Red Hat compliance CIS

https://www.redhat.com/en/blog/center-internet-security-cis-compliance-red-hat-enterprise-linux-using-openscap

Install the scap-security-guide package, which provides the content used for compliance checks and remediation.

Check

Get more information on the CIS profile using its profile id (shown after the Title in the ssg-rhel8-ds.xml file): xccdf_org.ssgproject.content_profile_cis

oscap info --profile xccdf_org.ssgproject.content_profile_cis /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml

Generate a results file and an HTML report using the OpenSCAP scanner tool, CIS Benchmark version 1.0.0

oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_cis --results scan_results.xml --report scan_report.html /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml

The same kind of scan with the ospp profile, followed by its output:

# oscap xccdf eval --report report.html --profile ospp /usr/share/xml/scap/ssg/content/ssg-rhel8-ds-1.2.xml
--- Starting Evaluation ---

Title   Install AIDE
Rule    xccdf_org.ssgproject.content_rule_package_aide_installed
Ident   CCE-80844-4
Result  fail

Title   Enable Dracut FIPS Module
Rule    xccdf_org.ssgproject.content_rule_enable_dracut_fips_module
Ident   CCE-82155-3
Result  fail

Title   Enable FIPS Mode
Rule    xccdf_org.ssgproject.content_rule_enable_fips_mode
Ident   CCE-80942-6
Result  fail

Title   Install crypto-policies package
Rule    xccdf_org.ssgproject.content_rule_package_crypto-policies_installed
Ident   CCE-82723-8
Result  pass

Title   Configure BIND to use System Crypto Policy
Rule    xccdf_org.ssgproject.content_rule_configure_bind_crypto_policy
Ident   CCE-80934-3
Result  notapplicable
...
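
Added example (not part of the original notes or of the Red Hat blog): a small shell filter for the console output above that counts results and lists the rules with a given result. The function names and the embedded sample are constructed for illustration; on a real scan, pipe the `oscap xccdf eval` output into the functions instead of `sample_output`.

```shell
# Constructed sample input: the five rule blocks from the output above.
sample_output() {
cat <<'EOF'
--- Starting Evaluation ---
Title   Install AIDE
Rule    xccdf_org.ssgproject.content_rule_package_aide_installed
Ident   CCE-80844-4
Result  fail

Title   Enable Dracut FIPS Module
Rule    xccdf_org.ssgproject.content_rule_enable_dracut_fips_module
Ident   CCE-82155-3
Result  fail

Title   Enable FIPS Mode
Rule    xccdf_org.ssgproject.content_rule_enable_fips_mode
Ident   CCE-80942-6
Result  fail

Title   Install crypto-policies package
Rule    xccdf_org.ssgproject.content_rule_package_crypto-policies_installed
Ident   CCE-82723-8
Result  pass

Title   Configure BIND to use System Crypto Policy
Rule    xccdf_org.ssgproject.content_rule_configure_bind_crypto_policy
Ident   CCE-80934-3
Result  notapplicable
EOF
}

# Read eval output on stdin; print "ident<TAB>rule<TAB>title" for each
# rule whose Result equals $1. Rules without an Ident line get "-".
rules_with_result() {
    awk -v want="$1" '
        $1 == "Title"  { sub(/^Title[ \t]+/, ""); title = $0; rule = ""; ident = "-"; next }
        $1 == "Rule"   { rule = $2 }
        $1 == "Ident" && ident == "-" { ident = $2 }
        $1 == "Result" && $2 == want { printf "%s\t%s\t%s\n", ident, rule, title }
    '
}

# Print "result count" for every result value seen, sorted by name.
result_counts() {
    awk '$1 == "Result" { n[$2]++ } END { for (r in n) print r, n[r] }' | sort
}
sample_output | result_counts
sample_output | rules_with_result fail
```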

Remediation

The scap-security-guide package ships ready-made remediation content in these directories:

/usr/share/scap-security-guide/ansible/
/usr/share/scap-security-guide/bash/
/usr/share/scap-security-guide/kickstart/

Remediate using Ansible: generate a playbook from the scan results

oscap xccdf generate fix --fix-type ansible --output PlaybookToRemediate.yml --result-id "" scan_results.xml