SUSE Manager and openSCAP: 200 security rules made for you
OpenSCAP is an open-source tool to test and verify security compliance against a set of rules.
Did you know that SUSE provides more than 200 rules in its own SCAP Security Guide?
Of course there is the SLES Hardening Guide, but there are many other security certifications, such as DISA STIG, the CIS Benchmark or government recommendations.
SUSE publishes an OpenSCAP file with roughly 200 rules to test your GNU/Linux boxes against those certifications.
Follow this guide to download it and scan your computers in a minute.
Download the SSG on SUSE Manager
The first step is to download the SSG from the SUSE website so that we can push it via Salt to all our SLES boxes.
    mkdir -p /srv/salt/ssg-sles/
    cd /srv/salt/ssg-sles/
    wget ftp://ftp.suse.com/pub/projects/security/STIG/SLES_12_SCAP_BETA/ssg-sle12-ds.xml
Create a Configuration Channel with Salt
Thanks to the Salt integration in SUSE Manager, we can install all the OpenSCAP RPMs and push our SSG file with a simple state file.
In SUMA go to Configuration > Configuration Channels > + Create State Channel
Name: Openscap Commons
Label: openscap-commons
Description: Openscap RPMs pour SLES et RH/Centos
SLS Contents:
    openscap_packages:
      file.managed:
        - name: /usr/local/share/ssg-sle12-ds.xml
        - source: salt://ssg-sles/ssg-sle12-ds.xml
        - makedirs: true
        - user: root
        - group: root
        - mode: '0644'
      pkg.installed:
        - pkgs:
          - openscap
          - openscap-utils
          - spacewalk-oscap
          {% if grains['os_family'] == 'Suse' %}
          - openscap-content
          {% endif %}
          {% if grains['os_family'] == 'RedHat' %}
          - scap-security-guide
          {% endif %}
Then click Create Config Channel
Add systems to the configuration channel
Now that our Channel is set up we can add target systems.
In Configuration > Overview, click on Openscap Commons
In Systems > Target Systems select the boxes where you need to install RPMs and push the SSG rules file.
Then click Subscribe systems
Launch the first openSCAP Audit
Show time. We are ready to schedule an audit and verify the security state of our SLES (or CentOS) systems.
Select a System and go to Audit > Schedule
For a SLES box:
Command-line Arguments: --profile xccdf_org.ssgproject.content_profile_stig-sle12-disa
File System Path: /usr/local/share/ssg-sle12-ds.xml
For a RHEL or CentOS box:
Command-line Arguments: --profile xccdf_org.ssgproject.content_profile_standard
File System Path: /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
Finally, go to Audit > List Scans
After a few moments, once all 200 rules have been tested, the results show up.
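The two Audit > Schedule fields can be checked offline before a scan is scheduled. This is an added example, not code from the original article or from SUSE: it confirms that the Command-line Arguments use an ASCII `--profile` (a dash altered by copy and paste from a web page is easy to miss) and that the profile ID exists in the data stream. The embedded data stream is a constructed, trimmed stand-in for ssg-sle12-ds.xml, and the names `profiles_in` and `check_schedule` are hypothetical.

```python
import shlex
import xml.etree.ElementTree as ET

XCCDF = "{http://checklists.nist.gov/xccdf/1.2}"  # XCCDF 1.2 namespace

# Constructed stand-in for ssg-sle12-ds.xml; component/benchmark ids are made up.
SAMPLE_DS = """\
<ds:data-stream-collection
    xmlns:ds="http://scap.nist.gov/schema/scap/source/1.2"
    xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2">
  <ds:component id="constructed-component">
    <xccdf:Benchmark id="constructed-benchmark">
      <xccdf:Profile id="xccdf_org.ssgproject.content_profile_stig-sle12-disa">
        <xccdf:title>Constructed profile title</xccdf:title>
      </xccdf:Profile>
    </xccdf:Benchmark>
  </ds:component>
</ds:data-stream-collection>
"""


def profiles_in(ds_xml):
    """Map every XCCDF profile id in the data stream to its title."""
    root = ET.fromstring(ds_xml)
    return {p.get("id"): (p.findtext(XCCDF + "title") or "").strip()
            for p in root.iter(XCCDF + "Profile")}


def check_schedule(args, ds_xml):
    """Return a list of problems with the 'Command-line Arguments' field."""
    tokens = shlex.split(args)
    problems = [f"{t!r} starts with a typographic dash, type '--' instead"
                for t in tokens if t.startswith(("\u2013", "\u2014"))]
    # Only the space-separated form shown in the article is handled here.
    if "--profile" not in tokens:
        return problems + ["no --profile option found"]
    value = tokens[tokens.index("--profile") + 1:][:1]
    if not value:
        return problems + ["--profile has no value"]
    if value[0] not in profiles_in(ds_xml):
        problems.append(f"profile {value[0]!r} is not in the data stream")
    return problems


if __name__ == "__main__":
    for args in ("--profile xccdf_org.ssgproject.content_profile_stig-sle12-disa",
                 "\u2013profile xccdf_org.ssgproject.content_profile_stig-sle12-disa",
                 "--profile xccdf_org.ssgproject.content_profile_standard"):
        print(args, "->", check_schedule(args, SAMPLE_DS) or "OK")
```

On a managed system, pass the contents of the file named in File System Path instead of `SAMPLE_DS`.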
Have a nice day.