Applying OpenSCAP policies with oscap

The Security Content Automation Protocol (SCAP) was created by the US National Institute of Standards and Technology (NIST). It consists of hardening guides, hardening templates, and baseline configuration guides for setting up secure systems. OpenSCAP is a set of FOSS tools that can be used to implement SCAP. It consists of the following:

  • Security profiles that you can apply to a system. There are different profiles for meeting the requirements of several different certifying agencies.
  • Security guides to help with the initial setup of your system.
  • The oscap command-line utility to apply security templates.
  • On systems that have a desktop interface, you have SCAP Workbench, a GUI-type utility.

You can install OpenSCAP on either the Red Hat or the Ubuntu distros, but it's much better implemented on the Red Hat distro. For one thing, when you install a Red Hat-type operating system, you can choose to apply a SCAP profile during installation. You can't do that with Ubuntu. RHEL 7, RHEL 8, and CentOS 7 come with a fairly complete set of ready-to-use profiles. CentOS 8 comes with profiles for CentOS 7, but not for CentOS 8. Ubuntu 18.04 comes with outdated profiles for Ubuntu 16.04, and none for Ubuntu 18.04. That's okay, though. I'll show you how to get the appropriate profiles for both CentOS 8 and Ubuntu 18.04. 

When doing initial system builds, it's desirable to follow a security checklist that's appropriate for your scenario. Then, use OpenSCAP to monitor for changes. I'll tell you more about security checklists at the end of Chapter 14, Security Tips and Tricks for the Busy Bee.

All right: let's learn how to install OpenSCAP and how to use the command-line utility that's common to both of our distros.

..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.
Reset
18.117.183.150