[SOLVED] OSCAP scan using RHEL STIG
I'm trying to run an oscap scan. I'd like to use the RHEL DISA STIG, but I get "not applicable" for all of them.
I suspect this should be possible by modifying certain files, but I'm not sure how.
I'd appreciate any help in this area.
Re: OSCAP scan using RHEL STIG
OK, after some trial and error, I did the following:
Code:
sed -i 's/cpe.rhel:def:8/cpe:centos:def:8/g' /usr/share/openscap/cpe/*
sed -i 's/cpe.rhel:def:8/cpe:centos:tst:8/g' /usr/share/openscap/cpe/*
sed -i 's/redhat:enterprise_linux:8/centos:centos:8/g' /usr/share/openscap/cpe/*
sed -i 's/redhat:enterprise_linux:8/centos:centos:8/g' /usr/share/xml/scap/ssg/content/*
Last edited by eng3 on 2021/07/06 15:33:40, edited 1 time in total.
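A way to confirm the symptom from the first post and preview the last substitution above on a copy rather than in place, as an added example that is not part of any post in this thread. It assumes an XCCDF results file with unprefixed elements; the function names and the sample XML are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. The sample XML below is constructed.

# Unique platform CPE names declared by an XCCDF benchmark or datastream.
list_platforms() {
    grep -oE '<([A-Za-z0-9._-]+:)?platform[^>]*idref="[^"]+"' "$1" |
        sed -E 's/.*idref="([^"]+)"/\1/' | sort -u
}

# Number of rule results in file $1 whose outcome matches regex $2
# (assumption: unprefixed <result> elements).
count_results() {
    echo $(( $(grep -oE "<result>$2</result>" "$1" | wc -l) ))
}

# Succeeds when the file has rule results and every one is notapplicable.
all_notapplicable() {
    total=$(count_results "$1" '[a-z]+')
    na=$(count_results "$1" 'notapplicable')
    [ "$total" -gt 0 ] && [ "$total" -eq "$na" ]
}

# The thread's content substitution, written to a copy ($2) instead of in place.
retarget_copy() {
    sed 's/redhat:enterprise_linux:8/centos:centos:8/g' "$1" > "$2"
}

# Constructed stand-in for a results file from unmodified RHEL 8 content.
make_sample() {
    cat > "$1" <<'EOF'
<Benchmark id="xccdf_org.ssgproject.content_benchmark_RHEL-8">
  <platform idref="cpe:/o:redhat:enterprise_linux:8"/>
  <TestResult id="constructed_sample">
    <rule-result idref="rule_a"><result>notapplicable</result></rule-result>
    <rule-result idref="rule_b"><result>notapplicable</result></rule-result>
  </TestResult>
</Benchmark>
EOF
}

tmp=$(mktemp -d)
make_sample "$tmp/results.xml"
if all_notapplicable "$tmp/results.xml"; then
    echo "every rule notapplicable; content targets: $(list_platforms "$tmp/results.xml")"
    retarget_copy "$tmp/results.xml" "$tmp/centos.xml"
    echo "copy now targets: $(list_platforms "$tmp/centos.xml")"
fi
rm -rf "$tmp"
```

Working on a copy leaves the package-owned files under /usr/share untouched, so a package update does not silently revert the change.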
Re: OSCAP scan using RHEL STIG
Thanks for coming back and letting us know how you got it working. I'll mark it solved for others who come upon it while searching.
Re: [SOLVED] OSCAP scan using RHEL STIG
Here is a process I followed for v0.1.50, but it works for the latest release (v0.1.54) as well:
To tailor an SSG profile, use the scap-workbench utility to customize your environment. Follow the prompts on the screen. Begin by selecting the appropriate operating system (e.g., CentOS 8).
Red Hat Enterprise Linux 8 may include many different profiles. However, you may notice there are only two profiles for CentOS Linux, namely:
- PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 8 (122)
- Standard System Security Profile for Red Hat Enterprise Linux 8 (57)
Code:
git clone https://github.com/ComplianceAsCode/content.git ssg-content
cd ssg-content
git checkout v0.1.50
First, we'll add "stig" to the standard profile and then build the RHEL 8 derivatives.
Code:
sed -i $'s/standard_profiles =.*/standard_profiles = [\'standard\', \'pci-dss\', \'desktop\', \'server\', \'stig\']/' ssg/constants.py
./build_product --derivatives rhel8
Next, let's correct some points of failure:
Code:
sed -i.bak 's/\^\/boot\/efi\/EFI\/(redhat|fedora)\/grub.cfg\$/\^\/boot\/efi\/EFI\/(redhat|fedora|centos)\/grub.cfg\$/g' build/ssg-centos8-ds*.xml
sed -i 's/\/boot\/efi\/EFI\/redhat\//\/boot\/efi\/EFI\/centos\//g' build/ssg-centos8-ds*.xml
sed -i 's/gelocation/geolocation/g' build/ssg-centos8-ds*.xml
Let's verify that the derivatives contain the desired SSG profile:
Code:
oscap info build/ssg-centos8-ds.xml
Profiles:
Title: PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 8
Id: xccdf_org.ssgproject.content_profile_pci-dss
Title: Standard System Security Profile for Red Hat Enterprise Linux 8
Id: xccdf_org.ssgproject.content_profile_standard
Title: [DRAFT] DISA STIG for Red Hat Enterprise Linux 8
Id: xccdf_org.ssgproject.content_profile_stig
Re: [SOLVED] OSCAP scan using RHEL STIG
Unfortunately, your sed expressions suffer from LTS. More readable would be
Code:
sed -i "/^standard_profiles =/s/]/, 'stig']/" ssg/constants.py
and
Code:
sed -Ei 's|(/boot/efi/EFI/)redhat/|\1centos/|g' build/ssg-centos8-ds*.xml