====== Redhat compliance CIS ======

https://www.redhat.com/en/blog/center-internet-security-cis-compliance-red-hat-enterprise-linux-using-openscap

Install the package scap-security-guide, which provides the content used for the compliance check and for remediation.

=== Check ===

Get more information on the CIS profile, using its profile id (visible after the Title in the ssg-rhel8-ds.xml file): xccdf_org.ssgproject.content_profile_cis

  oscap info --profile xccdf_org.ssgproject.content_profile_cis /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml

Generate a result file and an HTML report using the OpenSCAP scanner tool (CIS Benchmark version 1.0.0):

  oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_cis --results scan_results.xml --report scan_report.html /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml

Example output, here from a run with the ospp profile:

  # oscap xccdf eval --report report.html --profile ospp /usr/share/xml/scap/ssg/content/ssg-rhel8-ds-1.2.xml
  --- Starting Evaluation ---
  Title   Install AIDE
  Rule    xccdf_org.ssgproject.content_rule_package_aide_installed
  Ident   CCE-80844-4
  Result  fail
  Title   Enable Dracut FIPS Module
  Rule    xccdf_org.ssgproject.content_rule_enable_dracut_fips_module
  Ident   CCE-82155-3
  Result  fail
  Title   Enable FIPS Mode
  Rule    xccdf_org.ssgproject.content_rule_enable_fips_mode
  Ident   CCE-80942-6
  Result  fail
  Title   Install crypto-policies package
  Rule    xccdf_org.ssgproject.content_rule_package_crypto-policies_installed
  Ident   CCE-82723-8
  Result  pass
  Title   Configure BIND to use System Crypto Policy
  Rule    xccdf_org.ssgproject.content_rule_configure_bind_crypto_policy
  Ident   CCE-80934-3
  Result  notapplicable
  ...

=== Remediation ===

The scap-security-guide package installs ready-made remediation content in these directories:

  /usr/share/scap-security-guide/ansible/
  /usr/share/scap-security-guide/bash/
  /usr/share/scap-security-guide/kickstart/

Remediate using Ansible, generating a playbook from the scan results:

  oscap xccdf generate fix --fix-type ansible --output PlaybookToRemediate.yml --result-id "" scan_results.xml
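One way to triage the scan_results.xml written by the eval command before generating fixes, as an added example (not from the original page or the Red Hat blog): it counts results and lists the failed rules by severity. The embedded sample is constructed from the rule ids and CCE numbers in the output shown on this page; its severity values and the name parse_results are assumptions.

```python
import sys
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF = "http://checklists.nist.gov/xccdf/1.2"  # XCCDF 1.2 namespace of the results file
NS = {"x": XCCDF}
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}

# Constructed sample, trimmed to the elements and attributes this script reads.
# Rule ids and CCE numbers come from the page's output; severities are made up.
SAMPLE = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2">
<TestResult id="xccdf_org.open-scap_testresult_constructed_sample">
<rule-result idref="xccdf_org.ssgproject.content_rule_package_aide_installed" severity="medium"><result>fail</result><ident>CCE-80844-4</ident></rule-result>
<rule-result idref="xccdf_org.ssgproject.content_rule_enable_dracut_fips_module" severity="high"><result>fail</result><ident>CCE-82155-3</ident></rule-result>
<rule-result idref="xccdf_org.ssgproject.content_rule_enable_fips_mode" severity="high"><result>fail</result><ident>CCE-80942-6</ident></rule-result>
<rule-result idref="xccdf_org.ssgproject.content_rule_package_crypto-policies_installed" severity="medium"><result>pass</result><ident>CCE-82723-8</ident></rule-result>
<rule-result idref="xccdf_org.ssgproject.content_rule_configure_bind_crypto_policy" severity="medium"><result>notapplicable</result><ident>CCE-80934-3</ident></rule-result>
</TestResult>
</Benchmark>"""

def parse_results(xml_text):
    """Return (Counter of result values, failed rules sorted by severity then rule id)."""
    root = ET.fromstring(xml_text)
    tests = list(root.iter("{%s}TestResult" % XCCDF))  # iter() also matches the root element
    if not tests:
        raise ValueError("no XCCDF 1.2 TestResult element found")
    counts, failed = Counter(), []
    for rr in tests[-1].findall("x:rule-result", NS):  # last TestResult = latest scan
        result = rr.findtext("x:result", default="unknown", namespaces=NS).strip()
        counts[result] += 1
        if result == "fail":
            idents = ", ".join(i.text for i in rr.findall("x:ident", NS) if i.text)
            failed.append((rr.get("severity", "unknown"), rr.get("idref"), idents))
    failed.sort(key=lambda f: (SEVERITY_ORDER.get(f[0], 3), f[1]))
    return counts, failed

if __name__ == "__main__":
    # Usage: python3 triage.py scan_results.xml   (no argument: use the constructed sample)
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE
    counts, failed = parse_results(text)
    print(dict(counts))
    for severity, rule, cce in failed:
        print(f"{severity:8} {cce:14} {rule}")
    sys.exit(2 if failed else 0)  # non-zero exit lets a CI job gate on failed rules
```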