
ComplianceAsCode / content

Security automation content in SCAP, Bash, Ansible, and other formats

2,674 stars
789 forks
221 issues
Languages: Shell, Python, Jinja

AI Architecture Analysis

This repository is indexed by RepoMind. By analyzing ComplianceAsCode/content in our AI interface, you can instantly generate complete architecture diagrams, visualize control flows, and perform automated security audits across the entire codebase.

Our Agentic Context Augmented Generation (Agentic CAG) engine loads full source files into context on-demand, avoiding the fragmentation of traditional RAG systems. Ask questions about the architecture, dependencies, or specific features to see it in action.

Source files are only loaded when you start an analysis to optimize performance.

Embed this Badge

Showcase RepoMind's analysis directly in your repository's README.

[![Analyzed by RepoMind](https://img.shields.io/badge/Analyzed%20by-RepoMind-4F46E5?style=for-the-badge)](https://repomind.in/repo/ComplianceAsCode/content)

Repository Overview (README excerpt)


Welcome! The purpose of this project is to create *security policy content* for various platforms — *Red Hat Enterprise Linux*, *Fedora*, *Ubuntu*, *Debian*, *SUSE Linux Enterprise Server (SLES)*,... — as well as products — *Firefox*,... We aim to make it as easy as possible to write new and maintain existing security content in all the commonly used formats.

• ComplianceAsCode Documentation
• ComplianceAsCode Blog
• Online Workshops - Perfect as a starting point
• Profiles in ComplianceAsCode - online HTML guides for each profile

We build security content in various formats

*"SCAP content"* refers to documents in the *XCCDF*, *OVAL* and *SCAP source data stream* formats. These documents can be presented in different forms and by different organizations to meet their security automation and technical implementation needs. For general use, we recommend *SCAP source data streams* because they contain all the data you need to evaluate and put machines into compliance. The data streams are part of our release ZIP archives.

*"Ansible content"* refers to Ansible playbooks generated from security profiles. These can be used both in check-mode to evaluate compliance, as well as run-mode to put machines into compliance. We publish these on *Ansible Galaxy* as well as in release ZIP archives.

*"Bash fix files"* refers to *Bash* scripts generated from security profiles. These are meant to be run on machines to put them into compliance. We recommend using other formats but understand that for some deployment scenarios Bash is the only option.

Why?

We want multiple organizations to be able to efficiently develop security content. By taking advantage of the powerful build system of this project, we avoid as much redundancy as possible. The build system combines the easy-to-edit YAML rule files with OVAL checks, Ansible task snippets, Bash fixes, and other files. Templating is provided at every step to avoid boilerplate. Security identifiers (CCE, NIST ID, STIG, ...) appear in all of our output formats but are all sourced from the YAML rule files. We understand that depending on your organization's needs you may need to use a specific security content format. We let you choose.

---

We use an OpenControl-inspired YAML rule format for input. Write once and generate security content in XCCDF, Ansible, and others.

Scan targets

Our security content can be used to scan bare-metal machines, virtual machines, virtual machine images (qcow2 and others), containers (including Docker), and container images. We use platform checks to detect whether we should or should not evaluate some of the rules. For example: separate partition checks make perfect sense on bare-metal machines but go against recommended practices on containers.

Installation

From packages

The preferred method of installation is via the package manager of your distribution. On *Red Hat Enterprise Linux* and *Fedora* you can use:

On Debian (sid), you can use:

From release ZIP files

Download the pre-built SSG zip archive from the release page. Each zip file is an archive with ready-made SCAP source data streams.

From source

If ComplianceAsCode is not packaged in your distribution (it may be present there as package), or if the version that is packaged is too old, you need to build the content yourself and install it via . Please see the Developer Guide document for more info. We also recommend opening an issue on that distribution's bug tracker to voice interest.

Usage

We assume you have installed ComplianceAsCode system-wide into a standard location from current upstream sources as instructed in the previous section. There are several ways to consume ComplianceAsCode content; we will only go through a few of them here.

tool

The tool is a low-level command line interface that comes from the OpenSCAP project. It can be used to scan the local machine.

After evaluation, the file will contain all results in a reusable *result data stream* (ARF) format, and will contain a human-readable report that can be opened in a browser. Replace the profile with another profile of your choice; you can display all possible choices using:

Please see the OpenSCAP website for more information.

SCAP Workbench

The SCAP Workbench is a graphical user interface for SCAP evaluation and customization. It is suitable for scanning a single machine, either local or remote (via SSH). New versions of SCAP Workbench have SSG integration and will automatically offer it when the application is started. Please see the SCAP Workbench website for more information.

tool

It comes bundled with OpenSCAP 1.2.3 and later. It allows scanning a remote machine via SSH with an interface resembling the tool. The following command evaluates a machine with IP with content stored on the local machine. Keep in mind that has to be installed on the remote machine but the SSG content doesn't need to be.

Ansible

To see a list of available Ansible Playbooks, run:

These Ansible Playbooks are generated from *SCAP* profiles available for the products. To apply the playbook on your local machine run: (*THIS WILL CHANGE CONFIGURATION OF THE MACHINE!*)

Each of the Ansible Playbooks contains instructions on how to deploy them. Here is a snippet of the instructions:

Bash

To see a list of available Bash scripts, run:

These Bash scripts are generated from *SCAP* profiles available for the products. Similar to the Ansible Playbooks, each of the Bash scripts contains instructions on how to deploy them.

Support

The SSG mailing list can be found at https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide.

If you encounter issues with OpenSCAP or SCAP Workbench, use https://www.redhat.com/mailman/listinfo/open-scap-list

If you prefer more interactive contact with the community, you can join us on Gitter and IRC:

• Gitter: https://gitter.im/Compliance-As-Code-The/content
• IRC: join the IRC channel on .

A little bit of history

This proj…
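The Usage section above says that a local scan leaves behind a reusable *result data stream* (ARF) file next to the HTML report. A practitioner usually wants to consume that ARF machine-readably, for example to fail a CI pipeline or raise an alert when high-severity rules fail, rather than open the report by hand. The following is an added example, not code from the ComplianceAsCode project or the OpenSCAP tooling: it walks every XCCDF 1.2 `TestResult` found in an ARF (or a plain XCCDF results) document, tallies the `rule-result` values, lists failed rules with their severity, and filters those failures by a severity threshold. The embedded document is a constructed, heavily trimmed ARF-shaped sample built only to exercise the parser; the rule and profile identifiers in it are placeholders, and the `arf`/`xccdf` namespace URIs are the published SCAP 1.2 ones.

```python
from __future__ import annotations

import sys
import xml.etree.ElementTree as ET
from collections import Counter

# XCCDF 1.2 namespace; the ARF wrapper element uses its own namespace but the
# scan results inside it are a plain XCCDF TestResult, which is what we read.
XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
ARF_NS = "http://scap.nist.gov/schema/asset-reporting-format/1.1"

# XCCDF result values that do not count as a compliance failure.
NON_FAILURE_RESULTS = {"pass", "notapplicable", "notselected", "informational", "fixed"}

# Constructed sample: a minimal ARF-style document wrapping one TestResult. A real
# results file produced by a scanner is far larger (benchmark, OVAL results,
# asset data); only the TestResult content matters for this summary.
SAMPLE_ARF = f"""<?xml version="1.0" encoding="UTF-8"?>
<arf:asset-report-collection xmlns:arf="{ARF_NS}">
  <arf:reports>
    <arf:report id="xccdf1">
      <arf:content>
        <TestResult xmlns="{XCCDF_NS}" id="xccdf_org.example_testresult_sample"
                    start-time="2024-01-01T00:00:00" end-time="2024-01-01T00:01:00">
          <profile idref="xccdf_org.example_profile_placeholder"/>
          <target>host.example.invalid</target>
          <rule-result idref="xccdf_org.example_rule_a" severity="high"><result>pass</result></rule-result>
          <rule-result idref="xccdf_org.example_rule_b" severity="medium"><result>fail</result></rule-result>
          <rule-result idref="xccdf_org.example_rule_c" severity="low"><result>notapplicable</result></rule-result>
          <rule-result idref="xccdf_org.example_rule_d" severity="high"><result>fail</result></rule-result>
          <score system="urn:xccdf:scoring:default" maximum="100.000000">50.000000</score>
        </TestResult>
      </arf:content>
    </arf:report>
  </arf:reports>
</arf:asset-report-collection>
"""


def _q(local: str) -> str:
    """Clark-notation tag for an XCCDF element."""
    return f"{{{XCCDF_NS}}}{local}"


def summarize_results(xml_text: str) -> list[dict]:
    """Summarize every XCCDF 1.2 TestResult in an ARF or XCCDF results document.

    Element.iter() also yields the root itself, so a bare <TestResult> document
    (not wrapped in ARF) is handled the same way.
    """
    root = ET.fromstring(xml_text)
    summaries = []
    for tr in root.iter(_q("TestResult")):
        counts: Counter = Counter()
        failed: list[tuple[str, str]] = []
        for rr in tr.findall(_q("rule-result")):
            result = (rr.findtext(_q("result")) or "unknown").strip()
            counts[result] += 1
            # Only "fail" is an actual finding; error/unknown are reported in
            # the counts so an operator notices a broken check, not hidden.
            if result == "fail":
                failed.append((rr.get("idref", "?"), rr.get("severity", "unknown")))
        profile_el = tr.find(_q("profile"))
        score_text = tr.findtext(_q("score"))
        summaries.append({
            "id": tr.get("id"),
            "profile": profile_el.get("idref") if profile_el is not None else None,
            "target": tr.findtext(_q("target")),
            "counts": counts,
            "failed": failed,
            "score": float(score_text) if score_text else None,
        })
    return summaries


SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}


def blocking_failures(summary: dict, minimum: str = "high") -> list[str]:
    """Ids of rules that failed at or above `minimum` severity (e.g. for a CI gate)."""
    threshold = SEVERITY_RANK[minimum]
    return [rid for rid, sev in summary["failed"] if SEVERITY_RANK.get(sev, 0) >= threshold]


if __name__ == "__main__":
    # Pass a real ARF/XCCDF results path as argv[1]; otherwise use the constructed sample.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_ARF
    for s in summarize_results(text):
        print(f"{s['target']} profile={s['profile']} score={s['score']} counts={dict(s['counts'])}")
        for rid, sev in s["failed"]:
            print(f"  FAIL [{sev}] {rid}")
        print("  blocking (high):", blocking_failures(s, "high"))
```

Feed the script the ARF file a scan produced and it prints one summary line per target plus the failed rule ids; exit status or alerting can be driven from `blocking_failures`, so a scan that only fails `low` rules does not stop a pipeline while a `high` failure does.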