Step 1. Log into your server running CentOS 6.x. If a command does not work, run with sudo
Step 2. Add epel RPM repository CentOS 6
su -c 'rpm -Uvh http://download.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm'
Alternatively:
wget http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
wget http://rpms.famillecollet.com/enterprise/remi-release-6.rpm
sudo rpm -Uvh remi-release-6*.rpm epel-release-6*.rpm
Step 3. Install openSCAP
yum install -y openscap openscap-utils openscap-content
Step 4. Install SCAP Security Guide
yum install -y scap-security-guide
Running openSCAP system scan
Here’s an example of running openSCAP against the
cd ~/
oscap xccdf eval --profile usgcb-rhel6-server \
--results ~/usgcb-rhel6-server.xml \
--report ~/usgcb-rhel6-server.html \
--cpe /usr/share/xml/scap/ssg/content/ssg-rhel6-cpe-dictionary.xml \
/usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml ; true
Command-line Arguments:
Optional arguments to the oscap command, either:
–profile PROFILE: Specifies a particular profile from the XCCDF document.
Profiles are determined by the Profile tag in the XCCDF XML file. Use the oscap command to see a list of profiles within a given XCCDF file, for example:
$ oscap info /usr/local/share/scap/dist_sles11_scap-sles11-oval.xml Document type: XCCDF Checklist Checklist version: 1.1 Status: draft Generated: 2011-10-12 Imported: 2012-11-15T22:10:41 Resolved: false Profiles: SLES11-Default
If not specified, the default profile is used. Some early versions of OpenSCAP in require that you use the –profile option or the scan will fail.
–skip-valid: Do not validate input and output files. You can use this option to bypass the file validation process if you do not have well-formed XCCDF content.
Path to XCCDF Document:
This is a required field. The path parameter points to the XCCDF content location on the client system. For example: /usr/local/scap/dist_rhel6_scap-rhel6-oval.xml