Last modified on 09/25/13 22:55:58

How to use the Red Hat Enterprise Linux 5 STIG

Note that the content provided on this page is for informational purposes only and no warranty is implied. As with anything downloaded from the Internet, the downloader is responsible for reviewing the content before applying it to a system.

STIG'ing a RHEL 5 system in 10 easy steps

  1. Install RHEL 5.

     Please take note of the DISA partitioning requirements during installation.

  2. Install git. Git is used to check out a copy of the lockdown scripts from the Aqueduct source code repository. Providing the Aqueduct lockdown scripts as cryptographically signed RPMs is a future goal of Aqueduct, but git is used in the meantime.
    [root@host ~]# yum install git
    
  3. Create a directory where you would like to store the Aqueduct lockdown scripts and change to that directory.
    [root@host ~]# mkdir ~/Aqueduct_STIG
    [root@host ~]# chmod 700 ~/Aqueduct_STIG
    [root@host ~]# cd ~/Aqueduct_STIG
    
  4. Use git to export an unrevisioned copy of the Aqueduct lockdown script tree.
    [root@host ~]# git clone git://git.fedorahosted.org/git/aqueduct.git
    
  5. Change directory to rhel-5 and note its two subdirectories. They contain the STIG guidance split into what can be applied in an automated manner (prod) and what must be done by hand (manual-checks). Feel free to explore the contents of both.
    [root@host ~]# cd rhel-5
    [root@host ~]# ls
    manual-checks  prod
    
  6. Change directory to prod and examine the file Aqueduct-STIG.sh. Aqueduct-STIG.sh runs the GEN*.sh lockdown elements in that directory.
    [root@host ~]# cd prod
    [root@host ~]# cat Aqueduct-STIG.sh
    
  7. Examine the GEN*.sh files. Each GEN*.sh file corresponds to a lockdown element in the STIG. Note that each script is designed to be idempotent, so it can be run multiple times on the same system: existing settings are substituted in place rather than content simply being appended to the end of files. If you observe that this is not the case, you have found a bug; please report it to the Aqueduct mailing list.
  8. When you are comfortable with the content provided, run the Aqueduct-STIG.sh script, which runs the GEN*.sh scripts in that directory. This will take a few minutes.
    [root@host ~]# ./Aqueduct-STIG.sh
    
  9. 85% done! Once the automated content has run, complete the STIG lockdown by following the manual guidance in the manual-checks directory.
  10. Provide feedback. Love it? Hate it? Have suggestions for improvement? Let the Aqueduct mailing list know!
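
The idempotence property described for the GEN*.sh elements (substitute an existing setting in place, never append a duplicate), shown as an added example that is not Aqueduct code: a minimal KEY=VALUE lockdown element plus a check that a second run produces no change. It assumes POSIX sh with awk and mktemp, and keys without regex metacharacters; the constructed config file is not from any real STIG item.

```shell
#!/bin/sh
# Added example, not part of Aqueduct: an idempotent "lockdown element".
# set_kv enforces KEY=VALUE in a config file by rewriting the first
# existing (or commented-out) KEY= line, dropping later duplicates, and
# appending only when the key is absent. It writes through a temp file
# and cats it back so the target keeps its mode and ownership.
# Assumption: keys are plain identifiers (no regex metacharacters).

set_kv() {   # set_kv FILE KEY VALUE
    file=$1 key=$2 value=$3
    [ -f "$file" ] || : > "$file"
    tmp=$(mktemp) || return 1
    awk -v k="$key" -v v="$value" '
        $0 ~ ("^[[:space:]]*#?[[:space:]]*" k "[[:space:]]*=") {
            if (!done) { print k "=" v; done = 1 }   # rewrite first hit in place
            next                                      # drop any later duplicate
        }
        { print }
        END { if (!done) print k "=" v }              # append only if absent
    ' "$file" > "$tmp" && cat "$tmp" > "$file"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# active_count FILE KEY: number of uncommented KEY= lines; exactly 1 is correct
active_count() {
    grep -c "^$2=" "$1"
}

# demo: constructed config, apply the element twice, confirm no drift
demo() {
    f=$(mktemp) || return 1
    printf '%s\n' '# EXAMPLE_SETTING=old' 'OTHER_SETTING=1' > "$f"   # constructed
    set_kv "$f" EXAMPLE_SETTING new
    first=$(cat "$f")
    set_kv "$f" EXAMPLE_SETTING new
    second=$(cat "$f")
    n=$(active_count "$f" EXAMPLE_SETTING)
    rm -f "$f"
    [ "$first" = "$second" ] && [ "$n" -eq 1 ]
}

demo && echo "second run produced no change: OK"
```

The same comparison (file contents before and after a repeated run, plus a single active line per key) is the check to apply when deciding whether a GEN*.sh script has the bug step 7 describes.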

Known Issues

USB devices are disabled. To enable USB devices, back out the following STIG scripts: GEN008460 and GEN008480.