CMS’ ISPG (Information Security and Privacy Group) decided to discontinue funding the customization of MITRE’s Security Automation Framework (SAF) for CMS after September 2023. This repo is now in archive mode, but still accessible. For more information about SAF with current links, see https://security.cms.gov/learn/security-automation-framework-saf

A minimal baseline to scan for all packages that have known CVE (cve.mitre.org) patchable vulnerabilities on your red hat system.

This InSpec compliance profile uses yum updateinfo list cves command to list all packages that have known cve.mitre.org patchable vulnerabilities.

• InSpec at least version 2.*
• yum must be configured correctly on the target.

If needed - install inspec on your 'runner' system - i.e. your orchestration server, your workstation, your bastion host or your instance you wish to evlauate.

a. InSpec has prepackaged installers for all platforms here: https://www.inspec.io/downloads, or

b. If you already have a ruby environment (2.4.x) installed on your 'runner' system - you can just do a simple gem install inspec, or

c. If running in AWS, you can use the AWS SSM suite to run InSpec on your RHEL assets - see the InSpec + SSM documation here: https://aws.amazon.com/blogs/mt/using-aws-systems-manager-to-run-compliance-scans-using-inspec-by-chef/

You will need to download the InSpec Profile to your runner system. You can do this via git or the GitHub Web interface, etc.

a. git clone https://github.cms.gov/ispg-review/rhel_cve_vulnerability_scan_baseline, or

b. Save a Zip or tar.gz copy of the master branch from the Clone or Download button of this project

The profile uses Bundler to manage needed dependencies - so you will need to installed the needed gems via bundler before you run the profile. Change directories to your your cloned inspec profile then do a bundle install.

a. cd rhel_cve_vulnerability_scan_baseline

b. bundle install

InSpec makes it easy to run your tests wherever you need. More options listed here: InSpec cli

# Clone Inspec Profile
$ git clone https://github.cms.gov/ispg-review/rhel_cve_vulnerability_scan_baseline

# Install Gems
$ bundle install

# To run profile locally with cli & json output 
$ inspec exec /path/to/profile --attrs=attributes.yml --reporter cli json:cve_scan-results.json --sudo

# To run profile on a remote target with cli & json output 
$ inspec exec /path/to/profile -t ssh://username@target-ip -i path/to/ssh-cert --reporter cli json:cve_scan-results.json --sudo

For more usage options, see https://github.com/chef/inspec/blob/master/README.md

• Aaron Lippold aaronlippold
• Rony Xavier rx294
• Eugene Aronne ejaronne

• This project is dual-licensed under the terms of the Apache license 2.0 (apache-2.0)