
Chapter 9.  Managing Compliance with OpenSCAP

Abstract

Goal

Evaluate and remediate a server's compliance with security policies by using OpenSCAP.

Sections
  • Installing OpenSCAP (and Guided Exercise)

  • Scanning and Analyzing Compliance (and Guided Exercise)

  • Customizing OpenSCAP Policy (and Guided Exercise)

  • Remediating OpenSCAP Issues with Ansible (and Guided Exercise)

Lab
  • Managing Compliance with OpenSCAP

Installing OpenSCAP

Objectives

  • Explain basic OpenSCAP concepts, tools, and profiles, and prepare a system for a local OpenSCAP scan.

OpenSCAP and Security Compliance in Red Hat Enterprise Linux

Enterprise computing environments might consist of hundreds or thousands of interconnected computer systems that are running many applications and services, and which are accessed by a large and diverse set of users and applications. To maintain control over the security of this vast environment, a standard way to scan systems for compliance with security policies is needed.

The National Institute of Standards and Technology (NIST), along with other authorities, developed a standard compliance system called Security Content Automation Protocol (SCAP). The SCAP standard is a framework of security specifications. These specifications support automated configuration checking, vulnerability and patch checking, and security measurement. The OpenSCAP project is an open source project that develops tools for implementing and enforcing security policies by using the SCAP standard.

The OpenSCAP project also provides a number of predefined and customizable compliance policies in the SCAP format for use with OpenSCAP tools. The needs and risk profiles of each organization are different, and often require the ability to customize the compliance policy checklist. As a result, the compliance policy varies across organizations. To verify whether a given object follows a rule in a compliance policy, perform a compliance audit.

Red Hat Enterprise Linux provides tools that are based on the SCAP standard and that enable administrators to run a fully automated compliance audit. In addition to natively providing OpenSCAP tooling, Red Hat provides the underlying development libraries. This approach allows independent software vendors (ISVs) to embed NIST-certified configuration and vulnerability scanning into their applications.

Security Compliance Tools

The following security compliance tools are provided on Red Hat Enterprise Linux 9:

OpenSCAP

The oscap command-line utility, provided by the openscap-scanner package, performs configuration and vulnerability scans, and generates reports and guidance based on these scans.

SCAP Security Guide (SSG)

This predefined collection of security policies for Linux systems is provided in the scap-security-guide package. The guide provides a catalog of hardening advice that is linked to various government requirements to help define and customize security policies according to the organization's needs. This guide is not just documentation; rather, this guide provides rules and scripts that are used by the oscap command.

Script Check Engine (SCE)

The openscap-engine-sce package provides the SCE extension that enables you to write security content by using Bash, Python, or Ruby.

SCAP Workbench

This graphical utility performs scans on a single local or a remote system, and generates security reports based on these scans. The utility can also be used to customize compliance policies.

The SCAP Security Guide

The SCAP Security Guide is a collection of security policies for Linux systems, in the form of SCAP documents. The guide consists of rules with detailed descriptions and proven remediation scripts and Ansible Playbooks. The SCAP Security Guide can be used with OpenSCAP tools to automate the auditing of a Linux system.

SCAP Security Guide transforms the security guidelines that are recommended by different authorities into a machine-readable format that can be used by OpenSCAP to audit your system. The guide builds multiple security baselines from the high-quality SCAP content. If your system must comply with one of the provided baselines, then you can select the appropriate profile from the SCAP Security Guide. However, most real world deployments require adjustments to the profile based on the organization's security requirements.

Various security policies are available in the SCAP Security Guide, such as policies for Fedora Linux, Red Hat Enterprise Linux, Mozilla Firefox, and other products. Red Hat recommends that you write a security policy in a proactive way that balances security risk against business needs. Security policies should be regularly updated and maintained, and must incorporate any government and industry requirements.

For ease of use, all the available security policies are broken into profiles. A profile can be defined as a grouping of security settings that correlate to a known policy.

Use the dnf install scap-security-guide command to install the SCAP Security Guide. This command automatically installs the openscap-scanner package as a dependency. The openscap-scanner package contains the OpenSCAP command-line tool called oscap.

[root@host ~]# dnf install scap-security-guide

The scap-security-guide package installs a predefined data stream file in the /usr/share/xml/scap/ssg/content/ directory. The SCAP source data stream file (ssg-rhel9-ds.xml) contains all the data that the XCCDF file (ssg-rhel9-xccdf.xml) contained in previous versions of RHEL. The SCAP source data stream is a container file that includes all the components that are needed to perform a compliance scan. Using the SCAP source data stream instead of XCCDF files has been recommended since Red Hat Enterprise Linux 7. In previous versions of Red Hat Enterprise Linux, the data in the XCCDF file and in the SCAP source data stream was duplicated. In Red Hat Enterprise Linux 9, this duplication is removed to reduce the RPM package size. If your scenario requires using separate files instead of the data stream, then you can split the data stream file by using the following command:

[root@host ~]# oscap ds sds-split \
    /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml output_directory

The SCAP source data stream supports document generation, information interchange, automation of compliance testing, compliance scoring, and situational tailoring. The data stream file contains the SCAP profiles with all the rules that are required to run an evaluation or a scan. You learn how to use this file in upcoming sections of this chapter.

[root@host ~]# ls -l /usr/share/xml/scap/ssg/content/
total 22548
-rw-r--r--. 1 root root 23088822 Feb 14  2023 ssg-rhel9-ds.xml

To review all the security rules that are associated with a profile, you can consult the data stream file. However, you can also use the oscap command to generate a user-friendly HTML version of the security guide for a specific profile.

To use the oscap command to generate the HTML security guide for a specific profile, you must provide the profile's unique id attribute. You can use the oscap info command to parse the data stream file and to display the profiles, along with their id attributes.

The following example uses the oscap info command to inspect the security content:

[root@host ~]# oscap info /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml
Document type: Source Data Stream
Imported: 2023-02-14T07:34:39

Stream: scap_org.open-scap_datastream_from_xccdf_ssg-rhel9-xccdf.xml
Generated: (null)
Version: 1.3
Checklists:
    Ref-Id: scap_org.open-scap_cref_ssg-rhel9-xccdf.xml
        Status: draft
        Generated: 2023-02-14
        Resolved: true
        Profiles:
            Title: ANSSI-BP-028 (enhanced)
                Id: xccdf_org.ssgproject.content_profile_anssi_bp28_enhanced
            Title: ANSSI-BP-028 (high)
                Id: xccdf_org.ssgproject.content_profile_anssi_bp28_high
            Title: ANSSI-BP-028 (intermediary)
                Id: xccdf_org.ssgproject.content_profile_anssi_bp28_intermediary
            Title: ANSSI-BP-028 (minimal)
                Id: xccdf_org.ssgproject.content_profile_anssi_bp28_minimal
            Title: CIS Red Hat Enterprise Linux 9 Benchmark for Level 2 - Server
                Id: xccdf_org.ssgproject.content_profile_cis
            Title: CIS Red Hat Enterprise Linux 9 Benchmark for Level 1 - Server
                Id: xccdf_org.ssgproject.content_profile_cis_server_l1
            Title: CIS Red Hat Enterprise Linux 9 Benchmark for Level 1 - Workstation
                Id: xccdf_org.ssgproject.content_profile_cis_workstation_l1
            Title: CIS Red Hat Enterprise Linux 9 Benchmark for Level 2 - Workstation
                Id: xccdf_org.ssgproject.content_profile_cis_workstation_l2
            Title: [DRAFT] Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)
                Id: xccdf_org.ssgproject.content_profile_cui
...output omitted...

The output contains the available configuration profiles. To generate the HTML security guide, choose the appropriate profile and use the oscap xccdf generate guide command. The following command generates the HTML security guide for the DISA STIG for Red Hat Enterprise Linux 9 profile.

[root@host ~]# oscap xccdf generate guide \
    --profile xccdf_org.ssgproject.content_profile_stig \
    /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml > guide.html

Use a web browser to open the final guide.html security guide. The HTML security guide contains all the available rules in an organized form.
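The oscap info and oscap xccdf generate guide commands above both work from the same information: the XCCDF Profile elements inside the data stream, their id attributes, and the rules each profile selects. The following script, added here as an illustration and not part of the course or the OpenSCAP project, reads that structure directly with the Python standard library. It uses the real SCAP 1.2 data stream and XCCDF 1.2 namespaces, but the embedded data stream is a constructed, cut-down sample (the profile and rule ids imitate the SCAP Security Guide naming scheme and are not real SSG ids); the function names list_profiles and selected_rules are the example's own. Pointing list_profiles at /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml on a RHEL 9 host reproduces the Title/Id listing that oscap info prints.

```python
"""Inspect a SCAP source data stream without oscap (added example)."""
import xml.etree.ElementTree as ET

# Real namespaces used by SCAP 1.2 source data streams and XCCDF 1.2 content.
NS = {
    "ds": "http://scap.nist.gov/schema/scap/source/1.2",
    "xccdf": "http://checklists.nist.gov/xccdf/1.2",
}

# Constructed sample: two profiles and three rules. The ids only imitate the
# SSG naming scheme; they are not real SCAP Security Guide identifiers.
SAMPLE_DS = """
<ds:data-stream-collection xmlns:ds="http://scap.nist.gov/schema/scap/source/1.2"
    xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
    id="scap_org.open-scap_collection_from_xccdf_ssg-example-xccdf.xml">
  <ds:data-stream id="scap_org.open-scap_datastream_from_xccdf_ssg-example-xccdf.xml"
      scap-version="1.3" use-case="OTHER">
    <ds:checklists>
      <ds:component-ref id="scap_org.open-scap_cref_ssg-example-xccdf.xml"/>
    </ds:checklists>
  </ds:data-stream>
  <ds:component id="scap_org.open-scap_comp_ssg-example-xccdf.xml">
    <xccdf:Benchmark id="xccdf_org.ssgproject.content_benchmark_EXAMPLE">
      <xccdf:Profile id="xccdf_org.ssgproject.content_profile_example_minimal">
        <xccdf:title>Example baseline (minimal)</xccdf:title>
        <xccdf:select idref="xccdf_org.ssgproject.content_rule_sshd_disable_root_login" selected="true"/>
      </xccdf:Profile>
      <xccdf:Profile id="xccdf_org.ssgproject.content_profile_example_high">
        <xccdf:title>Example baseline (high)</xccdf:title>
        <xccdf:select idref="xccdf_org.ssgproject.content_rule_sshd_disable_root_login" selected="true"/>
        <xccdf:select idref="xccdf_org.ssgproject.content_rule_package_aide_installed" selected="true"/>
        <xccdf:select idref="xccdf_org.ssgproject.content_rule_package_telnet_removed" selected="false"/>
      </xccdf:Profile>
      <xccdf:Group id="xccdf_org.ssgproject.content_group_services">
        <xccdf:Rule id="xccdf_org.ssgproject.content_rule_sshd_disable_root_login" severity="medium">
          <xccdf:title>Disable SSH Root Login</xccdf:title>
        </xccdf:Rule>
        <xccdf:Rule id="xccdf_org.ssgproject.content_rule_package_aide_installed" severity="medium">
          <xccdf:title>Install AIDE</xccdf:title>
        </xccdf:Rule>
        <xccdf:Rule id="xccdf_org.ssgproject.content_rule_package_telnet_removed" severity="high">
          <xccdf:title>Remove telnet Clients</xccdf:title>
        </xccdf:Rule>
      </xccdf:Group>
    </xccdf:Benchmark>
  </ds:component>
</ds:data-stream-collection>
"""


def _load(source):
    """Parse a data stream given either as an XML string or as a file path."""
    if source.lstrip().startswith("<"):
        return ET.fromstring(source)
    return ET.parse(source).getroot()


def list_profiles(source=SAMPLE_DS):
    """Return [(profile_id, title)] for every XCCDF profile in the stream.

    This is the Title/Id pairing that `oscap info` prints under Profiles.
    """
    root = _load(source)
    profiles = []
    for prof in root.iterfind(".//xccdf:Benchmark/xccdf:Profile", NS):
        title = prof.findtext("xccdf:title", default="", namespaces=NS)
        profiles.append((prof.get("id"), title))
    return profiles


def selected_rules(profile_id, source=SAMPLE_DS):
    """Return [(rule_id, title, severity)] for the rules a profile enables.

    Only <select> entries with selected="true" count, which is the rule set
    the HTML guide for that profile describes. Raises KeyError for an
    unknown profile id, the same failure a typo in --profile would cause.
    """
    root = _load(source)
    rules = {r.get("id"): r for r in root.iterfind(".//xccdf:Rule", NS)}
    prof = root.find(f".//xccdf:Profile[@id='{profile_id}']", NS)
    if prof is None:
        raise KeyError(f"no profile with id {profile_id!r}")
    out = []
    for sel in prof.iterfind("xccdf:select", NS):
        if sel.get("selected", "false").lower() != "true":
            continue
        rule = rules.get(sel.get("idref"))
        if rule is None:
            continue  # selected id with no Rule definition in this benchmark
        out.append((rule.get("id"),
                    rule.findtext("xccdf:title", default="", namespaces=NS),
                    rule.get("severity", "unknown")))
    return out


if __name__ == "__main__":
    for pid, title in list_profiles():
        print(f"Title: {title}\n    Id: {pid}")
    for rid, title, sev in selected_rules("xccdf_org.ssgproject.content_profile_example_high"):
        print(f"{sev:8} {rid}  {title}")
```

Run it as is to see the constructed sample, or call list_profiles("/usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml") on a host with scap-security-guide installed; the id strings it returns are exactly what the --profile option of oscap expects.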

SCAP Workbench

SCAP Workbench is a graphical tool that enables users to perform configuration scans, remediate the system, and generate reports based on the evaluations. The tool can scan the local system, or it can use SSH to connect to and scan a single remote system.

Figure 9.1: SCAP Workbench interface

Use the dnf install scap-workbench command to install SCAP Workbench.

[root@host ~]# dnf install scap-workbench

When you launch SCAP Workbench, you can choose the security content that you want to use. The scap-security-guide package is installed as a dependency of SCAP Workbench. You can choose from the predefined content that the scap-security-guide package installs in the /usr/share/xml/scap/ssg/content/ directory.

Figure 9.2: Choosing SCAP Workbench content

OpenSCAP Scans

To scan a file system, use the oscap command-line utility, which is provided as part of the OpenSCAP project. If SCAP Workbench is installed on the system, then the oscap utility is installed as a dependency. If you are scanning a remote host that does not have SCAP Workbench installed, then you must install the oscap tool separately.

To prepare your remote system for an OpenSCAP scan, install the openscap-scanner package, which contains the oscap command-line utility.

[root@host ~]# dnf install openscap-scanner

The oscap command uses security policies that are defined as SCAP documents. Red Hat recommends using the scap-security-guide package, which provides the SCAP Security Guide.

[root@host ~]# dnf install scap-security-guide

You can also start by installing only the SCAP Security Guide, which installs the openscap-scanner package as a dependency.

With both packages installed, your system is ready for an OpenSCAP scan. In the next section of this course, you learn how to perform and evaluate the results of a scan.

References

oscap(8) man page

For more information, refer to the Scanning the System for Configuration Compliance and Vulnerabilities chapter in the Red Hat Enterprise Linux 9 Security Hardening guide at https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/security_hardening/index#scanning-the-system-for-configuration-compliance-and-vulnerabilities_security-hardening

Revision: rh415-9.2-a821299