evaluate_scap_0.1.71.sh
#!/usr/bin/env bash
########################################################################################
## This script evaluates the SCAP profile rules from the scap-security-guide v0.1.71, ##
## downloaded from github (https://github.com/ComplianceAsCode/content) ##
## The script generates a "remediation" script and guide for each profile ##
## ##
## Usage: ./evaluate_scap_0.1.71.sh >> scap_0.1.71.log 2>> scap_0.1.71.log & ##
########################################################################################
## Release of the scap-security-guide content that is downloaded and evaluated
VERSION=0.1.71
## Product whose data stream (ssg-<OS>-ds.xml) is evaluated
OS=rhel8
## Working directory: the downloaded content and every result, report,
## remediation script and guide produced by this script are written here.
## NOTE(review): the results describe this host's security posture; confirm the
## directory is not readable by unprivileged users.
TARGETDIR=/root/openscap_data
[ -d "$TARGETDIR" ] || mkdir -p "$TARGETDIR"
## Host name and date (YYYY-MM-DD) used to tag the output file names
HOST=$(hostname)
DATE=$(date +%F)
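#######################################
## Download profile from remote site ##
#######################################
## Directory the release archive unpacks into; the data stream is read from it
CONTENT=${TARGETDIR}/scap-security-guide-${VERSION}
## Release archive on GitHub and the local path it is saved to
SSG_URL=https://github.com/ComplianceAsCode/content/releases/download/v${VERSION}/scap-security-guide-${VERSION}.zip
SSG_ZIP=${TARGETDIR}/scap-security-guide-${VERSION}.zip
## Exit status of whichever downloader ran (non-zero until one succeeds)
SSG_RC=1

## Prefer wget. CURL=1 records that wget is missing and cURL must be used;
## with CURL=0 the cURL branch (and its "dnf install") is skipped entirely.
if [ -x "$(command -v wget)" ]; then
  ## -O saves to a fixed path, so a re-run replaces the previous archive
  ## instead of leaving a numbered copy beside it that is never unpacked
  wget -O "${SSG_ZIP}" "${SSG_URL}"
  SSG_RC=$?
  CURL=0
else
  CURL=1
fi

if [ "${CURL}" -eq 1 ]; then
  ## Install cURL only when it is really absent
  if [ ! -x "$(command -v curl)" ]; then
    dnf install curl -y
  fi
  ## -f makes an HTTP error a non-zero exit instead of saving the error page
  ## as the archive; -L follows the redirect GitHub issues for release assets
  curl -f -o "${SSG_ZIP}" -L "${SSG_URL}"
  SSG_RC=$?
fi

## Do not go on to unpack and evaluate a missing, empty or stale archive
if [ "${SSG_RC}" -ne 0 ] || [ ! -s "${SSG_ZIP}" ]; then
  printf 'ERROR: download of %s failed\n' "${SSG_URL}" >&2
  exit 1
fi

## Optional integrity check: export SSG_ZIP_SHA256 with the SHA-256 digest you
## have recorded for this release to have the archive verified before use.
## The content drives scans and generated remediation scripts, so an
## unverified archive should not be trusted blindly.
if [ -n "${SSG_ZIP_SHA256:-}" ]; then
  if ! printf '%s  %s\n' "${SSG_ZIP_SHA256}" "${SSG_ZIP}" | sha256sum -c -; then
    printf 'ERROR: checksum mismatch for %s\n' "${SSG_ZIP}" >&2
    exit 1
  fi
else
  printf 'WARNING: SSG_ZIP_SHA256 not set, %s was not verified\n' "${SSG_ZIP}" >&2
fi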
## Make sure unzip is available, installing it with dnf when it is not
if [ ! -x "$(command -v unzip)" ]; then
  dnf install unzip -y
fi
## Unpack the release into TARGETDIR; -o overwrites files left by an earlier
## run without asking.
## NOTE(review): nothing in this step checks the archive's integrity; confirm
## the download is verified before it is extracted.
unzip -o "${TARGETDIR}/scap-security-guide-${VERSION}.zip" -d "${TARGETDIR}"
## Print the profiles the data stream offers: keep the lines mentioning
## "profile" and strip everything up to and including "profile_".
## --fetch-remote-resources lets oscap download content the data stream
## references, so this step needs outbound network access.
oscap info --fetch-remote-resources "${CONTENT}/ssg-${OS}-ds.xml" \
  | grep profile \
  | sed 's+.*profile_++'
## Profiles to evaluate: the loop below runs once for every uncommented entry.
## Remove the leading "#" from a profile name to include it.
## NOTE(review): the labels are short descriptions; confirm them against the
## profile titles printed by "oscap info" for this content version.
declare -a PARRAY=(
  ###########
  ## rhel8 ##
  ###########
  ## ANSSI-BP-028 hardening levels
  #anssi_bp28_enhanced
  #anssi_bp28_high
  #anssi_bp28_intermediary
  #anssi_bp28_minimal
  ## CIS Benchmark (server and workstation levels)
  #cis
  #cis_server_l1
  #cis_workstation_l1
  #cis_workstation_l2
  ## Controlled Unclassified Information (NIST SP 800-171)
  #cui
  ## Australian Cyber Security Centre (ACSC) Essential Eight
  #e8
  ## Health Insurance Portability and Accountability Act
  #hipaa
  ## Australian Cyber Security Centre (ACSC) ISM Official
  #ism_o
  ## Protection Profile for General Purpose Operating Systems
  #ospp
  ## PCI-DSS control baseline for Red Hat Enterprise Linux 8
  #pci-dss
  ## DISA Security Technical Implementation Guide (STIG)
  #stig
  ## DISA STIG variant for systems with a GUI
  stig_gui
)
## Evaluate every selected profile and write its results, report,
## remediation script and guide into TARGETDIR
for PROFILE in "${PARRAY[@]}"; do
  ## Full XCCDF profile ID, the data stream to read, and the tag shared by
  ## this profile's output files
  PROFILE_ID="xccdf_org.ssgproject.content_profile_${PROFILE}"
  DATASTREAM="${CONTENT}/ssg-${OS}-ds.xml"
  RUN_TAG="${HOST}-${DATE}-${PROFILE}"

  ## Banner separating the profiles in the log
  printf "\n#### %s ####\n\n" "${PROFILE}"

  ## Scan this host. oscap exits with status 2 when at least one rule fails,
  ## so a non-zero status here is expected and must not abort the loop.
  ## --fetch-remote-resources allows downloading content the data stream
  ## references (outbound network access required).
  oscap xccdf eval --fetch-remote-resources --profile "${PROFILE_ID}" \
    --results "${TARGETDIR}/${RUN_TAG}.xml" \
    --report "${TARGETDIR}/${RUN_TAG}.html" \
    "${DATASTREAM}"

  ## Generate the shell remediation script for the profile. It is built from
  ## the data stream, not from the scan results above, and is only written to
  ## disk here; review it before running it on any host.
  oscap xccdf generate fix --template urn:xccdf:fix:script:sh \
    --profile "${PROFILE_ID}" \
    --output "${TARGETDIR}/remediation-${RUN_TAG}.sh" \
    "${DATASTREAM}"

  ## Generate the HTML guide for the profile
  oscap xccdf generate guide --profile "${PROFILE_ID}" \
    --output "${TARGETDIR}/scap-security-guide-${VERSION}-${RUN_TAG}.html" \
    "${DATASTREAM}"
done
## Bundle today's results, reports, remediation scripts and guides for this
## host into one gzip-compressed tar file. The archive name is relative, so it
## is created in the directory the script was started from.
## NOTE(review): the bundle contains this host's findings; confirm the
## directory it lands in and its permissions are suitably restricted.
BUNDLE="${HOST}-${DATE}-scap_${VERSION}.tar.gz"
tar -cvzf "${BUNDLE}" \
  "${TARGETDIR}/${HOST}-${DATE}-"*.xml \
  "${TARGETDIR}/${HOST}-${DATE}-"*.html \
  "${TARGETDIR}/remediation-${HOST}-${DATE}-"*.sh \
  "${TARGETDIR}/scap-security-guide-${VERSION}-${HOST}-${DATE}-"*.html