules which have been excluded or deemed out of scope.
      • Excluded - Rules which might affect the instance's default Oracle Cloud Infrastructure account and have been excluded from remediation for the Oracle Linux STIG Image.
      • Out of Scope - Rules which are out of scope for remediation on the current release but might be considered for remediation in a future release.
    • Not Applicable - Rules which have been deemed not applicable to the Oracle Linux STIG Image.
    • Not reviewed - Rules which are out of scope for remediation on the current release but might be considered for remediation in a future release.
  6. For each rule, ensure you fully understand the implications to the instance before applying remediation.
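
On an instance without a desktop, the same keyword filter can be applied to the checklist file directly. The following is an added example, not part of Oracle's documentation or tooling: it assumes the standard STIG Viewer .ckl XML layout (VULN elements with STIG_DATA, STATUS, FINDING_DETAILS and COMMENTS) and that the release notes appear as text inside each rule's VULN element. The embedded sample checklist, its rule IDs and its notes are constructed placeholders.

```python
import sys
import xml.etree.ElementTree as ET
from collections import defaultdict

KEYWORD = "Oracle Release Notes"  # keyword used in the STIG Viewer filter

# Constructed sample in .ckl layout; IDs, titles and notes are placeholders.
SAMPLE_CKL = """<CHECKLIST><STIGS><iSTIG>
<VULN><STIG_DATA><VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE><ATTRIBUTE_DATA>V-000001</ATTRIBUTE_DATA></STIG_DATA>
<STIG_DATA><VULN_ATTRIBUTE>Rule_Title</VULN_ATTRIBUTE><ATTRIBUTE_DATA>Placeholder rule A</ATTRIBUTE_DATA></STIG_DATA>
<STATUS>Open</STATUS><COMMENTS>Oracle Release Notes: Excluded (placeholder)</COMMENTS></VULN>
<VULN><STIG_DATA><VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE><ATTRIBUTE_DATA>V-000002</ATTRIBUTE_DATA></STIG_DATA>
<STIG_DATA><VULN_ATTRIBUTE>Rule_Title</VULN_ATTRIBUTE><ATTRIBUTE_DATA>Placeholder rule B</ATTRIBUTE_DATA></STIG_DATA>
<STATUS>Not_Applicable</STATUS><COMMENTS>Oracle Release Notes: placeholder</COMMENTS></VULN>
<VULN><STIG_DATA><VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE><ATTRIBUTE_DATA>V-000003</ATTRIBUTE_DATA></STIG_DATA>
<STIG_DATA><VULN_ATTRIBUTE>Rule_Title</VULN_ATTRIBUTE><ATTRIBUTE_DATA>Placeholder rule C</ATTRIBUTE_DATA></STIG_DATA>
<STATUS>Not_Reviewed</STATUS><COMMENTS>Oracle Release Notes: placeholder</COMMENTS></VULN>
<VULN><STIG_DATA><VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE><ATTRIBUTE_DATA>V-000004</ATTRIBUTE_DATA></STIG_DATA>
<STIG_DATA><VULN_ATTRIBUTE>Rule_Title</VULN_ATTRIBUTE><ATTRIBUTE_DATA>Placeholder rule D</ATTRIBUTE_DATA></STIG_DATA>
<STATUS>NotAFinding</STATUS><COMMENTS></COMMENTS></VULN>
</iSTIG></STIGS></CHECKLIST>"""

def attr(vuln, name):
    """Return the ATTRIBUTE_DATA text for a named VULN_ATTRIBUTE, or ''."""
    for sd in vuln.iter("STIG_DATA"):
        if sd.findtext("VULN_ATTRIBUTE") == name:
            return sd.findtext("ATTRIBUTE_DATA") or ""
    return ""

def release_notes(path=None, keyword=KEYWORD):
    """Group rules containing keyword by STATUS; parses SAMPLE_CKL if path is None."""
    root = ET.parse(path).getroot() if path else ET.fromstring(SAMPLE_CKL)
    grouped = defaultdict(list)
    for vuln in root.iter("VULN"):
        # Assumption: match anywhere in the rule's text, case-insensitively.
        if keyword.lower() in " ".join(vuln.itertext()).lower():
            note = (vuln.findtext("COMMENTS") or vuln.findtext("FINDING_DETAILS") or "").strip()
            grouped[vuln.findtext("STATUS") or "unknown"].append(
                (attr(vuln, "Vuln_Num"), attr(vuln, "Rule_Title"), note))
    return dict(grouped)

def main(argv):
    for status, rules in sorted(release_notes(argv[1] if len(argv) > 1 else None).items()):
        print(f"{status} ({len(rules)})")
        for num, title, note in rules:
            print(f"  {num}  {title}\n      {note}")

if __name__ == "__main__":
    main(sys.argv)
```

Pass the path to a checklist under /usr/share/xml/stig as the first argument; with no argument the script runs against the embedded sample.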