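#!/bin/bash
#
# Evaluate the local host against the STIG profile of the matching
# SCAP Security Guide (SSG) datastream with OpenSCAP, writing a STIG Viewer
# results file and an HTML report into the current working directory.
#
# Usage: ./script.sh        (re-executes itself under sudo when not root)
#
# Environment:
#   SSG_VERSION - upstream ComplianceAsCode release fetched on Debian/Ubuntu
#                 (default: 0.1.78)
#   SSG_SHA512  - optional expected SHA-512 of the downloaded release zip.
#                 When set, the download is verified before it is unpacked;
#                 when unset, a warning is printed and the content is used
#                 unverified.
set -euo pipefail

# Target SSG version for the Debian/Ubuntu download path.
readonly SSG_VERSION="${SSG_VERSION:-0.1.78}"
readonly SSG_SHA512="${SSG_SHA512:-}"

# Populated by detect_os / the per-family content functions.
OSFAMILY=""
OSRELEASE=""
SSG=""
SSG_PATH=""
# Scratch directory for downloaded content; removed on every exit path.
WORKDIR=""

#######################################
# Print a message to stderr and exit with status 1.
# Arguments: message words
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Remove the scratch directory, if one was created. Installed as EXIT trap.
# Globals: WORKDIR (read)
#######################################
cleanup() {
  if [[ -n "$WORKDIR" ]]; then
    rm -rf -- "$WORKDIR"
  fi
}

#######################################
# Re-execute the script under sudo when not already running as root.
# Globals:   EUID (read)
# Arguments: the script's original arguments, forwarded to the re-exec
#######################################
ensure_root() {
  if [[ "$EUID" -ne 0 ]]; then
    echo "This script must be run as root or under sudo."
    echo "Attempting privilege escalation..."
    exec sudo "$0" "$@"
  fi
}

#######################################
# Read the OS family and release from /etc/os-release.
# Globals: OSFAMILY, OSRELEASE (written)
#######################################
detect_os() {
  if [[ ! -f /etc/os-release ]]; then
    echo "Cannot find OS release information!" >&2
    die "Please contact your system administrator."
  fi
  # shellcheck disable=SC1091
  . /etc/os-release
  # VERSION_ID is absent on some rolling releases; fall back to empty.
  OSFAMILY="${ID:-}"
  OSRELEASE="${VERSION_ID:-}"
}

#######################################
# Debian/Ubuntu: install the distro SSG packages and fetch the upstream
# ComplianceAsCode release zip into a private scratch directory.
# The scan below uses the datastream from the release zip, not the packaged
# content.
# Globals: OSFAMILY, OSRELEASE, SSG_VERSION, SSG_SHA512 (read);
#          WORKDIR, SSG, SSG_PATH (written)
#######################################
fetch_debian_content() {
  local url zip
  apt update
  apt install ssg-base ssg-debderived ssg-debian ssg-nondebian ssg-applications

  # A fresh mktemp directory instead of a fixed /tmp path: the script runs as
  # root, so a predictable name in a shared /tmp is a symlink/overwrite risk.
  WORKDIR="$(mktemp -d)" || die "mktemp failed"
  zip="${WORKDIR}/scap-security-guide-${SSG_VERSION}.zip"
  url="https://github.com/ComplianceAsCode/content/releases/download/v${SSG_VERSION}/scap-security-guide-${SSG_VERSION}.zip"
  wget --https-only -O "$zip" -- "$url" || die "Download of ${url} failed."

  if [[ -n "$SSG_SHA512" ]]; then
    printf '%s  %s\n' "$SSG_SHA512" "$zip" | sha512sum -c --quiet - \
      || die "Checksum mismatch for ${zip}; refusing to use it."
  else
    echo "WARNING: SSG_SHA512 is not set; the downloaded content was not verified." >&2
  fi

  unzip -q -o -d "$WORKDIR" "$zip"
  # Debian-family datastreams carry the full release without the dot
  # (e.g. 22.04 -> ssg-ubuntu2204-ds.xml).
  SSG="ssg-${OSFAMILY}${OSRELEASE//./}-ds.xml"
  SSG_PATH="${WORKDIR}/scap-security-guide-${SSG_VERSION}/${SSG}"
}

#######################################
# RHEL family: install the scanner and SSG content from the distro repos.
# Globals: OSFAMILY, OSRELEASE (read); SSG, SSG_PATH (written)
#######################################
install_rhel_content() {
  # No output redirect here: dnf prompts for confirmation on stdout, and
  # hiding it leaves the user waiting on an invisible prompt.
  dnf install --refresh openscap-scanner scap-security-guide
  # Datastreams are named after the major release only (e.g. 9.3 -> rhel9);
  # strip everything from the first dot so two-digit majors also work.
  SSG="ssg-${OSFAMILY}${OSRELEASE%%.*}-ds.xml"
  SSG_PATH="/usr/share/xml/scap/ssg/content/${SSG}"
}

#######################################
# Entry point: prepare content, prompt for remediation, run oscap, hand the
# output files to the invoking user and open the report.
# Arguments: the script's original arguments (only forwarded on re-exec)
#######################################
main() {
  ensure_root "$@"
  trap cleanup EXIT

  # User who invoked the script; output files are chown'ed to this user
  # because the scanner writes them as root.
  local iusr
  if [[ -n "${SUDO_USER:-}" ]]; then
    iusr="$SUDO_USER"
  else
    iusr="$(id -un)"
  fi

  detect_os
  case "$OSFAMILY" in
    ubuntu|debian)
      fetch_debian_content
      ;;
    rhel|rocky|centos)
      install_rhel_content
      ;;
    *)
      echo "Unsupported operating system family." >&2
      die "Please contact your system administrator."
      ;;
  esac

  if [[ ! -f "$SSG_PATH" ]]; then
    echo "Unsupported OS version detected! (${SSG} not found)" >&2
    die "Please consult your system administrator."
  fi
  command -v oscap >/dev/null \
    || die "oscap not found; install the OpenSCAP scanner package and retry."

  local datestamp host out_results out_report
  datestamp="$(date +%Y%m%d)"
  host="$(hostname)"
  out_results="STIGVIEWER-${host}-${datestamp}.xml"
  out_report="STIG-REPORT-${host}-${datestamp}.html"

  echo
  echo "Using SSG file: $SSG"
  echo "Results destination: $PWD/$out_results"
  echo "Report destination: $PWD/$out_report"
  echo
  echo "Enter Y for yes, N or enter for no."
  local response=""
  # EOF on stdin (non-interactive run) is treated as "no".
  read -r -p "Do you wish to automatically resolve failures? [y/N] " response || true

  local -a extra_args=()
  case "$response" in
    [yY][eE][sS]|[yY])
      echo "Remediations will be automatically applied."
      extra_args+=("--remediate")
      ;;
    *)
      echo "No remediation will be performed."
      ;;
  esac

  # Run the scanner. oscap exits 0 when every rule passed, 2 when at least one
  # rule failed (the evaluation itself succeeded) and 1 on an error, so the
  # status is captured instead of letting set -e abort before the outputs are
  # handed over.
  local rv=0
  oscap xccdf eval --profile stig \
    --stig-viewer "$out_results" \
    --report "$out_report" \
    ${extra_args[@]+"${extra_args[@]}"} \
    "$SSG_PATH" || rv=$?

  # Change the owner of whatever output files exist to the invoking user.
  local f
  for f in "$out_results" "$out_report"; do
    if [[ -e "$f" ]]; then
      chown -- "${iusr}:" "$f"
    fi
  done

  if (( rv != 0 && rv != 2 )); then
    die "oscap exited with status ${rv}; the evaluation did not complete."
  fi

  echo
  echo "Process completed. Please see the output files:"
  echo "$PWD/$out_results"
  echo "$PWD/$out_report"
  echo
  echo "Your security officer may require \"$out_results\" as part of your compliance checklist."
  echo "Opening report in 5..."
  echo
  sleep 5
  # Open the output file in a desktop environment, if there is one; failure
  # (no desktop, no xdg-open) is not an error for this script.
  xdg-open "$PWD/$out_report" >/dev/null 2>&1 || true
  xdg-open "$PWD" >/dev/null 2>&1 || true
}

main "$@"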