OpenSCAP on CentOS 7 – Installing from source
Installing from source
Security automation is hot and we love it. One way is using the OpenSCAP toolkit. Unfortunately it is not mature enough, so you might want to build and install it from source. We share our findings while creating our test environment.
Install required components
On our minimum installed CentOS 7 system, we need to install a few components. Most are related to compiling C++ and parsing XML files. Since we like to use Git, let’s start with that and obtain the source code of OpenSCAP:
mkdir /root/openscap-build && cd /root/openscap-build
yum install git
git clone https://github.com/OpenSCAP/openscap
cd openscap/
Next is installing the related components to build the toolkit:
yum install gcc
yum install autoconf automake libtool
yum install libcurl-devel libxml2-devel libxslt-devel pcre-devel swig
yum install python-devel
Optional components
To support as much as possible, we want to install some additional components. They are not needed for everything, but depending on the system may be useful (e.g. RPM for CentOS).
yum install rpm-devel libselinux-devel systemd-devel GConf2-devel
We skip isaconf, as this is related to Solaris.
Build OpenSCAP from source
Time to build OpenSCAP from the source files:
make clean && ./autogen.sh && ./configure && make
If everything went fine, it should end with leaving the directories and a successful compilation (something like this):
Making all in python3
make[3]: Entering directory `/root/openscap/openscap/swig/python3'
make[3]: Nothing to be done for `all'.
make[3]: Leaving directory `/root/openscap/openscap/swig/python3'
make[3]: Entering directory `/root/openscap/openscap/swig'
make[3]: Nothing to be done for `all-am'.
make[3]: Leaving directory `/root/openscap/openscap/swig'
make[2]: Leaving directory `/root/openscap/openscap/swig'
make[2]: Entering directory `/root/openscap/openscap'
make[2]: Leaving directory `/root/openscap/openscap'
make[1]: Leaving directory `/root/openscap/openscap'
So if the build was successful, we can optionally install the toolkit:
make install
In our case there are some builds between what the original CentOS 7 package provided and the newer compiled binary in /usr/local/bin:
# /bin/oscap -V | grep oscap
OpenSCAP command line tool (oscap) 1.0.3
# /usr/local/bin/oscap -V | grep oscap
OpenSCAP command line tool (oscap) 1.2.0
Happy auditing!