CIS/C2S profile for CentOS7/8 datastreams

[momoah]

Hello,

I notice the CentOS 7/8 datastreams scap-security-guide-0.1.58/ssg-centos7-ds.xml only have pci-dss and standard profiles.

I'm working on manually customising the datastream to include a CIS/C2S profile.

I've spent some time exploring my options, and it seems like just copying/pasting the profile with its rules seems to do the job, but I wonder if there is a cleaner way (maybe with an xml parser).

Also, would there be interest in including the rhel7/8 profiles and their CentOS 7/8 relevant rules in the CentOS7/8 datastreams? I would be happy to help with that.

[momoah]

I'm using these sed commands to extract the Essential 8 and CIS "Server Level 2" profiles and include them into the CentOS 7.0 datastream:

sed -n '/<?xml version="1.0"?>/,${p;/<xccdf-1.2:model system="urn:xccdf:scoring:default"\/>/q}' ssg-centos7-ds.xml > ssg-centos7-ds-cis-e8.xml
sed -n '/<xccdf-1.2:Profile id="xccdf_org.ssgproject.content_profile_e8">/,${p;/<\/xccdf-1.2:Profile>/q}' ssg-rhel7-ds.xml >> ssg-centos7-ds-cis-e8.xml 
sed -n '/<xccdf-1.2:Profile id="xccdf_org.ssgproject.content_profile_cis">/,${p;/<\/xccdf-1.2:Profile>/q}' ssg-rhel7-ds.xml >> ssg-centos7-ds-cis-e8.xml
sed -n '/<xccdf-1.2:Profile id="xccdf_org.ssgproject.content_profile_pci-dss">/,${p;/<\/ds:data-stream-collection>/q}' ssg-centos7-ds.xml >> ssg-centos7-ds-cis-e8.xml

It seems to do the job:

# oscap info ssg-centos7-ds-cis-e8.xml |grep _profile_
WARNING: Datastream component 'scap_org.open-scap_cref_security-data-oval-com.redhat.rhsa-RHEL7.xml' points out to the remote 'https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL7.xml'. Use '--fetch-remote-resources' option to download it.
WARNING: Skipping 'https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL7.xml' file which is referenced from datastream
WARNING: Skipping 'https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL7.xml' file which is referenced from datastream
				Id: xccdf_org.ssgproject.content_profile_e8
				Id: xccdf_org.ssgproject.content_profile_cis
				Id: xccdf_org.ssgproject.content_profile_pci-dss
				Id: xccdf_org.ssgproject.content_profile_standard

[momoah777]

I've created an ansible role that extracts the profiles from RHEL7 and injects them into CentOS7:
https://github.com/momoah777/centos7_openscap/tree/main/roles/centos7-openscap-profile

[marcusburghardt]

Discussion without any interaction for a long time. Closing.