Chapter 9. Managing Compliance with OpenSCAP

Abstract

Goal: Evaluate and remediate a server's compliance with security policies by using OpenSCAP.
Objectives
  • Explain what OpenSCAP is and how it works, and install OpenSCAP tools and SCAP Security Guide content on a server.

  • Evaluate a server's compliance with the requirements specified by a policy from the SCAP Security Guide using OpenSCAP tools.

  • Create a tailoring file to adjust the policy's security checks so that they are relevant and correct for a specific system and its use case.

  • Run Ansible Playbooks, provided with the SCAP Security Guide's content, to remediate compliance checks that failed an OpenSCAP scan.

Sections
  • Installing OpenSCAP (and Guided Exercise)

  • Scanning and Analyzing Compliance (and Guided Exercise)

  • Customizing OpenSCAP Policy (and Guided Exercise)

  • Remediating OpenSCAP Issues with Ansible (and Guided Exercise)

Lab Managing Compliance with OpenSCAP

Installing OpenSCAP

Objectives

After completing this section, students should be able to:

  • Explain what OpenSCAP is and how it works.

  • Explain what the SCAP Security Guide is.

  • Discuss SCAP profiles and how to choose a policy.

  • Discuss basic OpenSCAP tools and packages.

  • Prepare a system for a local OpenSCAP scan.

OpenSCAP and Security Compliance in Red Hat Enterprise Linux

Enterprise computing environments may consist of hundreds or thousands of interconnected computer systems, running numerous applications and services, and accessed by a large and diverse set of users and applications. In order to maintain control over the security of this vast environment, a standard way to scan systems for compliance with security policies is needed.

The National Institute of Standards and Technology (NIST), in conjunction with other authorities, developed a standard compliance system called Security Content Automation Protocol (SCAP). SCAP can be described as a framework of security specifications. It supports automated configuration checking, vulnerability and patch checking, and compliance measurement. OpenSCAP is an open source project that develops tools for implementing and enforcing security policies using the SCAP standard.

A compliance audit verifies that a given object follows the rules in a compliance policy. Usually, the compliance policy varies across organizations. The needs and risk profiles of each organization are different, and often require the ability to customize the compliance policy checklist. The OpenSCAP project provides a number of predefined and customizable compliance policies in SCAP format for use with OpenSCAP tools.

Red Hat Enterprise Linux provides tools that are based on the SCAP standard and allow administrators to run a fully automated compliance audit. In addition to natively providing OpenSCAP tooling, Red Hat provides the underlying development libraries. This approach allows independent software vendors (ISVs) to embed NIST-certified configuration and vulnerability scanning into their applications.

Security Compliance Tools

The following security compliance tools are provided on Red Hat Enterprise Linux 7:

OpenSCAP

The oscap command-line utility performs configuration and vulnerability scans, and generates reports and guidance based on these scans.

SCAP Security Guide (SSG)

A predefined collection of security policies for Linux systems, provided in the scap-security-guide package. It provides a catalog of hardening advice, linked to various government requirements to help define and customize security policies according to the organization's needs. This is not just documentation but provides rules and scripts used by oscap.

Script Check Engine (SCE)

The openscap-engine-sce package provides the SCE extension that allows you to write security content using Bash, Python, or Ruby.

SCAP Workbench

A graphical utility to perform scans on a single local or remote system and to generate security reports based on these scans. It can also be used to customize the compliance policy being used.

The SCAP Security Guide

The SCAP Security Guide is a collection of security policies for Linux systems, in the form of SCAP documents. It consists of rules with detailed descriptions and proven remediation scripts and Ansible Playbooks. The SCAP Security Guide can be used with OpenSCAP tools to automate the auditing of a Linux system.

SCAP Security Guide transforms security guidelines recommended by different authorities into a machine-readable format which can be used by OpenSCAP to audit your system. It builds multiple security baselines from the high-quality SCAP content. If your system must comply with one of the provided baselines, you can select the appropriate profile from the SCAP Security Guide. However, most real world deployments will require adjustments to the profile based on the organization's security requirements.

Various security policies are available in the SCAP Security Guide, for example, for Fedora, Red Hat Enterprise Linux, Mozilla Firefox, and others. It is a good practice to write a security policy proactively, balancing security risk against business needs. A security policy should be regularly updated and maintained, and must incorporate any government and industry requirements.

For ease of use, all the available security policies are broken into profiles. A profile can be defined as a grouping of security settings that correlate to a known policy.

Use the yum install scap-security-guide command to install the SCAP Security Guide. It automatically installs the openscap-scanner package as a dependency. The openscap-scanner package contains the OpenSCAP command-line tool called oscap.

[root@demo ~]# yum install scap-security-guide

The scap-security-guide package installs predefined profiles in the /usr/share/xml/scap/ssg/content/ directory. Each file in that directory is an XCCDF file, based on XML. The Extensible Configuration Checklist Description Format (XCCDF) is a language used to describe the security checklists. XCCDF supports document generation, information interchange, automation of compliance testing, compliance scoring, and situational tailoring. These XCCDF files contain the SCAP profiles with all the rules needed to run an evaluation or a scan. You will learn how to use these files in upcoming sections of this chapter.

[root@demo ~]# ls -l /usr/share/xml/scap/ssg/content/
total 35156
-rw-r--r--. 1 root root      546 Apr 27 09:03 ssg-firefox-cpe-dictionary.xml
-rw-r--r--. 1 root root     3647 Apr 27 09:03 ssg-firefox-cpe-oval.xml
-rw-r--r--. 1 root root   239466 Apr 27 09:03 ssg-firefox-ds.xml
-rw-r--r--. 1 root root    34691 Apr 27 09:03 ssg-firefox-ocil.xml
-rw-r--r--. 1 root root    45444 Apr 27 09:03 ssg-firefox-oval.xml
-rw-r--r--. 1 root root   219410 Aug  7 08:12 ssg-firefox-xccdf-result.xml
-rw-r--r--. 1 root root   149321 Apr 27 09:03 ssg-firefox-xccdf.xml
-rw-r--r--. 1 root root     1409 Apr 27 09:03 ssg-jre-cpe-dictionary.xml
-rw-r--r--. 1 root root     5518 Apr 27 09:03 ssg-jre-cpe-oval.xml
-rw-r--r--. 1 root root   157601 Apr 27 09:03 ssg-jre-ds.xml
-rw-r--r--. 1 root root    14011 Apr 27 09:03 ssg-jre-ocil.xml
-rw-r--r--. 1 root root    19627 Apr 27 09:03 ssg-jre-oval.xml
-rw-r--r--. 1 root root   113199 Apr 27 09:03 ssg-jre-xccdf.xml
-rw-r--r--. 1 root root     2338 Apr 27 09:03 ssg-rhel6-cpe-dictionary.xml
-rw-r--r--. 1 root root    37429 Apr 27 09:03 ssg-rhel6-cpe-oval.xml
-rw-r--r--. 1 root root  8691280 Apr 27 09:03 ssg-rhel6-ds.xml
-rw-r--r--. 1 root root   415058 Apr 27 09:03 ssg-rhel6-ocil.xml
-rw-r--r--. 1 root root  1975312 Apr 27 09:03 ssg-rhel6-oval.xml
-rw-r--r--. 1 root root  1977774 Apr 27 09:03 ssg-rhel6-xccdf.xml
-rw-r--r--. 1 root root     2978 Apr 27 09:03 ssg-rhel7-cpe-dictionary.xml
-rw-r--r--. 1 root root    37429 Apr 27 09:03 ssg-rhel7-cpe-oval.xml
-rw-r--r--. 1 root root 14277274 Apr 27 09:03 ssg-rhel7-ds.xml
-rw-r--r--. 1 root root   969349 Apr 27 09:03 ssg-rhel7-ocil.xml
-rw-r--r--. 1 root root  2357742 Apr 27 09:03 ssg-rhel7-oval.xml
-rw-r--r--. 1 root root   352878 Aug  7 08:12 ssg-rhel7-report.html
-rw-r--r--. 1 root root  3844544 Apr 27 09:03 ssg-rhel7-xccdf.xml

To review all of the security rules associated with a profile, you can consult the appropriate XCCDF XML file. However, an easier way is to use the oscap command to generate a user-friendly HTML version of the security guide for a specific profile.

To use oscap to generate the HTML security guide for a specific profile, you need to provide the profile's unique id attribute. You can use the oscap info command to parse the XCCDF XML files and display the profiles, along with their id attributes.

The following example uses the oscap info command to inspect the security content:

[root@demo ~]# oscap info /usr/share/xml/scap/ssg/content/ssg-firefox-ds.xml
Document type: Source Data Stream
Imported: 2018-04-27T09:03:14

Stream: scap_org.open-scap_datastream_from_xccdf_ssg-firefox-xccdf-1.2.xml
Generated: (null)
Version: 1.2
Checklists:
	Ref-Id: scap_org.open-scap_cref_ssg-firefox-xccdf-1.2.xml
		Status: draft
		Generated: 2018-04-27
		Resolved: true
		Profiles:
			Title: Upstream Firefox STIG
				Id: xccdf_org.ssgproject.content_profile_stig-firefox-upstream
		Referenced check files:
			ssg-firefox-oval.xml
				system: http://oval.mitre.org/XMLSchema/oval-definitions-5
			ssg-firefox-ocil.xml
				system: http://scap.nist.gov/schema/ocil/2
Checks:
	Ref-Id: scap_org.open-scap_cref_ssg-firefox-oval.xml
	Ref-Id: scap_org.open-scap_cref_ssg-firefox-ocil.xml
	Ref-Id: scap_org.open-scap_cref_ssg-firefox-cpe-oval.xml
Dictionaries:
	Ref-Id: scap_org.open-scap_cref_ssg-firefox-cpe-dictionary.xml

The output contains the available configuration profiles. To generate the HTML security guide, choose the appropriate profile and use the oscap xccdf generate guide command. The following command shows how to generate the HTML security guide for the Upstream Firefox STIG profile.

[root@demo ~]# oscap xccdf generate guide \
> --profile xccdf_org.ssgproject.content_profile_stig-firefox-upstream \
> /usr/share/xml/scap/ssg/content/ssg-firefox-ds.xml > guide.html

Use a browser to open the final guide.html HTML security guide. It contains all the available rules in a browsable form.
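The following shell script is an added example, not part of the course or of the OpenSCAP project. It parses the Id lines from oscap info output (the format shown above), derives a short name for each profile, and builds the same oscap xccdf generate guide command for every profile a data stream contains, so a guide can be rendered per profile instead of one at a time. The sample oscap info text is constructed inline so the parsing runs without oscap installed; generate_all_guides calls oscap only when it is on the PATH. The function names and the guides output directory are assumptions of this example.

```shell
#!/bin/sh
# Added example (not course or project code): turn `oscap info` output into
# one `oscap xccdf generate guide` invocation per profile.

# Constructed sample in the layout `oscap info` prints, trimmed to the lines
# this script cares about (the Title/Id pairs under "Profiles:").
SAMPLE_INFO='Document type: Source Data Stream
Checklists:
    Ref-Id: scap_org.open-scap_cref_ssg-firefox-xccdf-1.2.xml
        Profiles:
            Title: Upstream Firefox STIG
                Id: xccdf_org.ssgproject.content_profile_stig-firefox-upstream
        Referenced check files:
            ssg-firefox-oval.xml'

# list_profile_ids: read `oscap info` output on stdin and print one profile Id
# per line. "Ref-Id:" lines do not match because "Id:" must directly follow
# the leading whitespace.
list_profile_ids() {
    sed -n 's/^[[:space:]]*Id:[[:space:]]*//p'
}

# profile_short_name: drop the XCCDF namespace prefix so the id can be used in
# a file name, e.g. xccdf_org.ssgproject.content_profile_stig-firefox-upstream
# becomes stig-firefox-upstream.
profile_short_name() {
    printf '%s\n' "${1##*_profile_}"
}

# guide_command: print the command the course uses to render one profile as an
# HTML guide ($1 = data stream path, $2 = profile id, $3 = output file).
guide_command() {
    printf 'oscap xccdf generate guide --profile %s %s > %s\n' "$2" "$1" "$3"
}

# generate_all_guides: render an HTML guide for every profile in a data stream
# ($1), writing guide-<short name>.html into $2 (default: guides). Returns 1
# without doing anything when oscap is not installed.
generate_all_guides() {
    ds=$1
    outdir=${2:-guides}
    command -v oscap >/dev/null 2>&1 || return 1
    mkdir -p "$outdir"
    oscap info "$ds" | list_profile_ids | while read -r pid; do
        oscap xccdf generate guide --profile "$pid" "$ds" \
            > "$outdir/guide-$(profile_short_name "$pid").html"
    done
}

# Stand-alone demo: show the command(s) that would be run for the sample output.
DS=/usr/share/xml/scap/ssg/content/ssg-firefox-ds.xml
printf '%s\n' "$SAMPLE_INFO" | list_profile_ids | while read -r pid; do
    guide_command "$DS" "$pid" "guide-$(profile_short_name "$pid").html"
done
```

On a system with the packages installed, `generate_all_guides /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml` produces one browsable guide per RHEL 7 profile, which is a convenient way to compare what each profile requires before choosing one.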

SCAP Workbench

SCAP Workbench is a graphical tool that allows users to perform configuration scans, perform remediation of the system, and generate reports based on the evaluations. It can be used to scan the local system, or it can use SSH to connect to and scan a single remote system.

Figure 9.1: SCAP Workbench interface

Use the yum install scap-workbench command to install SCAP Workbench.

[root@demo ~]# yum install scap-workbench

When you launch SCAP Workbench, it gives you the opportunity to choose the security content that you want to use. The scap-security-guide package is installed as a dependency of SCAP Workbench. You can choose from the predefined content it installs in the /usr/share/xml/scap/ssg/content/ directory.

Figure 9.2: Choosing SCAP Workbench content

Local System OpenSCAP Scan

To scan local file systems, the oscap command-line utility is provided as part of the OpenSCAP project. If SCAP Workbench is installed then the oscap utility is installed as a dependency. If not, you need to install it separately.

To prepare your local system for an OpenSCAP scan, install the openscap-scanner package, which contains the oscap command-line utility.

[root@demo ~]# yum install openscap-scanner

The oscap command needs security content to work with. It is recommended to use the scap-security-guide package, which provides the SCAP Security Guide.

[root@demo ~]# yum install scap-security-guide

You can also start by installing only the SCAP Security Guide, which installs the openscap-scanner as a dependency.

With both packages installed, your system is ready for an OpenSCAP scan. In the next section of this course, you will learn how to perform and evaluate the results of a scan.

References

oscap(8) man page

For more information, refer to the Compliance and Vulnerability Scanning with OpenSCAP chapter in the Red Hat Enterprise Linux 7 Security Guide at https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/security_guide/#chap-Compliance_and_Vulnerability_Scanning

Revision: rh415-7.5-813735c