[SOLVED] OSCAP scan using RHEL STIG

Posted: 2021/05/30 06:26:31
by eng3
I'm trying to run an oscap scan. I'd like to use the RHEL DISA STIG but I get "not applicable" for all of them.

I suspect this should be possible by modifying certain files but not sure how.

I'd appreciate any help in this area.

Re: OSCAP scan using RHEL STIG

Posted: 2021/05/30 16:59:10
by eng3
ok, after some trial and error, I did the following:

Code:

# Rename the RHEL 8 inventory definition and its test in the bundled CPE OVAL file.
# A dot keeps "org.open-scap.cpe.centos" a valid OVAL namespace (colons are not allowed there);
# the original second line reused the def pattern, so it never matched the test id.
sed -i 's/cpe\.rhel:def:8/cpe.centos:def:8/g' /usr/share/openscap/cpe/*
sed -i 's/cpe\.rhel:tst:8/cpe.centos:tst:8/g' /usr/share/openscap/cpe/*
# Make the CPE dictionary entry and the SSG datastreams name the CentOS 8 platform.
sed -i 's/redhat:enterprise_linux:8/centos:centos:8/g' /usr/share/openscap/cpe/*
sed -i 's/redhat:enterprise_linux:8/centos:centos:8/g' /usr/share/xml/scap/ssg/content/*
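
As an added check that is not part of eng3's post: after rewriting identifiers in the CPE dictionary and its OVAL file, confirm that every dictionary check reference still resolves, that no rewritten id carries a colon inside its OVAL namespace (OVAL 5 ids allow dots there, not colons), and that an entry exists for the platform being scanned, since a missing entry is exactly what turns every rule "notapplicable". The XML inputs are constructed minimal stand-ins for openscap-cpe-dict.xml and openscap-cpe-oval.xml, and check_cpe_content/run are assumed names.

```python
import re
import xml.etree.ElementTree as ET

CPE_NS = "{http://cpe.mitre.org/dictionary/2.0}"
OVAL_NS = "{http://oval.mitre.org/XMLSchema/oval-definitions-5}"
# OVAL 5 identifier pattern: dots are allowed in the namespace, colons are not
OVAL_ID = re.compile(r"^oval:[A-Za-z0-9_.-]+:(def|tst|obj|ste|var):[1-9][0-9]*$")

def check_cpe_content(dict_xml, oval_xml, system_cpe):
    """Return a list of problems; empty means dictionary and OVAL are consistent."""
    problems = []
    oval = ET.fromstring(oval_xml)
    ids = {el.get("id") for el in oval.iter() if el.get("id") is not None}
    problems += [f"malformed OVAL id: {i}" for i in ids if not OVAL_ID.match(i)]
    for crit in oval.iter(OVAL_NS + "criterion"):      # definition -> test references
        if crit.get("test_ref") not in ids:
            problems.append(f"dangling test_ref: {crit.get('test_ref')}")
    names = []
    for item in ET.fromstring(dict_xml).iter(CPE_NS + "cpe-item"):
        names.append(item.get("name"))
        for chk in item.iter(CPE_NS + "check"):         # dictionary -> definition references
            if chk.text not in ids:
                problems.append(f"{item.get('name')}: dangling check {chk.text}")
    if len(names) != len(set(names)):
        problems.append("duplicate cpe-item names")
    if system_cpe not in names:
        problems.append(f"no cpe-item for {system_cpe}: every rule would be notapplicable")
    return problems

# Constructed minimal inputs shaped like openscap's CPE dictionary and OVAL inventory file
DICT_TMPL = ('<cpe-list xmlns="http://cpe.mitre.org/dictionary/2.0">'
             '<cpe-item name="cpe:/o:centos:centos:8"><check href="openscap-cpe-oval.xml">'
             '{d}</check></cpe-item></cpe-list>')
OVAL_TMPL = ('<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5">'
             '<definitions><definition id="{d}" class="inventory" version="1"><criteria>'
             '<criterion test_ref="{t}"/></criteria></definition></definitions>'
             '<tests><family_test id="{t}" version="1" check="all"/></tests></oval_definitions>')

def run(def_id, tst_id, system_cpe="cpe:/o:centos:centos:8"):
    """Build the constructed dictionary/OVAL pair around the given ids and check it."""
    return check_cpe_content(DICT_TMPL.format(d=def_id),
                             OVAL_TMPL.format(d=def_id, t=tst_id), system_cpe)

# A rewrite of cpe.rhel to cpe:centos puts a colon into the OVAL namespace, and a
# second sed that repeats the def pattern leaves the test id as cpe.rhel.
POSTED = run("oval:org.open-scap.cpe:centos:def:8", "oval:org.open-scap.cpe.rhel:tst:8")
# Dotted namespace for both ids: dictionary and OVAL file stay consistent.
CORRECTED = run("oval:org.open-scap.cpe.centos:def:8", "oval:org.open-scap.cpe.centos:tst:8")
```

Point the same check at the real /usr/share/openscap/cpe files by reading them into check_cpe_content before running the scan.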

Re: OSCAP scan using RHEL STIG

Posted: 2021/05/31 00:31:26
by scottro
Thanks for coming back and letting us know how you got it working. I'll mark it solved for others who come upon it while searching.

Re: [SOLVED] OSCAP scan using RHEL STIG

Posted: 2021/06/28 14:39:32
by IICODECll
Here is a process I followed for v0.1.50, but it works for the latest release (v0.1.54) as well:

To tailor an SSG profile, use the scap-workbench utility to customize your environment. Follow the prompts on the screen. Begin by selecting the appropriate operating system (e.g., CentOS 8).

Red Hat Enterprise Linux 8 may include many different profiles. However, you may notice there are only two profiles for CentOS Linux, namely:
  • PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 8 (122)
  • Standard System Security Profile for Red Hat Enterprise Linux 8 (57)
We will need to build the latest SCAP content baseline for the derivatives of Red Hat Enterprise Linux. The desired baselines will need to be manually added to the build process. I leveraged the DISA STIG baseline, so the changes are as follows:

Code:

git clone https://github.com/ComplianceAsCode/content.git ssg-content
cd ssg-content   # the checkout below has to run inside the cloned repository
git checkout v0.1.50
First, we'll add "stig" to the standard profile and then build the RHEL 8 derivatives.

Code:

sed -i $'s/standard_profiles =.*/standard_profiles = [\'standard\', \'pci-dss\', \'desktop\', \'server\', \'stig\']/' ssg/constants.py
./build_product --derivatives rhel8
Next, let's correct some points of failure:

Code:

sed -i.bak 's/\^\/boot\/efi\/EFI\/(redhat|fedora)\/grub.cfg\$/\^\/boot\/efi\/EFI\/(redhat|fedora|centos)\/grub.cfg\$/g' build/ssg-centos8-ds*.xml
sed -i 's/\/boot\/efi\/EFI\/redhat\//\/boot\/efi\/EFI\/centos\//g' build/ssg-centos8-ds*.xml
sed -i 's/gelocation/geolocation/g' build/ssg-centos8-ds*.xml
Let's verify that the desired SSG profile exists in the derivatives:

Code:

oscap info build/ssg-centos8-ds.xml
		Profiles:
			Title: PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 8
				Id: xccdf_org.ssgproject.content_profile_pci-dss
			Title: Standard System Security Profile for Red Hat Enterprise Linux 8
				Id: xccdf_org.ssgproject.content_profile_standard
			Title: [DRAFT] DISA STIG for Red Hat Enterprise Linux 8
				Id: xccdf_org.ssgproject.content_profile_stig

Re: [SOLVED] OSCAP scan using RHEL STIG

Posted: 2021/06/28 17:03:03
by sml
Unfortunately, your sed expressions suffer from LTS. More readable would be

Code:

sed -i "/^standard_profiles =/s/]/, 'stig']/" ssg/constants.py
and

Code:

sed -Ei 's|(/boot/efi/EFI/)redhat/|\1centos/|g' build/ssg-centos8-ds*.xml