This article is 100% meat free, 100% peanut free, and 100% AI free.
I like to use a tool called openscap. There are others. Ansible also has a good script.
You need to install it. For rpm-based systems it looks like this.
Code:
dnf install -y openscap openscap-perl openscap-python3 openscap-scanner openscap-utils openscap-report oscap-anaconda-addon
For deb/apt-based systems it looks like this.
Code:
apt-get install openscap openscap-perl python3-openscap openscap-utils
Next, we need to find out what scan profiles are available for your flavor of Linux.
Code:
ls /usr/share/xml/scap/ssg/content/
ssg-al2023-ds.xml ssg-chromium-ds.xml ssg-fedora-ds.xml ssg-ol7-ds.xml ssg-rhcos4-ds.xml ssg-sle15-ds.xml
ssg-alinux2-ds.xml ssg-cs10-ds.xml ssg-firefox-ds.xml ssg-ol8-ds.xml ssg-rhel10-ds.xml ssg-slmicro5-ds.xml
ssg-alinux3-ds.xml ssg-cs9-ds.xml ssg-kylinserver10-ds.xml ssg-ol9-ds.xml ssg-rhel8-ds.xml ssg-ubuntu1604-ds.xml
ssg-anolis23-ds.xml ssg-debian11-ds.xml ssg-macos1015-ds.xml ssg-openembedded-ds.xml ssg-rhel9-ds.xml ssg-ubuntu1804-ds.xml
ssg-anolis8-ds.xml ssg-debian12-ds.xml ssg-ocp4-ds.xml ssg-openeuler2203-ds.xml ssg-rhv4-ds.xml ssg-ubuntu2004-ds.xml
ssg-centos8-ds.xml ssg-eks-ds.xml ssg-ol10-ds.xml ssg-opensuse-ds.xml ssg-sle12-ds.xml ssg-ubuntu2204-ds.xml
We can see quite a few in here: Debian, Ubuntu, Fedora, Red Hat, openSUSE, and a few others.
The name of the xml file should make it obvious which distro it's for.
Now we need to run a command to see what scan profiles are available for your distro.
In my case, I'm using Fedora, so I would use this command:
Code:
oscap info /usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml
That returns some output that looks like this.
Code:
Document type: Source Data Stream
Imported: 2024-11-13T16:00:00
Stream: scap_org.open-scap_datastream_from_xccdf_ssg-fedora-xccdf.xml
Generated: (null)
Version: 1.3
Checklists:
Ref-Id: scap_org.open-scap_cref_ssg-fedora-xccdf.xml
Status: draft
Generated: 2024-12-04
Resolved: true
Profiles:
Title: CUSP - Common User Security Profile for Fedora Workstation
Id: xccdf_org.ssgproject.content_profile_cusp_fedora
Title: OSPP - Protection Profile for General Purpose Operating Systems
Id: xccdf_org.ssgproject.content_profile_ospp
Title: PCI-DSS v3.2.1 Control Baseline for Fedora
Id: xccdf_org.ssgproject.content_profile_pci-dss
Title: Standard System Security Profile for Fedora
Id: xccdf_org.ssgproject.content_profile_standard
Referenced check files:
ssg-fedora-oval.xml
system: http://oval.mitre.org/XMLSchema/oval-definitions-5
ssg-fedora-ocil.xml
system: http://scap.nist.gov/schema/ocil/2
Checks:
Ref-Id: scap_org.open-scap_cref_ssg-fedora-oval.xml
Ref-Id: scap_org.open-scap_cref_ssg-fedora-ocil.xml
Ref-Id: scap_org.open-scap_cref_ssg-fedora-cpe-oval.xml
Dictionaries:
Ref-Id: scap_org.open-scap_cref_ssg-fedora-cpe-dictionary.xml
Obviously if you're using a different distro, it will look a little different for you.
But notice under the "Profiles" section it lists four profiles I can use to scan.
There is a common one, a standard one, and a general purpose one. There is also one for PCI.
You can use any one of the profiles you want, but I'm just going to pick the common (CUSP) one for this scan. Just replace the profile name with whichever one you want to use.
So, to scan my system, I would use:
Code:
sudo oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_cusp_fedora /usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml
I need to enter both the profile and the xml file where the profile is referenced.
This can take a while to run depending on the speed of your computer and how many packages you have installed.
Note: This doesn't fix anything for you (that's another article maybe).
It just shows you where the potential security problems might be.
Now as you watch all this scrolling by, you'll notice it's a pretty big report. How do we make this more manageable?
Code:
sudo oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_cusp_fedora --report report.html /usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml
You can output the results as an HTML file and view it in your browser. It normally places this in the directory you ran the command from.
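An added example, not part of the original article: shell helpers that condense the scrolling terminal output of `oscap xccdf eval` into a count per result and a list of failing rules. It assumes the scan output is piped as plain text and that each rule prints `Title`, `Rule` and `Result` lines; the function names and the sample scan output are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: summarise `oscap xccdf eval` terminal output.
# Assumption: every rule is printed as "Title", "Rule" and "Result" lines.

# Constructed sample of scan output (not taken from a real scan).
sample_scan() {
cat <<'EOF'
Title   Install AIDE
Rule    xccdf_org.ssgproject.content_rule_package_aide_installed
Result  fail

Title   Ensure /tmp Located On Separate Partition
Rule    xccdf_org.ssgproject.content_rule_partition_for_tmp
Result  notapplicable

Title   Disable SSH Root Login
Rule    xccdf_org.ssgproject.content_rule_sshd_disable_root_login
Result  fail

Title   Ensure gpgcheck Enabled In Main dnf Configuration
Rule    xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated
Result  pass
EOF
}

# Print "<count> <result>" for every result type seen on stdin.
count_results() {
    awk '$1 == "Result" { n[$2]++ } END { for (r in n) print n[r], r }' | sort -k2
}

# Print "<rule id><TAB><title>" for rules with the given result (default: fail).
rules_with_result() {
    awk -v want="${1:-fail}" '
        $1 == "Title"  { sub(/^Title[ \t]+/, ""); title = $0; next }
        $1 == "Rule"   { rule = $2; next }
        $1 == "Result" && $2 == want { print rule "\t" title }
    '
}

# On a real system, pipe the scan command from the article into the helpers:
#   sudo oscap xccdf eval --profile <profile id> <ds.xml> | tee scan.txt | rules_with_result fail
sample_scan | count_results
sample_scan | rules_with_result fail
```

Keeping the raw output with `tee` lets you rerun the helpers with a different result name, such as `notapplicable`, without scanning again.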