If you choose the draft DISA STIG security policy when installing CentOS 7, you can run the OSCAP security audit tool to check your configuration. The command to do so is not obvious and is not well-documented. [Here I would like to insert a long rant about the abysmal quality of technical documentation, especially the documentation of open source tools, but I will save that for another post.]
Here is the method that worked for me:
- In a console, as root, run
yum install openscap-scanner
- Change to the directory in which you would like the audit report saved. For example,
- Then run oscap with the following options:
oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_stig-rhel7-server-upstream --results-arf arf.xml --report report.html /usr/share/xml/scap/ssg/content/ssg-centos7-ds.xml
This will take a minute or so and print results as it runs its checks. When it's done, you can view an HTML version of the results by opening report.html in a browser.
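The arf.xml file written by `--results-arf` holds the same results in machine-readable form. The following is an added example, not part of the original post: a short Python script that tallies the rule results in that file and lists the failed rules, most severe first. It assumes the results use the XCCDF 1.2 namespace; the embedded sample XML and its rule IDs are constructed for illustration.

```python
import sys
import xml.etree.ElementTree as ET
from collections import Counter

# Assumption: rule results are in the XCCDF 1.2 namespace.
XCCDF = "{http://checklists.nist.gov/xccdf/1.2}"
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}

# Constructed sample: a minimal stand-in for a real arf.xml (rule IDs are made up).
SAMPLE_ARF = """<arf:asset-report-collection
    xmlns:arf="http://scap.nist.gov/schema/asset-reporting-format/1.1">
 <arf:reports><arf:report id="xccdf1"><arf:content>
  <TestResult xmlns="http://checklists.nist.gov/xccdf/1.2" id="constructed_result">
   <rule-result idref="constructed_rule_a" severity="medium"><result>pass</result></rule-result>
   <rule-result idref="constructed_rule_b" severity="low"><result>fail</result></rule-result>
   <rule-result idref="constructed_rule_c" severity="high"><result>fail</result></rule-result>
   <rule-result idref="constructed_rule_d" severity="medium"><result>notapplicable</result></rule-result>
  </TestResult>
 </arf:content></arf:report></arf:reports>
</arf:asset-report-collection>"""


def summarize(root):
    """Return (Counter of result values, failed rules sorted by severity)."""
    counts = Counter()
    failed = []
    # rule-result elements only occur inside the TestResult, so a document-wide
    # search is safe even though the ARF file also embeds the benchmark itself.
    for rr in root.iter(XCCDF + "rule-result"):
        result = (rr.findtext(XCCDF + "result") or "unknown").strip()
        counts[result] += 1
        if result == "fail":
            failed.append((rr.get("idref"), rr.get("severity", "unknown")))
    failed.sort(key=lambda f: (SEVERITY_ORDER.get(f[1], 3), f[0]))
    return counts, failed


if __name__ == "__main__":
    # With a path argument, read that file; otherwise use the constructed sample.
    if len(sys.argv) > 1:
        root = ET.parse(sys.argv[1]).getroot()
    else:
        root = ET.fromstring(SAMPLE_ARF)
    counts, failed = summarize(root)
    for result, n in sorted(counts.items()):
        print(f"{result:15} {n}")
    for rule_id, severity in failed:
        print(f"FAIL [{severity}] {rule_id}")
```

Save it under any name and pass arf.xml as the only argument, from the directory where you ran oscap.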
You can find the current draft STIG configuration rules here.