
Customizing OpenSCAP Policy

Objectives

After completing this section, students should be able to create a tailoring file to adjust the policy's security checks so that they are relevant and correct for a specific system and its use case.

Customizing a SCAP Security Guide Profile

The SCAP Security Guide provides profiles for verifying system compliance against standards established by governmental or other organizations. For example, the PCI-DSS profile tests compliance against the rules mandated by the Payment Card Industry Security Standards Council.

However, real-world situations vary. Most profiles in the SCAP Security Guide are meant as a catalog, not a checklist, and satisfying every item may not be sensible or even possible in many operational scenarios.

Your organization, auditors, or other stakeholders may not require your systems to comply with every item specified in a particular profile, but instead require compliance with a specific subset of the profile. Some rules may not apply in your environment, and others, not in the profile, may be required. You might also need to increase or decrease the values used for certain checks; for example, the maximum password age or the minimum password length permitted.

With SCAP Workbench, you can create custom profiles. As a starting point, you select an existing profile and adjust it by selecting and clearing compliance rules and by tuning the parameters those rules use. You then save your new profile in an XML tailoring file that you can copy to the systems to scan. The tailoring file does not duplicate the profile; it records only the base profile it extends and your changes to it, so it must always be used together with the data stream it was built from.

Creating a Tailoring File

Run the scap-workbench command to start SCAP Workbench and create your profile customization. You can use the SCAP Workbench tool on your local workstation and copy the resulting XML tailoring file to the systems you want to scan.

From the main SCAP Workbench window, select the profile on which you want to base your customization and then click Customize.

Figure 9.7: Main SCAP Workbench window

The next step is to give your new profile an identifier. You must use a particular format for the identifier: XCCDF 1.2 profile identifiers take the form xccdf_<reverse-DNS namespace>_profile_<name>, for example xccdf_org.ssgproject.content_profile_pci-dss_customized. The Customize Profile dialog box provides guidance for creating correctly formatted identifiers.

Figure 9.8: New profile dialog box

In the customization window, select the rules that you want for your customized profile. The rules that are already selected come from the profile you initially chose.

There are two types of items in the left pane:

  • The rules that you can select or clear

  • The parameters you can tune for some of these rules

The following image highlights the rule selection. Inspect the information provided in the Selected Item Properties, Description, Security Identifiers, and Depends on Values sections in the right pane. These values represent information related to the specific rule selection:

Figure 9.9: Policy customization rule selection

The following image highlights a parameter value associated with the rule selection. Inspect the information provided in the right pane and notice that under the Modify Value section you have the option to change the value of the highlighted parameter:

Figure 9.10: Policy customization parameter selection

Notice in the previous image that the Set Password Maximum Age rule is selected. You can customize this rule with the maximum password age setting. In this example, the maximum age for a password is set to 60 days.

When done, click OK to go back to the main window. Click File > Save Customization Only to save your customization file.

Scanning a System Using a Profile Customized with a Tailoring File

Before you scan a system with your tailoring file, make sure that you have the following on the target system:

  • The XML tailoring file, copied from the workstation where you created it.

  • The custom profile identifier you defined when you created the tailoring file. You can use the oscap info command on the XML tailoring file to retrieve that identifier.

  • The openscap-scanner and scap-security-guide packages, installed.

To scan the system with your tailoring file, run the oscap xccdf eval command as usual, using the same data stream file that the profile you customized came from (here, ssg-rhel7-ds.xml). Use the --tailoring-file option to specify your tailoring file. The --profile option needs to specify the ID of your custom profile, not the ID of the profile it was based on.

[root@demo ~]# oscap xccdf eval \
> --profile custom_profile_ID \
> --tailoring-file tailoring_file.xml \
> --results result_file.xml \
> /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
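The following is an added example, not code from the course or from the OpenSCAP project. It shows what a tailoring file saved by the procedure above contains and how to recover the custom profile identifier, the rule changes and the refined values from it without SCAP Workbench or oscap installed, then builds the oscap xccdf eval command line from what it found. The sample tailoring file embedded in the script is constructed for this example; it is shaped like a SCAP Workbench customization of the PCI-DSS profile with the maximum password age set to 60 days, but the rule and value identifiers in it are illustrative and should be checked against your own file.

```python
"""Added example: inspect an XCCDF 1.2 tailoring file and build the oscap command."""
import re
import sys
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
NS = {"xccdf": XCCDF_NS}

# XCCDF 1.2 requires profile IDs of the form xccdf_<reverse-DNS namespace>_profile_<name>;
# this is the format the SCAP Workbench "Customize Profile" dialog enforces.
PROFILE_ID_RE = re.compile(r"^xccdf_[A-Za-z0-9.\-]+_profile_[A-Za-z0-9._\-]+$")

# Constructed sample, shaped like a SCAP Workbench "Save Customization Only" file:
# a custom profile extending the SSG PCI-DSS profile, one rule switched off, and
# the maximum password age refined to 60 days. Rule/value IDs are illustrative.
SAMPLE_TAILORING = """<xccdf:Tailoring xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
                 id="xccdf_scap-workbench_tailoring_default">
  <xccdf:benchmark href="/usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml"/>
  <xccdf:version time="2019-03-01T12:00:00">1</xccdf:version>
  <xccdf:Profile id="xccdf_org.ssgproject.content_profile_pci-dss_customized"
                 extends="xccdf_org.ssgproject.content_profile_pci-dss">
    <xccdf:title xml:lang="en-US">PCI-DSS v3 Control Baseline [CUSTOMIZED]</xccdf:title>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs" selected="true"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_service_auditd_enabled" selected="false"/>
    <xccdf:refine-value idref="xccdf_org.ssgproject.content_value_var_accounts_maximum_age_login_defs" selector="60"/>
  </xccdf:Profile>
</xccdf:Tailoring>
"""


def parse_tailoring(xml_text):
    """Return the benchmark the file was built against and the profile(s) it defines."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Tailoring" % XCCDF_NS:
        raise ValueError("not an XCCDF 1.2 Tailoring document: %s" % root.tag)
    bench = root.find("xccdf:benchmark", NS)
    benchmark_href = bench.get("href") if bench is not None else None
    profiles = []
    for prof in root.findall("xccdf:Profile", NS):
        pid = prof.get("id", "")
        if not PROFILE_ID_RE.match(pid):
            raise ValueError("malformed profile id %r (expected xccdf_<ns>_profile_<name>)" % pid)
        entry = {"id": pid, "extends": prof.get("extends"),
                 "selected": [], "deselected": [], "values": {}}
        for sel in prof.findall("xccdf:select", NS):
            key = "selected" if sel.get("selected") == "true" else "deselected"
            entry[key].append(sel.get("idref"))
        # refine-value picks one of the value's predefined selectors; set-value
        # carries a free-form value as element text. Handle both.
        for rv in prof.findall("xccdf:refine-value", NS):
            entry["values"][rv.get("idref")] = rv.get("selector")
        for sv in prof.findall("xccdf:set-value", NS):
            entry["values"][sv.get("idref")] = (sv.text or "").strip()
        profiles.append(entry)
    if not profiles:
        raise ValueError("tailoring file defines no Profile element")
    return {"benchmark_href": benchmark_href, "profiles": profiles}


def oscap_eval_argv(profile_id, tailoring_path, results_path, datastream):
    """argv for the oscap xccdf eval command shown above, ready for subprocess.run()."""
    return ["oscap", "xccdf", "eval",
            "--profile", profile_id,
            "--tailoring-file", tailoring_path,
            "--results", results_path,
            datastream]


if __name__ == "__main__":
    # Pass a real tailoring file as the first argument; otherwise use the sample.
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TAILORING
    info = parse_tailoring(src)
    for p in info["profiles"]:
        print("profile:   ", p["id"], "(extends %s)" % p["extends"])
        print("selected:  ", p["selected"])
        print("deselected:", p["deselected"])
        print("values:    ", p["values"])
        # The benchmark href is the data stream the customization was made from;
        # scanning against a different one will not find the extended profile.
        print("scan with: ", " ".join(oscap_eval_argv(
            p["id"], "tailoring_file.xml", "result_file.xml", info["benchmark_href"])))
```

The benchmark href recorded in the file is the data stream the customization was made against; if the target system carries a different scap-security-guide release, check that the base profile and the refined value identifiers still exist there before trusting the scan results.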

References

For more information, refer to the Customizing Security Profiles section in the Security Guide at https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/security_guide/#sect-Customizing_Security_Profiles-SCAP_Workbench

Revision: rh415-7.5-813735c