Rescanning an Instance for Compliance

Use the SCC or OpenSCAP tool to scan the instance to verify it remains compliant.

Changes to an Oracle Linux STIG Image instance (such as installing other applications or adding new configuration settings) can affect compliance. We recommend scanning to check that the instance is compliant after any changes. In addition, you might need to perform subsequent scans to check for regular, quarterly DISA STIG updates.

Using the OpenSCAP Tool

The OpenSCAP tool is available in Oracle Linux and is certified by the National Institute of Standards and Technology (NIST).

  1. Sign in to your Oracle Linux STIG Image instance.
  2. Install the openscap-scanner package.
    sudo yum install openscap-scanner
  3. Identify the XCCDF or datastream file to use for the scan.

    To use the SSG "stig" profile:

    1. Install the scap-security-guide package.
      sudo yum install scap-security-guide
    2. Locate the file to use for the scan found in /usr/share/xml/scap/ssg/content.

    To use the Oracle Linux DISA STIG Benchmark:

    1. Go to https://public.cyber.mil/stigs/downloads/.
    2. Search for Oracle Linux and download the appropriate DISA STIG Benchmark file.
    3. Unzip the file after downloading it.
  4. To perform a scan, run the following command:
    sudo oscap xccdf eval --profile profile-name \
    --results=path-to-results.xml --oval-results \
    --report=path-to-report.html \
    --check-engine-results \
    --stig-viewer=path-to-stig-viewer-report.xml \
    path-to-xccdf-document

    For other options that you can use with the oscap command, see Using OpenSCAP to Scan for Vulnerabilities in the Oracle® Linux 7: Security Guide and Oracle Linux 8: Using OpenSCAP for Security Compliance.

  5. Check the path-to-report.html file for the evaluation results.
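
Added example, not part of the Oracle documentation: a small POSIX shell script that wraps the oscap command from step 4 with the SSG "stig" profile and then lists the rules recorded as "fail" in the results XML, which is the fastest way to see what a change to the instance broke. The datastream name ssg-ol7-ds.xml, the output directory and the helper names are assumptions; the sample results file is constructed, not real scan output.

```shell
#!/bin/sh
# Added example (not from the Oracle docs). Assumed: the SSG datastream is
# ssg-ol7-ds.xml and scan artifacts go under /var/tmp/stig-scan.

SSG_DIR=/usr/share/xml/scap/ssg/content

# Run the SSG "stig" profile and keep every artifact the doc mentions.
# oscap exits 0 when all rules pass, 2 when at least one rule fails and
# 1 on error, so a caller can tell "non-compliant" from "scan broken".
scan_stig() {
    ds=${1:-$SSG_DIR/ssg-ol7-ds.xml}      # assumed datastream path
    out=${2:-/var/tmp/stig-scan}          # assumed output directory
    mkdir -p "$out"
    sudo oscap xccdf eval --profile stig \
        --results="$out/results.xml" --oval-results \
        --report="$out/report.html" \
        --check-engine-results \
        --stig-viewer="$out/stig-viewer.xml" \
        "$ds"
}

# Print the idref of every <rule-result> whose <result> is "fail".
failed_rules() {
    awk '
        /<rule-result[ >]/ {
            if (match($0, /idref="[^"]*"/))
                id = substr($0, RSTART + 7, RLENGTH - 8)
        }
        /<result>fail<\/result>/ { print id }
    ' "$1"
}

# Number of failed rules, printed as a single integer.
count_failed() {
    failed_rules "$1" | wc -l | tr -d ' '
}

# Constructed sample in the shape oscap writes, so the summary helpers can
# be exercised offline without running a scan.
write_sample_results() {
    cat > "$1" <<'EOF'
<TestResult>
  <rule-result idref="xccdf_org.ssgproject.content_rule_a" time="2021-09-23T00:00:00">
    <result>pass</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_b">
    <result>fail</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_c"><result>fail</result></rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_d">
    <result>notapplicable</result>
  </rule-result>
</TestResult>
EOF
}
```

Run `scan_stig` after any change to the instance and then `failed_rules /var/tmp/stig-scan/results.xml` to get the list of rule ids to look up in report.html.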

Using the SCC Tool

The SCC (SCAP Compliance Checker) tool is the official tool for checking compliance with US government (DISA STIG) requirements and can be used to scan an Oracle Linux STIG Image instance.

Important

To scan Arm architecture (aarch64), you must use SCC version 5.5 or later.

For instructions on using the SCC tool, see the SCAP Tools table at https://public.cyber.mil/stigs/scap/.

  1. Obtain the SCC tool from the table at https://public.cyber.mil/stigs/scap/.
  2. Install the tool (the rpm step needs root privileges).
    unzip scc-5.4.2_rhel7_sles12-15_oracle-linux7_x86_64_bundle.zip
    cd scc-5.4.2_rhel7_x86_64/
    sudo rpm -i scc-5.4.2.rhel7.x86_64.rpm
  3. Zip the SCAP content .xml file before importing it into the SCC tool.

    For the SSG "stig" profile:

    zip ssg_content.zip /usr/share/xml/scap/ssg/content/xml-document
    /opt/scc/cscc -is ssg_content.zip

    For the Oracle Linux DISA STIG Benchmark:

    zip scap_content.zip path-to-disa-benchmark-xml-document
    /opt/scc/cscc -is scap_content.zip
  4. Configure SCC to scan against the imported content.
    /opt/scc/cscc --config
  5. Perform the scan using the command-line menu:
    1. Enter 1 to configure SCAP content.
    2. Enter clear and then enter the number that matches the imported SCAP content.

      In the following example, you would enter 2 for the imported SCAP content for Oracle Linux 7.

      SCC 5.4.2 Available SCAP Content                        [Version]  [Date]    
      1.  [ ]  Mozilla_Firefox_RHEL                           005.003    2021-06-09
      2.  [X]  OL-7                                           0.1.54     2021-09-23
      3.  [ ]  Oracle_Linux_7_STIG                            002.004    2021-06-14
      4.  [ ]  RHEL_6_STIG                                    002.002    2020-12-04
      5.  [ ]  RHEL_7_STIG                                    003.004    2021-06-14
      6.  [ ]  RHEL_8_STIG                                    001.002    2021-06-14
      7.  [ ]  SLES_12_STIG                                   002.004    2021-06-14
      
    3. Enter 0 to return to the main menu.
    4. Enter 2 to configure the SCAP profile.
    5. Enter 1 to select the profile. Verify "stig" is selected.
      Available Profiles for OL-7
      
      1.  [ ] no_profile_selected
      2.  [X] stig
    6. Return to the main menu. Enter 9 to save changes and perform a scan on the system.
      The scan might take 25 to 30 minutes.