openSUSE Leap 16

OpenSCAP : Install

2025/12/10

 

Install OpenSCAP, a security audit and vulnerability scanning tool based on SCAP (Security Content Automation Protocol).

For details about SCAP, refer to the site below.
⇒ https://csrc.nist.gov/projects/security-content-automation-protocol

OVAL  (Open Vulnerability and Assessment Language)

XCCDF (Extensible Configuration Checklist Description Format)

OCIL  (Open Checklist Interactive Language)

CPE   (Common Platform Enumeration)

CCE   (Common Configuration Enumeration)

CVE   (Common Vulnerabilities and Exposures)

CVSS  (Common Vulnerability Scoring System)

[1] Install the OpenSCAP command line tool and SCAP Security Guide for Linux.
dlp:~ #
zypper -n install openscap openscap-utils openscap-content openscap-report
[2] SCAP Security Guide is installed under the [/usr/share/openscap] directory.
dlp:~ #
ll /usr/share/openscap

total 68
drwxr-xr-x. 1 root root    96 Dec 10 10:37 cpe
lrwxrwxrwx. 1 root root    22 Jan  9  2025 scap-oval.xml -> scap-yast2sec-oval.xml
lrwxrwxrwx. 1 root root    23 Jan  9  2025 scap-xccdf.xml -> scap-yast2sec-xccdf.xml
-rw-r--r--. 1 root root 39063 Jan  9  2025 scap-yast2sec-oval.xml
-rw-r--r--. 1 root root 17766 Jan  9  2025 scap-yast2sec-xccdf.xml
drwxr-xr-x. 1 root root    62 Dec 10 10:37 schemas
drwxr-xr-x. 1 root root   648 Dec 10 10:37 xsl

# display information about a content file

dlp:~ #
oscap info /usr/share/openscap/scap-yast2sec-xccdf.xml

Document type: XCCDF Checklist
Checklist version: 1.1
Imported: 2025-01-09T01:49:37
Status: draft
Generated: 2012-07-24
Resolved: false
Profiles:
        Title: Default vanilla kernel hardening
                Id: Default
Referenced check files:
        scap-yast2sec-oval.xml
                system: http://oval.mitre.org/XMLSchema/oval-definitions-5
[3] Scan the system with the [oscap] command.
The scan result is generated as an HTML report. Verify it and apply the recommended settings as much as possible.
# xccdf : specify [xccdf] module
# ⇒ available modules : info, xccdf, oval, ds, cpe, cvss, cve, cvrf
# [--profile] : specify profile
# ⇒ available profiles are listed in the output of the [oscap info] command above
# [--results] : output file
# [--report] : output HTML report
dlp:~ #
oscap xccdf eval \
--profile Default \
--report xccdf-leap-16.html \
/usr/share/openscap/scap-yast2sec-xccdf.xml


--- Starting Evaluation ---

Title   sysctl net.ipv4.ip_forward must be 0
Rule    rule-sysctl-ipv4-forward
Result  pass

Title   sysctl net.ipv4.tcp_syncookies must be 1
Rule    rule-sysctl-ipv4-tcpsyncookies
Result  pass

Title   sysctl net.ipv6.conf.all.forwarding must be 0
Rule    rule-sysctl-ipv6-all-forward
Result  pass

Title   sysctl net.ipv6.conf.default.forwarding must be 0
Rule    rule-sysctl-ipv6-default-forward
Result  pass

Title   kernel config CONFIG_SYN_COOKIES must be y
Rule    rule-kernel-syncookies
Result  fail

Title   file /etc/login.defs must have a line that matches ^PASS_MAX_DAYS.*99999
Rule    rule-pwd-maxdays
Result  fail
.....
.....
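
To triage the result without opening the HTML report, the text that [oscap xccdf eval] prints can be filtered for the rules that did not pass. The script below is an added example, not part of the original page; the function names are hypothetical and the sample input is the six results shown above.

```shell
# Added example: triage the text printed by [oscap xccdf eval].
# Function names are hypothetical; sample input is the six results shown above.
sample_output() {
cat <<'EOF'
--- Starting Evaluation ---

Title   sysctl net.ipv4.ip_forward must be 0
Rule    rule-sysctl-ipv4-forward
Result  pass

Title   sysctl net.ipv4.tcp_syncookies must be 1
Rule    rule-sysctl-ipv4-tcpsyncookies
Result  pass

Title   sysctl net.ipv6.conf.all.forwarding must be 0
Rule    rule-sysctl-ipv6-all-forward
Result  pass

Title   sysctl net.ipv6.conf.default.forwarding must be 0
Rule    rule-sysctl-ipv6-default-forward
Result  pass

Title   kernel config CONFIG_SYN_COOKIES must be y
Rule    rule-kernel-syncookies
Result  fail

Title   file /etc/login.defs must have a line that matches ^PASS_MAX_DAYS.*99999
Rule    rule-pwd-maxdays
Result  fail
EOF
}

# Print "<result> <count>" for each result value, sorted by name.
count_results() {
    awk '$1 == "Result" { n[$2]++ } END { for (r in n) print r, n[r] }' | sort
}

# Print "<rule id><TAB><title>" for each rule that ended in fail, error or unknown.
failed_rules() {
    awk '
        $1 == "Title"  { sub(/^Title[ \t]+/, ""); title = $0; next }
        $1 == "Rule"   { rule = $2; next }
        $1 == "Result" && $2 ~ /^(fail|error|unknown)$/ { printf "%s\t%s\n", rule, title }
    '
}

# On a live system, replace sample_output with the [oscap xccdf eval ...] command from step [3].
sample_output | count_results
sample_output | failed_rules
```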