Oracle Linux STIG Image
The Oracle Linux STIG Image is an implementation of Oracle Linux that follows the Security Technical Implementation Guide (STIG).
With the STIG image, you can configure an Oracle Linux instance in Oracle Cloud Infrastructure that follows certain security standards and requirements set by the Defense Information Systems Agency (DISA).
- What's a STIG?
- How's STIG Compliance Assessed?
- Compliance Targets
- Applying Remediations
- Rescanning an Instance for Compliance
- Revision History for Oracle Linux STIG Images
Oracle updates the Oracle Linux STIG Image regularly with the latest security errata. This document is updated whenever the STIG benchmark changes, or when changes in the security guidance require manual configuration of the image. See Revision History for Oracle Linux STIG Images for specific changes made in each release.
Any changes made to an Oracle Linux STIG Image instance (such as installing other applications or modifying the configuration settings) might impact the compliance score. After making any changes, rescan the instance to check for compliance
What's a STIG?
A Security Technical Implementation Guide (STIG) is a document written by the Defense Information Systems Agency (DISA). It provides guidance on configuring a system to meet cybersecurity requirements for deployment within the Department of Defense (DoD) IT network systems. STIG requirements help secure the network against cybersecurity threats by focusing on infrastructure and network security to mitigate vulnerabilities. Compliance with STIGs is a requirement for DoD agencies, or any organization that's a part of the DoD information networks (DoDIN).
The Oracle Linux STIG image helps automate compliance by providing a hardened version of the standard Oracle Linux image. The image is hardened to follow STIG guidelines. However, the image can't meet all STIG requirements and might require additional manual remediation.
Downloading the Latest STIG
DISA provides quarterly updates to the STIGs. This documentation was created using the latest STIG available at the time of publication. However, always use the latest STIG when assessing your system.
Download the latest at STIG https://public.cyber.mil/stigs/downloads/. Search for Oracle Linux and then download the appropriate zip file.
Optionally, use the DISA STIG Viewer from https://public.cyber.mil/stigs/srg-stig-tools/. Then, import in the STIG's xccdf.xml file to view the STIG rules.
How's STIG Compliance Assessed?
Compliance assessment often begins with a scan using a Security Content Automation Protocol (SCAP) compliance checker tool. The tool uses a STIG (uploaded in SCAP format) to analyze the security of a system. However, the tool doesn't always test for all rules within a STIG and some STIGs might not have SCAP versions. In these cases, an auditor needs to check the system manually for compliance by going through the STIG rules not covered by the tool.
The following tools are available for automating compliance assessment:
-
SCAP Compliance Checker (SCC): A tool developed by DISA that can run an evaluation using either the DISA STIG Benchmark or an OpenSCAP upstream profile. Commonly, the DISA STIG Benchmark is used for compliance scanning when using the SCC tool.
Important
To scan Arm architecture (aarch64), you must use SCC version 5.5 or later. -
OpenSCAP: An open source utility available through yum that can run an evaluation using either the DISA STIG Benchmark or an OpenSCAP upstream profile. Oracle Linux distributes an SCAP Security Guide (SSG) package that contains system release specific profiles. For example, the SCAP datastream
ssg-ol7-ds.xmlfile provided by the SSG package includes the DISA STIG for Oracle Linux 7 profile. One advantage to using the OpenSCAP tool is that SSG provides Bash or Ansible scripts to automate remediation and bring the system to a compliant state.Caution
Automatic remediation using scripts might lead to undesired system configuration or make a system nonfunctional. Test the remediation scripts in a nonproduction environment.
See Rescanning an Instance for Compliance for information on running the compliance tools and generating a scan report.
Compliance Targets
The Oracle Linux STIG image contains additional remediations for rules not addressed by the DISA STIG Benchmark. Use the SSG "stig" profile aligned with DISA STIG for Oracle Linux to extend automation on the previously unaddressed rules and determine compliance against the complete DISA STIG.
Two DISA STIG Viewer checklist files are provided with the image, which are based on scan results from SCC and OpenSCAP. The checklist for the DISA STIG Benchmark uses the SCC scan results, while the checklist for the SSG "stig" profile uses the OpenSCAP scan results. These checklists contain comments by Oracle for areas of the image that don't meet guidance. See Using the Checklist to View Additional Configurations.
The higher compliance scores for the DISA STIG Benchmark reflect a more limited scope of rules compared to the complete DISA STIG. However, the SSG "stig" profile accounts for the full DISA STIG, providing a more comprehensive evaluation of the image's compliance.
Oracle Linux 8
Oracle Linux 8 STIG images follow the DISA security standards and are hardened according to the Oracle Linux 8 DISA STIG. For the latest Oracle Linux 8 STIG Image release, the compliance target is the DISA STIG for Oracle Linux 8 Ver 1, Rel 10. The scap-security-guide package (minimum version 0.1.73-1.0.1) available through yum contains the SSG "stig" profile aligned with DISA STIG for Oracle Linux 8 Ver 1, Rel 10.
- Compliance Information for Oracle Linux 8.10 September 2024 STIG images:
-
Target: SSG "stig" profile aligned with DISA STIG for Oracle Linux 8 Ver 1, Rel 10
- Checklist Compliance Score for x86_64: 74.63%
- Checklist Compliance Score for aarch64: 74.55%
Target: DISA STIG for Oracle Linux 8 Ver 1, Rel 8 Benchmark profile
- Checklist Compliance Score for x86_64: 80.57%
- Checklist Compliance Score for aarch64: 80.57%
Oracle Linux 7 (extended support)
Oracle Linux 7 STIG images follow the DISA security standards and are hardened according to the Oracle Linux 7 DISA STIG. For the latest Oracle Linux 7 STIG Image release, the compliance target has transitioned to the DISA STIG Ver 3, Rel 1. The scap-security-guide package (minimum version 0.1.73-1.0.3) available through yum contains the SSG "stig" profile aligned with DISA STIG for Oracle Linux 7 Version 3, Release 1.
- Compliance Information for Oracle Linux 7.9 February 2025 STIG images:
-
Target: SSG "stig" profile aligned with DISA STIG for Oracle Linux 7 Ver 3, Rel 1
- Checklist Compliance Score x86_64: 81.65%
- Checklist Compliance Score aarch64: 81.65%
Target: DISA STIG for Oracle Linux 7 Ver 3, Rel 1 Benchmark profile
- Checklist Compliance Score x86_64: 91.71%
- Checklist Compliance Score aarch64: 91.71%
Note
The STIG standard from DISA had no significant changes, other than wording, between Oracle Linux 7 Ver 3, Rel 1 and Oracle Linux 7 Ver 2, Rel 14. Because of this, any system compliant with Oracle Linux 7 Ver 2, Rel 14 is also compliant with Oracle Linux 7 Ver 3, Rel 1.
Creating and Connecting to an Instance
More Information
Use these resources for additional information on the Oracle Linux STIG Image.
-
Department of Defense web resources at https://public.cyber.mil/.
-
For DISA STIG and SCAP catalogs, see the following resources:
-
STIG catalog at https://public.cyber.mil/stigs/.
-
SCAP catalog at https://public.cyber.mil/stigs/scap/.
-