Scanning the system

In this section, we'll work with our CentOS 7 VM. 

This procedure works the same for CentOS 8. As we'll see later, Ubuntu 18.04 has a completely different set of profiles, but other than that, the procedure will still be the same.

Now, let's say that we need to ensure that our systems are compliant with Payment Card Industry standards. First, we'll scan the CentOS machine to see what needs remediation (note that the following command is very long and wraps around on the printed page):

    sudo oscap xccdf eval --profile pci-dss --results scan-xccdf-results.xml /usr/share/xml/scap/ssg/content/ssg-centos7-xccdf.xml

As we always like to do, let's break this down:

  • xccdf eval: The Extensible Configuration Checklist Description Format is one of the languages that we can write security profile rules with. We're going to use a profile that was written in this language to perform an evaluation of the system.
  • --profile pci-dss: Here, I specified that I want to use the Payment Card Industry-Data Security Standard profile to evaluate the system.
  • --results scan-xccdf-results.xml: I'm going to save the scan results to this .xml format file. When the scan has finished, I'll create a report from this file.
  • /usr/share/xml/scap/ssg/content/ssg-centos7-xccdf.xml: This is the file that contains the pci-dss profile.

As the scan progresses, the output will be sent to the screen, as well as to the designated output file. It's a long list of items, so I'll only show you a few of them. Here are a few items that look okay:

    Ensure Red Hat GPG Key Installed
    ensure_redhat_gpgkey_installed
    pass

    Ensure gpgcheck Enabled In Main Yum Configuration
    ensure_gpgcheck_globally_activated
    pass

    Ensure gpgcheck Enabled For All Yum Package Repositories
    ensure_gpgcheck_never_disabled
    pass

    Ensure Software Patches Installed
    security_patches_up_to_date
    notchecked

Here are a couple of items that need to be fixed:

    Install AIDE
    package_aide_installed
    fail

    Build and Test AIDE Database
    aide_build_database
    fail

So, the Red Hat GPG key is installed and GPG signature checking is enabled for yum packages, which is good. However, it's a bad thing that we don't have the AIDE intrusion detection system installed, and that no AIDE database has been built.

Now that I've run the scan and created an output file with the results, I can build my report:

    sudo oscap xccdf generate report scan-xccdf-results.xml > scan-xccdf-results.html

This extracts information from the .xml format file that isn't meant to be read by humans and transfers it to a .html file that you can open in your web browser. (For the record, the report says that there are 20 problems that need to be fixed.)
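The HTML report is the convenient way to read the results, but the .xml results file is also easy to process directly, which is handy when you scan many machines and want a quick count of failures per host. The following script is an added example, not code from the book or from the OpenSCAP project. It assumes the XCCDF result layout that SCAP Security Guide content produces: a TestResult element containing one rule-result element per rule, whose idref attribute names the rule (in the form xccdf_org.ssgproject.content_rule_<name>) and whose result child holds pass, fail, notchecked and so on. The embedded sample is a constructed results file that mirrors the six rules shown in the scan output above; pass the path of a real scan-xccdf-results.xml as the first argument to summarize that instead.

```python
"""Summarize an XCCDF results file such as the one oscap writes with --results.

Added example, not from the book or from OpenSCAP. Assumes the XCCDF result
layout used by SCAP Security Guide content: <TestResult> holding <rule-result>
elements whose idref names the rule and whose <result> child gives the outcome.
The parser ignores namespaces so XCCDF 1.1 and 1.2 results both work.
"""
import sys
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample results file mirroring the rule names shown in the scan
# output above; it is not a real oscap results file.
SAMPLE_RESULTS = """<?xml version="1.0" encoding="UTF-8"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.ssgproject.content_benchmark_CENTOS-7">
  <TestResult id="xccdf_org.open-scap_testresult_xccdf_org.ssgproject.content_profile_pci-dss">
    <profile idref="xccdf_org.ssgproject.content_profile_pci-dss"/>
    <rule-result idref="xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed"><result>pass</result></rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated"><result>pass</result></rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_ensure_gpgcheck_never_disabled"><result>pass</result></rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_security_patches_up_to_date"><result>notchecked</result></rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_package_aide_installed"><result>fail</result></rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_aide_build_database"><result>fail</result></rule-result>
  </TestResult>
</Benchmark>
"""


def _local(tag):
    """Strip the XML namespace prefix ({uri}name -> name)."""
    return tag.rsplit('}', 1)[-1]


def parse_results(xml_text):
    """Return {short_rule_name: result} for every rule-result in the file."""
    root = ET.fromstring(xml_text)
    outcomes = {}
    for elem in root.iter():
        if _local(elem.tag) != 'rule-result':
            continue
        idref = elem.get('idref', '')
        # Keep only the part after _rule_, which is the short name oscap
        # prints on screen during the scan.
        name = idref.split('_rule_', 1)[-1]
        result = next(
            (c.text.strip() for c in elem if _local(c.tag) == 'result' and c.text),
            'unknown',
        )
        outcomes[name] = result
    return outcomes


def summarize(outcomes):
    """Count rules per outcome, e.g. {'pass': 3, 'notchecked': 1, 'fail': 2}."""
    return dict(Counter(outcomes.values()))


def failed_rules(outcomes):
    """Short names of the rules that need remediation, in file order."""
    return [name for name, result in outcomes.items() if result == 'fail']


def parse_file(path):
    """Parse a results file on disk, e.g. scan-xccdf-results.xml."""
    with open(path, encoding='utf-8') as fh:
        return parse_results(fh.read())


if __name__ == '__main__':
    outcomes = parse_file(sys.argv[1]) if len(sys.argv) > 1 else parse_results(SAMPLE_RESULTS)
    print('Summary:', summarize(outcomes))
    for rule in failed_rules(outcomes):
        print('FAIL', rule)
```

Run it with no arguments to see the constructed sample summarized; on a real results file the FAIL lines give you the same remediation list as the HTML report, ready to feed into a ticket or a configuration-management run.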
