Skip to content

CIS / Oscap

!!!CAUTION!!! - This may break your system. Please practice on test server, not production. CIS - Center For Internet Security provides easy to use benchmarks to secure a system. OSCAP is the cli tool from OpenScap that utilizes the Open Security Automation Protocol to secure Linux servers. 

 # More options at: https://github.com/ComplianceAsCode/content/ 
 # Make sure that you have a password set, CIS3/oscap enforces the use of a password to use sudo. 
 # All CIS & Oscap break the passwd, adduser, and deluser commands. Breaks Usb Access. See the fix below ( No fix yet USB.) 
 # CIS Level 1 with the passwd pam fix, works the best.
 # CIS Level 2 breaks auditd, unresolved.
 # CIS Level 3 & Oscap, lock me out of the system and unable to use sudo, unresolved.

CAUTION: CIS Level1 - Ubuntu 20.04 Server

 $ curl -sSL https://raw.githubusercontent.com/decyphertek-io/bash/main/ubuntu2004-script-cis_level1_server.sh | sudo bash

CAUTION: CIS Level2 - Ubuntu 20.04 Server

 $ curl -sSL https://raw.githubusercontent.com/decyphertek-io/bash/main/ubuntu2004-script-cis_level2_server.sh | sudo bash

CAUTION: CIS Level3/Stig V1R1 - Ubuntu 20.04 Server

 $ curl -sSL https://raw.githubusercontent.com/decyphertek-io/bash/main/ubuntu2004-script-stig-cis_level3_server.sh | sudo bash

Oscap - Install

 $ sudo apt install -y libopenscap8 ssg-base ssg-debderived ssg-debian ssg-nondebian ssg-applications unzip
 $ wget https://github.com/ComplianceAsCode/content/releases/download/v0.1.67/scap-security-guide-0.1.67.zip
 $ unzip -q scap-security-guide-0.1.67.zip
 $ sudo mkdir /opt/ssg/
 $ mkdir ~/ssg-reports/
 $ sudo mv scap-security-guide-0.1.67 /opt/ssg/
 $ sudo rm -rf scap-security-guide-0.1.67.zip

CAUTION: Oscap - Quick Remediation

 $ sudo oscap xccdf eval --remediate --profile xccdf_org.ssgproject.content_profile_stig \
 /opt/ssg/scap-security-guide-0.1.63/ssg-ubuntu2004-ds.xml > ~/ssg-reports/ssg-ubuntu2004-ds.txt
 $ cat ~/ssg-reports/ssg-ubuntu2004-ds.txt

Optional

 # All CIS & Oscap break the passwd, adduser, and deluser commands. The fix .
 $ sudo sed -i 's/password requisite pam_pwhistory\.so remember=5  use_authtok/#password requisite pam_pwhistory\.so remember=5  use_authtok/g' /etc/pam.d/common-password 
 $ sudo sed -i 's/password requisite pam_pwquality\.so retry=3/#password requisite pam_pwquality\.so retry=3/g' /etc/pam.d/common-password

References

 https://www.open-scap.org/
 https://manpages.ubuntu.com/manpages/xenial/man8/oscap.8.html
 https://www.cisecurity.org/cis-benchmarks/cis-benchmarks-faq
 https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sect-using_openscap_to_remediate_the_system
 https://askubuntu.com/questions/1390222/passwd-module-is-unknown
 https://adamtheautomator.com/openscap/