Hey guys,

Just a quick follow up on my talk last night.

SCAP is the Security Content Automation Protocol:

http://scap.nist.gov/

Various bodies publish XML files that describe tests; the XCCDF files are the ones that hold all of the "things to test".

Big Database of checks here: https://web.nvd.nist.gov/view/ncp/repository

Red Hat supports this and ships all the required open source software (RHEL 6 and 7):

  • openscap
  • openscap-utils
  • openscap-scanner
  • scap-security-guide


  • For RHEL6:

    The STIG files for RHEL6:

    http://iasecontent.disa.mil/stigs/zip/Oct2015/U_RedHat_6_V1R9_STIG_SCAP_1-1_Benchmark.zip

    Unzip that and run:

    /usr/bin/oscap xccdf eval --results /var/www/html/STIG-rhsa-results-oval-before.xml --report /var/www/html/STIG-rhsa-oval-report-before.html /root/STIG/U_RedHat_6_V1R9_STIG_SCAP_1-1_Benchmark-xccdf.xml

    For RHEL7 it's even easier: install the same packages (the content below comes from scap-security-guide), then run:

    /usr/bin/oscap xccdf eval --results /var/www/html/ssg-rhel7-results-before.xml --report /var/www/html/ssg-rhel7-report-before.html --profile xccdf_org.ssgproject.content_profile_rht-ccp /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml

    (`oscap info /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml` lists the other profiles in that datastream if rht-ccp isn't the one you want.)

    Here is the Red Hat 7 documentation:

    https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sect-Using_oscap.html
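    Both commands above write an XCCDF results file via `--results`; the "-before" in the file names suggests comparing runs, so here is an added example (my own, not part of the oscap/SSG tooling) that parses such a file, lists failed rules by severity, and diffs a before/after pair. The rule ids and outcomes in the embedded sample are constructed, not from a real scan.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# The RHEL6 STIG benchmark is XCCDF 1.1, the RHEL7 SSG datastream is XCCDF 1.2;
# oscap writes rule-result elements in whichever namespace the source used.
XCCDF_NS = ("http://checklists.nist.gov/xccdf/1.1", "http://checklists.nist.gov/xccdf/1.2")

# Constructed sample in the shape oscap writes (rule ids are made up, not real SSG rules).
SAMPLE_BEFORE = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="constructed">
<TestResult id="constructed_before">
<rule-result idref="xccdf_example_rule_aide_installed" severity="medium"><result>fail</result></rule-result>
<rule-result idref="xccdf_example_rule_sshd_no_root_login" severity="high"><result>fail</result></rule-result>
<rule-result idref="xccdf_example_rule_auditd_enabled" severity="medium"><result>pass</result></rule-result>
<rule-result idref="xccdf_example_rule_no_empty_passwords" severity="high"><result>notapplicable</result></rule-result>
</TestResult></Benchmark>"""
# Constructed "after remediation" run: both failures now pass.
SAMPLE_AFTER = SAMPLE_BEFORE.replace("<result>fail", "<result>pass").replace("_before", "_after")


def parse_results(xml_text):
    """Return {rule_id: (outcome, severity)} for every rule-result in the document."""
    root = ET.fromstring(xml_text)
    results = {}
    for ns in XCCDF_NS:
        for rr in root.iter("{%s}rule-result" % ns):
            res = rr.find("{%s}result" % ns)
            outcome = res.text.strip() if res is not None and res.text else "unknown"
            results[rr.get("idref")] = (outcome, rr.get("severity", "unknown"))
    return results


def summarise(results):
    """Count rules per outcome (pass, fail, notapplicable, notchecked, error, ...)."""
    return Counter(outcome for outcome, _ in results.values())


def failed_rules(results):
    """(rule_id, severity) for failed rules, highest severity first, then by id."""
    order = {"high": 0, "medium": 1, "low": 2}
    fails = [(rid, sev) for rid, (out, sev) in results.items() if out == "fail"]
    return sorted(fails, key=lambda x: (order.get(x[1], len(order)), x[0]))


def diff_results(before, after):
    """Rules whose outcome changed between two runs: {rule_id: (old, new)}."""
    return {rid: (before[rid][0], after[rid][0])
            for rid in before.keys() & after.keys() if before[rid][0] != after[rid][0]}


if __name__ == "__main__":
    b, a = parse_results(SAMPLE_BEFORE), parse_results(SAMPLE_AFTER)
    print(dict(summarise(b)), failed_rules(b), diff_results(b, a))
```

Point it at the real `--results` file instead of the sample and a rule that flips from pass back to fail between runs shows up in the diff, which is the regression you want to catch after a change.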

    I've attached a sample RHEL7 report (the RHEL 6 one is not as sexeh).

    If you have any questions, let me know.

    David