Note: This Quickstart is fragile and may fail
Note: This quickstart only works with AMI ami-76817c1e
(Amazon Linux 2014.03 HVM)
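# Download OpenSCAP RPMs for Amazon Linux. (Thanks to Owen for building the RPMs)
# Note: This is experimental; the RPMs are not signed yet.
# Caveat: the files travel over plain HTTP and carry no signature, so nothing in
# this step authenticates them. Use a disposable test instance, and compare the
# downloads against checksums obtained from the builder over a separate trusted
# channel if you can get them.
# All ten packages live under the same base URL; keeping it in one place avoids
# a mistyped host name on an individual line.
rpm_base=http://c8a44eea0cdc23b7463e-ee42454716106089a169830ef1c408ef.r15.cf5.rackcdn.com/amzn/x86_64
for rpm in \
  openscap-1.0.8-2.amzn1.x86_64.rpm \
  openscap-debuginfo-1.0.8-2.amzn1.x86_64.rpm \
  openscap-devel-1.0.8-2.amzn1.x86_64.rpm \
  openscap-engine-sce-1.0.8-2.amzn1.x86_64.rpm \
  openscap-engine-sce-devel-1.0.8-2.amzn1.x86_64.rpm \
  openscap-extra-probes-1.0.8-2.amzn1.x86_64.rpm \
  openscap-python-1.0.8-2.amzn1.x86_64.rpm \
  openscap-utils-1.0.8-2.amzn1.x86_64.rpm \
  python-lxml-2.2.3-1.1.amzn1.x86_64.rpm \
  python-lxml-debuginfo-2.2.3-1.1.amzn1.x86_64.rpm
do
  # Stop at the first failed download so the error is not scrolled past.
  wget "${rpm_base}/${rpm}" || break
done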
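# Retrieve CentOS SCAP-Security-Guide RPM
#(expired) wget http://mirror.centos.org/centos/6/os/x86_64/Packages/scap-security-guide-0.1.18-3.el6.noarch.rpm
wget http://mirror.centos.org/centos/6/os/x86_64/Packages/scap-security-guide-0.1.21-3.el6.noarch.rpm
# Alternate source of SCAP-Security-Guide
# wget http://0e01fbc32a350ec514ac-c80f4f0ac7f2efb7e499607e5e8fd7f4.r76.cf5.rackcdn.com/amzn/noarch/scap-security-guide-0.1.18-3.amzn1.noarch.rpm
# wget http://0e01fbc32a350ec514ac-c80f4f0ac7f2efb7e499607e5e8fd7f4.r76.cf5.rackcdn.com/amzn/noarch/openscap-content-1.0.8-2.amzn1.noarch.rpm
# Install the OpenSCAP RPMs using localinstall method
# Caveat: --nogpgcheck turns off RPM signature checking for this transaction, and
# the glob installs every .rpm in the current directory as root. Do the downloads
# in a fresh, empty directory and list it (ls -l ./*.rpm) before this step, so
# only the packages fetched above are installed.
# The ./ prefix keeps a file name that begins with '-' from being read as an option.
sudo yum --nogpgcheck localinstall -y ./*.rpm
# Install SCAP-Security-Guide
# sudo yum install --enablerepo=epel scap-security-guide -y
# Install Lynx
sudo yum install lynx -y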
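# Install govready using curl. govready will install OpenSCAP and SCAP-Security-Content
# The installer is saved to a file instead of being piped straight into a root
# shell, so it can be read before it runs and a truncated download is never
# executed.
# -k is dropped so curl verifies TLS certificates on any HTTPS hop it follows;
# -f makes curl exit non-zero on an HTTP error instead of saving the error page.
# The URL as given has no scheme, which curl treats as HTTP; prefer an https://
# URL for the installer if the host serves one.
curl -fL -o govready-install.sh io.govready.org/install
# Read the script before running it as root.
less govready-install.sh
sudo bash govready-install.sh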
# Set a password for root
# NOTE(review): this gives the root account a password, which makes root
# reachable through su and through any other password-based login path that
# permits root. Choose a strong, unique password.
# `sudo -i` also opens a root login shell and needs no root password; consider
# it instead if nothing later in your workflow depends on a root password.
sudo passwd root
# Switch to root so scanner can run all tests properly
# Every command below runs inside the root login shell that su opens.
su -
# Create a directory and cd into it
mkdir myfisma
cd myfisma
# Initialize the directory
govready init
# Import Amazon cpe-dictionary.xml and cpe-oval.xml SCAP data into local scap/content directory
# NOTE(review): both URLs point at the master branch, so the content fetched can
# change between runs. Keep a copy of the imported files with the scan results if
# the results need to be reproducible.
govready import https://raw.githubusercontent.com/GovReady/govready/master/templates/ssg-amzn2014.03.2hvm-cpe-dictionary.xml
govready import https://raw.githubusercontent.com/GovReady/govready/master/templates/ssg-amzn2014.03.2hvm-cpe-oval.xml
# Update GovReadyfile using sed command (or update the CPE line manually using a text editor)
# Replaces any line starting with "CPE" so it points at the imported dictionary.
sed -i 's:^CPE.*:CPE = scap/content/ssg-amzn2014.03.2hvm-cpe-dictionary.xml:' GovReadyfile
# Update ssg-rhel6-xccdf.xml to include CPE definition for Amazon Linux
# Note: This sed statement is fragile if ssg-rhel6-xccdf.xml format changes.
# Appends an Amazon Linux <platform> element after each line that mentions the
# RHEL 6 client CPE. The edit is made in place with no backup (-i has no suffix),
# and running it a second time appends a duplicate element, so copy the file
# aside first and run this only once.
# This changes the benchmark content under /usr/share that the scanner evaluates;
# results are then for a RHEL 6 benchmark applied to Amazon Linux.
sed -i "/cpe:\/o:redhat:enterprise_linux:6::client/a \ <platform idref=\"cpe:\/o:amazon:linux:2014:3:hvm\"/>" /usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml
# Run a scan
govready scan
# List results
ls -l scans
# View a report - from the command line, old school style using lynx browser
# Example - your file name may differ
lynx scans/test-results-0820-0220.html
# Run fix script generated by most recent OpenSCAP scan
# NOTE(review): this runs in the root shell opened earlier, and a remediation
# script presumably changes system settings. Read the generated script and take
# a snapshot of the instance before running it.
govready fix
# Compare before and after scans. Compares rules with 'pass' results in most recent scan to results in second most recent scan.
govready compare
# Compare before and after scans, this time looking at rules with 'fail' results.
# NOTE(review): presumably this shows rules that fail in the most recent scan
# against their result in the second most recent scan - confirm with govready's help.
govready compare fail
# Information and evaluation of individual rule (rule must be listed in results.xml file)
govready rule configure_auditd_num_logs
# See available profiles (e.g., baselines)
govready profiles
# Run a scan for a different profile (e.g., baseline)
govready scan usgcb-rhel6-server
# Run an autogenerated fix script from available remediations in the SCAP content
# Example - your file name may differ
# NOTE(review): the earlier steps list and read results under scans/, while this
# path uses scan/ - confirm which directory holds the generated script.
# The script runs in the root shell; read it before running it.
bash scan/usgcb-rhel6-server-fix-0822-1552.sh