STIG (Security Technical Implementation Guide) is a standard of the U.S. Department of Defense (DoD).
https://access.redhat.com/blogs/766093/posts/1976103 
http://manpages.ubuntu.com/manpages/zesty/man8/scap-workbench.8.html 
http://www.public.navy.mil/spawar/Atlantic/Technology/Pages/SCAP.aspx 
https://github.com/OpenSCAP/scap-security-guide/tree/master/Ubuntu/16.04 
https://conklin.io/assessing-centos-7-with-openscap/ 
https://public.cyber.mil/?s=ubuntu 
sudo apt-get install cmake build-essential openssh-client util-linux libopenscap-dev qtbase5-dev git asciidoctor
git clone https://github.com/OpenSCAP/scap-workbench
cd scap-workbench/
mkdir build; cd build
cmake ../
make
Best practice to scan CentOS?
Q: 
How can we use the DISA RHEL 7 STIG against a CentOS box?
Do we need to make modifications in the RHEL 7 STIG? If so, what are the steps to do that?
A: 
As long as the /etc/redhat-release file has the 'release 7' text in it, it should work. If CentOS does not have the /etc/redhat-release file, you can do one of the following…
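A pre-flight check for the condition described in the answer above, as an added example that is not part of the original Q&A or of the STIG content. The function names are hypothetical, and the plain search for "release 7" is an assumption standing in for the content's own platform test.

```shell
#!/bin/sh
# Pre-flight check before running the DISA RHEL 7 STIG content on a CentOS host.
# Assumption: the content's platform test is approximated here by a plain
# search for the text "release 7" in the release file.

# check_release_file [FILE]  (hypothetical helper)
#   returns 0: file is readable and contains "release 7"
#   returns 1: file is readable but does not contain "release 7"
#   returns 2: file is missing or not readable
check_release_file() {
    file="${1:-/etc/redhat-release}"
    if [ ! -r "$file" ]; then
        return 2
    fi
    if grep -q 'release 7' "$file"; then
        return 0
    fi
    return 1
}

# describe_release_file [FILE]: print a one-line verdict for the operator.
describe_release_file() {
    file="${1:-/etc/redhat-release}"
    rc=0
    check_release_file "$file" || rc=$?
    case "$rc" in
        0) echo "ok: $file contains 'release 7'" ;;
        1) echo "mismatch: $file lacks 'release 7': $(head -n 1 "$file")" ;;
        2) echo "missing: $file not found or not readable" ;;
    esac
}

# Check the default path, or the path given as the first argument.
describe_release_file "$@"
```

A "mismatch" or "missing" verdict means the scan may report the benchmark as not applicable to the host rather than evaluating its rules.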