@ashishsecdev
Forked from CalvinHartwell/18.04-openscap.md
Created October 18, 2021 14:50
Using OpenSCAP on Ubuntu 18.04 LTS

Installation Instructions

First we install the following packages to use the openscap command-line tool:

sudo apt-get install libopenscap8 python-openscap

We will also install the SCAP security guide:

sudo apt install ssg-base ssg-debderived ssg-debian ssg-nondebian ssg-applications

Please note that both of these packages come from Universe and are not covered by Ubuntu Advantage by default. Details of the packages can be found here: https://packages.ubuntu.com/search?suite=bionic&searchon=names&keywords=ssg.

However, we would recommend pulling the latest SCAP security guide content from GitHub and building it, to get the most recent scans:

sudo apt-get install cmake make expat libopenscap8 libxml2-utils ninja-build python3-jinja2 python3-yaml xsltproc
git clone https://github.com/ComplianceAsCode/content.git

Then you can build the content for 18.04:

cd content
./build_product ubuntu1804

Running a Scan

After installing the command-line tool and the SCAP security guide, the policies can be found in the directory:

 /usr/share/scap-security-guide/

or if you built from source:

/home/calvinh/content/build/

There is a bug with Debian (ComplianceAsCode/content#2421), which is fixed by one of the following procedures:

Configure openscap so that its CPE directory points to the scap-security-guide directory; this permits openscap to use the scap-security-guide CPE files for the XCCDF evaluation.
OR copy the scap-security-guide ssg-ubuntu1604-cpe*.xml files into the default openscap CPE directory (/usr/share/openscap/cpe).

So let's take the second option and copy the CPE dictionary from the 18.04 build. Note that this overwrites the default openscap-cpe-dict.xml:

sudo cp /home/calvinh/content/build/ssg-ubuntu1804-cpe-dictionary.xml /usr/share/openscap/cpe/openscap-cpe-dict.xml

Then, from the directory that contains ssg-ubuntu1804-ds-1.2.xml, run a scan:

oscap xccdf eval \
  --profile xccdf_org.ssgproject.content_profile_standard \
  --results xccdf_org.ssgproject.content_profile_standard.xml \
  --report xccdf_org.ssgproject.content_profile_standard.html \
  ssg-ubuntu1804-ds-1.2.xml

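You should now receive the results of the scan: the machine-readable results in xccdf_org.ssgproject.content_profile_standard.xml and an HTML report in xccdf_org.ssgproject.content_profile_standard.html.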
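To triage the file written by --results without opening the HTML report, the script below summarises its rule results. It is an added example, not part of the original gist: the summarize function is a hypothetical helper, and the embedded sample is constructed with placeholder rule ids.

```python
import sys
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}  # XCCDF 1.2 namespace
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}

# Constructed sample, trimmed to the elements read below; rule ids are placeholders.
SAMPLE = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2">
 <TestResult id="xccdf_org.open-scap_testresult_xccdf_org.ssgproject.content_profile_standard">
  <rule-result idref="xccdf_org.ssgproject.content_rule_EXAMPLE_A" severity="medium"><result>pass</result></rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_EXAMPLE_B" severity="low"><result>fail</result></rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_EXAMPLE_C" severity="low"><result>notapplicable</result></rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_EXAMPLE_D" severity="medium"><result>notselected</result></rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_EXAMPLE_E" severity="high"><result>fail</result></rule-result>
  <score system="urn:xccdf:scoring:default" maximum="100.000000">50.000000</score>
 </TestResult>
</Benchmark>"""

def summarize(xml_data):
    """Return (count per result value, failed rules sorted by severity, score)."""
    root = ET.fromstring(xml_data)
    # Use the last TestResult, whether it is nested in a Benchmark or is the root.
    tests = list(root.iter("{%s}TestResult" % NS["x"]))
    if not tests:
        raise ValueError("no TestResult element: is this the --results file?")
    test = tests[-1]
    counts, failed = Counter(), []
    for rr in test.findall("x:rule-result", NS):
        result = (rr.findtext("x:result", "", NS) or "unknown").strip()
        counts[result] += 1
        if result == "fail":
            failed.append((rr.get("severity", "unknown"), rr.get("idref")))
    failed.sort(key=lambda f: (SEVERITY_ORDER.get(f[0], 3), f[1]))
    score = test.findtext("x:score", None, NS)
    return counts, failed, float(score) if score else None

if __name__ == "__main__":
    # Pass the results file as the first argument; without one the sample is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    counts, failed, score = summarize(data)
    print("score:", score, dict(counts))
    for severity, rule in failed:
        print(f"FAIL [{severity}] {rule}")
    sys.exit(2 if failed else 0)  # non-zero when any rule failed, for use in CI
```

Run it against xccdf_org.ssgproject.content_profile_standard.xml from the scan above; failed rules are listed with the highest severity first.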
