
Oracle Linux 7 STIG Checklist (Ver 3, Rel 4)

Medium 16 items · 2 hours
testuser Published 1 month ago

This checklist provides a concise, actionable workflow to assess and remediate Oracle Linux 7 systems against the DISA STIG (Ver 3, Rel 4). It’s designed for system administrators and security teams who need to run SCAP/XCCDF scans, apply STIG remediations, and maintain compliance over time.

Source: https://ncp.nist.gov/checklist/948

  1. Download Oracle Linux 7 STIG benchmark (Ver 3, Rel 4) — Obtain the official STIG from DISA or the NIST checklist repository.
  2. Download SCAP and XCCDF content — Get SCAP 1.3 content, standalone XCCDF, and SCC automated content for OL7.
  3. Download Standalone XCCDF (Ver 3, Rel 5) from DISA/NIST — Use XCCDF for manual review and tools that accept XCCDF inputs.
  4. Download Automated SCC content for Oracle Linux 7 (SCC 5.14) — Use SCC/SCC-compliant content for automated scanners and tools.
  5. Verify system CPE and Oracle Linux 7 version — Confirm cpe:/o:oracle:linux:7.0 (or later) to ensure STIG applicability.
  6. Backup current system and configuration files — Snapshot system and copy /etc, /var/log, and key config files before changes.
  7. Apply all available security patches and updates — Use yum/dnf and reboot if required to bring system up to date.
  8. Run a SCAP/XCCDF compliance scan with the downloaded content — Use oscap or SCC against the SCAP/XCCDF content to produce a results report for review.
  9. Review scan results and prioritize findings — Focus remediation on critical and high-severity findings first.
  10. Implement STIG remediations for critical/high findings — Apply configuration changes, packages, or settings required and retest.
  11. Harden services: disable unnecessary daemons and close open ports — Examples: remove/disable telnet, rsh, unused network services, and unneeded packages.
  12. Enable and configure auditd and centralized logging — Ensure audit rules are set and logs are retained and forwarded to a central collector.
  13. Enforce password and account policies per GPOS SRG — Set complexity, lockout, expiration, and minimum age policies as required.
  14. Schedule regular compliance scans and maintenance windows — Automate scans and plan remediation windows to maintain continuous compliance.
  15. Document changes, maintain change control, and record evidence — Keep tickets, config snapshots, and screenshots as proof of remediation.
  16. Track DISA updates and refresh SCC resources regularly — Subscribe to DISA/NIST updates and update local STIG/SCC content when released.
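Steps 8 and 9 above produce an XCCDF results file (for example from `oscap xccdf eval --results`) and then ask you to prioritise findings by severity. The following Python script is an added example, not part of the checklist or of any DISA/NIST tooling: it parses XCCDF 1.2 rule results and groups the rules that still need action (fail or error) from high to low severity. The embedded results document is constructed, and its rule ids are placeholders, not real STIG rule identifiers.

```python
"""Group failed XCCDF rule results by severity (added example, constructed data)."""
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2, "info": 3, "unknown": 4}
NEEDS_ACTION = ("fail", "error")  # results a remediation ticket should cover

# Constructed sample results; rule ids are placeholders, not real STIG ids.
SAMPLE_RESULTS = f"""<TestResult xmlns="{XCCDF_NS}" id="xccdf_org.example_testresult_sample">
  <rule-result idref="xccdf_org.example_rule_placeholder_1" severity="high"><result>fail</result></rule-result>
  <rule-result idref="xccdf_org.example_rule_placeholder_2" severity="medium"><result>pass</result></rule-result>
  <rule-result idref="xccdf_org.example_rule_placeholder_3" severity="low"><result>fail</result></rule-result>
  <rule-result idref="xccdf_org.example_rule_placeholder_4" severity="medium"><result>fail</result></rule-result>
  <rule-result idref="xccdf_org.example_rule_placeholder_5" severity="high"><result>notapplicable</result></rule-result>
  <rule-result idref="xccdf_org.example_rule_placeholder_6"><result>error</result></rule-result>
</TestResult>"""


def parse_rule_results(xml_text):
    """Return a list of {rule, severity, result} dicts for every rule-result.
    iter() walks all descendants, so this works whether the file is a bare
    TestResult or a full Benchmark that contains one (as oscap writes)."""
    root = ET.fromstring(xml_text)
    rows = []
    for rr in root.iter(f"{{{XCCDF_NS}}}rule-result"):
        res = rr.find(f"{{{XCCDF_NS}}}result")
        rows.append({
            "rule": rr.get("idref"),
            "severity": rr.get("severity", "unknown"),  # attribute is optional in XCCDF
            "result": res.text.strip() if res is not None and res.text else "unknown",
        })
    return rows


def failed_by_severity(rows):
    """Map severity -> rule ids needing action, ordered high to low."""
    grouped = {}
    for r in rows:
        if r["result"] in NEEDS_ACTION:
            grouped.setdefault(r["severity"], []).append(r["rule"])
    return dict(sorted(grouped.items(), key=lambda kv: SEVERITY_ORDER.get(kv[0], 99)))


def summarize(rows):
    """Count rule results per outcome (pass, fail, notapplicable, ...)."""
    counts = {}
    for r in rows:
        counts[r["result"]] = counts.get(r["result"], 0) + 1
    return counts


if __name__ == "__main__":
    parsed = parse_rule_results(SAMPLE_RESULTS)
    print("summary:", summarize(parsed))
    for sev, rules in failed_by_severity(parsed).items():
        print(f"{sev}: {len(rules)} finding(s)")
        for rule in rules:
            print("   ", rule)
```

Rules with a missing severity attribute land in an "unknown" bucket so they are not silently dropped from the remediation list.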