#!/usr/bin/env bash
########################################################################################
## This script evaluates the SCAP profile rules from the scap-security-guide v0.1.76, ##
## downloaded from github (https://github.com/ComplianceAsCode/content) ##
## The script generates a "remediation" script and guide for each profile ##
## ##
## Usage: ./evaluate_scap_0.1.76.sh >> scap_0.1.76.log 2>> scap_0.1.76.log & ##
## ##
########################################################################################
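# Set scap-security-guide version
VERSION="0.1.76"

################
## OS Version ##
################
# Product id used to select the data stream file ssg-<OS>-ds.xml
# (rl9,rhel9,centos9,almalinux8,ol9,ol8,ubuntu2004,debian10,sles15,opensuse15,amzn2)
# Rocky Linux 9 (missed in v0.1.73)
#OS=rl9
# Rocky Linux 8
#OS=rl8
# Redhat Linux 9
OS="rhel9"
# Redhat Linux 8
#OS=rhel8

######################################
## Report directory and file format ##
######################################
# Scan results, reports and remediation scripts show which hardening
# controls this host fails, so every file this script creates is kept
# private to the invoking user.
umask 077

# Target directory
#TARGETDIR=/root/openscap_data/${OS}
TARGETDIR="${HOME}/openscap_data"

# Create the target directory if it is missing. The mode given with -m only
# applies to a newly created directory; an existing one keeps its mode.
if [ ! -d "${TARGETDIR}" ]; then
  mkdir -p -m 0700 -- "${TARGETDIR}" || {
    printf 'Cannot create target directory: %s\n' "${TARGETDIR}" >&2
    exit 1
  }
fi

# Hostname of the system (used in every output file name)
HOST=$(hostname)
# Date format YYYY-MM-DD (2024-04-08)
DATE=$(date +%F)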
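#######################################
## Download profile from remote site ##
#######################################
# scap-security-guide-0.1.76.tar.bz2
# scap-security-guide-0.1.76.zip
# Use content from download
CONTENT="${TARGETDIR}/scap-security-guide-${VERSION}"
RELEASE_URL="https://github.com/ComplianceAsCode/content/releases/download/v${VERSION}"

# Pick the archive format that can be unpacked afterwards (zip preferred)
if [ -x "$(command -v unzip)" ]; then
  ARCHIVE="scap-security-guide-${VERSION}.zip"
elif [ -x "$(command -v tar)" ]; then
  ARCHIVE="scap-security-guide-${VERSION}.tar.bz2"
else
  echo "Please install unzip or tar" >&2
  exit 1
fi

# Download with wget, or with cURL when wget is not installed
if [ -x "$(command -v wget)" ]; then
  # -O writes to a fixed file name, so a re-run replaces the archive instead
  # of saving the new copy as "<name>.1" and unpacking the stale one.
  wget -O "${TARGETDIR}/${ARCHIVE}" "${RELEASE_URL}/${ARCHIVE}"
  DOWNLOAD_RC=$?
elif [ -x "$(command -v curl)" ]; then
  # --fail keeps an HTTP error page from being stored as the archive;
  # --proto/--proto-redir keep the transfer and its redirects on HTTPS.
  curl --fail --proto '=https' --proto-redir '=https' \
    -o "${TARGETDIR}/${ARCHIVE}" -L "${RELEASE_URL}/${ARCHIVE}"
  DOWNLOAD_RC=$?
else
  echo "Please install wget or curl" >&2
  exit 1
fi

# Stop here on a failed transfer; a partial archive must not be unpacked
if [ "${DOWNLOAD_RC}" -ne 0 ]; then
  rm -f -- "${TARGETDIR}/${ARCHIVE}"
  printf 'Download failed: %s/%s\n' "${RELEASE_URL}" "${ARCHIVE}" >&2
  exit 1
fi

# Integrity check. The archive supplies the rules that are evaluated and the
# remediation scripts generated from them, so it should be pinned to a digest
# obtained out of band. SSG_SHA256 is an optional environment variable read
# by this script only; TLS alone does not detect a replaced release asset.
if [ -n "${SSG_SHA256:-}" ]; then
  if ! printf '%s  %s\n' "${SSG_SHA256}" "${TARGETDIR}/${ARCHIVE}" \
    | sha256sum -c - >/dev/null; then
    rm -f -- "${TARGETDIR}/${ARCHIVE}"
    printf 'SHA-256 mismatch for %s, archive removed\n' "${ARCHIVE}" >&2
    exit 1
  fi
else
  printf 'Warning: SSG_SHA256 not set, %s was not verified\n' "${ARCHIVE}" >&2
fi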
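#####################
## Extract profile ##
#####################
# Choose the archive by the same tool preference the download step uses:
# zip when unzip is installed, otherwise the tar.bz2 archive.
if [ -x "$(command -v unzip)" ]; then
  SSG_ARCHIVE="${TARGETDIR}/scap-security-guide-${VERSION}.zip"
elif [ -x "$(command -v tar)" ]; then
  SSG_ARCHIVE="${TARGETDIR}/scap-security-guide-${VERSION}.tar.bz2"
else
  echo "Please install unzip or tar" >&2
  exit 1
fi

# A missing or empty archive means the download did not succeed; evaluating
# whatever an earlier run left in the content directory would go unnoticed.
if [ ! -s "${SSG_ARCHIVE}" ]; then
  printf 'Archive missing or empty: %s\n' "${SSG_ARCHIVE}" >&2
  exit 1
fi

# Unpack into the target directory (-o: overwrite files from an earlier run)
case "${SSG_ARCHIVE}" in
  *.zip)
    unzip -o "${SSG_ARCHIVE}" -d "${TARGETDIR}"
    ;;
  *)
    tar -xvjf "${SSG_ARCHIVE}" -C "${TARGETDIR}"
    ;;
esac || {
  printf 'Extraction failed: %s\n' "${SSG_ARCHIVE}" >&2
  exit 1
}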
# Print the profile ids found in the data stream: every output line that
# contains "profile" is shown with the text up to and including "profile_"
# removed. --fetch-remote-resources lets oscap download content that the
# data stream references, so this step needs network access.
oscap info --fetch-remote-resources "${CONTENT}/ssg-${OS}-ds.xml" \
  | sed -n '/profile/{s+.*profile_++;p;}'
##################
## Profile list ##
##################
# Profiles to process. Every uncommented entry is evaluated by the loop
# further down; remove the leading "#" of an id to enable that profile.
declare -a PARRAY=(
  #################
  ## rhel9 / rl9 ##
  #################
  # oscap info "/usr/share/xml/scap/ssg/content/ssg-rl9-ds.xml"
  # oscap info "/usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml"
  ## Generated: 2024-04-08

  # ANSSI-BP-028 (enhanced)
  #anssi_bp28_enhanced
  # ANSSI-BP-028 (high)
  #anssi_bp28_high
  # ANSSI-BP-028 (intermediary)
  #anssi_bp28_intermediary
  # ANSSI-BP-028 (minimal)
  #anssi_bp28_minimal

  # CCN Red Hat Enterprise Linux 9 - Advanced
  #ccn_advanced
  # CCN Red Hat Enterprise Linux 9 - Basic
  #ccn_basic
  # CCN Red Hat Enterprise Linux 9 - Intermediate
  #ccn_intermediate

  # CIS Red Hat Enterprise Linux 9 Benchmark for Level 2 - Server
  #cis
  # CIS Red Hat Enterprise Linux 9 Benchmark for Level 1 - Server
  #cis_server_l1
  # CIS Red Hat Enterprise Linux 9 Benchmark for Level 1 - Workstation
  #cis_workstation_l1
  # CIS Red Hat Enterprise Linux 9 Benchmark for Level 2 - Workstation
  #cis_workstation_l2

  # DRAFT - Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)
  ## Committee on National Security Systems Instruction (CNSSI) No. 1253, Security
  ## Categorization and Control Selection for National Security Systems on security
  ## controls to meet low confidentiality, low integrity, and low assurance.
  #cui

  # Australian Cyber Security Centre (ACSC) Essential Eight
  #e8
  # Health Insurance Portability and Accountability Act (HIPAA)
  #hipaa
  # Australian Cyber Security Centre (ACSC) ISM Official
  #ism_o
  # Protection Profile for General Purpose Operating Systems
  #ospp
  # PCI-DSS v4.0 Control Baseline for Red Hat Enterprise Linux 9
  #pci-dss

  # DISA STIG for Red Hat Enterprise Linux 9
  #stig
  # DISA STIG with GUI for Red Hat Enterprise Linux 9
  stig_gui
)
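###################
## Evaluate SCAP ##
###################
# Data stream used by all three oscap calls below
DATASTREAM="${CONTENT}/ssg-${OS}-ds.xml"

# For each selected profile: scan the host, then generate a remediation
# script and an HTML guide. All output goes to TARGETDIR.
for PROFILE in "${PARRAY[@]}"; do
  # Display the profile
  printf "\n#### %s ####\n\n" "${PROFILE}"

  PROFILE_ID="xccdf_org.ssgproject.content_profile_${PROFILE}"
  OUT_PREFIX="${TARGETDIR}/${HOST}-${DATE}-${PROFILE}"

  # Evaluate the profile. --fetch-remote-resources lets oscap download the
  # content the data stream references, so the scan depends on that remote
  # source being reachable and trustworthy at scan time.
  oscap xccdf eval --fetch-remote-resources --profile "${PROFILE_ID}" \
    --results "${OUT_PREFIX}.xml" \
    --report "${OUT_PREFIX}.html" \
    "${DATASTREAM}"
  EVAL_RC=$?
  # Exit status 2 means at least one rule did not pass, which is a normal
  # scan outcome. Any other non-zero status is an evaluation error, and the
  # result and report files may then be missing or incomplete.
  if [ "${EVAL_RC}" -ne 0 ] && [ "${EVAL_RC}" -ne 2 ]; then
    printf 'oscap xccdf eval failed for profile %s (exit %s)\n' \
      "${PROFILE}" "${EVAL_RC}" >&2
  fi

  # Generate the remediation script for the profile. It is built from the
  # downloaded content and changes system configuration when run: review it
  # before executing it, and do not run it unattended as root.
  oscap xccdf generate fix --template urn:xccdf:fix:script:sh \
    --profile "${PROFILE_ID}" \
    --output "${TARGETDIR}/remediation-${HOST}-${DATE}-${PROFILE}.sh" \
    "${DATASTREAM}" ||
    printf 'Remediation script not generated for profile %s\n' "${PROFILE}" >&2

  # Generate the guide for the profile
  oscap xccdf generate guide --profile "${PROFILE_ID}" \
    --output "${TARGETDIR}/scap-security-guide-${VERSION}-${HOST}-${DATE}-${PROFILE}.html" \
    "${DATASTREAM}" ||
    printf 'Guide not generated for profile %s\n' "${PROFILE}" >&2
done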
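###########################################################
## Create zip/tar for all results, scripts, guides, etc. ##
###########################################################
# Collect today's output files. The evaluation loop writes them directly
# into TARGETDIR, not into a per-host subdirectory, so that is where the
# patterns have to look. A pattern that matches nothing stays literal and
# is dropped by the -e test.
ARCHIVE_FILES=()
for CANDIDATE in \
  "${TARGETDIR}/${HOST}-${DATE}-"*.xml \
  "${TARGETDIR}/${HOST}-${DATE}-"*.html \
  "${TARGETDIR}/remediation-${HOST}-${DATE}-"*.sh \
  "${TARGETDIR}/scap-security-guide-${VERSION}-${HOST}-${DATE}-"*.html; do
  if [ -e "${CANDIDATE}" ]; then
    ARCHIVE_FILES+=("${CANDIDATE}")
  fi
done

if [ "${#ARCHIVE_FILES[@]}" -eq 0 ]; then
  printf 'No result files found in %s, nothing to archive\n' "${TARGETDIR}" >&2
  exit 1
fi

# The archive is written to the current working directory. It bundles scan
# results and remediation scripts, so store and transfer it as sensitive data.
# Check if zip is installed
if [ -x "$(command -v zip)" ]; then
  # Create zip with all results, scripts, guides, etc.
  zip -r "${HOST}-${DATE}-scap_${VERSION}.zip" "${ARCHIVE_FILES[@]}"
# Check if tar is installed
elif [ -x "$(command -v tar)" ]; then
  # Create tar with all results, scripts, guides, etc.
  tar -cvzf "${HOST}-${DATE}-scap_${VERSION}.tar.gz" "${ARCHIVE_FILES[@]}"
else
  # Display message
  echo "Please install zip or tar" >&2
  exit 1
fi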