Securing RHEL/CentOS with a STIG Script

Please note that RHEL/CentOS 6 is now End-Of-Life and has not received security updates since December 31, 2020! If you're still using RHEL/CentOS 6, please upgrade to a newer release or another distro... NOW!

This document and tool, while very useful during RHEL/CentOS 6's lifetime, are now relegated to historical status.

I originally wrote this in early 2013 because I got sick and tired of spending three and a half hours per box to lock it down. At the time, not only had NSA/DISA not devised a STIG script, but there wasn't even a NIST document for RHEL 6 yet!

Therefore, I decided to write one. :-)

In so doing, I used NIST's public SNAC guide for RHEL 5 to tell me which issues/CVEs to address, and I adapted that information for RHEL/CentOS 6. My development machine was CentOS 6, since that's where I prototype, but--as you might expect--it also has been tested and, by design, works just as well on RHEL 6.

The design is as follows. First, you use the KickStart script to do the initial partitioning and OS installation. Then, after installation, you run the lockdown script to finish securing the OS. The lockdown script is a standard Bash script.

By the way, both components of this STIG script are hereby licensed under the GNU GPL, version 3 or, at your option, any later version as published by the Free Software Foundation.  So feel free to download it and use it as much as you wish.  Matter of fact, that's the point!

The KickStart Script; this does the initial installation
The Post-Reboot Lockdown Script; run this immediately after installation via the KickStart script