linux:compliance_cis
Differences
This shows you the differences between two versions of the page.
| Next revision | Previous revision | ||
|
linux:compliance_cis [2024/09/19 23:09] manu created |
linux:compliance_cis [2025/07/08 15:32] (current) manu |
||
|---|---|---|---|
| Line 5: | Line 5: | ||
| Install the package scap-security-guide to check compliance and remediation | Install the package scap-security-guide to check compliance and remediation | ||
| + | The task used from this role installs the following packages: | ||
| + | openscap | ||
| + | scap-security-guide | ||
| + | openscap-scanner | ||
| + | === Check === | ||
| + | |||
| + | Get more information on the profile related to CIS, using the profile id (visible after the Title in the ssg-rhel8-ds.xml file): xccdf_org.ssgproject.content_profile_cis | ||
| + | oscap info --profile xccdf_org.ssgproject.content_profile_cis /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml | ||
| + | |||
| + | Generate a result file and a html report using OpenSCAP scanner tool, CIS Benchmark version 1.0.0 | ||
| + | oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_cis --results scan_results.xml --report scan_report.html /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml | ||
| + | |||
| + | <cli> | ||
| + | # oscap xccdf eval --report report.html --profile ospp /usr/share/xml/scap/ssg/content/ssg-rhel8-ds-1.2.xml | ||
| + | --- Starting Evaluation --- | ||
| + | |||
| + | Title Install AIDE | ||
| + | Rule xccdf_org.ssgproject.content_rule_package_aide_installed | ||
| + | Ident CCE-80844-4 | ||
| + | Result fail | ||
| + | |||
| + | Title Enable Dracut FIPS Module | ||
| + | Rule xccdf_org.ssgproject.content_rule_enable_dracut_fips_module | ||
| + | Ident CCE-82155-3 | ||
| + | Result fail | ||
| + | |||
| + | Title Enable FIPS Mode | ||
| + | Rule xccdf_org.ssgproject.content_rule_enable_fips_mode | ||
| + | Ident CCE-80942-6 | ||
| + | Result fail | ||
| + | |||
| + | Title Install crypto-policies package | ||
| + | Rule xccdf_org.ssgproject.content_rule_package_crypto-policies_installed | ||
| + | Ident CCE-82723-8 | ||
| + | Result pass | ||
| + | |||
| + | Title Configure BIND to use System Crypto Policy | ||
| + | Rule xccdf_org.ssgproject.content_rule_configure_bind_crypto_policy | ||
| + | Ident CCE-80934-3 | ||
| + | Result notapplicable | ||
| + | ... | ||
| + | </cli> | ||
| + | |||
| + | |||
| + | === Remediation === | ||
| + | |||
| + | /usr/share/scap-security-guide/ansible/ | ||
| + | /usr/share/scap-security-guide/bash/ | ||
| + | /usr/share/scap-security-guide/kickstart/ | ||
| + | | ||
| + | Remediate using ansible | ||
| + | oscap xccdf generate fix --fix-type ansible --output PlaybookToRemediate.yml --result-id "" scan_results.xml | ||
linux/compliance_cis.1726780176.txt.gz ยท Last modified: 2024/09/19 23:09 by manu
Page Tools
Except where otherwise noted, content on this wiki is licensed under the following license: GNU Free Documentation License 1.3
