RHEL 9 STIG Checklist

Medium 21 items · 2 hours
testuser Published 1 month ago

This checklist helps system administrators and security teams apply the DISA RHEL 9 STIG guidance to harden systems and meet compliance requirements. Use it to download official content, test changes in staging, run scans, remediate findings, and document exceptions.

Source: https://ncp.nist.gov/checklist/1072

  1. Download RHEL 9 STIG SCAP and XCCDF content — Obtain official SCAP 1.3, XCCDF, and automated SCC files from DISA.
  2. Download SCAP 1.3 benchmark for RHEL 9 — Get the specific SCAP 1.3 benchmark (Ver/Rel) for your RHEL 9 build.
  3. Download XCCDF standalone and remediation scripts — Include Ansible/Chef remediations and standalone XCCDF files.
  4. Download automated SCC content for RHEL 9 architectures — Grab x86_64 and AArch64 SCC content when applicable.
  5. Verify file integrity and checksums of downloaded resources — Compare provided SHA hashes to ensure downloads are intact.
  6. Review STIG requirements and applicability — Map STIG controls to your enclave, role, and services.
  7. Test STIG settings in a staging environment — Validate functionality and rollback procedures before production.
  8. Apply OS updates and security patches — Install latest RHEL 9 errata and kernel/security updates.
  9. Enable and enforce SELinux in enforcing mode — Set SELinux to enforcing and resolve policy denials.
  10. Configure and enable firewalld with appropriate zones — Apply least-privilege rules and open only required ports.
  11. Harden SSH: disable root login and require key auth — Set PermitRootLogin no and use PubkeyAuthentication.
  12. Enforce strong password policies and account lockouts — Configure pam_pwquality, password aging, and lockouts.
  13. Configure sudo and remove unnecessary admin accounts — Grant least privilege and audit sudoers changes.
  14. Disable unnecessary services and remove unused packages — Stop and mask services not required by the system role.
  15. Harden kernel parameters via sysctl.conf — Apply RHEL STIG-recommended sysctl values and persist them.
  16. Enable and configure auditd for system auditing — Ensure audit rules capture privileged events and log retention.
  17. Run SCAP/XCCDF compliance scan using downloaded content — Execute automated scan to produce a compliance report.
  18. Review scan report and prioritize remediations — Triage findings by risk and impact for remediation planning.
  19. Remediate findings and apply configuration changes — Implement fixes, using automation where possible, and retest.
  20. Document deviations and obtain AO approval for exceptions — Record accepted risks and authorized exceptions with justification.
  21. Schedule regular automated compliance scans and reporting — Automate periodic scans and export reports for audit trails.
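As an added example for step 11 (not part of this checklist or of DISA's content), the script below audits an sshd_config-style file for `PermitRootLogin no` and `PubkeyAuthentication yes` and reports each setting as PASS or FAIL, the way a remediation log would. It assumes plain sshd_config syntax, treats the first uncommented occurrence of a keyword as the effective one (as sshd does), and counts an unset keyword as a finding because the STIG expects the value to be set explicitly; the sample config is constructed.

```shell
#!/bin/sh
# Added example: audit an sshd_config-style file for the step 11 settings.
# Assumptions: plain sshd_config syntax; first uncommented occurrence of a
# keyword is the effective one (sshd behaviour); an unset keyword is a finding.

# effective_value FILE KEYWORD: print the first uncommented value, empty if unset.
effective_value() {
    k=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v key="$k" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # skip comments and blanks
        tolower($1) == key { print $2; exit }          # first match wins
    ' "$1"
}

# check_sshd FILE: one line per setting; returns 0 only when every setting passes.
check_sshd() {
    rc=0
    for spec in PermitRootLogin=no PubkeyAuthentication=yes; do
        key=${spec%%=*}
        want=${spec#*=}
        got=$(effective_value "$1" "$key")
        if [ "$(printf '%s' "$got" | tr 'A-Z' 'a-z')" = "$want" ]; then
            echo "PASS $key=$got"
        else
            echo "FAIL $key=${got:-<unset>} (expected $want)"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample config: a commented-out compliant line, a later live
# non-compliant value, and an explicit PubkeyAuthentication yes.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# PermitRootLogin no
PermitRootLogin yes
PubkeyAuthentication yes
EOF
check_sshd "$SAMPLE" || echo "finding(s) present: remediate and retest"
rm -f "$SAMPLE"
```

The same pattern extends to the other keyword/value pairs a STIG SSH check covers; swap the `spec` list for the directives in the benchmark you downloaded.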