{"id":13506809,"url":"https://github.com/ComplianceAsCode/content","last_synced_at":"2025-03-30T05:31:29.661Z","repository":{"id":16526251,"uuid":"19279458","full_name":"ComplianceAsCode/content","owner":"ComplianceAsCode","description":"Security automation content in SCAP, Bash, Ansible, and other formats","archived":false,"fork":false,"pushed_at":"2024-10-28T16:54:02.000Z","size":103546,"stargazers_count":2182,"open_issues_count":281,"forks_count":695,"subscribers_count":126,"default_branch":"master","last_synced_at":"2024-10-29T15:38:25.609Z","etag":null,"topics":["ansible","application-security","cce","compliance","cpe","cybersecurity","hardening","information-security","ospp","oval","pci-dss","scap","security","security-automation","security-hardening","security-profile","security-tools","stig","usgcb","xccdf"],"latest_commit_sha":null,"homepage":"https://complianceascode.readthedocs.io/en/latest/","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ComplianceAsCode.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":"CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2014-04-29T14:32:02.000Z","updated_at":"2024-10-28T16:54:07.000Z","dependencies_parsed_at":"2023-09-27T20:47:41.312Z","dependency_job_id":"0ebdb626-eddf-4c3d-b6d4-e013e82aca9e","html_url":"https://github.com/ComplianceAsCode/content","commit_stats":null,"previous_names":[],"tags_count":71,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ComplianceAsCode%2Fcontent","tags_url":"https://repos.ecosyste.ms/api/v1/ho
sts/GitHub/repositories/ComplianceAsCode%2Fcontent/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ComplianceAsCode%2Fcontent/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ComplianceAsCode%2Fcontent/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ComplianceAsCode","download_url":"https://codeload.github.com/ComplianceAsCode/content/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":245868266,"owners_count":20685607,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ansible","application-security","cce","compliance","cpe","cybersecurity","hardening","information-security","ospp","oval","pci-dss","scap","security","security-automation","security-hardening","security-profile","security-tools","stig","usgcb","xccdf"],"created_at":"2024-08-01T01:00:58.185Z","updated_at":"2025-03-30T05:31:24.648Z","avatar_url":"https://github.com/ComplianceAsCode.png","language":"Shell","readme":"# Welcome!\n\n[![Docs](https://img.shields.io/readthedocs/complianceascode)](https://complianceascode.readthedocs.io/en/latest/)\n[![Release](https://img.shields.io/github/release/ComplianceAsCode/content.svg)](https://github.com/ComplianceAsCode/content/releases/latest)\n[![Nightly ZIP 
Status](https://github.com/ComplianceAsCode/content/actions/workflows/nightly_build.yml/badge.svg)](https://nightly.link/ComplianceAsCode/content/workflows/nightly_build/master/Nightly%20Build.zip)\n[![Maintainability](https://api.codeclimate.com/v1/badges/62c1f8d8064b2163db3e/maintainability)](https://codeclimate.com/github/ComplianceAsCode/content/maintainability)\n[![Stats, Guides, Tables](https://github.com/ComplianceAsCode/content/actions/workflows/gh-pages.yaml/badge.svg)](https://complianceascode.github.io/content-pages/)\n[![Join the chat at https://gitter.im/Compliance-As-Code-The/content](https://badges.gitter.im/Compliance-As-Code-The/content.svg)](https://gitter.im/Compliance-As-Code-The/content?utm_source=badge\u0026utm_medium=badge\u0026utm_campaign=pr-badge\u0026utm_content=badge)\n[![Gitpod ready-to-code](https://img.shields.io/badge/Gitpod-ready--to--code-908a85?logo=gitpod)](https://gitpod.io/#https://github.com/ComplianceAsCode/content)\n\n\nThe purpose of this project is to create *security policy content* for various\nplatforms \u0026mdash; *Red Hat Enterprise Linux*, *Fedora*, *Ubuntu*, *Debian*, *SUSE Linux Enterprise Server (SLES)*,... 
\u0026mdash;\nas well as products \u0026mdash; *Firefox*, *Chromium*, ...\nWe aim to make it as easy as possible to write new and maintain existing\nsecurity content in all the commonly used formats.\n\n* [ComplianceAsCode Documentation](https://complianceascode.readthedocs.io/)\n* [ComplianceAsCode Blog](https://complianceascode.github.io/)\n* [Online Workshops](docs/workshop/README.adoc) - Perfect as a starting point\n* [Profiles in ComplianceAsCode](https://complianceascode.github.io/content-pages/guides/index.html) - online HTML guides for each profile\n\n\n## We build security content in various formats\n\n![NIST logo](docs/readme_images/nist_logo.svg \"NIST logo\") \u0026nbsp; \u0026nbsp; ![Ansible logo](docs/readme_images/ansible_logo.svg \"Ansible logo\") \u0026nbsp; \u0026nbsp; ![Bash logo](docs/readme_images/bash_logo.png \"Bash logo\")\n\n*\"SCAP content\"* refers to documents  in the *XCCDF*, *OVAL* and\n*SCAP source data stream* formats.  These documents can be presented\nin different forms and by different organizations to meet their security\nautomation and technical implementation needs.  For general use, we\nrecommend *SCAP source data streams* because they contain all the data you\nneed to evaluate and put machines into compliance. The data streams are\npart of our release ZIP archives.\n\n*\"Ansible content\"* refers to Ansible playbooks generated from security\nprofiles.  These can be used both in check-mode to evaluate compliance,\nas well as run-mode to put machines into compliance.  We publish these\non *Ansible Galaxy* as well as in release ZIP archives.\n\n*\"Bash fix files\"* refers to *Bash* scripts generated from security\nprofiles.  These are meant to be run on machines to put them into\ncompliance.  We recommend using other formats but understand that for\nsome deployment scenarios bash is the only option.\n\n### Why?\n\nWe want multiple organizations to be able to efficiently develop security\ncontent. 
By taking advantage of the powerful build system of this project,\nwe avoid as much redundancy as possible.\n\nThe build system combines the easy-to-edit YAML rule files with OVAL checks,\nAnsible task snippets, Bash fixes, and other files. Templating is provided\nat every step to avoid boilerplate. Security identifiers\n(CCE, NIST ID, STIG, ...) appear in all of our output formats but are all\nsourced from the YAML rule files.\n\nWe understand that depending on your organization's needs you may need\nto use a specific security content format. We let you choose.\n\n![Build system schema](docs/readme_images/build_schema.svg \"Build system schema\")\n\n---\nWe use an OpenControl-inspired YAML rule format for input. Write once and\ngenerate security content in XCCDF, Ansible, and others.\n\n```YAML\ntitle: 'Configure The Number of Allowed Simultaneous Requests'\n\ndescription: |-\n    The \u003ctt\u003eMaxKeepAliveRequests\u003c/tt\u003e directive should be set and configured to\n    \u003csub idref=\"var_max_keepalive_requests\" /\u003e or greater by setting the following\n    in \u003ctt\u003e/etc/httpd/conf/httpd.conf\u003c/tt\u003e:\n    \u003cpre\u003eMaxKeepAliveRequests {{{ xccdf_value(\"var_max_keepalive_requests\") }}}\u003c/pre\u003e\n\nrationale: |-\n    Resource exhaustion can occur when an unlimited number of concurrent requests\n    are allowed on a web site, facilitating a denial of service attack. 
Mitigating\n    this kind of attack will include limiting the number of concurrent HTTP/HTTPS\n    requests per IP address and may include, where feasible, limiting parameter\n    values associated with keepalive, (i.e., a parameter used to limit the amount of\n    time a connection may be inactive).\n\nseverity: medium\n\nidentifiers:\n    cce: \"80551-5\"\n```\n\n### Scan targets\n\nOur security content can be used to scan bare-metal machines, virtual machines,\nvirtual machine images (qcow2 and others), containers (including Docker), and\ncontainer images.\n\nWe use platform checks to detect whether we should or should not evaluate some\nof the rules. For example: separate partition checks make perfect sense on bare-metal\nmachines but go against recommended practices on containers.\n\n## Installation\n\n### From packages\n\nThe preferred method of installation is via the package manager of your\ndistribution. On *Red Hat Enterprise Linux* and *Fedora* you can use:\n\n```bash\nyum install scap-security-guide\n```\n\nOn Debian (sid), you can use:\n\n```bash\napt install ssg-debian  # for Debian guides\napt install ssg-debderived  # for Debian-based distributions (e.g. Ubuntu) guides\napt install ssg-nondebian  # for other distributions guides (RHEL, Fedora, etc.)\napt install ssg-applications  # for application-oriented guides (Firefox, JBoss, etc.)\n```\n\n### From release ZIP files\n\nDownload a pre-built SSG zip archive from\n[the release page](https://github.com/ComplianceAsCode/content/releases/latest).\nEach zip file is an archive with ready-made SCAP source data streams.\n\n\n### From source\n\nIf ComplianceAsCode is not packaged in your distribution (it may be present there as the `scap-security-guide` package), or if the\nversion that is packaged is too old, you need to build the content yourself\nand install it via `make install`. 
Please see the [Developer Guide](https://complianceascode.readthedocs.io/en/latest/manual/developer/02_building_complianceascode.html)\ndocument for more info. We also recommend opening an issue on that distribution's\nbug tracker to voice interest.\n\n## Usage\n\nWe assume you have installed ComplianceAsCode system-wide into a\nstandard location from current upstream sources as instructed in the previous section.\n\nThere are several ways to consume ComplianceAsCode content; we will only\ngo through a few of them here.\n\n### `oscap` tool\n\nThe `oscap` tool is a low-level command line interface that comes from\nthe OpenSCAP project. It can be used to scan the local machine.\n\n```bash\noscap xccdf eval --profile xccdf_org.ssgproject.content_profile_ospp --results-arf arf.xml --report report.html --oval-results /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml\n```\n\n\u003ca href=\"docs/readme_images/report_sample.png\"\u003e\u003cimg align=\"right\" width=\"250\" src=\"docs/readme_images/report_sample.png\" alt=\"Evaluation report sample\"\u003e\u003c/a\u003e\n\nAfter evaluation, the `arf.xml` file will contain all results in a reusable\n*result data stream* (ARF) format, and `report.html` will contain a human-readable\nreport that can be opened in a browser.\n\nReplace the profile with another profile of your choice; you can display\nall possible choices using:\n\n```bash\noscap info /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml\n```\n\nPlease see the [OpenSCAP](https://www.open-scap.org/) website for more information.\n\n### SCAP Workbench\n\nThe SCAP Workbench is a graphical user interface for SCAP evaluation and\ncustomization. It is suitable for scanning a single machine, either local\nor remote (via SSH). 
New versions of SCAP Workbench have SSG integration\nand will automatically offer it when the application is started.\n\nPlease see the [SCAP Workbench](https://www.open-scap.org/tools/scap-workbench/) website for more information.\n\n### `oscap-ssh` tool\n\n`oscap-ssh` comes bundled with OpenSCAP 1.2.3 and later. It allows scanning\na remote machine via SSH with an interface resembling the `oscap` tool.\n\nThe following command evaluates a machine with IP `192.168.1.123` with content\nstored on the local machine. Keep in mind that `oscap` has to be installed on the\nremote machine but the SSG content doesn't need to be.\n\n```bash\noscap-ssh root@192.168.1.123 22 xccdf eval --profile xccdf_org.ssgproject.content_profile_standard --results-arf arf.xml --report report.html /usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml\n```\n\n### Ansible\n\nTo see a list of available Ansible Playbooks, run:\n\n```bash\nls /usr/share/scap-security-guide/ansible/\n```\n\nThese Ansible Playbooks are generated from *SCAP* profiles available for the products.\n\nTo apply the playbook on your local machine run:\n(*THIS WILL CHANGE CONFIGURATION OF THE MACHINE!*)\n\n```bash\nansible-playbook -i \"localhost,\" -c local /usr/share/scap-security-guide/ansible/rhel9-playbook-ospp.yml\n```\n\nEach of the Ansible Playbooks contains instructions on how to deploy them. 
Here\nis a snippet of the instructions:\n\n```YAML\n...\n# This file was generated by OpenSCAP 1.2.16 using:\n#   $ oscap xccdf generate fix --profile rht-ccp --fix-type ansible sds.xml\n#\n# This script is generated from an OpenSCAP profile without preliminary evaluation.\n# It attempts to fix every selected rule, even if the system is already compliant.\n#\n# How to apply this remediation role:\n# $ ansible-playbook -i \"192.168.1.155,\" playbook.yml\n# $ ansible-playbook -i inventory.ini playbook.yml\n...\n```\n\n### Bash\n\nTo see a list of available Bash scripts, run:\n\n```bash\n# ls /usr/share/scap-security-guide/bash/\n...\nrhel8-script-hipaa.sh\nrhel8-script-ospp.sh\nrhel8-script-pci-dss.sh\n...\n```\n\nThese Bash scripts are generated from *SCAP* profiles available for the products.\nSimilar to Ansible Playbooks, each of the Bash scripts contains instructions on how to deploy them.\n\n## Support\n\nThe SSG mailing list can be found at [https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide](https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide).\n\nIf you encounter issues with OpenSCAP or SCAP Workbench, use [https://www.redhat.com/mailman/listinfo/open-scap-list](https://www.redhat.com/mailman/listinfo/open-scap-list).\n\nIf you prefer more interactive contact with the community, you can join us on Gitter and IRC:\n- Gitter: https://gitter.im/Compliance-As-Code-The/content\n- IRC: join the `#openscap` IRC channel on `libera.chat`.\n\n## A little bit of history\n\nThis project started in 2011 as a collaboration between United States Government agencies and commercial operating system vendors.\nThe original name was SCAP Security Guide, commonly abbreviated as SSG.\nThe original scope was to create SCAP data streams. 
Over time, it grew into the\nbiggest open-source beyond-SCAP content project.\n\nThe next few years saw the introduction of not just government-specific security\nprofiles but also commercial ones, such as PCI-DSS and CIS.\n\nLater, the industry started moving towards different security content formats,\nsuch as Ansible, Puppet, and Chef InSpec. The community reacted by evolving the\ntooling and helped transform SSG into a more general-purpose security content\nproject. This change happened over time in 2017 and 2018. In September 2018, we\ndecided to change the name of the project to `ComplianceAsCode`, in order to avoid confusion.\n\nWe envision that the future will be format-agnostic. That's why we opted for an\nabstraction instead of using XCCDF for the input format.\n\n## Contributors\n\nThis project welcomes new contributors. We are continually trying to remove the complexities to make contributions easier and more enjoyable for everyone. This is a nice project and a friendly community.\n\nThere are many ways to contribute. Check the documentation for more details:\nhttps://complianceascode.readthedocs.io/en/latest/manual/developer/01_introduction.html\n\nCheck the updated list of [Contributors](Contributors.md).\n","funding_links":[],"categories":["Shell","Wikis/Guides:","stig","ansible"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FComplianceAsCode%2Fcontent","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FComplianceAsCode%2Fcontent","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FComplianceAsCode%2Fcontent/lists"}