OpenSCAP
OpenSCAP (1.2k ⭐) is a tool that can automatically check whether a hardening guide has been applied to a system, and can even apply the guide automatically.
OpenSCAP works on a hardening guide generated by the Compliance As Code (CAC) project. The project generates one XML file per product, such as ssg-debian11-ds.xml for Debian 11. Download existing XMLs here.
To install OpenSCAP on Debian 10:
$ sudo apt-get update && sudo apt-get install libopenscap8
To check if openscap is installed:
$ oscap -V | head -n 1
OpenSCAP command line tool (oscap) X.Y.Z
Basic Usage
Check if a guide is valid
You may want to check if the XML is valid. If there is no output, then the XML may be valid.
$ oscap ds sds-validate ssg-xxx-ds.xml
Select A Guide
Each XML file is divided into profiles, each of which usually corresponds to a guide adapted to a kind of target (e.g. CIS Guide for Workstations).
$ oscap info ssg-xxx-ds.xml
[...]
Profiles:
Title: Standard System Security Profile for Parrot Linux
Id: xccdf_org.ssgproject.content_profile_standard
Compliance scan
To check whether a system is hardened according to a given profile and guide:
$ oscap xccdf eval \
--profile xccdf_org.ssgproject.content_profile_standard \
ssg-xxx-ds.xml
You can add more options right before the XML.
- To generate an HTML report, add --report report.html.
- To add verbosity, add --verbose INFO.
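The validate, select and scan steps above, tied together in one wrapper as an added example (not code from the original page or the OpenSCAP project). The function names are hypothetical, and the exit-status meanings (0 all rules pass, 2 at least one rule failed or unknown, 1 error) are taken from the oscap manual rather than from this page.

```shell
#!/bin/sh
# Added example: function names are hypothetical, not part of OpenSCAP.

# Print the profile Ids listed under "Profiles:" in `oscap info` output (stdin).
profile_ids() {
    awk '
        $1 == "Profiles:" && NF == 1 { in_profiles = 1; next }
        # Any non-empty line other than Title:/Id: starts a new section.
        in_profiles && NF > 0 && $1 != "Title:" && $1 != "Id:" { in_profiles = 0 }
        in_profiles && $1 == "Id:" { print $2 }
    '
}

# Succeed only if the exact profile Id ($1) appears in `oscap info` output (stdin).
has_profile() {
    profile_ids | grep -Fxq -- "$1"
}

# Map the exit status of `oscap xccdf eval` to a verdict (per the oscap manual):
# 0 = all rules passed, 2 = at least one rule failed or is unknown, else error.
verdict() {
    case "$1" in
        0) echo compliant ;;
        2) echo non-compliant ;;
        *) echo error ;;
    esac
}

# scan DATASTREAM PROFILE [REPORT]: validate the guide, check the profile, evaluate.
scan() {
    ds=$1 profile=$2 report=${3:-report.html}
    oscap ds sds-validate "$ds" ||
        { echo "invalid data stream: $ds" >&2; return 1; }
    oscap info "$ds" | has_profile "$profile" ||
        { echo "profile not found in $ds: $profile" >&2; return 1; }
    rc=0
    oscap xccdf eval --profile "$profile" --report "$report" "$ds" >/dev/null || rc=$?
    echo "$(verdict "$rc") (oscap exit status $rc, report: $report)"
    [ "$rc" -eq 0 ]
}

# Run only when called with arguments, e.g.:
#   sh scan.sh ssg-xxx-ds.xml xccdf_org.ssgproject.content_profile_standard
if [ "$#" -ge 2 ]; then scan "$@"; fi
```

scan returns non-zero unless every rule passes, so it can gate a pipeline step on the compliance result.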
💡 You can test a remote system using oscap-ssh, as long as the target has openscap installed. Refer to the manual.
You can use a GUI called scap-workbench (0.2k ⭐).