
Quickstart-Amazon-Linux-openscap1.0.8.md


Amazon Linux (2014.03 HVM ami-76817c1e) quickstart (64 bit)

Note: This Quickstart is fragile and may fail

Note: This quickstart only works with AMI ami-76817c1e (Amazon Linux 2014.03 HVM)

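# Download OpenSCAP RPMs for Amazon Linux. (Thanks to Owen for building the RPMs)
# Note: This is experimental, no signing yet of RPMs
# Because the RPMs are unsigned, nothing below verifies what was downloaded; compare
# each file against a checksum obtained out of band (<CHECKSUM-FROM-PUBLISHER>) before installing.
# Work in a fresh directory so the later "localinstall *.rpm" picks up only these files.
mkdir -p openscap-rpms && cd openscap-rpms

wget http://c8a44eea0cdc23b7463e-ee42454716106089a169830ef1c408ef.r15.cf5.rackcdn.com/amzn/x86_64/openscap-1.0.8-2.amzn1.x86_64.rpm
wget http://c8a44eea0cdc23b7463e-ee42454716106089a169830ef1c408ef.r15.cf5.rackcdn.com/amzn/x86_64/openscap-debuginfo-1.0.8-2.amzn1.x86_64.rpm
wget http://c8a44eea0cdc23b7463e-ee42454716106089a169830ef1c408ef.r15.cf5.rackcdn.com/amzn/x86_64/openscap-devel-1.0.8-2.amzn1.x86_64.rpm
wget http://c8a44eea0cdc23b7463e-ee42454716106089a169830ef1c408ef.r15.cf5.rackcdn.com/amzn/x86_64/openscap-engine-sce-1.0.8-2.amzn1.x86_64.rpm
wget http://c8a44eea0cdc23b7463e-ee42454716106089a169830ef1c408ef.r15.cf5.rackcdn.com/amzn/x86_64/openscap-engine-sce-devel-1.0.8-2.amzn1.x86_64.rpm
wget http://c8a44eea0cdc23b7463e-ee42454716106089a169830ef1c408ef.r15.cf5.rackcdn.com/amzn/x86_64/openscap-extra-probes-1.0.8-2.amzn1.x86_64.rpm
# Host name fixed: the original URL read "rackcdn.comm", which would not resolve.
wget http://c8a44eea0cdc23b7463e-ee42454716106089a169830ef1c408ef.r15.cf5.rackcdn.com/amzn/x86_64/openscap-python-1.0.8-2.amzn1.x86_64.rpm
wget http://c8a44eea0cdc23b7463e-ee42454716106089a169830ef1c408ef.r15.cf5.rackcdn.com/amzn/x86_64/openscap-utils-1.0.8-2.amzn1.x86_64.rpm
wget http://c8a44eea0cdc23b7463e-ee42454716106089a169830ef1c408ef.r15.cf5.rackcdn.com/amzn/x86_64/python-lxml-2.2.3-1.1.amzn1.x86_64.rpm
wget http://c8a44eea0cdc23b7463e-ee42454716106089a169830ef1c408ef.r15.cf5.rackcdn.com/amzn/x86_64/python-lxml-debuginfo-2.2.3-1.1.amzn1.x86_64.rpm

# Retrieve CentOS SCAP-Security-Guide RPM

#(expired) wget http://mirror.centos.org/centos/6/os/x86_64/Packages/scap-security-guide-0.1.21-3.el6.noarch.rpm
wget http://mirror.centos.org/centos/6/os/x86_64/Packages/scap-security-guide-0.1.21-3.el6.noarch.rpm

# Alternate source of SCAP-Security-Guide
# wget http://0e01fbc32a350ec514ac-c80f4f0ac7f2efb7e499607e5e8fd7f4.r76.cf5.rackcdn.com/amzn/noarch/scap-security-guide-0.1.18-3.amzn1.noarch.rpm
# wget http://0e01fbc32a350ec514ac-c80f4f0ac7f2efb7e499607e5e8fd7f4.r76.cf5.rackcdn.com/amzn/noarch/openscap-content-1.0.8-2.amzn1.noarch.rpm

# Install the OpenSCAP RPMs using localinstall method
# --nogpgcheck is required because the RPMs above are unsigned; it installs every
# *.rpm in the current directory, which is why the downloads were kept in their own directory.
sudo yum --nogpgcheck localinstall -y *.rpm

# Install SCAP-Security-Guide
# sudo yum install --enablerepo=epel scap-security-guide -y

# Install Lynx
sudo yum install lynx -y

# Install govready using curl. govready will install OpenSCAP and SCAP-Security-Content
# The installer runs as root, so it should be fetched with certificate validation on
# (the original used -k, which disables it for any https redirect). A bare host name
# makes curl default to plain http; if you want to read the script before running it,
# save it with "curl -L -o install.sh io.govready.org/install" and run it afterwards.
curl -L io.govready.org/install | sudo bash

# Switch to root so scanner can run all tests properly
# "sudo -i" gives a root login shell without setting a root password on the instance
# (the original did "sudo passwd root" followed by "su -").
sudo -i

# Create a directory and cd into it
mkdir myfisma
cd myfisma

# Initialize the directory
govready init

# Import Amazon cpe-dictionary.xml and cpe-oval.xml SCAP data into local scap/content directory
govready import https://raw.githubusercontent.com/GovReady/govready/master/templates/ssg-amzn2014.03.2hvm-cpe-dictionary.xml
govready import https://raw.githubusercontent.com/GovReady/govready/master/templates/ssg-amzn2014.03.2hvm-cpe-oval.xml

# Update GovReadyfile using sed command (or update the CPE line manually using a text editor)
sed -i 's:^CPE.*:CPE = scap/content/ssg-amzn2014.03.2hvm-cpe-dictionary.xml:' GovReadyfile

# Update ssg-rhel6-xccdf.xml to include CPE definition for Amazon Linux
# Note: This sed statement is fragile if ssg-rhel6-xccdf.xml format changes.
# It appends the Amazon platform element after the RHEL 6 client platform line; re-running
# it appends a second copy, so run it only once per installed content file.
sed  -i "/cpe:\/o:redhat:enterprise_linux:6::client/a \  <platform idref=\"cpe:\/o:amazon:linux:2014:3:hvm\"/>" /usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml

# Run a scan
govready scan

# List results
ls -l scans

# View a report - from the command line, old school style using lynx browser
# Example - your file name may differ
lynx scans/test-results-0820-0220.html

# Run fix script generated by most recent OpenSCAP scan
govready fix

# Compare before and after scans. Compares rules with 'pass' results in most recent scan to results in second most recent scan.
govready compare

# Compare before and after scans to see if anything fails passed in second most recent scan.
govready compare fail

# Information and evaluation of individual rule (rule must be listed in results.xml file)
govready rule configure_auditd_num_logs

# See available profiles (e.g., baselines)
govready profiles

# Run a scan for a different profile (e.g., baseline)
govready scan usgcb-rhel6-server

# Run an autogenerated fix script from available remediations in the SCAP content
# Example - your file name may differ
# NOTE(review): the results were listed under "scans/" above but this path says "scan/" —
# confirm which directory govready writes the fix script to before running it.
bash scan/usgcb-rhel6-server-fix-0822-1552.sh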