Share

OpenSCAP is an opensource tool to test and verify security compliance against a set of rules.
Did you know that SUSE provides more than 200 rules in its own SCAP Security Guide?

See French version

Of course there is the SLES Hardening Guide but there is a lot of other security certifications like STIG DISA, CIS Benchmark or Gouv recommendations.
SUSE publish an openSCAP file with roughly 200 rules to test your GNU/Linux boxes against those certifications.

Follow this guide to download and scan your computers in a minute.

Download the SSG on SUSE MANAGER

First step is to download the SSG from SUSE website in order to push it via salt to all our SLES boxes.

mkdir -p /srv/salt/ssg-sles/
cd /srv/salt/ssg-sles/
wget ftp://ftp.suse.com/pub/projects/security/STIG/SLES_12_SCAP_BETA/ssg-sle12-ds.xml

Create a Configuration Channel with Salt

Thanks to Salt integration in SUSE Manager we can install all the openscap RPM and push our SSG file with a simple state file.

In  SUMA go to Configuration > Configuration Channels > + Create State Channel

Name: Openscap Commons
Label: openscap-commons
Description: Openscap RPMs pour SLES et RH/Centos

SLS Contents:

openscap_packages:
 file.managed:
 - name: /usr/local/share/ssg-sle12-ds.xml
 - source: salt://ssg-sles/ssg-sle12-ds.xml
 - makedirs: true
 - user: root
 - group: root
 - mode: '0644'
 pkg.installed:
 - pkgs:
 - openscap
 - openscap-utils
 - spacewalk-oscap
 {% if grains['os_family'] == 'Suse' %}
 - openscap-content
 {% endif %}
 {% if grains['os_family'] == 'RedHat' %}
 - scap-security-guide
 {% endif %}

Then click Create Config Channel

Add systems to the configuration channel

Now that our Channel is set up we can add target systems.

In Configuration > Overview Click on Openscap Commons
In Systems > Target Systems select the boxes where you need to install RPMs and push the SSG rules file.

Then click Subscribe systems

Launch the first openSCAP Audit

Show time. We are ready to schedule an audit and verify the security state of our SLES (or CentOS)

Select a System and go to Audit > Schedule

For SLES box:

Command-line Arguments: –profile xccdf_org.ssgproject.content_profile_stig-sle12-disa
File System Path: /usr/local/share/ssg-sle12-ds.xml

For RHEL or CentOS box:

Command-line Arguments: –profile xccdf_org.ssgproject.content_profile_standard
File System Path: /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml

At last got to Audit > List Scans

After a few moment when all 200 rules had been tested the result shows up.

Have a nice day.

Share
(Visited 1 times, 1 visits today)
Tags: , , , , ,
Category: Automate IT Ops, Compliance, Server, SUSE Linux Enterprise Server, SUSE Manager, SUSE News
This entry was posted Friday, 21 August, 2020 at 8:37 am
You can follow any responses to this entry via RSS.

Leave a Reply

Your email address will not be published. Required fields are marked *

No comments yet