Security Technical Implementation Guide (STIG) Tool for Virtual Machine DB systems

This topic describes a Python script, referred to as the STIG tool, for Oracle Cloud Infrastructure virtual machine DB systems provisioned with Oracle Linux 7. The STIG tool is used to bring the system into compliance with DISA's Oracle Linux 7 STIG. The script does the following:

  • Makes the base image of the virtual machine DB system compliant with the Oracle Linux 7 STIG
  • Embeds additional STIG rules into the system that can be activated after provisioning when required to meet security compliance standards
  • Categorizes the embedded rules, allowing you to view and monitor them in the following categories:

    • Static: Rules included in the base image
    • DoD: Rules optionally activated after provisioning when needed to meet U.S. Department of Defense compliance standards
    • Runtime: Rules activated after provisioning when needed. Intended for use by all users needing to harden security for virtual machine DB systems (including users outside of the U.S. Department of Defense).
  • Provides a rollback capability, allowing you to return a DB system to the state it was in before the script made any configuration changes
  • Provides a compliance check capability, allowing you to see how many of the script's rules the DB system passes

Acquiring the STIG Tool

The STIG tool is provided on all newly provisioned virtual machine DB systems. Updated versions of the STIG tool are available for download from the Oracle Technology Network (OTN). Updated versions are also delivered, as they become available, when you update the DB system agent.

Using the STIG Tool

Use the following syntax for the STIG tool, where <operation> is one of the operations and <category> is one of the rule categories listed in the command reference below:

dbcsstig --<operation> <category>

For example:

dbcsstig --fix dod

Command Reference

Operations

Operation Parameter   Definition
--check, -c           Checks for compliance with the rules included in the specified category
--fix, -f             Applies fixes for the rules included in the specified category
--rollback, -rb       Rolls back the system configuration changes made by the STIG tool
--version, -v         Prints version information for the STIG tool script
--help, -h            Prints command line help

Rule Categories

Category Parameter   Definition
static               Rules included in the base image of the virtual machine DB system
dod                  Rules required for compliance with DISA's Oracle Linux 7 STIG
runtime              Rules activated after provisioning for general security hardening
all                  All rules in every category
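The following wrapper is an added example, not part of this topic or of the dbcsstig tool itself. It runs the check, fix, check sequence a reviewer will want evidence of when signing off a hardened DB system: a baseline --check whose output is kept, the --fix, and a verifying --check afterwards, with each run's output saved to a separate log file. It validates the category against the four values documented above so a typo does not reach the tool. Everything beyond the documented operations and categories is an assumption: that dbcsstig is on the PATH (the DBCSSTIG variable exists only so the wrapper can be exercised with another command), that it writes its report to standard output and exits non-zero when rules fail, that the log directory STIG_LOG_DIR is writable, and that the shell running it already has whatever privileges the tool requires.

```shell
#!/bin/sh
# Added example: an audit-friendly wrapper around dbcsstig. Not Oracle's code.
# Assumptions (not from the page): dbcsstig writes its report to stdout and
# exits non-zero on failure; DBCSSTIG and STIG_LOG_DIR are test/override hooks.

DBCSSTIG="${DBCSSTIG:-dbcsstig}"
STIG_LOG_DIR="${STIG_LOG_DIR:-/tmp/dbcsstig-logs}"   # assumed log location

# Accept only the categories the tool documents.
stig_category_valid() {
    case "$1" in
        static|dod|runtime|all) return 0 ;;
        *) return 1 ;;
    esac
}

# Run one operation (check, fix, rollback) for a category and keep its output.
# The label keeps the baseline and verification logs apart even when both
# checks run within the same second. Prints the log path; returns the tool's
# exit status, or 2 for a bad category.
stig_run() {
    op="$1"; category="$2"; label="${3:-run}"
    stig_category_valid "$category" || {
        echo "invalid category: $category (expected static|dod|runtime|all)" >&2
        return 2
    }
    mkdir -p "$STIG_LOG_DIR" || return 2
    log="$STIG_LOG_DIR/$(date +%Y%m%dT%H%M%S)-$label-$op-$category.log"
    "$DBCSSTIG" "--$op" "$category" >"$log" 2>&1
    rc=$?
    echo "$log"
    return $rc
}

# Baseline check, apply fixes, verify. The baseline is allowed to fail (that is
# the point of running it); the fix and the verifying check are not.
stig_harden() {
    category="$1"
    before=$(stig_run check "$category" baseline) || true
    fixlog=$(stig_run fix "$category" apply) || {
        echo "fix failed, see $fixlog" >&2; return 1
    }
    after=$(stig_run check "$category" verify) || {
        echo "post-fix check still failing, see $after" >&2; return 1
    }
    echo "baseline: $before"
    echo "fix:      $fixlog"
    echo "verified: $after"
}
```

Usage: `stig_harden dod` hardens for DoD compliance and leaves three timestamped logs under STIG_LOG_DIR; the baseline log is the one to attach to a change record. The generic `stig_run` also covers the other documented operation, for example `stig_run rollback dod undo` to reverse the changes, since the page gives the same `--<operation> <category>` form for every operation.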