OpenSCAP is an open source tool for performing automated vulnerability
assessment and policy compliance verification on Linux. SCAP, pronounced
"ess-cap", is the Security Content Automation Protocol, a collection of open
standards for expressing security content: CVE for naming vulnerabilities, CVSS
for scoring them, OVAL for machine-readable checks, and XCCDF for the checklists
(benchmarks) that reference those checks. The OpenSCAP tool, which is NIST
validated as an SCAP scanner, ingests the SCAP content and outputs a report of
which checks passed and which failed.
Let's walk through an example of auditing a Red Hat Enterprise Linux 6 machine
against the SCAP content DISA publishes as the Red Hat 6 STIG Benchmark.
First, install OpenSCAP and its dependencies (plus wget and unzip, so that the
STIG zip can be downloaded and extracted).
With the tool installed, we can audit the server against the DISA STIG. The
benchmark zip can be downloaded from DISA's web site; it contains the XCCDF
checklist together with the OVAL definitions it references, and both files must
stay in the same directory when the scan is run.
The generated HTML report can be viewed in a browser. It summarizes each rule
with a pass/fail result, and each rule entry carries the rule's details and
remediation instructions. Keep in mind that the SCAP benchmark covers only the
rules DISA could automate; the remaining checks in the full STIG still have to
be reviewed by hand.
Another useful test for Red Hat systems is to verify that all of the patches
addressing Red Hat Security Advisories (RHSAs) have been installed (you can
subscribe to RHSA announcements here). Red Hat publishes its advisories as OVAL
patch definitions, which oscap evaluates directly against the installed RPMs.
Again, you can view the report in the browser to see which patches have been
applied and which still need to be applied; an advisory whose OVAL definition
evaluates to true applies to this host and its fixed package is not installed.
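The two procedures above (the STIG benchmark audit and the RHSA patch check), as one added shell script; this is not the original post's commands. It assumes RHEL 6 package names (`openscap-utils` for the `oscap` CLI), an XCCDF profile ID (`MAC-1_Public`) that you should confirm with `oscap info`, Red Hat's OVAL feed URL for RHEL 6, and that DISA's zip unpacks to a `*-xccdf.xml` next to its OVAL file; the DISA download link itself has to be supplied in `STIG_ZIP`. The summary functions read the results XML that `oscap` writes, and the sample inputs at the bottom are constructed placeholders.

```shell
#!/bin/sh
# Added example, not the original post's commands: audit a RHEL 6 host with
# OpenSCAP against the DISA Red Hat 6 STIG benchmark and Red Hat's RHSA OVAL
# feed, then summarise the results XML. URL, file names and profile ID are
# assumptions; adjust them to what you actually downloaded.
set -eu
WORKDIR="${WORKDIR:-${HOME:-.}/scap-audit}"
# Assumption: DISA publishes no stable link, so set STIG_ZIP to the benchmark
# zip URL taken from DISA's site.
STIG_ZIP="${STIG_ZIP:-}"
# Assumption: XCCDF profile to evaluate; `oscap info` lists the real ones.
PROFILE="${PROFILE:-MAC-1_Public}"
# Assumption: Red Hat's OVAL feed of RHSA patch definitions for RHEL 6.
RHSA_OVAL_URL="${RHSA_OVAL_URL:-https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL6.xml}"

install_prereqs() {   # on RHEL 6 the oscap CLI is packaged in openscap-utils
    yum -y install openscap openscap-utils wget unzip
}
fetch_content() {
    mkdir -p "$WORKDIR" && cd "$WORKDIR"
    [ -n "$STIG_ZIP" ] || { echo "set STIG_ZIP to the DISA benchmark zip URL" >&2; return 1; }
    wget -O stig.zip "$STIG_ZIP" && unzip -o stig.zip
    wget -O rhsa-rhel6.oval.xml "$RHSA_OVAL_URL"
}
# oscap exits 0 when all checks passed, 2 when some failed, 1 on error; only
# a real error should abort the script.
run_oscap() {
    rc=0; oscap "$@" || rc=$?
    [ "$rc" -ne 1 ] || return 1
}
audit_stig() {
    cd "$WORKDIR"   # the XCCDF names its OVAL file relatively: keep them together
    xccdf=$(ls ./*-xccdf.xml 2>/dev/null | head -n 1)
    [ -f "$xccdf" ] || { echo "no *-xccdf.xml in $WORKDIR" >&2; return 1; }
    oscap info "$xccdf"
    run_oscap xccdf eval --profile "$PROFILE" --results stig-results.xml "$xccdf"
    oscap xccdf generate report stig-results.xml > stig-report.html
    echo "pass=$(count_xccdf pass < stig-results.xml) fail=$(count_xccdf fail < stig-results.xml)"
    failed_xccdf_rules < stig-results.xml
}
audit_rhsa() {
    cd "$WORKDIR"
    run_oscap oval eval --results rhsa-results.xml rhsa-rhel6.oval.xml
    oscap oval generate report rhsa-results.xml > rhsa-report.html
    missing_rhsa_advisories < rhsa-results.xml
}
# Count rule results of one kind (pass, fail, notchecked, ...) in XCCDF results on stdin.
count_xccdf() {
    awk -v want="$1" '
        /<rule-result[ >]/ { inrule = 1 }
        inrule && /<result>/ { gsub(/.*<result>|<\/result>.*/, "")
                               if ($0 == want) n++; inrule = 0 }
        END { print n + 0 }'
}
# Print the idref of every failed rule, one per line.
failed_xccdf_rules() {
    awk '/<rule-result[ >]/ { match($0, /idref="[^"]*"/)
                              id = substr($0, RSTART + 7, RLENGTH - 8) }
         /<result>fail<\/result>/ { print id }'
}
# Print "<definition id>: <title>" for each RHSA definition that evaluated to
# true (advisory applies, fixed package not installed). Titles come from the
# definitions half of the results file, verdicts from the results half.
missing_rhsa_advisories() {
    awk '/<definition / && / id="/ { match($0, / id="[^"]*"/)
                                     cur = substr($0, RSTART + 5, RLENGTH - 6) }
         cur != "" && /<title>/ { gsub(/.*<title>|<\/title>.*/, "")
                                  title[cur] = $0; cur = "" }
         /<definition definition_id="/ && /result="true"/ {
             match($0, /definition_id="[^"]*"/)
             id = substr($0, RSTART + 15, RLENGTH - 16); print id ": " title[id] }'
}
# Constructed samples with placeholder ids (not real STIG rules or advisories).
sample_xccdf_results() {
    cat <<'EOF'
<TestResult id="xccdf_example_testresult">
  <rule-result idref="xccdf_example_rule_password_min_length"><result>pass</result></rule-result>
  <rule-result idref="xccdf_example_rule_ssh_root_login"><result>fail</result></rule-result>
  <rule-result idref="xccdf_example_rule_aide_installed"><result>notchecked</result></rule-result>
</TestResult>
EOF
}
sample_oval_results() {
    cat <<'EOF'
<oval_results><oval_definitions><definitions>
  <definition class="patch" id="oval:example:def:1" version="1">
    <metadata><title>RHSA-0000:0001: example kernel update</title></metadata></definition>
  <definition class="patch" id="oval:example:def:2" version="1">
    <metadata><title>RHSA-0000:0002: example openssl update</title></metadata></definition>
</definitions></oval_definitions><results><system><definitions>
  <definition definition_id="oval:example:def:1" version="1" class="patch" result="false"/>
  <definition definition_id="oval:example:def:2" version="1" class="patch" result="true"/>
</definitions></system></results></oval_results>
EOF
}
main() { install_prereqs; fetch_content; audit_stig; audit_rhsa; }
demo() { sample_xccdf_results | failed_xccdf_rules; sample_oval_results | missing_rhsa_advisories; }
# Usage: `sh scap-audit.sh main` as root on the RHEL 6 host;
#        `sh scap-audit.sh demo` anywhere, to exercise the summaries offline.
if [ $# -gt 0 ]; then "$@"; fi
```

Two details matter when this is wired into automation. `oscap` returns exit status 2 whenever a check fails, so a plain `set -e` script would die on the first finding; `run_oscap` treats only status 1 (an error in the scanner or content) as fatal. And the OVAL report reads the opposite way from the XCCDF one: a rule result of `fail` is a finding, but so is an advisory definition that evaluates to `true`, which is why `missing_rhsa_advisories` keys on `result="true"`. Rules reported as `notchecked` had no automated check in the profile and still need a manual look.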