Running OSCAP on CentOS 7

If you choose the draft DISA STIG security policy when installing CentOS 7, you can run the OSCAP security audit tool to check your configuration. The command to do so is not obvious and is not well documented. [Here I would like to insert a long rant about the abysmal quality of technical documentation, especially the documentation of open source tools, but I will save that for another post.]

Here is the method that worked for me:

  1. In a console and as root run
    yum install openscap-scanner
  2. Change to the directory in which you would like the audit report saved. For example,
    cd /root
  3. Then run oscap with the following options:
    oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_stig-rhel7-server-upstream --results-arf arf.xml --report report.html /usr/share/xml/scap/ssg/content/ssg-centos7-ds.xml

This will take a minute or so and print results as it runs its checks. When it's done, you can view an HTML version of the results by opening report.html in a browser.
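
The command above also writes arf.xml, the machine-readable results. As an added example (not from the original post), this Python script counts the rule results in that file and lists the rules that were not confirmed compliant, most severe first. The embedded sample is constructed and its rule ids are placeholders.

```python
"""Summarize rule results from the arf.xml written by `oscap xccdf eval --results-arf`."""
import sys
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF = "{http://checklists.nist.gov/xccdf/1.2}"  # XCCDF 1.2 namespace used in SCAP data streams

# Constructed sample, cut down to the elements this script reads; rule ids are placeholders.
SAMPLE_ARF = """<arf:asset-report-collection
    xmlns:arf="http://scap.nist.gov/schema/asset-reporting-format/1.1"
    xmlns="http://checklists.nist.gov/xccdf/1.2">
 <arf:reports><arf:report id="xccdf1"><arf:content>
  <TestResult id="xccdf_org.open-scap_testresult_example">
   <rule-result idref="xccdf_example_rule_a" severity="high"><result>fail</result></rule-result>
   <rule-result idref="xccdf_example_rule_b" severity="medium"><result>pass</result></rule-result>
   <rule-result idref="xccdf_example_rule_c" severity="low"><result>notselected</result></rule-result>
   <rule-result idref="xccdf_example_rule_d" severity="medium"><result>fail</result></rule-result>
   <rule-result idref="xccdf_example_rule_e" severity="medium"><result>error</result></rule-result>
  </TestResult>
 </arf:content></arf:report></arf:reports>
</arf:asset-report-collection>"""

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


def summarize(root):
    """Return (Counter of result values, list of (severity, rule id, result) needing attention)."""
    counts, attention = Counter(), []
    for rr in root.iter(XCCDF + "rule-result"):
        result = rr.findtext(XCCDF + "result", default="unknown").strip()
        counts[result] += 1
        # 'fail', 'error' and 'unknown' all mean the rule was not confirmed compliant.
        if result in ("fail", "error", "unknown"):
            attention.append((rr.get("severity", "unknown"), rr.get("idref"), result))
    attention.sort(key=lambda t: (SEVERITY_ORDER.get(t[0], 3), t[1]))
    return counts, attention


def main(argv):
    # With a path argument, read that file (e.g. arf.xml); otherwise use the constructed sample.
    root = ET.parse(argv[1]).getroot() if len(argv) > 1 else ET.fromstring(SAMPLE_ARF)
    counts, attention = summarize(root)
    print(dict(counts))
    for severity, rule_id, result in attention:
        print(f"{severity:8} {result:7} {rule_id}")
    return 1 if attention else 0  # non-zero exit when any rule needs attention


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Pass the path to arf.xml as the only argument to run it against a real scan; the exit status is non-zero when any rule failed or could not be evaluated.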

You can find the current draft STIG configuration rules here.

Categories: Security, Uncategorized

1 reply

  1. OpenSCAP Error: Unable to open file: ‘/usr/share/ssg-centos7-ds.xml’ [oscap_source.c:284]

