Automation, Programming, SCAP, System Administration Leave a comment

OpenSCAP on CentOS 7 – Installing from source

OpenSCAP on CentOS 7

Installing from source

Security automation is hot and we love it. One way is using the OpenSCAP toolkit. Unfortunately it is not mature enough, so you might want to build and install it from source. We share our findings while creating our test environment.

Install required components

On our minimum installed CentOS 7 system, we need to install a few components. Most are related to compiling C++ and parsing XML files. Since we like to use Git, let’s start with that and obtain the source code of OpenSCAP:

mkdir /root/openscap-build && cd /root/openscap-build
yum install git
git clone https://github.com/OpenSCAP/openscap.git
cd openscap/

Next is installing the related components to build the toolkit:

yum install gcc
yum install autoconf automake libtool
yum install libcurl-devel libxml2-devel libxslt-devel pcre-devel swig
yum install python-devel

Optional components

To support as much as possible, we want to install some additional components. They are not needed for everything, but depending on the system may be useful (e.g. RPM for CentOS).

yum install rpm-devel libselinux-devel systemd-devel GConf2-devel

We skip isaconf, as this is related to Solaris.

Build OpenSCAP from source

Time to build OpenSCAP from the source files:

make clean && ./autogen.sh && ./configure && make

If everything went fine, it should end with leaving the directories and a successful compilation (something like this):

make[3]: Leaving directory `/root/openscap/openscap/swig/python2'
Making all in python3
make[3]: Entering directory `/root/openscap/openscap/swig/python3'
make[3]: Nothing to be done for `all'.
make[3]: Leaving directory `/root/openscap/openscap/swig/python3'
make[3]: Entering directory `/root/openscap/openscap/swig'
make[3]: Nothing to be done for `all-am'.
make[3]: Leaving directory `/root/openscap/openscap/swig'
make[2]: Leaving directory `/root/openscap/openscap/swig'
make[2]: Entering directory `/root/openscap/openscap'
make[2]: Leaving directory `/root/openscap/openscap'
make[1]: Leaving directory `/root/openscap/openscap'

So if the build was successful, we can optionally install the toolkit:

make install

In our case there are some builds between what the original CentOS 7 package provided and the newer compiled binary in /usr/local/bin:

[root@localhost openscap]# /bin/oscap -V | grep oscap
OpenSCAP command line tool (oscap) 1.0.3
[root@localhost openscap]# /usr/local/bin/oscap -V | grep oscap
OpenSCAP command line tool (oscap) 1.2.0

Happy auditing!

 

One more thing...

Keep learning

So you are interested in Linux security? Join the Linux Security Expert training program, a practical and lab-based training ground. For those who want to become (or stay) a Linux security expert.

See training package



Lynis Enterprise screenshot to help with system hardeningSecurity scanning with Lynis and Lynis Enterprise

Run automated security scans and increase your defenses. Lynis is an open source security tool to perform in-depth audits. It helps with system hardening, vulnerability discovery, and compliance.


Download

Continue reading

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.