Add-on Information
Version: 0.4
Overview
This site provides an Add-On product that can be used on SLE 15 SP3 to apply (evaluate or remediate) STIG rules.
Details
The SLE 15 STIG Add-On product installs an apply-stig-rules package which contains an apply-stig-rules script, a default configuration file, and an apply-stig-rules systemd service that runs on first boot.
The apply-stig-rules script invokes the oscap command using options provided in the /etc/apply-stig-rules/override.conf file (if it exists), or in the /etc/apply-stig-rules/default.conf file (if the override.conf file does not exist). Using an override.conf file allows for custom configuration without modifying the default configuration file.
The /etc/apply-stig-rules configuration files can be used to set the SCAP content file, the action to be taken (eval or remediation), and a tailoring file (to disable specific rules in the content file). The apply-stig-rules default configuration sets "content-file" to the scap-security-guide ssg-sle15-ds.xml file, sets "action" to "eval", and does not include any tailoring file. Note that care should be taken before setting "action" to "remediate", since applying STIG rule remediations can result in a system that is secure to the point of being unusable.
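An added pre-flight check (not code from the add-on or from SUSE) that reports which configuration file takes effect under the override.conf precedence described above, and whether the next run will remediate. The key=value file syntax and the "tailoring-file" key name are assumptions; the page names only "content-file" and "action".

```shell
#!/bin/sh
# Added example, not part of the apply-stig-rules package.
# Assumptions: settings are "key=value" lines; the key "tailoring-file" is
# hypothetical ("content-file" and "action" are the names the page gives).

# Print the file that takes effect: override.conf wins whenever it exists.
active_conf() {
    if [ -f "$1/override.conf" ]; then echo "$1/override.conf"
    else echo "$1/default.conf"; fi
}

# Print the value of key $2 in file $1 (last assignment wins, quotes stripped).
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        tail -n 1 | sed 's/[[:space:]]*$//; s/^"\(.*\)"$/\1/'
}

# Report the effective settings for config directory $1.
# Returns 0 for eval, 1 when remediation is enabled, 2 for a bad config.
preflight() {
    conf=$(active_conf "$1")
    [ -r "$conf" ] || { echo "no readable config: $conf" >&2; return 2; }
    action=$(conf_get "$conf" action)
    tailoring=$(conf_get "$conf" tailoring-file)
    echo "config:    $conf"
    echo "content:   $(conf_get "$conf" content-file)"
    echo "tailoring: ${tailoring:-none}"
    echo "action:    ${action:-unset}"
    case $action in
        eval) return 0 ;;
        remediate)
            [ -n "$tailoring" ] || echo "warning: no rules are disabled" >&2
            echo "warning: the next run will remediate this system" >&2
            return 1 ;;
        *) echo "unexpected action: '$action'" >&2; return 2 ;;
    esac
}

# Constructed sample configs in a temporary directory, so this runs offline.
demo() {
    d=$(mktemp -d)
    printf 'content-file=ssg-sle15-ds.xml\naction=eval\n' > "$d/default.conf"
    preflight "$d" || echo "status: $?"
    printf 'content-file=ssg-sle15-ds.xml\naction=remediate\n' > "$d/override.conf"
    preflight "$d" || echo "status: $?"
    rm -rf "$d"
}
demo
```

On an installed system the same check would be run as preflight /etc/apply-stig-rules before the reboot that triggers the service.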
The apply-stig-rules script writes oscap output to
/var/log/apply-stig-rules/apply-stig-rules-<timestamp>.results
and debug output to
/var/log/apply-stig-rules/apply-stig-rules-<timestamp>.log
Platforms
- SUSE Linux Enterprise 15 Service Pack 3
Architectures
- x86_64
Media Details
Add-on Product ISO Image | |
---|---|
File | stig-sle15sp3-x86_64-0.4.iso |
Size | 534 kB |
MD5 Checksum | a46dc4dbb3f969153346a7eb2cb1add4 |
SHA256 Checksum | 64efc067db539281ebb6636f936ccb3b60b810a52bac0bbf6879f20526a229d3 |
Installation
Add-on installation
Installing the Add-On during SLE interactive install: Use the Add-On Products portion of the SLE installation to add the ISO image (above) or the online installation repository. Note that installing the Add-On during a SLE interactive install will use the ssg-apply default configuration; using a custom configuration is only supported during an AutoYaST install (see below).
Installing the Add-On on a running system: Use the YaST Add-On Products module to add the ISO image (above) or the online installation repository. Note that in this case, the ssg-apply first-boot service will be run on the next boot.
Installing the Add-On via AutoYaST: Use the AutoYaST profile add_on_products section to add the ISO image or its contents. To apply a custom configuration for the ssg-apply script, use the AutoYaST profile files section to install an /etc/ssg-apply/override.conf file.
Package names and versions
The following packages are provided with this add-on product: