CentOS 7
Sponsored Link

OpenSCAP : Install2019/12/18

Install OpenSCAP which is the security audit and vulnerability scanning tool based on SCAP (Security Content Automation Protocol).
For details about SCAP, refer to the site below.
⇒ https://csrc.nist.gov/projects/security-content-automation-protocol
OVAL  (Open Vulnerability and Assessment Language)

XCCDF (Extensible Configuration Checklist Description Format)

OCIL  (Open Checklist Interactive Language)

CPE   (Common Platform Enumeration)

CCE   (Common Configuration Enumeration)

CVE   (Common Vulnerabilities and Exposures)

CVSS  (Common Vulnerability Scoring System)

[1] Install OpenSCAP command line tool and SCAP Security Guide for Linux.
[root@dlp ~]#
yum -y install openscap-scanner scap-security-guide
[2] SCAP Security Guide is installed under the [/usr/share/xml/scap/ssg/content] directory.
[root@dlp ~]#
ll /usr/share/xml/scap/ssg/content/

total 115576
-rw-r--r--. 1 root root 15538695 Aug 23 23:22 ssg-centos6-ds.xml
-rw-r--r--. 1 root root  5086947 Aug 23 23:22 ssg-centos6-xccdf.xml
-rw-r--r--. 1 root root 25972220 Aug 23 23:22 ssg-centos7-ds.xml
-rw-r--r--. 1 root root  8156658 Aug 23 23:22 ssg-centos7-xccdf.xml
-rw-r--r--. 1 root root      546 Aug 23 23:21 ssg-firefox-cpe-dictionary.xml

# display description for each content

[root@dlp ~]#
oscap info /usr/share/xml/scap/ssg/content/ssg-centos7-xccdf.xml

Document type: XCCDF Checklist
Checklist version: 1.1
Imported: 2019-08-23T23:22:14
Status: draft
Generated: 2019-08-23
Resolved: true
        Title: PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 7
                Id: pci-dss
        Title: Standard System Security Profile for Red Hat Enterprise Linux 7
                Id: standard
Referenced check files:
                system: http://oval.mitre.org/XMLSchema/oval-definitions-5
                system: http://scap.nist.gov/schema/ocil/2
                system: http://oval.mitre.org/XMLSchema/oval-definitions-5
[3] Scan System with [oscap] command. Usage is like follows.
⇒ $ oscap [options] module eval [module_operation_options_and_arguments]
# for example, scan System with [standard] profile in [xccdf] module and output result to [ssg-centos7-xccdf.html]

[root@dlp ~]#
oscap xccdf eval --profile standard --report ssg-centos7-xccdf.html /usr/share/xml/scap/ssg/content/ssg-centos7-xccdf.xml


Title   Ensure All SUID Executables Are Authorized
Rule    file_permissions_unauthorized_suid
Result  pass

Title   Verify that All World-Writable Directories Have Sticky Bits Set
Rule    dir_perms_world_writable_sticky_bits
Result  pass

Title   Disable the Automounter
Rule    service_autofs_disabled
Result  notapplicable
Matched Content