[GTALUG] SCAP, compliance and you.
David Thornton
northdot9 at gmail.com
Wed Feb 10 14:01:18 UTC 2016
Hey guys,
Just a quick follow-up on my talk last night.
SCAP is the Security Content Automation Protocol:
http://scap.nist.gov/
Various bodies make XML files that describe tests; they publish XCCDF files
that have all of the "things to test".
Big Database of checks here: https://web.nvd.nist.gov/view/ncp/repository
Red Hat supports this and ships with all the required open source software
(RHEL 6 and 7):
- openscap
- openscap-utils
- openscap-scanner
- scap-security-guide
*For RHEL6:*
The files for STIG for RHEL6:
http://iasecontent.disa.mil/stigs/zip/Oct2015/U_RedHat_6_V1R9_STIG_SCAP_1-1_Benchmark.zip
Unzip that stuff and run:

    /usr/bin/oscap xccdf eval \
        --results /var/www/html/STIG-rhsa-results-oval-before.xml \
        --report /var/www/html/STIG-rhsa-oval-report-before.html \
        /root/STIG/U_RedHat_6_V1R9_STIG_SCAP_1-1_Benchmark-xccdf.xml

*For RHEL7*
It's even easier:
Install all the same packages.
Then:

    /usr/bin/oscap xccdf eval \
        --results /var/www/html/ssg-rhel7-results-before.xml \
        --report /var/www/html/ssg-rhel7-report-before.html \
        --profile xccdf_org.ssgproject.content_profile_rht-ccp \
        /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml

Here is the Red Hat 7 documentation:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sect-Using_oscap.html
I've attached a sample RHEL7 report (the RHEL 6 one is not as sexeh).
If you have any questions, let me know.
David
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://gtalug.org/pipermail/talk/attachments/20160210/2a9088df/attachment.html>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://gtalug.org/pipermail/talk/attachments/20160210/2a9088df/attachment-0001.html>
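
Added example, not part of David's message and not code from the OpenSCAP project: a small Python script that summarizes the XCCDF file written by the --results option in the commands above, counting rule results and listing failed rules by severity. It matches elements by local name so it reads both XCCDF 1.1 and 1.2 results; the sample document and its rule ids are constructed for illustration.

```python
# Added example: summarize an XCCDF results file from `oscap xccdf eval --results`.
import sys
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample in the shape of an XCCDF 1.2 results document; the rule
# ids are made up for illustration and are not real SSG or STIG rules.
SAMPLE = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2">
  <TestResult id="xccdf_org.example_testresult_demo">
    <rule-result idref="xccdf_org.example_rule_a" severity="high"><result>fail</result></rule-result>
    <rule-result idref="xccdf_org.example_rule_b" severity="low"><result>pass</result></rule-result>
    <rule-result idref="xccdf_org.example_rule_c" severity="medium"><result>fail</result></rule-result>
    <rule-result idref="xccdf_org.example_rule_d" severity="medium"><result>notselected</result></rule-result>
  </TestResult>
</Benchmark>"""

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


def local(tag):
    """Strip the XML namespace so XCCDF 1.1 and 1.2 documents both match."""
    return tag.rsplit("}", 1)[-1]


def summarize(root):
    """Return (Counter of result values, failed rules sorted by severity)."""
    counts, failed = Counter(), []
    for rr in root.iter():
        if local(rr.tag) != "rule-result":
            continue
        result = next((c.text or "" for c in rr if local(c.tag) == "result"), "unknown").strip()
        counts[result] += 1
        if result == "fail":
            failed.append((rr.get("severity", "unknown"), rr.get("idref", "?")))
    failed.sort(key=lambda f: (SEVERITY_ORDER.get(f[0], 3), f[1]))
    return counts, failed


def main(argv):
    # With a path argument, read that results file; otherwise use SAMPLE.
    root = ET.parse(argv[1]).getroot() if len(argv) > 1 else ET.fromstring(SAMPLE)
    counts, failed = summarize(root)
    print(", ".join(f"{k}={v}" for k, v in sorted(counts.items())))
    for severity, rule in failed:
        print(f"FAIL [{severity}] {rule}")
    return 2 if failed else 0  # non-zero exit when any rule failed


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Pass the results path as the only argument, for example /var/www/html/ssg-rhel7-results-before.xml; the non-zero exit on any failed rule makes it usable as a gate in a cron job or build step.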