GovReady / govready

Toolkit for getting open source apps ready for secure, approved government use
GNU General Public License v3.0

RHEL7 quick start does not work well on RHEL 7 on AWS. #73

Open gregelin opened 9 years ago

gregelin commented 9 years ago

GovReady install and scap-security-guide install seem to put in RHEL6 content.

gregelin commented 9 years ago

RHEL 7 64-bit (ami-12663b7a) on AWS EC2 quick start

Red Hat Enterprise Linux 7.1 (HVM), SSD Volume Type - ami-12663b7a

Note: You will be logged in as ec2-user with sudo privileges b/c you are in AWS.

# Update nss to pre-emptively avoid problems with EPEL certificates (https://github.com/GovReady/govready/issues/64)
# Alternate if epel installed: sudo yum --disablerepo="epel" update nss -y
sudo yum clean all
sudo yum update nss -y

sudo yum install scap-security-guide -y

# Install govready using curl. govready will install OpenSCAP and SCAP-Security-Content
curl -Lk io.govready.org/install | sudo bash

# Note: GovReady will report OpenSCAP install failed b/c OpenSCAP already installed.

# Switch to root so scanner can run all tests properly
# It's OK. You are using a non-production vm, right?
sudo su - 

cd /home/ec2-user/

# Create a directory and cd into it
mkdir myfisma && cd myfisma

# Initialize the directory
govready init

# Update GovReadyfile using sed command (or update the CPE line manually using a text editor)
sed -i 's:rhel6:rhel7:' GovReadyfile

# Change profile
govready profile rht-ccp

# Run a scan
govready scan

# List results
ls -l scans

# View report from most recent scan
lynx scans/results.html

# Run fix script generated by most recent OpenSCAP scan
govready fix

# Scan again
govready scan

# Compare before and after scans. Compares rules with 'pass' results in most recent scan to results in second most recent scan.
govready compare

# Compare before and after scans to see if anything fails that passed in the second most recent scan.
govready compare fail

# Information and evaluation of individual rule (rule must be listed in results.xml file)
govready rule sshd_disable_root_login

# See available profiles (e.g., baselines)
govready profiles

# Run a scan for a different profile (e.g., baseline)
govready scan <profile>
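
Added example (not part of the issue thread and not GovReady's own code): a pre-scan check for the mismatch reported here, where a RHEL 7 host ends up pointed at RHEL 6 content. It generalizes the `sed` step to any RHEL major version. The GovReadyfile key names and file contents in the demo are constructed; only the `rhelN` token comes from the quick start.

```shell
# Added example, not GovReady code. Sample file contents below are constructed;
# only the "rhelN" token in GovReadyfile is taken from the quick start.

# Print the RHEL major version from an os-release style file.
os_major() {
    sed -n 's/^VERSION_ID="\{0,1\}\([0-9][0-9]*\).*/\1/p' "${1:-/etc/os-release}" | head -n 1
}

# Print each distinct rhelN token found in a file, one per line.
content_versions() {
    grep -o 'rhel[0-9][0-9]*' "$1" | sort -u
}

# Return 0 if every rhelN token equals rhel<major>, 1 on mismatch, 2 if none found.
check_govreadyfile() {
    found="$(content_versions "$1" || true)"
    if [ -z "$found" ]; then
        echo "no rhelN reference in $1"
        return 2
    fi
    if [ "$found" = "rhel$2" ]; then
        echo "OK: $1 targets rhel$2"
        return 0
    fi
    echo "MISMATCH: host is rhel$2, $1 references:" $found
    return 1
}

# Rewrite every rhelN token; /g covers repeats on one line, which s:rhel6:rhel7: misses.
retarget_govreadyfile() {
    sed "s/rhel[0-9][0-9]*/rhel$2/g" "$1" > "$1.new" && mv "$1.new" "$1"
}

# Demo on constructed files in a temporary directory.
demo() {
    d="$(mktemp -d)"
    printf 'NAME="Red Hat Enterprise Linux Server"\nVERSION_ID="7.1"\n' > "$d/os-release"
    printf 'CPE = ssg-rhel6-cpe-dictionary.xml\nXCCDF = ssg-rhel6-xccdf.xml\n' > "$d/GovReadyfile"
    major="$(os_major "$d/os-release")"
    check_govreadyfile "$d/GovReadyfile" "$major" || retarget_govreadyfile "$d/GovReadyfile" "$major"
    check_govreadyfile "$d/GovReadyfile" "$major"
    rm -rf "$d"
}

demo
```

Running the check before `govready scan` makes a scan against the wrong baseline fail loudly instead of producing results for RHEL 6 rules.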