Scanning the system

Now, let's say that we need to ensure that our systems are compliant with Payment Card Industry standards. We'll first scan the CentOS machine to see what needs remediation. (Note that the following command is very long and wraps around on the printed page.)

sudo oscap xccdf eval --profile pci-dss --results scan-xccdf-results.xml /usr/share/xml/scap/ssg/content/ssg-centos7-xccdf.xml

As we always like to do, let's break this down:

  • xccdf eval: The Extensible Configuration Checklist Description Format (XCCDF) is one of the languages in which security profile rules can be written. We're going to use a profile written in this language to perform an evaluation of the system.
  • --profile pci-dss: Here, I specified that I want to use the Payment Card Industry Data Security Standard profile to evaluate the system.
  • --results scan-xccdf-results.xml: I'm going to save the scan results to this .xml format file. When the scan has finished, I'll create a report from this file.
  • /usr/share/xml/scap/ssg/content/ssg-centos7-xccdf.xml: This is the file that contains the pci-dss profile.

As the scan progresses, the output will get sent to the screen as well as to the designated output file. It's a long list of items, so I'll only show you a few of them:

Ensure Red Hat GPG Key Installed
ensure_redhat_gpgkey_installed
pass

Ensure gpgcheck Enabled In Main Yum Configuration
ensure_gpgcheck_globally_activated
pass

Ensure gpgcheck Enabled For All Yum Package Repositories
ensure_gpgcheck_never_disabled
pass

Ensure Software Patches Installed
security_patches_up_to_date
notchecked

. . .
. . .

Install AIDE
package_aide_installed
fail

Build and Test AIDE Database
aide_build_database
fail

. . .
. . .

So, we have the Red Hat GPG key installed and gpgcheck enabled, so package signatures are being verified, which is good. But, it's a bad thing that we don't have the AIDE file-integrity (host-based intrusion detection) system installed.

Now that I've run the scan and created an output file with the results, I can build my report:

sudo oscap xccdf generate report scan-xccdf-results.xml > scan-xccdf-results.html

This extracts the information from the .xml format file, which isn't meant for humans to read, and transfers it to a .html file that you can open in your web browser. (For the record, the report says that there are a total of 20 problems that need to be fixed.)
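The results file is plain XML, so you don't have to wait for the HTML report to find out which rules failed. The following Python is an added example, not code from the book or from the OpenSCAP project: it parses a constructed XCCDF 1.2 document shaped like an oscap --results file (the Benchmark's Rule definitions with the TestResult appended), counts each result type, and lists the failed rules by title and severity. The rule IDs, severities and the document layout are assumptions for the sample; point it at your own scan-xccdf-results.xml to use it for real.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}  # XCCDF 1.2 namespace

# Constructed sample in the shape of an oscap --results file: Rule definitions
# followed by the TestResult. Rule IDs and severities are assumed, not real scan data.
SAMPLE_RESULTS = """<?xml version="1.0"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="example_benchmark">
  <Rule id="xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed" severity="high">
    <title>Ensure Red Hat GPG Key Installed</title></Rule>
  <Rule id="xccdf_org.ssgproject.content_rule_security_patches_up_to_date" severity="high">
    <title>Ensure Software Patches Installed</title></Rule>
  <Rule id="xccdf_org.ssgproject.content_rule_package_aide_installed" severity="medium">
    <title>Install AIDE</title></Rule>
  <Rule id="xccdf_org.ssgproject.content_rule_aide_build_database" severity="medium">
    <title>Build and Test AIDE Database</title></Rule>
  <TestResult id="example_testresult">
    <rule-result idref="xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed"><result>pass</result></rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_security_patches_up_to_date"><result>notchecked</result></rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_package_aide_installed"><result>fail</result></rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_aide_build_database"><result>fail</result></rule-result>
  </TestResult>
</Benchmark>
"""

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}  # for sorting the failure list


def summarize(xml_text):
    """Return (Counter of result values, list of (severity, title) for failed rules)."""
    root = ET.fromstring(xml_text)
    # Map rule id -> (title, severity) so failures can be reported by name.
    rules = {r.get("id"): (r.findtext("x:title", "", NS), r.get("severity", "unknown"))
             for r in root.iterfind(".//x:Rule", NS)}
    counts, failures = Counter(), []
    for rr in root.iterfind(".//x:TestResult/x:rule-result", NS):
        result = rr.findtext("x:result", "unknown", NS)
        counts[result] += 1  # "notchecked" is tallied on its own: it is not a pass
        if result == "fail":
            rid = rr.get("idref")
            title, sev = rules.get(rid, (rid, "unknown"))
            failures.append((sev, title or rid))
    return counts, failures


if __name__ == "__main__":
    counts, failures = summarize(SAMPLE_RESULTS)  # or open("scan-xccdf-results.xml").read()
    print("results:", dict(counts))
    for sev, title in sorted(failures, key=lambda f: SEVERITY_ORDER.get(f[0], 3)):
        print(f"FAIL [{sev}] {title}")
```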
