
Scanning and Analyzing Compliance

Objectives

After completing this section, students should be able to evaluate a server's compliance with the requirements specified by a policy from the SCAP Security Guide using OpenSCAP tools.

Introducing the oscap Command

You can use the oscap command-line tool to scan a system for compliance with a SCAP policy, generate remediation scripts, and create reports and guides.

The oscap command needs some security content to work. The scap-security-guide package provides the SCAP Security Guide, which contains some standard security policies for Linux systems. The package installs content files in the /usr/share/xml/scap/ssg/content/ directory.

The files with names ending in -ds.xml in that directory are SCAP source data streams. Each one bundles an XCCDF checklist with the OVAL definitions and CPE dictionary that its rules reference, so a single file is all the scanner needs. They define the compliance policies for different applications, such as Firefox, or operating systems, such as Red Hat Enterprise Linux.

[user@demo ~]$ cd /usr/share/xml/scap/ssg/content
[user@demo content]$ ls *-ds.xml
ssg-firefox-ds.xml  ssg-jre-ds.xml  ssg-rhel6-ds.xml  ssg-rhel7-ds.xml

A data stream file can also define multiple profiles that you can choose when scanning a system for compliance. To list the available profiles, use the oscap info command.

[user@demo content]$ oscap info ./ssg-rhel7-ds.xml
Document type: Source Data Stream
Imported: 2018-04-27T15:03:29

Stream: scap_org.open-scap_datastream_from_xccdf_ssg-rhel7-xccdf-1.2.xml
Generated: (null)
Version: 1.2
Checklists:
	Ref-Id: scap_org.open-scap_cref_ssg-rhel7-xccdf-1.2.xml
		Status: draft
		Generated: 2018-04-27
		Resolved: true
		Profiles:
			Title: Standard System Security Profile
				Id: xccdf_org.ssgproject.content_profile_standard
			Title: PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7
				Id: xccdf_org.ssgproject.content_profile_pci-dss
			Title: C2S for Red Hat Enterprise Linux 7
				Id: xccdf_org.ssgproject.content_profile_C2S
			Title: Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)
				Id: xccdf_org.ssgproject.content_profile_rht-ccp
			Title: Common Profile for General-Purpose Systems
				Id: xccdf_org.ssgproject.content_profile_common
			Title: DISA STIG for Red Hat Enterprise Linux 7
				Id: xccdf_org.ssgproject.content_profile_stig-rhel7-disa
			Title: STIG for Red Hat Virtualization Hypervisor
				Id: xccdf_org.ssgproject.content_profile_stig-rhevh-upstream
			Title: United States Government Configuration Baseline (USGCB / STIG) - DRAFT
				Id: xccdf_org.ssgproject.content_profile_ospp-rhel7
			Title: Criminal Justice Information Services (CJIS) Security Policy
				Id: xccdf_org.ssgproject.content_profile_cjis-rhel7-server
			Title: Standard Docker Host Security Profile
				Id: xccdf_org.ssgproject.content_profile_docker-host
			Title: Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)
				Id: xccdf_org.ssgproject.content_profile_nist-800-171-cui
...output omitted...

Scanning a System for Compliance

In order to scan a system, install the openscap-scanner and scap-security-guide packages on that system, and select the XCCDF data stream file and the profile you want to use.

Run the oscap xccdf eval command to scan the system. Provide the data stream file as an argument, and the identifier of the profile to use with the --profile option. The command prints the result of each rule on standard output and exits with status 0 when every selected rule passed, 2 when at least one rule failed, and 1 when the scan itself could not run (for example, because the content or the profile was not found). Save the detailed results in an XML file with the --results option; with that file, you can later generate reports and remediation scripts.

The following example shows how to use the oscap xccdf eval command to scan the local system. It uses the data stream file for Red Hat Enterprise Linux 7, /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml. The security profile being applied from the data stream is the PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7, xccdf_org.ssgproject.content_profile_pci-dss. The results of the scan are saved to /root/results.xml.

[root@demo ~]# oscap xccdf eval \
> --profile xccdf_org.ssgproject.content_profile_pci-dss \
> --results /root/results.xml \
> /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
WARNING: This content points out to the remote resources. Use `--fetch-remote-resources' option to download them.
WARNING: Skipping https://learn.spidernet.pl/security/data/oval/com.redhat.rhsa-RHEL7.xml.bz2 file which is referenced from XCCDF content
Title   Ensure Red Hat GPG Key Installed
Rule    xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed
Ident   CCE-26957-1
Result  pass

Title   Ensure gpgcheck Enabled In Main Yum Configuration
Rule    xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated
Ident   CCE-26989-4
Result  pass

Title   Ensure gpgcheck Enabled For All Yum Package Repositories
Rule    xccdf_org.ssgproject.content_rule_ensure_gpgcheck_never_disabled
Ident   CCE-26876-3
Result  pass

Title   Ensure Software Patches Installed
Rule    xccdf_org.ssgproject.content_rule_security_patches_up_to_date
Ident   CCE-26895-3
Result  notchecked
...output omitted...

You need to run the command as root because the scan process may need to evaluate files only accessible to the root user.

Notice the warning messages in the command output, and the notchecked result of the Ensure Software Patches Installed test. That rule compares the installed packages against OVAL definitions of Red Hat Security Advisories, which the data stream references by URL rather than embedding. Because the scan did not download them, the rule could not be evaluated and was skipped.

If the system can reach the URL named in the warning (content from Red Hat references Red Hat's own OVAL feed on the internet; the data stream in this example points at another host), add the --fetch-remote-resources option and oscap downloads the definitions before evaluating the rule. The downloaded file decides the outcome of that rule, so fetch it only from a source you trust, over HTTPS as in the example.

[root@demo ~]# oscap xccdf eval --fetch-remote-resources \
> --profile xccdf_org.ssgproject.content_profile_pci-dss \
> --results /root/results.xml \
> /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
Downloading: https://learn.spidernet.pl/security/data/oval/com.redhat.rhsa-RHEL7.xml.bz2 ... ok
Title   Ensure Red Hat GPG Key Installed
Rule    xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed
Ident   CCE-26957-1
Result  pass

Title   Ensure gpgcheck Enabled In Main Yum Configuration
Rule    xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated
Ident   CCE-26989-4
Result  pass

Title   Ensure gpgcheck Enabled For All Yum Package Repositories
Rule    xccdf_org.ssgproject.content_rule_ensure_gpgcheck_never_disabled
Ident   CCE-26876-3
Result  pass

Title   Ensure Software Patches Installed
Rule    xccdf_org.ssgproject.content_rule_security_patches_up_to_date
Ident   CCE-26895-3
Result  fail
...output omitted...
Performing compliance scan using OpenSCAP tools

Generating and Viewing the HTML Report

After the scan is complete, you can use the resulting XML file to generate a complete report in HTML format.

Run the oscap xccdf generate report command.

[root@demo ~]# oscap xccdf generate report results.xml > results.html
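The wrapper below is an added example, not code from the course page or the OpenSCAP project. It chains the steps shown above (oscap info, oscap xccdf eval with --fetch-remote-resources, oscap xccdf generate report) and adds the two things a practitioner usually bolts on: acting on oscap's exit status (0, 1 or 2) and pulling the failing rule ids out of the --results XML without opening the HTML report. It assumes the RHEL 7 data stream, the PCI-DSS profile id and the /root/results.xml and results.html paths from the page; the results fragment it embeds is constructed in the shape of an oscap --results file so the parsing functions can be exercised on a machine without oscap.

```shell
#!/bin/sh
# Added example wrapper around the oscap commands shown on the page.
# Assumptions: paths and profile id taken from the page; sample_results is a
# constructed fragment, not real scanner output.
set -u

DS=/usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
PROFILE=xccdf_org.ssgproject.content_profile_pci-dss

# list_profiles: print the profile ids the data stream offers, taken from the
# "Id:" lines of oscap info (the same output shown earlier on the page).
list_profiles() {
    oscap info "$DS" | sed -n 's/^[[:space:]]*Id:[[:space:]]*//p'
}

# run_scan RESULTS_FILE [extra oscap options, e.g. --fetch-remote-resources]
# Exit status is oscap's own: 0 = every selected rule passed,
# 2 = at least one rule failed, 1 = the scan itself could not run.
run_scan() {
    results=$1; shift
    if oscap xccdf eval "$@" --profile "$PROFILE" --results "$results" "$DS"; then
        rc=0
    else
        rc=$?
    fi
    case $rc in
        0) echo "scan finished: all selected rules passed" ;;
        2) echo "scan finished: some rules failed, see $results" ;;
        *) echo "oscap did not complete (status $rc)" >&2 ;;
    esac
    return $rc
}

# make_report RESULTS_FILE HTML_FILE: render the XCCDF results as HTML.
make_report() {
    oscap xccdf generate report "$1" > "$2"
}

# count_results RESULTS_FILE STATUS: number of <rule-result> entries whose
# <result> equals STATUS (pass, fail, notchecked, error, ...). Prints 0 if none.
count_results() {
    awk -v want="$2" '
        $0 ~ ("<result>" want "</result>") { n++ }
        END { print n + 0 }
    ' "$1"
}

# failed_rules RESULTS_FILE: idref of every rule whose result is fail.
# The idref sits on the <rule-result> line; its <result> element follows it.
failed_rules() {
    awk '
        /<rule-result / { id = $0; sub(/.*idref="/, "", id); sub(/".*/, "", id) }
        /<result>fail<\/result>/ { print id }
    ' "$1"
}

# sample_results: constructed fragment in the shape of an oscap --results file,
# mirroring the rule ids and outcomes of the second scan on the page.
sample_results() {
    cat <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.ssgproject.content_benchmark_RHEL-7">
  <TestResult id="xccdf_org.open-scap_testresult_xccdf_org.ssgproject.content_profile_pci-dss">
    <profile idref="xccdf_org.ssgproject.content_profile_pci-dss"/>
    <rule-result idref="xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed" severity="high" weight="1.000000">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated" severity="high" weight="1.000000">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_ensure_gpgcheck_never_disabled" severity="high" weight="1.000000">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_security_patches_up_to_date" severity="high" weight="1.000000">
      <result>fail</result>
    </rule-result>
  </TestResult>
</Benchmark>
EOF
}

case "${1:-}" in
    profiles) list_profiles ;;
    scan)     run_scan /root/results.xml --fetch-remote-resources ;;
    report)   make_report /root/results.xml /root/results.html ;;
    summary)  f=${2:-/root/results.xml}
              echo "pass=$(count_results "$f" pass) fail=$(count_results "$f" fail) notchecked=$(count_results "$f" notchecked)"
              failed_rules "$f" ;;
    demo)     f=$(mktemp); sample_results > "$f"
              echo "pass=$(count_results "$f" pass) fail=$(count_results "$f" fail)"
              failed_rules "$f"; rm -f "$f" ;;
esac
```

Run it as root with scan, then report, then summary on a scanned system; demo exercises the parsing on the embedded fragment only. The scan step deliberately passes oscap's status back to the caller, so a cron job or configuration-management run can treat 2 (rules failed) differently from 1 (scan broken), which a bare oscap invocation inside a pipeline would otherwise hide.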

View the report with Firefox. If the scan and the report were produced on another host (for example serverc in the lab), copy the HTML file to the machine that has a browser, here demo, before opening it.

[root@demo ~]# firefox results.html

In the Firefox web browser navigate to the Evaluation Characteristics section to view initial details related to the target system of the compliance scan. This section includes scan characteristics such as the name of the system targeted for evaluation, start and finish times, network addresses, and other scan results.

Figure 9.3: Evaluation characteristics for the oscap scan

Navigate to the Compliance and Scoring section to view a chart of the total number of rules that either passed or failed compliance and totals of severity levels for failed rules.

Figure 9.4: Compliance and scoring totals of oscap results

Navigate to the Rule Overview section to view rule groups. Notice the selection for the Group rules by list is currently set to Default. You can choose Severity or Result to change the grouping view to meet specific needs.

The default view groups rules by title. A rule result is one of pass, fail, error, unknown, notapplicable, notchecked, notselected, informational, or fixed; pass and fail are by far the most common and state whether the security control met its check.

Figure 9.5: Rule overview group views

Click a rule title such as Ensure Red Hat GPG Key Installed to display a dialog box that allows you to examine why a particular OpenSCAP security rule failed or passed.

Figure 9.6: Individual rule details

References

oscap(8) man page

For more information, refer to the Using oscap chapter in the Security Guide at https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/security_guide/#sect-Using_oscap

Information is available from the community OpenSCAP project on the policies that are available in the SCAP Security Guide and on how to select them, at https://www.open-scap.org/security-policies/choosing-policy/

Revision: rh415-7.5-b847083