使用OpenScap对CentOS6进行安全检查

OpenSCAP官网：https://www.open-scap.org/

OpenSCAP提供了很多安全方面的工具，包括配置安全检查和漏洞扫描，可惜CentOS已经很久没有更新OVAL库了，因此理论上来说，CentOS是用不上OpenSCAP的，有一们外国牛人 Waldirio Manhães Pinheiro 解决了配置安全检查这一部分的问题,在此把方法引进国内来，也希望有国内的牛人把漏洞扫描这一块也解决了，毕竟 nessus 还是很贵的

名词解释：

• SCAP（Security Content Automation Protoco l：安全内容自动化协议）
• XCCD (The Extensible Configuration Checklist Description)
• FDCC（Federal Desktop CoreConfiguration：联邦桌面核心配置）
• USGCB（United States Government ConfigurationBaseline：美国政府配置基线）

一、安装

[root@localhost ~]# yum install scap-security-guide -y

二、修改配置

如果使用的是 redhat 则可以跳过此步

[root@localhost ~]# sed -i -e "s#<platform>Red Hat Enterprise Linux 6</platform>#<platform>CentOS 6</platform>##g" /usr/share/xml/scap/ssg/content/ssg-rhel6-cpe-oval.xml
[root@localhost ~]# sed -i -e "s#cpe:/o:redhat:enterprise_linux:6#cpe:/o:centos:centos:6##g" /usr/share/xml/scap/ssg/content/ssg-rhel6-cpe-oval.xml
[root@localhost ~]# sed -i -e "s#cpe:/o:redhat:enterprise_linux#cpe:/o:centos:centos##g" /usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml
[root@localhost ~]#

三、执行检查

3.1 选一个profile

[root@storage ~]# oscap info /usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml
Document type: XCCDF Checklist
Checklist version: 1.1
Imported: 2017-01-12T10:42:00
Status: draft
Generated: 2016-05-11
Resolved: true
Profiles:
    standard
    CS2
    common
    server
    stig-rhel6-server-upstream
    usgcb-rhel6-server
    rht-ccp
    CSCF-RHEL6-MLS
    C2S
    pci-dss
    nist-cl-il-al

在这里我们选用 usgcb-rhel6-server

3.2 执行检查

[root@localhost ~]# oscap xccdf eval --profile usgcb-rhel6-server \
--results ~/usgcb-rhel6-server.xml \
--report ~/usgcb-rhel6-server.html \
--cpe /usr/share/xml/scap/ssg/content/ssg-rhel6-cpe-dictionary.xml \
/usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml

上面的 usgcb-rhel6-server.html 适合人类阅读

四、输出结果

Title   Ensure /var Located On Separate Partition
Rule    partition_for_var
Ident   CCE-26639-5
Ident   DISA FSO RHEL-06-000002
Result  fail

Title   Ensure /var/log Located On Separate Partition
Rule    partition_for_var_log
Ident   CCE-26215-4
Ident   DISA FSO RHEL-06-000003
Result  fail

Title   Ensure /var/log/audit Located On Separate Partition
Rule    partition_for_var_log_audit
Ident   CCE-26436-6
Ident   DISA FSO RHEL-06-000004
Result  fail

Title   Ensure /home Located On Separate Partition
Rule    partition_for_home
Ident   CCE-26557-9
Ident   DISA FSO RHEL-06-000007
Result  fail

Title   Add noexec Option to Removable Media Partitions
Rule    mount_option_noexec_removable_partitions
Ident   CCE-27196-5
Ident   DISA FSO RHEL-06-000271
Result  fail

Title   Disable the Automounter
Rule    service_autofs_disabled
Ident   CCE-26976-1
Ident   DISA FSO RHEL-06-000526
Result  pass


.....后面还有很多.....

五、查看报告文件

把生成的 usgcb-rhel6-server.html 报告文件取回本地用浏览器打开，或者把它扔到WEB服务器上

点击标题，可看查看解决方案

六、参考

• 利用SCAP有效进行主机安全管理
• redhat帮助文档：典型的合规策略

七、附件下载

• CIS CentOS Linux 6 Benchmark v2.0.1.pdf
• CIS CentOS Linux 7 Benchmark v2.1.0.pdf
• 更多下载