Security Technical Implementation Guide (STIG) Tool for the DB System

This article describes the STIG tool, a Python script, for DB Systems provisioned using Oracle Linux 7.

A Security Technical Implementation Guide (STIG) is a document written by the Defense Information Systems Agency (DISA) that provides guidance on configuring a system to meet cybersecurity standards for deployment within the Department of Defense's (DoD) IT network systems. STIG requirements help secure the network against cybersecurity threats by focusing on infrastructure and network security to mitigate vulnerabilities.

The STIG tool, a Python script, is used to ensure security compliance with DISA's Oracle Linux 7 STIG. This tool:

  • makes the base image of the DB System compliant with the Oracle Linux 7 STIG,
  • embeds certain STIG rules into the system that can be activated after provisioning when required to address security compliance requirements,
  • categorizes the embedded rules, enabling you to view and monitor the rules in the following categories:

    • Static rules that are included in the base image,
    • DoD rules that are optionally activated after provisioning when needed to meet U.S. Department of Defense compliance standards, and
    • Runtime rules that are activated after provisioning when needed and are intended for use by all users needing to harden security for DB Systems (including users outside of the U.S. Department of Defense),
  • provides a rollback capability, enabling you to roll back a DB System to a state with no configuration modifications made by the script, and
  • provides a compliance check capability, enabling you to see how many of the rules are successfully passed by the DB System.

Acquire the STIG Tool

The STIG tool is included on every newly provisioned DB System, at the following location on each DB System node: /opt/oracle/dcs/bin/dbcsstig

Updated versions of the STIG tool will be available for download from the Oracle Technology Network (OTN). Updated versions of the STIG tool are also provided when you update the DB System agent.

Use the STIG Tool

Use the following syntax for the STIG tool, giving one operation and one category (both are listed in the Command Reference below):

  dbcsstig --<operation> <category>

For example, to apply the fixes for the DoD rule category:

  dbcsstig --fix dod

Command Reference

Operations

Table 6-5 Operations

  Operation parameter    Definition
  --check, -c            Checks for compliance with rules included in the specified category.
  --fix, -f              Applies fixes for rules included in the specified category.
  --rollback, -rb        Rolls back system configuration changes implemented by the STIG tool.
  --version, -v          Provides version information for the STIG tool script.
  --help, -h             Provides command-line help information.

Rule Categories

Table 6-6 Rule Categories

  Category parameter     Definition
  static                 Specifies the rules included in the base image of the DB System.
  dod                    Specifies the rules required for compliance with DISA's Oracle Linux 7 STIG.
  runtime                Specifies the rules activated after provisioning for general security hardening.
  all                    Specifies all rules.
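The following wrapper is an added example and is not part of this page or of Oracle's tool. It drives dbcsstig with the syntax documented above, validates its arguments against the operation names in Table 6-5 and the category names in Table 6-6, keeps a timestamped log of every run as an audit trail, and performs a hardening pass for one category as a check, fix, re-check sequence that rolls the category back if the fix step fails. The tool path /opt/oracle/dcs/bin/dbcsstig comes from the page; the DBCSSTIG_BIN and STIG_LOG_DIR variables, the function names, the default log directory, and the assumption that dbcsstig returns a non-zero exit status when an operation fails are this example's own.

```shell
#!/bin/sh
# Added example wrapper for the dbcsstig STIG tool (not Oracle's code).
# Assumptions not stated on the page: the DBCSSTIG_BIN and STIG_LOG_DIR
# variables, the default log directory, and a non-zero exit status from
# dbcsstig when an operation fails.
DBCSSTIG_BIN="${DBCSSTIG_BIN:-/opt/oracle/dcs/bin/dbcsstig}"   # path from the page
STIG_LOG_DIR="${STIG_LOG_DIR:-/var/tmp/dbcsstig-logs}"         # invented default
STIG_SEQ=0                                                     # per-process log counter

# Operation names from Table 6-5 (long form, without the leading "--").
stig_valid_op() {
  case "$1" in
    check|fix|rollback) return 0 ;;
    *) return 1 ;;
  esac
}

# Category names from Table 6-6.
stig_valid_cat() {
  case "$1" in
    static|dod|runtime|all) return 0 ;;
    *) return 1 ;;
  esac
}

# Run "dbcsstig --<operation> <category>", capture everything it prints to a
# log file, show that log to the operator, and return the tool's exit status.
stig_run() {
  op="$1"; category="$2"
  stig_valid_op "$op"        || { echo "unknown operation: $op" >&2; return 2; }
  stig_valid_cat "$category" || { echo "unknown category: $category" >&2; return 2; }
  mkdir -p "$STIG_LOG_DIR" || return 2
  STIG_SEQ=$((STIG_SEQ + 1))
  log="$STIG_LOG_DIR/$(date +%Y%m%dT%H%M%S)-$$-$STIG_SEQ-$op-$category.log"
  if "$DBCSSTIG_BIN" --"$op" "$category" >"$log" 2>&1; then rc=0; else rc=$?; fi
  cat "$log"
  return "$rc"
}

# Hardening pass for one category: record a baseline compliance check, apply
# the fixes, then re-check. If the fix step fails, roll the category back
# (Table 6-5, --rollback) so the node is not left half-configured.
stig_harden() {
  category="$1"
  stig_valid_cat "$category" || { echo "unknown category: $category" >&2; return 2; }
  stig_run check "$category"        # baseline; its exit status is not acted on
  if ! stig_run fix "$category"; then
    echo "fix of category '$category' failed; rolling back" >&2
    stig_run rollback "$category"
    return 1
  fi
  stig_run check "$category"        # post-fix compliance check
}

# Usage: sh stig_wrapper.sh <category>    (for example: sh stig_wrapper.sh dod)
if [ "$#" -gt 0 ]; then
  stig_harden "$1"
fi
```

The two check runs bracket the fix so the before and after logs can be compared when reviewing what the tool changed; the rollback after a failed fix uses the same category so the tool's own rollback decides what to revert.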