使用OpenScap对CentOS6进行安全检查
OpenSCAP官网:https://www.open-scap.org/
OpenSCAP提供了很多安全方面的工具,包括配置安全检查和漏洞扫描,可惜CentOS已经很久没有更新oval库了,因此理论上来说,CentOS是用不上OpenSCAP的,有一们外国牛人 Waldirio Manhães Pinheiro 解决了配置安全检查这一部分的问题,在此把方法引进国内来,也希望有国内的牛人把漏洞扫描这一块也解决了,毕竟 nessus 还是很贵的
名词解释:
- SCAP(Security Content Automation Protoco l:安全内容自动化协议)
- XCCD (The Extensible Configuration Checklist Description)
- FDCC(Federal Desktop CoreConfiguration:联邦桌面核心配置)
- USGCB(United States Government ConfigurationBaseline:美国政府配置基线)
一、安装
[root@localhost ~]# yum install scap-security-guide -y
二、修改配置
如果使用的是 redhat 则可以跳过此步
[root@localhost ~]# sed -i -e "s#<platform>Red Hat Enterprise Linux 6</platform>#<platform>CentOS 6</platform>##g" /usr/share/xml/scap/ssg/content/ssg-rhel6-cpe-oval.xml [root@localhost ~]# sed -i -e "s#cpe:/o:redhat:enterprise_linux:6#cpe:/o:centos:centos:6##g" /usr/share/xml/scap/ssg/content/ssg-rhel6-cpe-oval.xml [root@localhost ~]# sed -i -e "s#cpe:/o:redhat:enterprise_linux#cpe:/o:centos:centos##g" /usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml [root@localhost ~]#
三、执行检查
3.1 选一个profile
[root@storage ~]# oscap info /usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml
Document type: XCCDF Checklist
Checklist version: 1.1
Imported: 2017-01-12T10:42:00
Status: draft
Generated: 2016-05-11
Resolved: true
Profiles:
standard
CS2
common
server
stig-rhel6-server-upstream
usgcb-rhel6-server
rht-ccp
CSCF-RHEL6-MLS
C2S
pci-dss
nist-cl-il-al
在这里我们选用 usgcb-rhel6-server
3.2 执行检查
[root@localhost ~]# oscap xccdf eval --profile usgcb-rhel6-server \ --results ~/usgcb-rhel6-server.xml \ --report ~/usgcb-rhel6-server.html \ --cpe /usr/share/xml/scap/ssg/content/ssg-rhel6-cpe-dictionary.xml \ /usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml
上面的 usgcb-rhel6-server.html 适合人类阅读
四、输出结果
Title Ensure /var Located On Separate Partition Rule partition_for_var Ident CCE-26639-5 Ident disA FSO RHEL-06-000002 Result fail Title Ensure /var/log Located On Separate Partition Rule partition_for_var_log Ident CCE-26215-4 Ident disA FSO RHEL-06-000003 Result fail Title Ensure /var/log/audit Located On Separate Partition Rule partition_for_var_log_audit Ident CCE-26436-6 Ident disA FSO RHEL-06-000004 Result fail Title Ensure /home Located On Separate Partition Rule partition_for_home Ident CCE-26557-9 Ident disA FSO RHEL-06-000007 Result fail Title Add noexec Option to Removable Media Partitions Rule mount_option_noexec_removable_partitions Ident CCE-27196-5 Ident disA FSO RHEL-06-000271 Result fail Title disable the Automounter Rule service_autofs_disabled Ident CCE-26976-1 Ident disA FSO RHEL-06-000526 Result pass .....后面还有很多.....
五、查看报告文件
把生成的 usgcb-rhel6-server.html 报告文件取回本地用浏览器打开,或者把它扔到WEB服务器上
