Run a SCAP Security Audit on CentOS 6


Here is how to run the SCAP security audit on CentOS 6. I haven’t yet decided how best to integrate this test into my tool chain: I am torn between using this clunky and complex XML-based tool or simply redoing it in serverspec.

This post shows how to run it. It produces a very interesting report.

  1. Install the EPEL repository.
  2. Install the SCAP packages:

         yum install openscap-utils scap-security-guide -y

  3. Run this command:

         oscap xccdf eval --profile common \
           --report ~/report.html \
           --results ~/results.xml \
           --cpe /usr/share/xml/scap/ssg/content/ssg-rhel6-cpe-dictionary.xml \
           /usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml

Then open report.html in a web browser to see how you did. You can use your automated CM tool to correct the problems in your base configuration.
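The HTML report is for humans; the results.xml written by `--results` is what a CM tool or CI job would consume. The following is an added example (not code from the original post) that summarises an XCCDF results file: it counts verdicts, lists the failed rules, and flags the case where every rule came back `notapplicable`, which is what you get when the CPE dictionary decides the host is not the platform the benchmark targets. It assumes the standard XCCDF result layout (a `TestResult` holding `rule-result` elements with an `idref` attribute and a `result` child) and works for both the 1.1 and 1.2 namespaces; the embedded XML and its rule ids are a constructed sample, not a real oscap run.

```python
"""Summarise an XCCDF results file such as the results.xml from `oscap xccdf eval`.

Added example; not part of the original post. Assumes the XCCDF result
schema: a TestResult element containing rule-result elements, each with
an idref attribute and a result child. The sample below is constructed.
"""
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed, abridged stand-in for what oscap writes to results.xml.
SAMPLE_RESULTS = """<?xml version="1.0" encoding="UTF-8"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="RHEL-6">
  <TestResult id="xccdf_org.open-scap_testresult_common">
    <rule-result idref="partition_for_tmp" weight="10.0">
      <result>fail</result>
    </rule-result>
    <rule-result idref="partition_for_var" weight="10.0">
      <result>pass</result>
    </rule-result>
    <rule-result idref="sshd_disable_root_login" weight="10.0">
      <result>fail</result>
    </rule-result>
    <rule-result idref="package_aide_installed" weight="10.0">
      <result>notapplicable</result>
    </rule-result>
  </TestResult>
</Benchmark>
"""


def _local(tag):
    """Drop the namespace prefix so XCCDF 1.1 and 1.2 files parse the same way."""
    return tag.rsplit('}', 1)[-1]


def parse_results(xml_text):
    """Return {rule_id: verdict} for every rule-result in the document."""
    root = ET.fromstring(xml_text)
    verdicts = {}
    for elem in root.iter():
        if _local(elem.tag) != 'rule-result':
            continue
        rule_id = elem.get('idref')
        verdict = next(
            ((child.text or '').strip() for child in elem if _local(child.tag) == 'result'),
            'unknown',
        )
        verdicts[rule_id] = verdict
    return verdicts


def summarise(verdicts):
    """Count how many rules ended in each verdict (pass, fail, notapplicable, ...)."""
    return Counter(verdicts.values())


def failed_rules(verdicts):
    """Sorted rule ids that failed; these are the items for the CM tool to fix."""
    return sorted(rule for rule, verdict in verdicts.items() if verdict == 'fail')


def looks_inapplicable(verdicts):
    """True when every rule is notapplicable: the CPE check rejected the host
    (the CentOS-versus-RHEL situation), so the audit actually tested nothing."""
    return bool(verdicts) and all(v == 'notapplicable' for v in verdicts.values())


if __name__ == '__main__':
    # Replace SAMPLE_RESULTS with open('results.xml').read() for a real run.
    results = parse_results(SAMPLE_RESULTS)
    for verdict, count in sorted(summarise(results).items()):
        print(f'{verdict:15s} {count}')
    for rule in failed_rules(results):
        print('FAIL', rule)
    if looks_inapplicable(results):
        print('Every rule is notapplicable: check the CPE dictionary matches this host.')
```

Treating an all-`notapplicable` result as an error rather than a clean pass is the check worth keeping: a run that evaluates nothing looks identical to a fully compliant host if you only count failures.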



Categories: Security


6 replies

  1. This command will not produce any results on CentOS as the xccdf file uses CPE validation and will see that CentOS is not RHEL6 and the evaluations will show as not applicable. I’m sure there is likely a workaround but I have not been able to figure it out yet, I’m guessing you could just run the oval definitions instead skipping xccdf.


    • I should re-check my instructions in case something has changed but it did produce a report on CentOS 6.4 with no problem. I don’t use this method anymore since I scripted all the same tests using the Ruby based ServerSpec framework. You can see the code on GitHub.


      • Thanks Aaron, I’ll check out ServerSpec, I am really interested in finding a hardening script to tighten up images before deployment, although I haven’t been able to find anything to handle the special partitioning requirements of the STIG’s, does ServerSpec handle partitioning as well?


      • Hi James,

        ServerSpec doesn’t but I use kickstart to create the STIG required partitions. You can see my kickstart file here: https://github.com/aaron868/management/blob/master/roles/kickstart-server/templates/host.cfg.j2. I use Ansible to make the changes so you will see Ansible variables in the file (in the form {{ x }}). I then use ServerSpec and my STIG script to validate that the partitions are correctly configured.

        This works well for me and it can be entirely automated using Ansible and a CI server like Bamboo (or Jenkins).

        Cheers,
        Aaron


  2. The xml files can be modified to successfully run on CentOS (tested on 6.6). See https://www.redhat.com/archives/spacewalk-list/2014-November/msg00007.html
