Running OSCAP on CentOS 7


If you choose the draft DISA STIG security policy when installing CentOS 7, you can run the OSCAP security audit tool to check your configuration. The command to do so is not obvious and is not well documented. [Here I would like to insert a long rant about the abysmal quality of technical documentation, especially the documentation of open source tools, but I will save that for another post.]

Here is the method that worked for me:

  1. In a console and as root run
    yum install openscap-scanner
  2. Change to the directory in which you would like the audit report saved. For example,
    cd /root
  3. Then run oscap with the following options:
    oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_stig-rhel7-server-upstream --results-arf arf.xml --report report.html /usr/share/xml/scap/ssg/content/ssg-centos7-ds.xml

This will take a minute or so and print results as it runs its checks. When it's done, you can view an HTML version of the results by opening report.html in a browser.
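The arf.xml file written by --results-arf holds the same results in machine-readable form. The following script is an added example, not part of the original post: it counts the XCCDF rule results in that file and lists the failed rules by severity. The embedded sample document and its rule ids are constructed for illustration; pass the path to your own arf.xml as the first argument to summarize a real scan.

```python
import sys
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF = "{http://checklists.nist.gov/xccdf/1.2}"   # XCCDF 1.2 namespace
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}

# Constructed sample: a trimmed ARF wrapper around four rule results.
# The rule ids are made up; a real arf.xml has the same element layout.
SAMPLE_ARF = """<arf:asset-report-collection
    xmlns:arf="http://scap.nist.gov/schema/asset-reporting-format/1.1"
    xmlns="http://checklists.nist.gov/xccdf/1.2">
 <arf:reports><arf:report id="sample"><arf:content>
  <TestResult id="sample_testresult">
   <rule-result idref="example_rule_a" severity="medium"><result>fail</result></rule-result>
   <rule-result idref="example_rule_b" severity="low"><result>pass</result></rule-result>
   <rule-result idref="example_rule_c" severity="high"><result>fail</result></rule-result>
   <rule-result idref="example_rule_d" severity="low"><result>notselected</result></rule-result>
  </TestResult>
 </arf:content></arf:report></arf:reports>
</arf:asset-report-collection>"""

def summarize(root):
    """Return (Counter of result values, failed rules as (severity, idref))."""
    counts, failed = Counter(), []
    # iter() walks the whole tree, so the ARF nesting depth does not matter.
    for rule in root.iter(XCCDF + "rule-result"):
        result = rule.findtext(XCCDF + "result", default="unknown")
        counts[result] += 1
        if result == "fail":
            failed.append((rule.get("severity", "unknown"), rule.get("idref")))
    # Most severe first, then alphabetical by rule id.
    failed.sort(key=lambda f: (SEVERITY_ORDER.get(f[0], 3), f[1]))
    return counts, failed

def main(path=None):
    # Without a path, fall back to the constructed sample above.
    root = ET.parse(path).getroot() if path else ET.fromstring(SAMPLE_ARF)
    counts, failed = summarize(root)
    for result, n in sorted(counts.items()):
        print(f"{result:15} {n}")
    print("\nFailed rules:")
    for severity, idref in failed:
        print(f"  [{severity}] {idref}")

if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else None)
```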

You can find the current draft STIG configuration rules here.



Categories: Security, Uncategorized
