In this section, we'll work with our CentOS 7 VM.
Now, let's say that we need to ensure that our systems are compliant with Payment Card Industry standards. First, we'll scan the CentOS machine to see what needs remediation:
sudo oscap xccdf eval --profile pci-dss --results scan-xccdf-results.xml /usr/share/xml/scap/ssg/content/ssg-centos7-xccdf.xml
As we always like to do, let's break this down:
- xccdf eval: XCCDF, the Extensible Configuration Checklist Description Format, is one of the languages in which security profile rules can be written. We're going to use a profile written in this language to evaluate the system.
- --profile pci-dss: Here, I specified that I want to use the Payment Card Industry Data Security Standard (PCI DSS) profile to evaluate the system.
- --results scan-xccdf-results.xml: I'm going to save the scan results to this .xml file. When the scan has finished, I'll create a report from this file.
- /usr/share/xml/scap/ssg/content/ssg-centos7-xccdf.xml: This is the file that contains the pci-dss profile.
As the scan progresses, the output will be sent to the screen, as well as to the designated output file. It's a long list of items, so I'll only show you a few of them. Here are a few items that look okay:
Title   Ensure Red Hat GPG Key Installed
Rule    ensure_redhat_gpgkey_installed
Result  pass

Title   Ensure gpgcheck Enabled In Main Yum Configuration
Rule    ensure_gpgcheck_globally_activated
Result  pass

Title   Ensure gpgcheck Enabled For All Yum Package Repositories
Rule    ensure_gpgcheck_never_disabled
Result  pass

Title   Ensure Software Patches Installed
Rule    security_patches_up_to_date
Result  notchecked
Here are a couple of items that need to be fixed:
Title   Install AIDE
Rule    package_aide_installed
Result  fail

Title   Build and Test AIDE Database
Rule    aide_build_database
Result  fail

So, the Red Hat GPG key is installed and gpgcheck is enabled for our package repositories, which is good. However, it's a bad thing that we don't have the AIDE intrusion detection system installed.
Now that I've run the scan and created an output file with the results, I can build my report:
sudo oscap xccdf generate report scan-xccdf-results.xml > scan-xccdf-results.html
This takes the results from the .xml file, which isn't meant to be read by humans, and renders them as a .html report that you can open in your web browser. (For the record, the report says that there are 20 problems that need to be fixed.)
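As an added example that is not part of the book, here is a short Python script that reads a results file such as scan-xccdf-results.xml and lists the failed rules directly, without waiting for the HTML report. It assumes the XCCDF 1.2 element layout that oscap writes (Rule/title entries plus a TestResult of rule-result elements) and the xccdf_org.ssgproject.content_rule_ id prefix used by the SCAP Security Guide content; the embedded sample XML is constructed from the items shown above.

```python
# Added example (not from the book): summarise an XCCDF results file such as
# scan-xccdf-results.xml by counting results and listing the failed rules.
# Assumes the XCCDF 1.2 layout written by oscap: <Rule id><title> entries in
# the Benchmark plus a <TestResult> containing <rule-result idref><result>.
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}
RULE_PREFIX = "xccdf_org.ssgproject.content_rule_"  # SSG rule id prefix (assumed)

def summarize_results(xml_text):
    """Return (counts, failed): counts maps each result value to the number of
    rules with that result; failed lists (short_rule_id, title) for failures."""
    root = ET.fromstring(xml_text)
    # Map full rule id -> human-readable title from the Benchmark part of the file.
    titles = {r.get("id"): r.findtext("x:title", default="", namespaces=NS)
              for r in root.iter("{%s}Rule" % NS["x"])}
    counts = Counter()
    failed = []
    for rr in root.iter("{%s}rule-result" % NS["x"]):
        rule_id = rr.get("idref")
        result = rr.findtext("x:result", default="unknown", namespaces=NS)
        counts[result] += 1
        if result == "fail":
            failed.append((rule_id.replace(RULE_PREFIX, ""), titles.get(rule_id, "")))
    return counts, failed

# Constructed sample, modelled on the scan output items shown above.
SAMPLE_XML = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="constructed_benchmark">
  <Group id="constructed_group">
    <Rule id="xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed"><title>Ensure Red Hat GPG Key Installed</title></Rule>
    <Rule id="xccdf_org.ssgproject.content_rule_package_aide_installed"><title>Install AIDE</title></Rule>
    <Rule id="xccdf_org.ssgproject.content_rule_aide_build_database"><title>Build and Test AIDE Database</title></Rule>
    <Rule id="xccdf_org.ssgproject.content_rule_security_patches_up_to_date"><title>Ensure Software Patches Installed</title></Rule>
  </Group>
  <TestResult id="constructed_testresult">
    <rule-result idref="xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed"><result>pass</result></rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_package_aide_installed"><result>fail</result></rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_aide_build_database"><result>fail</result></rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_security_patches_up_to_date"><result>notchecked</result></rule-result>
  </TestResult>
</Benchmark>"""

if __name__ == "__main__":
    import sys
    # Pass a real results file as the first argument, or run on the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_XML
    counts, failed = summarize_results(text)
    print("results:", dict(counts))
    for rule, title in failed:
        print("FAIL  %-40s %s" % (rule, title))
```

Note that "notchecked" rules (like the software patches item above) are neither passes nor failures, so count them separately before treating a scan as clean.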