https://www.redhat.com/en/blog/center-internet-security-cis-compliance-red-hat-enterprise-linux-using-openscap
[root@cis-bench content]# subscription-manager repos --enable ansible-2.9-for-rhel-8-x86_64-rpms
[root@cis-bench content]# yum clean all
[root@cis-bench content]# yum repolist
[root@cis-bench content]# yum list all
[root@cis-bench content]# dnf install ansible
[root@cis-bench content]# yum install openscap-scanner scap-security-guide
for checking:
————-
[root@cis-bench content]# cd /usr/share/scap-security-guide
[root@cis-bench content]# ls -lart
/usr/share/scap-security-guide/ansible/
/usr/share/scap-security-guide/bash/
/usr/share/scap-security-guide/kickstart/
for checking:
————-
[root@cis-bench content]# cd /usr/share/xml/scap/ssg/content
[root@cis-bench content]# ls -lart | grep ssg-rhel8
/usr/share/xml/scap/ssg/content/ssg-rhel8-ds-1.2.xml
/usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml
Read the data stream file containing profiles
———————————————-
[root@cis-bench content]# oscap info /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml | grep "Title:"
WARNING: Datastream component 'scap_org.open-scap_cref_security-data-oval-com.redhat.rhsa-RHEL8.xml.bz2' points out to the remote 'https://access.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml.bz2'. Use '--fetch-remote-resources' option to download it.
WARNING: Skipping 'https://access.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml.bz2' file which is referenced from datastream
Title: ANSSI-BP-028 (enhanced)
Title: ANSSI-BP-028 (high)
Title: ANSSI-BP-028 (intermediary)
Title: ANSSI-BP-028 (minimal)
Title: CIS Red Hat Enterprise Linux 8 Benchmark for Level 2 - Server
Title: CIS Red Hat Enterprise Linux 8 Benchmark for Level 1 - Server
Title: CIS Red Hat Enterprise Linux 8 Benchmark for Level 1 - Workstation
Title: CIS Red Hat Enterprise Linux 8 Benchmark for Level 2 - Workstation
Title: Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)
Title: Australian Cyber Security Centre (ACSC) Essential Eight
Title: Health Insurance Portability and Accountability Act (HIPAA)
Title: Australian Cyber Security Centre (ACSC) ISM Official
Title: Protection Profile for General Purpose Operating Systems
Title: PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 8
Title: DISA STIG for Red Hat Enterprise Linux 8
Title: DISA STIG with GUI for Red Hat Enterprise Linux 8
[root@cis-bench content]# oscap info --profiles /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml
WARNING: Datastream component 'scap_org.open-scap_cref_security-data-oval-com.redhat.rhsa-RHEL8.xml.bz2' points out to the remote 'https://access.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml.bz2'. Use '--fetch-remote-resources' option to download it.
WARNING: Skipping 'https://access.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml.bz2' file which is referenced from datastream
xccdf_org.ssgproject.content_profile_anssi_bp28_enhanced:ANSSI-BP-028 (enhanced)
xccdf_org.ssgproject.content_profile_anssi_bp28_high:ANSSI-BP-028 (high)
xccdf_org.ssgproject.content_profile_anssi_bp28_intermediary:ANSSI-BP-028 (intermediary)
xccdf_org.ssgproject.content_profile_anssi_bp28_minimal:ANSSI-BP-028 (minimal)
xccdf_org.ssgproject.content_profile_cis:CIS Red Hat Enterprise Linux 8 Benchmark for Level 2 - Server
xccdf_org.ssgproject.content_profile_cis_server_l1:CIS Red Hat Enterprise Linux 8 Benchmark for Level 1 - Server
xccdf_org.ssgproject.content_profile_cis_workstation_l1:CIS Red Hat Enterprise Linux 8 Benchmark for Level 1 - Workstation
xccdf_org.ssgproject.content_profile_cis_workstation_l2:CIS Red Hat Enterprise Linux 8 Benchmark for Level 2 - Workstation
xccdf_org.ssgproject.content_profile_cui:Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)
xccdf_org.ssgproject.content_profile_e8:Australian Cyber Security Centre (ACSC) Essential Eight
xccdf_org.ssgproject.content_profile_hipaa:Health Insurance Portability and Accountability Act (HIPAA)
xccdf_org.ssgproject.content_profile_ism_o:Australian Cyber Security Centre (ACSC) ISM Official
xccdf_org.ssgproject.content_profile_ospp:Protection Profile for General Purpose Operating Systems
xccdf_org.ssgproject.content_profile_pci-dss:PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 8
xccdf_org.ssgproject.content_profile_stig:DISA STIG for Red Hat Enterprise Linux 8
xccdf_org.ssgproject.content_profile_stig_gui:DISA STIG with GUI for Red Hat Enterprise Linux 8
Generate a result file and a html report using OpenSCAP scanner tool
——————————————————————–
[root@cis-bench content]# mkdir cis_fix
[root@cis-bench content]# oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_cis_server_l1 --results /root/cis_fix/scan_results.xml --report /root/cis_fix/scan_report.html /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml
[root@cis-bench content]# oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_cis --results /root/cis_fix/scan_results_l2.xml --report /root/cis_fix/scan_report_l2.html /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml
generate fix
———–
[root@cis-bench content]# oscap xccdf generate fix --fix-type ansible --output /root/cis_fix/PlaybookToRemediate.yml --result-id "" /root/cis_fix/scan_results.xml
[root@cis-bench content]# oscap xccdf generate fix --fix-type ansible --output /root/cis_fix/PlaybookToRemediate_l2.yml --result-id "" /root/cis_fix/scan_results_l2.xml
Run the fix
———–
[root@cis-bench content]# ansible-playbook -i "localhost," -c local /root/cis_fix/PlaybookToRemediate.yml
[root@cis-bench content]# ansible-playbook -i "localhost," -c local /root/cis_fix/PlaybookToRemediate_l2.yml
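The whole flow above (look up the profile id, scan, generate the Ansible fix, run it, re-scan) wrapped in one POSIX sh script. This is an added example, not part of the original notes and not code from the OpenSCAP or scap-security-guide projects. It assumes the packages installed above, the same data stream path and /root/cis_fix output directory, and adds two awk-only helpers (profile_id_for_title, summarize_results, failed_rules) that are my own. SAMPLE_RESULTS is a constructed, cut-down XCCDF result fragment used only to exercise the parsers; it is not real scanner output.

```shell
#!/bin/sh
# Hypothetical wrapper around the oscap / ansible-playbook steps in the notes.
# Assumes oscap, scap-security-guide and ansible are installed as shown above.

DS=${DS:-/usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml}   # data stream
OUT=${OUT:-/root/cis_fix}                                    # result directory

# Map a profile title fragment (e.g. "Level 1 - Server") to its XCCDF id.
# Reads the "id:title" lines that "oscap info --profiles" prints from stdin,
# so it can be exercised on constructed input without a SCAP-enabled host.
profile_id_for_title() {
    awk -v want="$1" -F: '
        index($0, want) { print $1; found = 1; exit }
        END { exit !found }'
}

# Count <rule-result> outcomes in an XCCDF results file read from stdin.
# Prints "pass=N fail=N other=N"; other = notapplicable, notchecked,
# informational, error, unknown. Works line by line, so it does not depend
# on awk supporting a multi-character record separator.
summarize_results() {
    awk 'BEGIN { pass = 0; fail = 0; other = 0 }
         /<rule-result/ { inrule = 1 }
         inrule && match($0, /<result>[^<]*<\/result>/) {
             r = substr($0, RSTART + 8, RLENGTH - 17)   # strip the tags
             if (r == "pass") pass++
             else if (r == "fail") fail++
             else other++
         }
         /<\/rule-result>/ { inrule = 0 }
         END { printf "pass=%d fail=%d other=%d\n", pass, fail, other }'
}

# Print the idref of every rule whose result is "fail", one per line.
failed_rules() {
    awk '/<rule-result/ { if (match($0, /idref="[^"]*"/)) id = substr($0, RSTART + 7, RLENGTH - 8) }
         /<result>fail<\/result>/ { print id }'
}

# Evaluate one profile and keep both the XML results and the HTML report.
# oscap exits 0 when every rule passed, 2 when at least one rule failed and
# 1 on an error, so only status 1 is treated as a failure of the scan itself.
scan_profile() {
    profile=$1; tag=$2
    mkdir -p "$OUT"
    oscap xccdf eval --profile "$profile" \
        --results "$OUT/scan_results_$tag.xml" \
        --report "$OUT/scan_report_$tag.html" "$DS"
    rc=$?
    [ "$rc" -ne 1 ] || { echo "scan of $profile failed" >&2; return 1; }
    summarize_results < "$OUT/scan_results_$tag.xml"
}

# Generate the Ansible playbook from a result file and apply it locally,
# using the same oscap and ansible-playbook invocations as the notes.
remediate() {
    tag=$1
    oscap xccdf generate fix --fix-type ansible \
        --output "$OUT/PlaybookToRemediate_$tag.yml" \
        --result-id "" "$OUT/scan_results_$tag.xml" || return 1
    ansible-playbook -i "localhost," -c local "$OUT/PlaybookToRemediate_$tag.yml"
}

main() {
    listing=$(oscap info --profiles "$DS" 2>/dev/null) || return 1
    l1=$(printf '%s\n' "$listing" | profile_id_for_title "Level 1 - Server") || return 1
    echo "using profile $l1"
    scan_profile "$l1" l1 || return 1
    failed_rules < "$OUT/scan_results_l1.xml"
    remediate l1
    # Re-scan so the before/after fail counts can be compared.
    scan_profile "$l1" l1_after
}

# Constructed sample (not real oscap output) for trying the parsers offline.
SAMPLE_RESULTS='<TestResult id="xccdf_org.open-scap_testresult_example">
  <rule-result idref="xccdf_org.ssgproject.content_rule_example_a" severity="medium">
    <result>pass</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_example_b" severity="high"><result>fail</result></rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_example_c"><result>notapplicable</result></rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_example_d">
    <result>pass</result>
  </rule-result>
  <score system="urn:xccdf:scoring:default" maximum="100.000000">75.000000</score>
</TestResult>'

# Only run the end-to-end flow when invoked as "sh cis_scan.sh run"; otherwise
# just define the functions so they can be sourced or tested elsewhere.
if [ "${1-}" = "run" ]; then main; fi
```

Run it as sh cis_scan.sh run on the host being benchmarked. The exit-code handling matters: oscap xccdf eval returns 2 whenever any rule fails, so a script under set -e would stop before the playbook is ever generated; only status 1 is a real scan error. The remote RHSA OVAL warning printed above is harmless for a CIS scan, which is why the listing step discards stderr. Some remediations take effect only after a reboot, so a few rules can still report fail on the immediate re-scan.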