[GTALUG] SCAP, compliance and you.

David Thornton northdot9 at gmail.com
Wed Feb 10 14:01:18 UTC 2016


Hey guys,

Just a quick follow up on my talk last night.

SCAP is Security Content Automation Protocol

http://scap.nist.gov/

Various bodies make XML files that describe tests; they publish XCCDF files
that have all of the "things to test".

Big Database of checks here: https://web.nvd.nist.gov/view/ncp/repository

Red Hat supports this and ships with all the required open source software
(RHEL 6 and 7):

- openscap
- openscap-utils
- openscap-scanner
- scap-security-guide


*For RHEL6:*

The files for STIG for RHEL6

http://iasecontent.disa.mil/stigs/zip/Oct2015/U_RedHat_6_V1R9_STIG_SCAP_1-1_Benchmark.zip

unzip that stuff and run:

/usr/bin/oscap xccdf eval \
  --results /var/www/html/STIG-rhsa-results-oval-before.xml \
  --report /var/www/html/STIG-rhsa-oval-report-before.html \
  /root/STIG/U_RedHat_6_V1R9_STIG_SCAP_1-1_Benchmark-xccdf.xml

*For RHEL7*

It's even easier:

Install all the same packages:

Then:

/usr/bin/oscap xccdf eval \
  --results /var/www/html/ssg-rhel7-results-before.xml \
  --report /var/www/html/ssg-rhel7-report-before.html \
  --profile xccdf_org.ssgproject.content_profile_rht-ccp \
  /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml

Here is the Red Hat 7 documentation:

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sect-Using_oscap.html

I've attached a sample RHEL7 report (the RHEL 6 one is not as sexeh).

If you have any questions, let me know.

David
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://gtalug.org/pipermail/talk/attachments/20160210/2a9088df/attachment.html>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://gtalug.org/pipermail/talk/attachments/20160210/2a9088df/attachment-0001.html>
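
The `--results` XML written by the commands above can be checked by a script as well as read through the HTML report. The following is an added example, not part of the original post: it tallies the `rule-result` entries of an XCCDF results file and lists failures by severity, ignoring the XML namespace so XCCDF 1.1 and 1.2 files are handled alike. The sample document and its rule ids are constructed, and `summarize` and `gate` are hypothetical helper names.

```python
import sys
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample shaped like an XCCDF results file; the rule ids are made up.
SAMPLE_RESULTS = """<?xml version="1.0"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark">
  <TestResult id="xccdf_example_testresult">
    <rule-result idref="xccdf_example_rule_a" severity="high"><result>pass</result></rule-result>
    <rule-result idref="xccdf_example_rule_b" severity="high"><result>fail</result></rule-result>
    <rule-result idref="xccdf_example_rule_c" severity="low"><result>fail</result></rule-result>
    <rule-result idref="xccdf_example_rule_d" severity="medium"><result>notselected</result></rule-result>
  </TestResult>
</Benchmark>"""

def local(tag):
    """Drop the '{namespace}' prefix so XCCDF 1.1 and 1.2 tags compare equal."""
    return tag.rsplit("}", 1)[-1]

def summarize(root):
    """Return (Counter of result values, failed rules as (severity, idref))."""
    counts, failed = Counter(), []
    for elem in root.iter():
        if local(elem.tag) != "rule-result":
            continue
        result = next((c.text.strip() for c in elem
                       if local(c.tag) == "result" and c.text), "unknown")
        counts[result] += 1
        if result == "fail":
            failed.append((elem.get("severity", "unknown"), elem.get("idref")))
    order = {"high": 0, "medium": 1, "low": 2}
    failed.sort(key=lambda f: (order.get(f[0], 3), f[1]))  # worst first
    return counts, failed

def gate(failed, block_on=("high",)):
    """True when no failed rule has one of the blocking severities."""
    return not any(sev in block_on for sev, _ in failed)

if __name__ == "__main__":
    # Pass the path of a results file written by oscap, or run with no
    # argument to use the constructed sample above.
    if len(sys.argv) > 1:
        root = ET.parse(sys.argv[1]).getroot()
    else:
        root = ET.fromstring(SAMPLE_RESULTS)
    counts, failed = summarize(root)
    print(dict(counts))
    for sev, rule in failed:
        print(f"{sev:8} {rule}")
    sys.exit(0 if gate(failed) else 1)
```

The non-zero exit status on a high-severity failure lets a cron job or CI step flag a host that has drifted from the profile.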