For those, not yet using openscap-scanner
on their systems, OpenSCAP is an security auditing framework that utilizes the Extensible Configuration Checklist Description Format (XCCDF) and the openscap-scanner
executes over the security profile on a target system.
One gotcha, I have a Mac, and the tool is not natively supported on the Mac. I decided to use it through a fedora
container running in Podman.
Here are the steps to running on a Mac with complianceascode/content
‘s release.
Steps
- Download the Docker File
- Build the Image
$ podman build -f Dockerfile -t ocp-power.xyz/compliance/openscap-wrapper:latest
...
- Download the content files scap-security-guide-0.1.65.zip
$ curl -O -L https://github.com/ComplianceAsCode/content/releases/download/v0.1.65/scap-security-guide-0.1.65.zip
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
100 130M 100 130M 0 0 2752k 0 0:00:48 0:00:48 --:--:-- 5949k
- Unzip the
scap-security-guide-0.1.65.zip
file.
$ unzip scap-security-guide-0.1.65.zip
- Rename the directory
scap-security-guide-0.1.65
toscap
$ mv scap-security-guide-0.1.65 scap
- List the profiles in a specific XML.
$ podman run --rm -v ./scap:/scap ocp-power.xyz/compliance/openscap-wrapper:latest oscap info --profiles /scap/ssg-ocp4-ds.xml
xccdf_org.ssgproject.content_profile_cis-node:CIS Red Hat OpenShift Container Platform 4 Benchmark
xccdf_org.ssgproject.content_profile_cis:CIS Red Hat OpenShift Container Platform 4 Benchmark
xccdf_org.ssgproject.content_profile_e8:Australian Cyber Security Centre (ACSC) Essential Eight
xccdf_org.ssgproject.content_profile_high-node:NIST 800-53 High-Impact Baseline for Red Hat OpenShift - Node level
xccdf_org.ssgproject.content_profile_high:NIST 800-53 High-Impact Baseline for Red Hat OpenShift - Platform level
xccdf_org.ssgproject.content_profile_moderate-node:NIST 800-53 Moderate-Impact Baseline for Red Hat OpenShift - Node level
xccdf_org.ssgproject.content_profile_moderate:NIST 800-53 Moderate-Impact Baseline for Red Hat OpenShift - Platform level
xccdf_org.ssgproject.content_profile_nerc-cip-node:North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) cybersecurity standards profile for the Red Hat OpenShift Container Platform - Node level
xccdf_org.ssgproject.content_profile_nerc-cip:North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) cybersecurity standards profile for the Red Hat OpenShift Container Platform - Platform level
xccdf_org.ssgproject.content_profile_pci-dss-node:PCI-DSS v3.2.1 Control Baseline for Red Hat OpenShift Container Platform 4
xccdf_org.ssgproject.content_profile_pci-dss:PCI-DSS v3.2.1 Control Baseline for Red Hat OpenShift Container Platform 4
- Details on the profile
$ podman run --rm -v ./scap:/scap ocp-power.xyz/compliance/openscap-wrapper:latest oscap info --profile xccdf_org.ssgproject.content_profile_cis-node /scap/ssg-ocp4-ds.xml
Document type: Source Data Stream
Imported: 2022-12-02T19:09:36
Stream: scap_org.open-scap_datastream_from_xccdf_ssg-ocp4-xccdf.xml
Generated: (null)
Version: 1.3
Profile
Title: CIS Red Hat OpenShift Container Platform 4 Benchmark
Id: xccdf_org.ssgproject.content_profile_cis-node
Description: This profile defines a baseline that aligns to the Center for Internet Security® Red Hat OpenShift Container Platform 4 Benchmark™, V1.1. This profile includes Center for Internet Security® Red Hat OpenShift Container Platform 4 CIS Benchmarks™ content. Note that this part of the profile is meant to run on the Operating System that Red Hat OpenShift Container Platform 4 runs on top of. This profile is applicable to OpenShift versions 4.6 and greater.
- Now, I can run more advanced commands on the profiles on my Mac.
$ podman run --rm -v ./scap:/scap ocp-power.xyz/compliance/openscap-wrapper:latest oscap oval generate report /scap/ssg-ocp4-ds.xml 2>&1
References
Notes
Note, I found I had to do the following on my Mac to get the volume to mount.
$ podman machine stop
$ podman machine set --rootful
$ podman machine start
$ sudo /opt/homebrew/Cellar/podman/4.3.1/bin/podman-mac-helper install
$ podman machine stop; podman machine start
Leave a Reply