Viewing the profile files

On either of the CentOS machines, you'll see the profile files in the /usr/share/xml/scap/ssg/content/ directory.

Curiously, on the Ubuntu machine, you'll see some outdated Fedora and RHEL profiles in the /usr/share/openscap/ directory. (Why they're there, I have no clue.) In the /usr/share/scap-security-guide directory, you'll see application profiles for Firefox, the Java Runtime Environment, and Webmin. You'll also see profiles for the Ubuntu operating system, but they're for Ubuntu 16.04. (Really, is it that hard to include up-to-date profiles for Ubuntu 18.04?)

The profile files are in .xml format, and each one contains one or more profiles that you can apply to the system. For example, here are some from the CentOS 7 machine:

[donnie@localhost content]$ pwd
/usr/share/xml/scap/ssg/content
[donnie@localhost content]$ ls -l
total 50596
-rw-r--r--. 1 root root 6734643 Oct 19 19:40 ssg-centos6-ds.xml
-rw-r--r--. 1 root root 1596043 Oct 19 19:40 ssg-centos6-xccdf.xml
-rw-r--r--. 1 root root 11839886 Oct 19 19:41 ssg-centos7-ds.xml
-rw-r--r--. 1 root root 2636971 Oct 19 19:40 ssg-centos7-xccdf.xml
-rw-r--r--. 1 root root 642 Oct 19 19:40 ssg-firefox-cpe-dictionary.xml
. . .
-rw-r--r--. 1 root root 11961196 Oct 19 19:41 ssg-rhel7-ds.xml
-rw-r--r--. 1 root root 851069 Oct 19 19:40 ssg-rhel7-ocil.xml
-rw-r--r--. 1 root root 2096046 Oct 19 19:40 ssg-rhel7-oval.xml
-rw-r--r--. 1 root root 2863621 Oct 19 19:40 ssg-rhel7-xccdf.xml
[donnie@localhost content]$

CentOS 8 doesn't have any centos8 profiles, but it does come with rhel8 profiles, which don't work on CentOS. (Or, at least, that's the way it was in January 2020, with both CentOS 8.0 and CentOS 8.1.) We can see the rhel8 profiles here:

[donnie@localhost content]$ ls -l
total 5490
. . .
. . .
-rw-r--r--. 1 root root 1698 May 14 01:05 ssg-rhel8-cpe-dictionary.xml
-rw-r--r--. 1 root root 59226 May 14 01:05 ssg-rhel8-cpe-oval.xml
-rw-r--r--. 1 root root 6969395 May 14 01:05 ssg-rhel8-ds.xml
-rw-r--r--. 1 root root 1139859 May 14 01:05 ssg-rhel8-ocil.xml
-rw-r--r--. 1 root root 1941100 May 14 01:05 ssg-rhel8-oval.xml
-rw-r--r--. 1 root root 3719713 May 14 01:05 ssg-rhel8-xccdf.xml
[donnie@localhost content]$

The command-line utility for working with OpenSCAP is oscap. On our CentOS 7 machine, let's use this with the info switch to view information about any of the profile files. Let's look at the ssg-centos7-xccdf.xml file:

[donnie@localhost content]$ sudo oscap info ssg-centos7-xccdf.xml
. . .
Profiles:
standard
pci-dss
C2S
rht-ccp
common
stig-rhel7-disa
stig-rhevh-upstream
ospp-rhel7
cjis-rhel7-server
docker-host
nist-800-171-cui
. . .

Here, we can see that this file contains 11 different profiles that we can apply to the system. Among them, you can see profiles for stig and pci-dss, just as we had for the auditing rules. And, if you're running Docker containers, the docker-host profile would be extremely handy.
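To see where that profile list comes from, here is a short Python sketch that pulls the Profile elements out of an XCCDF document. It is an added example, not code from the book or from the OpenSCAP project. The embedded XML is a constructed sample rather than a real SSG file, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not a real SSG file: a minimal XCCDF 1.1 benchmark
# carrying two of the profile ids shown in the oscap output above.
SAMPLE_XCCDF = """<?xml version="1.0"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="sample">
  <Profile id="pci-dss"><title>Constructed PCI-DSS title</title>
    <select idref="rule_a" selected="true"/>
    <select idref="rule_b" selected="true"/>
    <select idref="rule_c" selected="false"/>
  </Profile>
  <Profile id="docker-host"><title>Constructed Docker host title</title>
    <select idref="rule_a" selected="true"/>
  </Profile>
</Benchmark>"""


def local(tag):
    """Strip the '{namespace}' prefix so XCCDF 1.1 and 1.2 both match."""
    return tag.rsplit("}", 1)[-1]


def list_profiles(xml_text):
    """Return [(profile_id, title, explicitly_selected_rules), ...] in file order.

    root.iter() walks the whole tree, so Profile elements nested inside a
    data stream (-ds.xml) wrapper are found as well as top-level ones.
    """
    root = ET.fromstring(xml_text)
    profiles = []
    for elem in root.iter():
        if local(elem.tag) != "Profile":
            continue
        title = next((c.text or "" for c in elem if local(c.tag) == "title"), "")
        # Count only <select selected="true"> children; rules inherited from
        # an extended profile or enabled by default are not counted here.
        enabled = sum(1 for c in elem
                      if local(c.tag) == "select" and c.get("selected") == "true")
        profiles.append((elem.get("id"), title.strip(), enabled))
    return profiles


if __name__ == "__main__":
    for pid, title, count in list_profiles(SAMPLE_XCCDF):
        print(f"{pid:12} {count:3} rules selected  {title}")
```

To run it against a real content file, read the file's text and pass it to list_profiles() in place of the sample.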
