This project contains integration code that assists with managing OpenSCAP scans across a fleet of instances. The example deployment template automates the creation of a demonstration environment meant to show a working example of the automation process.
The kay takeaways from this demonstration are as follows:
Automating compliance auditing is the only way to meet established goals at scale
Customized organizational policies are supported through the user of a tailoring file
The publishing of metrics and failure events supports customized organizational processes and responses
The folks at OpenSCAP/RedHat have a number of additional tools to manage servers at scale which can schedule and ingest scan result content. This project is meant to demonstrate lightweight alternative approaches with an emphasis on integration with AWS services.
The project includes a Makefile that automates the creation of the RPM using a Docker container. Docker must be installed already on your machine.
The RPM requires that the AWS CLI be installed but does not require that you do it using the official RPMs. If you don’t have a preference then ensuring you have the EPEL repo configured and installing using commands like the following is the easiest method to install onto your servers.
yum -y install epel-release yum -y install awscli openscap-aws
There is a CloudFormation template in the examples directory that can be used to demonstrate the capability. The default settings will create 3 EC2 micro sized instances which each cost about a cent per hour.
Before deploying the CloudFormation template complete the following steps
Ensure you have both
dockerinstalled on your workstation
Create an S3 bucket to hold your custom tailoring file and the RPM
Accept all the defaults and keep the bucket permissions set to private
make rpmand upload the rpm file found in the src/rpm/RPMS/noarch directory to your S3 bucket
If you regularly manage your systems via RPM you might have a custom RPM repo already created into which you’d add this RPM instead of uploading to your configuration S3 bucket
Review, update and upload the tailoring file located in the /src/rpm/SOURCES directory into the S3 bucket