使用OpenSCAP对CentOS6进行安全检查

使用OpenScap对CentOS6进行安全检查

OpenSCAP官网：https://www.open-scap.org/

OpenSCAP提供了很多安全方面的工具，包括配置安全检查和漏洞扫描，可惜CentOS已经很久没有更新OVAL库了，因此理论上来说，CentOS是用不上OpenSCAP的，有一们外国牛人

Waldirio Manhães Pinheiro

解决了配置安全检查这一部分的问题,在此把方法引进国内来，也希望有国内的牛人把漏洞扫描这一块也解决了，毕竟

nessus

还是很贵的

名词解释：

SCAP（Security Content Automation Protoco l：安全内容自动化协议）

XCCD (The Extensible Configuration Checklist Description)

FDCC（Federal Desktop CoreConfiguration：联邦桌面核心配置）

USGCB（United States Government ConfigurationBaseline：美国政府配置基线）

一、安装

[root@localhost ~]# yum install scap-security-guide -y

二、修改配置

如果使用的是

redhat

则可以跳过此步

[root@localhost ~]# sed -i -e "s#<platform>Red Hat Enterprise Linux 6</platform>#<platform>CentOS 6</platform>##g" /usr/share/xml/scap/ssg/content/ssg-rhel6-cpe-oval.xml
[root@localhost ~]# sed -i -e "s#cpe:/o:redhat:enterprise_linux:6#cpe:/o:centos:centos:6##g" /usr/share/xml/scap/ssg/content/ssg-rhel6-cpe-oval.xml
[root@localhost ~]# sed -i -e "s#cpe:/o:redhat:enterprise_linux#cpe:/o:centos:centos##g" /usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml
[root@localhost ~]#

三、执行检查

3.1 选一个profile

[root@storage ~]# oscap info /usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml
Document type: XCCDF Checklist
Checklist version: 1.1
Imported: 2017-01-12T10:42:00
Status: draft
Generated: 2016-05-11
Resolved: true
Profiles:
standard
CS2
common
server
stig-rhel6-server-upstream
usgcb-rhel6-server
rht-ccp
CSCF-RHEL6-MLS
C2S
pci-dss
nist-cl-il-al

在这里我们选用

usgcb-rhel6-server

3.2 执行检查

[root@localhost ~]# oscap xccdf eval --profile usgcb-rhel6-server \
--results ~/usgcb-rhel6-server.xml \
--report ~/usgcb-rhel6-server.html \
--cpe /usr/share/xml/scap/ssg/content/ssg-rhel6-cpe-dictionary.xml \
/usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml

上面的

usgcb-rhel6-server.html

适合人类阅读

四、输出结果

Title   Ensure /var Located On Separate Partition
Rule    partition_for_var
Ident   CCE-26639-5
Ident   DISA FSO RHEL-06-000002
Result  fail

Title   Ensure /var/log Located On Separate Partition
Rule    partition_for_var_log
Ident   CCE-26215-4
Ident   DISA FSO RHEL-06-000003
Result  fail

Title   Ensure /var/log/audit Located On Separate Partition
Rule    partition_for_var_log_audit
Ident   CCE-26436-6
Ident   DISA FSO RHEL-06-000004
Result  fail

Title   Ensure /home Located On Separate Partition
Rule    partition_for_home
Ident   CCE-26557-9
Ident   DISA FSO RHEL-06-000007
Result  fail

Title   Add noexec Option to Removable Media Partitions
Rule    mount_option_noexec_removable_partitions
Ident   CCE-27196-5
Ident   DISA FSO RHEL-06-000271
Result  fail

Title   Disable the Automounter
Rule    service_autofs_disabled
Ident   CCE-26976-1
Ident   DISA FSO RHEL-06-000526
Result  pass

.....后面还有很多.....

五、查看报告文件

把生成的

usgcb-rhel6-server.html

报告文件取回本地用浏览器打开，或者把它扔到WEB服务器上

点击标题，可看查看解决方案

六、参考

利用SCAP有效进行主机安全管理

redhat帮助文档：典型的合规策略

七、附件下载

CIS CentOS Linux 6 Benchmark v2.0.1.pdf

CIS CentOS Linux 7 Benchmark v2.1.0.pdf

更多下载