[SOLVED] OSCAP scan using RHEL STIG

eng3
Posts: 2
Joined: 2021/05/30 06:23:17

[SOLVED] OSCAP scan using RHEL STIG

Post by eng3 » 2021/05/30 06:26:31

I'm trying to run an oscap scan. I'd like to use the RHEL DISA STIG but I get not applicable for all of them.

I suspect this should be possible by modifying certain files but not sure how.

I'd appreciate any help in this area.

eng3
Posts: 2
Joined: 2021/05/30 06:23:17

Re: OSCAP scan using RHEL STIG

Post by eng3 » 2021/05/30 16:59:10

ok, after some trial and error, I did the following:

Code:

sed -i 's/cpe.rhel:def:8/cpe:centos:def:8/g' /usr/share/openscap/cpe/*
sed -i 's/cpe.rhel:def:8/cpe:centos:tst:8/g' /usr/share/openscap/cpe/*
sed -i 's/redhat:enterprise_linux:8/centos:centos:8/g' /usr/share/openscap/cpe/*
sed -i 's/redhat:enterprise_linux:8/centos:centos:8/g' /usr/share/xml/scap/ssg/content/*

Last edited by eng3 on 2021/07/06 15:33:40, edited 1 time in total.

scottro
Forum Moderator
Posts: 2556
Joined: 2007/09/03 21:18:09
Location: NYC

Re: OSCAP scan using RHEL STIG

Post by scottro » 2021/05/31 00:31:26

Thanks for coming back and letting us know how you got it working. I'll mark it solved for others who come upon it while searching.
New users should check the FAQ and Read Me First pages

IICODECll
Posts: 3
Joined: 2020/10/13 00:28:36

Re: [SOLVED] OSCAP scan using RHEL STIG

Post by IICODECll » 2021/06/28 14:39:32

Here is a process I followed for v0.1.50, but it works for the latest release (v0.1.54) as well:

To tailor an SSG profile, use the scap-workbench utility to customize your environment. Follow the prompts on the screen. Begin by selecting the appropriate operating system (e.g., CentOS 8).

Red Hat Enterprise Linux 8 may include many different profiles. However, you may notice there are only two profiles for CentOS Linux, namely:
  • PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 8 (122)
  • Standard System Security Profile for Red Hat Enterprise Linux 8 (57)

We will need to build the latest SCAP content baseline for the derivatives of Red Hat Enterprise Linux. The desired baselines will need to be manually added to the build process. I leveraged the DISA STIG baseline, so the changes are as follows:

Code:

git clone https://github.com/ComplianceAsCode/content.git ssg-content
# Enter the clone before checking out the release tag
cd ssg-content
git checkout v0.1.50

First, we'll add "stig" to the standard profile and then build the RHEL 8 derivatives.

Code:

sed -i $'s/standard_profiles =.*/standard_profiles = [\'standard\', \'pci-dss\', \'desktop\', \'server\', \'stig\']/' ssg/constants.py
./build_product --derivatives rhel8

Next, let's correct some points of failure:

Code:

sed -i.bak 's/\^\/boot\/efi\/EFI\/(redhat|fedora)\/grub.cfg\$/\^\/boot\/efi\/EFI\/(redhat|fedora|centos)\/grub.cfg\$/g' build/ssg-centos8-ds*.xml
sed -i 's/\/boot\/efi\/EFI\/redhat\//\/boot\/efi\/EFI\/centos\//g' build/ssg-centos8-ds*.xml
sed -i 's/gelocation/geolocation/g' build/ssg-centos8-ds*.xml

Let's verify that the derivative contains the desired SSG profile:

Code:

oscap info build/ssg-centos8-ds.xml
		Profiles:
			Title: PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 8
				Id: xccdf_org.ssgproject.content_profile_pci-dss
			Title: Standard System Security Profile for Red Hat Enterprise Linux 8
				Id: xccdf_org.ssgproject.content_profile_standard
			Title: [DRAFT] DISA STIG for Red Hat Enterprise Linux 8
				Id: xccdf_org.ssgproject.content_profile_stig
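
The verification step above and the "not applicable for all of them" symptom from the first post can both be checked by script. This is an added example, not code from any poster or from the OpenSCAP or ComplianceAsCode projects; the function names are hypothetical, the sample text is constructed, and it assumes only the `Id:` lines printed by `oscap info` and the `Result` lines printed by `oscap xccdf eval`.

```shell
# Added example; every sample string below is constructed for illustration.

# has_profile PROFILE_ID: reads `oscap info` output on stdin and succeeds only
# if an "Id:" line names exactly that profile.
has_profile() {
    awk -v want="$1" '$1 == "Id:" && $2 == want { found = 1 } END { exit !found }'
}

# tally_results: reads `oscap xccdf eval` output on stdin and prints
# "<result> <count>" for each result type, sorted by name.
tally_results() {
    awk '$1 == "Result" { n[$2]++ } END { for (r in n) print r, n[r] }' | sort
}

# platform_mismatch: succeeds when at least one rule was evaluated and every
# result is notapplicable, which typically means the content's platform (CPE)
# check did not match the host.
platform_mismatch() {
    awk '$1 == "Result" { t++; if ($2 == "notapplicable") na++ }
         END { exit !(t > 0 && na == t) }'
}

# Constructed `oscap info` excerpt (profile id as shown in the thread).
SAMPLE_INFO='Profiles:
    Title: [DRAFT] DISA STIG for Red Hat Enterprise Linux 8
        Id: xccdf_org.ssgproject.content_profile_stig'

# Constructed scan output: content whose platform check rejects the host.
SAMPLE_NA='Title   Example rule A
Rule    xccdf_org.ssgproject.content_rule_example_a
Result  notapplicable

Title   Example rule B
Rule    xccdf_org.ssgproject.content_rule_example_b
Result  notapplicable'

# Constructed scan output: content that applies to the host.
SAMPLE_MIXED='Result  pass
Result  fail
Result  notapplicable'

printf '%s\n' "$SAMPLE_INFO" | has_profile xccdf_org.ssgproject.content_profile_stig \
    && echo "stig profile present"
printf '%s\n' "$SAMPLE_NA" | tally_results
if printf '%s\n' "$SAMPLE_NA" | platform_mismatch; then
    echo "every rule is notapplicable: check the platform/CPE match"
fi
```

On a real system the same functions read from `oscap info build/ssg-centos8-ds.xml` and from an `oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_stig` run against that file.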

sml
Posts: 305
Joined: 2020/01/17 09:01:44

Re: [SOLVED] OSCAP scan using RHEL STIG

Post by sml » 2021/06/28 17:03:03

Unfortunately, your sed expressions suffer from LTS. More readable would be

Code:

sed -i "/^standard_profiles =/s/]/, 'stig']/" ssg/constants.py

and

Code:

sed -Ei 's|(/boot/efi/EFI/)redhat/|\1centos/|g' build/ssg-centos8-ds*.xml
