OpenSCAP on CentOS 7 – Installing from source
OpenSCAP on CentOS 7
Installing from source
Security automation is hot and we love it. One way is using the OpenSCAP toolkit. Unfortunately it is not mature enough, so you might want to build and install it from source. We share our findings while creating our test environment.
Install required components
On our minimum installed CentOS 7 system, we need to install a few components. Most are related to compiling C++ and parsing XML files. Since we like to use Git, let’s start with that and obtain the source code of OpenSCAP:
mkdir /root/openscap-build && cd /root/openscap-build yum install git git clone https://github.com/OpenSCAP/openscap.git cd openscap/
Next is installing the related components to build the toolkit:
yum install gcc yum install autoconf automake libtool yum install libcurl-devel libxml2-devel libxslt-devel pcre-devel swig yum install python-devel
To support as much as possible, we want to install some additional components. They are not needed for everything, but depending on the system may be useful (e.g. RPM for CentOS).
yum install rpm-devel libselinux-devel systemd-devel GConf2-devel
We skip isaconf, as this is related to Solaris.
Build OpenSCAP from source
Time to build OpenSCAP from the source files:
make clean && ./autogen.sh && ./configure && make
If everything went fine, it should end with leaving the directories and a successful compilation (something like this):
make: Leaving directory `/root/openscap/openscap/swig/python2' Making all in python3 make: Entering directory `/root/openscap/openscap/swig/python3' make: Nothing to be done for `all'. make: Leaving directory `/root/openscap/openscap/swig/python3' make: Entering directory `/root/openscap/openscap/swig' make: Nothing to be done for `all-am'. make: Leaving directory `/root/openscap/openscap/swig' make: Leaving directory `/root/openscap/openscap/swig' make: Entering directory `/root/openscap/openscap' make: Leaving directory `/root/openscap/openscap' make: Leaving directory `/root/openscap/openscap'
So if the build was successful, we can optionally install the toolkit:
In our case there are some builds between what the original CentOS 7 package provided and the newer compiled binary in /usr/local/bin:
[root@localhost openscap]# /bin/oscap -V | grep oscap
OpenSCAP command line tool (oscap) 1.0.3
[root@localhost openscap]# /usr/local/bin/oscap -V | grep oscap
OpenSCAP command line tool (oscap) 1.2.0