Remediating the system

So, we have 20 problems that we need to fix before our system can be considered compliant with Payment Card Industry standards. Let's see how many of them oscap can fix for us:

sudo oscap xccdf eval --remediate --profile pci-dss --results scan-xccdf-remediate-results.xml /usr/share/xml/scap/ssg/content/ssg-centos7-xccdf.xml

This is the same command that I used to perform the initial scan, except that I added the --remediate option, and I'm saving the results to a different file. You'll want to have a bit of patience when you run this command because fixing some problems involves downloading and installing software packages. In fact, even as I type this, oscap is busy downloading and installing the missing AIDE intrusion detection system package.

Okay, the remediation is still running, but I can still show you some of the things that were fixed:

    Disable Prelinking
    disable_prelink
    error
    Install AIDE
    package_aide_installed
    fixed
    Build and Test AIDE Database
    aide_build_database
    fixed
    Configure Periodic Execution of AIDE
    aide_periodic_cron_checking
    fixed
    Verify and Correct File Permissions with RPM
    rpm_verify_permissions
    error

There are a couple of errors because of things that oscap couldn't fix, but that's normal. At least you know about them so that you can try to fix them yourself.

Check this out. Do you remember how in Chapter 2Securing User Accounts, I made you jump through hoops to ensure that users had strong passwords that expire on a regular basis? Well, by applying this OpenSCAP profile, you get all that fixed for you automatically. Here's the first set of items that were fixed:

    Set Password Maximum Age
    accounts_maximum_age_login_defs
    fixed

    Set Account Expiration Following Inactivity
    account_disable_post_pw_expiration
    fixed

    Set Password Strength Minimum Digit Characters
    accounts_password_pam_dcredit
    fixed

    Set Password Minimum Length
    accounts_password_pam_minlen
    fixed

Here's the second set of items that were fixed:


    Set Password Strength Minimum Uppercase Characters
    accounts_password_pam_ucredit
    fixed

    Set Password Strength Minimum Lowercase Characters
    accounts_password_pam_lcredit
    fixed

    Set Deny For Failed Password Attempts
    accounts_passwords_pam_faillock_deny
    fixed

    Set Lockout Time For Failed Password Attempts
    accounts_passwords_pam_faillock_unlock_time
    fixed

So, yeah, OpenSCAP is pretty cool, and even the command-line tools aren't hard to use. However, if you have to use a GUI, we have a tool for that, which we'll look at next.

..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.
Reset
3.144.41.229