The OpenSCAP project provides a variety of hardening guides and configuration baselines developed by the open source community, allowing you to choose a security policy that best suits the needs of your organization, regardless of its size. There is a dedicated security team at Red Hat managing the related packages, in particular:

- openscap-scanner: The scanner (it contains the tool oscap).
- scap-security-guide: This contains the "source datastream" files containing the profiles, and the files required for remediation, like Red Hat Ansible Automation Platform playbooks or Bash scripts.
- scap-workbench: The GUI allowing modifications of the policies, among other features.

For the following explanation it is required to install these packages using yum: openscap-scanner scap-security-guide

Optionally, you can install another package called scap-workbench. It is a GUI, which allows modifications of the policies, among other features that won't be covered in this blog post.

The command is: `yum install openscap-scanner scap-security-guide`

From a RHEL 8.3 server, we can find more information about the scap-security-guide package:

At the time of writing, the latest version of that package was: scap-security-guide-0.1.

You can check the content of the RPM using this command: rpm -qlp scap-security-guide-0.1.

The package contains files that are used for the supported remediation methods (Ansible, Bash and Anaconda):

- /usr/share/scap-security-guide/ansible/
- /usr/share/scap-security-guide/bash/
- /usr/share/scap-security-guide/kickstart/

Note: these files are managed by the Red Hat OpenSCAP security team and used automatically by the oscap tool when using the remediation feature.

The other important files are the "DataStream" files, the SCAP content: the files containing the information to scan the system for compliance with a benchmark, which can have several profiles. They are not meant to be modified by the user.
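Since the remediation files under /usr/share/scap-security-guide/ are managed by Red Hat and consumed automatically by oscap, one way to confirm they still match what the package installed is to filter `rpm -V scap-security-guide` output for those three directories. This is an added example, not part of the original post or of Red Hat's tooling; the function names and the file names in the sample input are constructed placeholders.

```shell
#!/bin/sh
# Added example: report scap-security-guide remediation files that no longer
# match what the RPM installed. Reads `rpm -V` output on stdin.

# ssg_changed_files: print "<reason> <path>" for every changed or missing file
# under the three remediation directories named in the text.
#   content  = file digest differs (the "5" flag in rpm -V output)
#   metadata = digest not flagged; other attributes (mode, owner, mtime) differ
#   missing  = file is no longer on disk
ssg_changed_files() {
    while IFS= read -r line; do
        case "$line" in */*) ;; *) continue ;; esac   # no path on this line
        flags=${line%% *}      # first field: attribute flags or "missing"
        path="/${line#*/}"     # everything from the first "/" onward
        rel=${path#/usr/share/scap-security-guide/}
        [ "$rel" != "$path" ] || continue             # not an SSG file
        case "$rel" in
            ansible/*|bash/*|kickstart/*) ;;
            *) continue ;;     # outside the remediation directories
        esac
        case "$flags" in
            missing) reason=missing ;;
            *5*)     reason=content ;;
            *)       reason=metadata ;;
        esac
        printf '%s %s\n' "$reason" "$path"
    done
}

# Constructed sample of `rpm -V` output (file names are placeholders).
sample_rpm_v() {
    cat <<'EOF'
S.5....T.    /usr/share/scap-security-guide/bash/example-remediation.sh
.......T.    /usr/share/scap-security-guide/ansible/example-playbook.yml
missing      /usr/share/scap-security-guide/kickstart/example-ks.cfg
S.5....T.  c /etc/example.conf
EOF
}

# On a real host: rpm -V scap-security-guide | ssg_changed_files
sample_rpm_v | ssg_changed_files
```

A `content` or `missing` result means a remediation would not run what the package shipped; reinstalling the package restores the original files.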
The CIS (Center for Internet Security) produces various cyber security related services. In particular, it produces benchmarks, which are "configuration guidelines for various technology groups to safeguard systems against today evolving cyber threat" in the words of the CIS.

The benchmarks, offered free for CIS members in the form of PDFs, are not directly usable by a scanning tool, but they are human readable. They do offer some benchmarks in an XCCDF format that can be used by tools, but they are reserved for paying members.

These benchmarks, even if they were to be available, do not contain the automation and remediation steps required to change a server state to reach compliance. That is why Red Hat produces the scap-security-guide package, which contains what is necessary to scan for compliance, automate and remediate the results.

In the following illustration one can see that, at the time of writing, CIS has made one benchmark version available for Red Hat Enterprise Linux (RHEL) 8, version 1.0.0.

The OpenSCAP ecosystem provides multiple tools to assist administrators and auditors with assessment, measurement, and enforcement of security baselines.