ComplianceAsCode/content

Security automation content in SCAP, Bash, Ansible, and other formats
The purpose of this project is to create security policy content for various platforms (Red Hat Enterprise Linux, Fedora, Ubuntu, Debian, SUSE Linux Enterprise Server (SLES), ...) as well as products (Firefox, ...). We aim to make it as easy as possible to write new and maintain existing security content in all the commonly used formats.
- ComplianceAsCode Documentation
- ComplianceAsCode Blog
- Online Workshops - Perfect as a starting point
- Profiles in ComplianceAsCode - online HTML guides for each profile
"SCAP content" refers to documents in the XCCDF, OVAL and SCAP source data stream formats. These documents can be presented in different forms and by different organizations to meet their security automation and technical implementation needs. For general use, we recommend SCAP source data streams because they contain all the data you need to evaluate and put machines into compliance (the XCCDF benchmark, the OVAL checks it references, and the remediation content). The data streams are part of our release ZIP archives.

"Ansible content" refers to Ansible playbooks generated from security profiles. These can be used both in check mode (`--check`) to report what would change without touching the machine, and in normal run mode to put machines into compliance. We publish these on Ansible Galaxy as well as in release ZIP archives.

"Bash fix files" refers to Bash scripts generated from security profiles. These are meant to be run on machines to put them into compliance; they only remediate and do not evaluate. We recommend using other formats but understand that for some deployment scenarios Bash is the only option.
We want multiple organizations to be able to efficiently develop security content. By taking advantage of the powerful build system of this project, we avoid as much redundancy as possible.

The build system combines the easy-to-edit YAML rule files with OVAL checks, Ansible task snippets, Bash fixes, and other files. Templating is provided at every step to avoid boilerplate. Security identifiers (CCE, NIST ID, STIG, ...) appear in all of our output formats but are all sourced from the YAML rule files.

We understand that depending on your organization's needs you may need to use a specific security content format. We let you choose.

We use an OpenControl-inspired YAML rule format for input. Write once and generate security content in XCCDF, Ansible, and others.
```yaml
title: 'Configure The Number of Allowed Simultaneous Requests'

description: |-
    The <tt>MaxKeepAliveRequests</tt> directive should be set and configured to
    <sub idref="var_max_keepalive_requests" /> or greater by setting the following
    in <tt>/etc/httpd/conf/httpd.conf</tt>:
    <pre>MaxKeepAliveRequests {{{ xccdf_value("var_max_keepalive_requests") }}}</pre>

rationale: |-
    Resource exhaustion can occur when an unlimited number of concurrent requests
    are allowed on a web site, facilitating a denial of service attack. Mitigating
    this kind of attack will include limiting the number of concurrent HTTP/HTTPS
    requests per IP address and may include, where feasible, limiting parameter
    values associated with keepalive, (i.e., a parameter used to limit the amount
    of time a connection may be inactive).

severity: medium

identifiers:
    cce: "80551-5"
```
Our security content can be used to scan bare-metal machines, virtual machines, virtual machine images (qcow2 and others), containers (including Docker), and container images.

We use platform checks to detect whether we should or should not evaluate some of the rules. For example: separate partition checks make perfect sense on bare-metal machines but go against recommended practices on containers. Rules excluded this way show up in scan results as `notapplicable` rather than `pass` or `fail`.
The preferred method of installation is via the package manager of your distribution. On Red Hat Enterprise Linux and Fedora you can use:

```
yum install scap-security-guide
```
On Debian (sid), you can use:

```
apt install ssg-debian        # for Debian guides
apt install ssg-debderived    # for Debian-based distributions (e.g. Ubuntu) guides
apt install ssg-nondebian     # for other distributions guides (RHEL, Fedora, etc.)
apt install ssg-applications  # for application-oriented guides (Firefox, JBoss, etc.)
```
Download the pre-built SSG zip archive from the release page. Each zip file is an archive with ready-made SCAP source data streams.

If ComplianceAsCode is not packaged in your distribution (it may be present there as the scap-security-guide package), or if the version that is packaged is too old, you need to build the content yourself and install it via `make install`. Please see the Developer Guide document for more info. We also recommend opening an issue on that distribution's bug tracker to voice interest.
We assume you have installed ComplianceAsCode system-wide into a standard location from current upstream sources as instructed in the previous section.

There are several ways to consume ComplianceAsCode content; we will only go through a few of them here.

The oscap tool is a low-level command line interface that comes from the OpenSCAP project. It can be used to scan the local machine.
```
oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_ospp --results-arf arf.xml --report report.html --oval-results /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml
```

After evaluation, the `arf.xml` file will contain all results in a reusable result data stream (ARF) format, and `report.html` will contain a human-readable report that can be opened in a browser. Note that `oscap xccdf eval` exits with status 0 only when every evaluated rule passed, with 2 when at least one rule failed, and with 1 on an error, so the exit status alone is a usable compliance signal in scripts.

Replace the profile with another profile of your choice; you can display all possible choices using:

```
oscap info /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml
```

Please see the OpenSCAP website for more information.
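The `arf.xml` written by `--results-arf` wraps an XCCDF `TestResult` element with one `rule-result` per evaluated rule. The following is an added example, not code from the ComplianceAsCode project or the OpenSCAP tooling, that parses such a file and summarises it so that `notapplicable` results (produced by the platform checks described above) are separated from real failures, and so that `error`, `unknown` and `notchecked` results are flagged for review instead of being silently counted as "not a fail". The embedded ARF document is a constructed sample modelled on the structure oscap emits; the rule identifiers in it are illustrative, not a claim about any particular data stream.

```python
"""Summarise an XCCDF TestResult from an `oscap xccdf eval --results-arf` run.

Added example (not part of ComplianceAsCode). Uses only the standard library.
"""
import json
import sys
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
ARF_NS = "http://scap.nist.gov/schema/asset-reporting-format/1.1"

# Constructed sample: the ARF wrapper around a TestResult, as oscap writes it.
# Rule ids are illustrative only.
SAMPLE_ARF = f"""<arf:asset-report-collection xmlns:arf="{ARF_NS}">
  <arf:reports>
    <arf:report id="xccdf1">
      <arf:content>
        <TestResult xmlns="{XCCDF_NS}" id="xccdf_org.open-scap_testresult_xccdf_org.ssgproject.content_profile_ospp">
          <profile idref="xccdf_org.ssgproject.content_profile_ospp"/>
          <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_disable_root_login" severity="medium">
            <result>fail</result>
          </rule-result>
          <rule-result idref="xccdf_org.ssgproject.content_rule_package_audit_installed" severity="medium">
            <result>pass</result>
          </rule-result>
          <rule-result idref="xccdf_org.ssgproject.content_rule_partition_for_tmp" severity="low">
            <result>notapplicable</result>
          </rule-result>
          <rule-result idref="xccdf_org.ssgproject.content_rule_grub2_password" severity="high">
            <result>error</result>
          </rule-result>
          <score system="urn:xccdf:scoring:default" maximum="100.000000">50.000000</score>
        </TestResult>
      </arf:content>
    </arf:report>
  </arf:reports>
</arf:asset-report-collection>
"""

# Outcomes that are not "fail" but must not be read as "compliant": the check
# did not run cleanly (error/unknown) or there is no check for this rule on
# this product (notchecked).
NEEDS_REVIEW = {"error", "unknown", "notchecked"}


def parse_rule_results(xml_text):
    """Return (rule_id, severity, result) tuples from an ARF or a bare TestResult."""
    root = ET.fromstring(xml_text)
    rows = []
    # Element.iter() includes the root itself, so a bare <TestResult> works too.
    for test_result in root.iter(f"{{{XCCDF_NS}}}TestResult"):
        for rr in test_result.findall(f"{{{XCCDF_NS}}}rule-result"):
            result = rr.findtext(f"{{{XCCDF_NS}}}result", default="unknown").strip()
            rows.append((rr.get("idref"), rr.get("severity", "unknown"), result))
    return rows


def summarise(xml_text):
    """Count outcomes and list the rules that failed or need a human look."""
    rows = parse_rule_results(xml_text)
    counts = Counter(result for _, _, result in rows)
    failed = sorted(rid for rid, _, result in rows if result == "fail")
    review = sorted(rid for rid, _, result in rows if result in NEEDS_REVIEW)
    return {
        "counts": dict(counts),
        "failed": failed,
        "needs_review": review,
        # notapplicable and pass are both fine; anything else blocks a green light.
        "compliant": not failed and not review,
    }


if __name__ == "__main__":
    # Usage: python summarise_arf.py [arf.xml]; falls back to the embedded sample.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_ARF
    print(json.dumps(summarise(text), indent=2))
```

Feed it the `arf.xml` from the `oscap xccdf eval` command above; the `failed` list contains the full rule ids, which are the same ids you will see in `report.html` and in the generated Ansible and Bash remediation content.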
The SCAP Workbench is a graphical user interface for SCAP evaluation and customization. It is suitable for scanning a single machine, either local or remote (via SSH). New versions of SCAP Workbench have SSG integration and will automatically offer it when the application is started.

Please see the SCAP Workbench website for more information.

oscap-ssh comes bundled with OpenSCAP 1.2.3 and later. It allows scanning a remote machine via SSH with an interface resembling the oscap tool.

The following command evaluates a machine with IP 192.168.1.123 with content stored on the local machine. Keep in mind that oscap has to be installed on the remote machine but the SSG content doesn't need to be.
```
oscap-ssh root@192.168.1.123 22 xccdf eval --profile xccdf_org.ssgproject.content_profile_standard --results-arf arf.xml --report report.html /usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml
```

To see a list of available Ansible Playbooks, run:

```
ls /usr/share/scap-security-guide/ansible/
```
These Ansible Playbooks are generated from SCAP profiles available for the products.

To apply the playbook on your local machine run (THIS WILL CHANGE CONFIGURATION OF THE MACHINE! Add `--check` first to see what would change without applying it):

```
ansible-playbook -i "localhost," -c local /usr/share/scap-security-guide/ansible/rhel9-playbook-ospp.yml
```

Each of the Ansible Playbooks contains instructions on how to deploy them. Here is a snippet of the instructions:

```
...
# This file was generated by OpenSCAP 1.2.16 using:
# $ oscap xccdf generate fix --profile rht-ccp --fix-type ansible sds.xml
#
# This script is generated from an OpenSCAP profile without preliminary evaluation.
# It attempts to fix every selected rule, even if the system is already compliant.
#
# How to apply this remediation role:
# $ ansible-playbook -i "192.168.1.155," playbook.yml
# $ ansible-playbook -i inventory.ini playbook.yml
...
```
To see a list of available Bash scripts, run:

```
# ls /usr/share/scap-security-guide/bash/
...
rhel8-script-hipaa.sh
rhel8-script-ospp.sh
rhel8-script-pci-dss.sh
...
```

These Bash scripts are generated from SCAP profiles available for the products. Similar to the Ansible Playbooks, each of the Bash scripts contains instructions on how to deploy it.
The SSG mailing list can be found at https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide.

If you encounter issues with OpenSCAP or SCAP Workbench, use https://www.redhat.com/mailman/listinfo/open-scap-list

If you prefer more interactive contact with the community, you can join us on Gitter and IRC:

- Gitter: https://gitter.im/Compliance-As-Code-The/content
- IRC: join the #openscap IRC channel on libera.chat.
This project started in 2011 as a collaboration between United States Government agencies and commercial operating system vendors. The original name was SCAP Security Guide, commonly abbreviated as SSG. The original scope was to create SCAP data streams. Over time, it grew into the biggest open-source beyond-SCAP content project.

The next few years saw the introduction of not just government-specific security profiles but also commercial ones, such as PCI-DSS and CIS.

Later, the industry started moving towards different security content formats, such as Ansible, Puppet, and Chef InSpec. The community reacted by evolving the tooling and helped transform SSG into a more general-purpose security content project. This change happened over 2017 and 2018. In September 2018, we decided to change the name of the project to ComplianceAsCode, in order to avoid confusion.

We envision that the future will be format-agnostic. That's why we opted for an abstraction instead of using XCCDF for the input format.
This project welcomes new contributors. We are continually trying to remove the complexities to make contributions easier and more enjoyable for everyone. This is a nice project and a friendly community.

There are many ways to contribute. Check the documentation for more details: https://complianceascode.readthedocs.io/en/latest/manual/developer/01_introduction.html

Check the updated list of Contributors.