Last active
January 2, 2024 02:16
Install and configure OpenSCAP to work on CentOS 8
### Install the required packages:
sudo yum install openscap-scanner scap-security-guide
### Can we run a report?
sudo oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_ospp --report /tmp/report.html /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml
The first scan gives “notapplicable”.
### Now do this…
sudo cp /usr/share/openscap/cpe/openscap-cpe-dict.xml /usr/share/openscap/cpe/openscap-cpe-dict.xml.dist
sudo cp /usr/share/openscap/cpe/openscap-cpe-oval.xml /usr/share/openscap/cpe/openscap-cpe-oval.xml.dist
sudo curl -L https://raw.githubusercontent.com/OpenSCAP/openscap/maint-1.3/cpe/openscap-cpe-dict.xml -o /usr/share/openscap/cpe/openscap-cpe-dict.xml
sudo curl -L https://raw.githubusercontent.com/OpenSCAP/openscap/maint-1.3/cpe/openscap-cpe-oval.xml -o /usr/share/openscap/cpe/openscap-cpe-oval.xml
### Does it work yet?
sudo oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_cis --report /tmp/report.html /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml
Still no…
### Now do this…
sudo sed -i \
-e 's|idref="cpe:/o:redhat:enterprise_linux|idref="cpe:/o:centos:centos|g' \
-e 's|ref_id="cpe:/o:redhat:enterprise_linux|ref_id="cpe:/o:centos:centos|g' \
/usr/share/xml/scap/ssg/content/ssg-rhel*.xml
This replaces the cpe:/o:redhat:enterprise_linux CPE references in the SSG content with cpe:/o:centos:centos.
Now it works!
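The in-place sed above edits files owned by the scap-security-guide package, which a package update will replace (a commenter on this gist raises the same point). The following is an added example, not part of the original gist: it applies the same two substitutions to a copy in a separate directory and rejects a copy in which no CPE reference was rewritten. The function names, the ssg-local directory name and the sample XML are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the gist: retarget a copy of the datastream to CentOS
# and leave the packaged file untouched. Function names are hypothetical.

# count_cpe_refs FILE VENDOR: number of lines in FILE with a CPE idref/ref_id for VENDOR.
count_cpe_refs() {
    grep -c -E "(idref|ref_id)=\"cpe:/o:$2" "$1" || true
}

# patch_datastream SRC DEST_DIR: write a patched copy of SRC into DEST_DIR using
# the gist's two substitutions and print the path of the copy.
patch_datastream() {
    src=$1; dest_dir=$2
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }
    mkdir -p "$dest_dir" || return 1
    out="$dest_dir/$(basename "$src")"
    sed \
        -e 's|idref="cpe:/o:redhat:enterprise_linux|idref="cpe:/o:centos:centos|g' \
        -e 's|ref_id="cpe:/o:redhat:enterprise_linux|ref_id="cpe:/o:centos:centos|g' \
        "$src" > "$out" || return 1
    # A copy with no CentOS CPE reference was not retargeted: reject it.
    if [ "$(count_cpe_refs "$out" centos:centos)" -eq 0 ]; then
        echo "no CPE references rewritten in $src" >&2
        rm -f "$out"
        return 1
    fi
    printf '%s\n' "$out"
}

# Constructed sample standing in for ssg-rhel8-ds.xml (not real SSG content).
demo=$(mktemp -d)
cat > "$demo/ssg-rhel8-ds.xml" <<'EOF'
<Benchmark>
  <platform idref="cpe:/o:redhat:enterprise_linux:8"/>
  <reference ref_id="cpe:/o:redhat:enterprise_linux:8" source="CPE"/>
  <Rule id="constructed_rule"/>
</Benchmark>
EOF
patched=$(patch_datastream "$demo/ssg-rhel8-ds.xml" "$demo/ssg-local")
echo "patched copy: $patched"
echo "CentOS CPE lines in copy: $(count_cpe_refs "$patched" centos:centos)"
echo "Red Hat CPE lines left in original: $(count_cpe_refs "$demo/ssg-rhel8-ds.xml" redhat:enterprise_linux)"
rm -rf "$demo"
```

On a real host, run patch_datastream as root against /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml and pass the printed path to oscap xccdf eval in place of the packaged file. Rerun it after each scap-security-guide update so the copy tracks the new content.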
### List all the different profiles available:
oscap info /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml
### Run the report to check against the CIS benchmark:
sudo oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_cis --report /tmp/report.html /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml
### Check the report.
Hi Domfi,
Thanks for your message. I did this demo a while ago now, but I'll go through what you've said and check your suggestions. It may warrant another demo video. In the meantime, anyone else checking out this Gist will see your comment and can incorporate your suggestions into their work.
Thanks
Dennis
I am also checking the gist
Really good, just what I needed. thx :)
Thank you for your gist! I'm currently evaluating oscap and was disappointed that only PCI-DSS was available for CentOS 8.
I have a question and a suggestion: I think changing the ssg-rhel*.xml files is enough. Are the curl calls necessary?
Also the files will be overridden by future updates of the system. Maybe writing new files to /usr/share/xml/scap/ssg-dmccuk is better?
And for me I added
sed -i 's@/boot/efi/EFI/redhat/@/boot/efi/EFI/centos/@g' /usr/share/xml/scap/ssg/content/ssg-rhel*.xml
to make tests of grub.cfg work.