Guided Exercise: Installing OpenSCAP

Install OpenSCAP tools and the SCAP Security Guide on a server and examine the files that they provide.

Outcomes

  • Install OpenSCAP tools and the SCAP Security Guide on a server.

As the student user on the workstation machine, use the lab command to prepare your environment for this exercise, and to ensure that all required resources are available.

[student@workstation ~]$ lab start openscap-installing

Instructions

  1. On the serverc machine, install the oscap command-line tool and the SCAP Security Guide.

    1. Log in to the serverc machine as the student user. No password is required.

      [student@workstation ~]$ ssh student@serverc
      [student@serverc ~]$
    2. Use the sudo -i command to switch identity to the root user. Use student as the password.

      [student@serverc ~]$ sudo -i
      [sudo] password for student: student
      [root@serverc ~]#
    3. The openscap-scanner package provides the oscap command-line utility. Install that package.

      [root@serverc ~]# dnf install openscap-scanner
      ...output omitted...
      Complete!
    4. Run the oscap -V command to confirm that the tool is now available.

      [root@serverc ~]# oscap -V
      OpenSCAP command line tool (oscap) 1.3.7
      Copyright 2009--2021 Red Hat Inc., Durham, North Carolina.
      ...output omitted...
    5. The oscap command needs some security content in order to work. Install the scap-security-guide package, which provides the SCAP Security Guide. The SCAP Security Guide contains some standard security policies for Linux systems.

      [root@serverc ~]# dnf install scap-security-guide
      ...output omitted...
      Complete!
  2. Review the available profiles in the SCAP Security Guide.

    1. The scap-security-guide package installs the scap-security-guide(8) man page. On this man page, review the Red Hat Enterprise Linux 9 PROFILES section, which describes the available profiles.

      [root@serverc ~]# man scap-security-guide
    2. Another way to list the available profiles is to directly review the XCCDF XML files. The scap-security-guide package deploys those files to the /usr/share/xml/scap/ssg/content/ directory. In that directory, extract the profile list from the ssg-rhel9-ds.xml file.

      [root@serverc ~]# grep 'content_profile' \
          /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml
            <xccdf-1.2:Profile id="xccdf_org.ssgproject.content_profile_anssi_bp28_enhanced">
            <xccdf-1.2:Profile id="xccdf_org.ssgproject.content_profile_anssi_bp28_high">
            <xccdf-1.2:Profile id="xccdf_org.ssgproject.content_profile_anssi_bp28_intermediary">
            <xccdf-1.2:Profile id="xccdf_org.ssgproject.content_profile_anssi_bp28_minimal">
            <xccdf-1.2:Profile id="xccdf_org.ssgproject.content_profile_cis">
            <xccdf-1.2:Profile id="xccdf_org.ssgproject.content_profile_cis_server_l1">
            <xccdf-1.2:Profile id="xccdf_org.ssgproject.content_profile_cis_workstation_l1">
            <xccdf-1.2:Profile id="xccdf_org.ssgproject.content_profile_cis_workstation_l2">
            <xccdf-1.2:Profile id="xccdf_org.ssgproject.content_profile_cui">
            <xccdf-1.2:Profile id="xccdf_org.ssgproject.content_profile_e8">
            <xccdf-1.2:Profile id="xccdf_org.ssgproject.content_profile_hipaa">
            <xccdf-1.2:Profile id="xccdf_org.ssgproject.content_profile_ism_o">
            <xccdf-1.2:Profile id="xccdf_org.ssgproject.content_profile_ospp">
            <xccdf-1.2:Profile id="xccdf_org.ssgproject.content_profile_pci-dss">
            <xccdf-1.2:Profile id="xccdf_org.ssgproject.content_profile_stig">
            <xccdf-1.2:Profile id="xccdf_org.ssgproject.content_profile_stig_gui">

      The id attribute provides a unique identifier for each profile. You use this identifier with the oscap command to indicate which profile to use during a system scan.

    3. The oscap info command can also parse this XML file and display the profiles.

      [root@serverc ~]# oscap info /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml
      WARNING: Datastream component 'scap_org.open-scap_cref_security-data-oval-com.redhat.rhsa-RHEL9.xml.bz2' points out to the remote 'https://access.redhat.com/security/data/oval/com.redhat.rhsa-RHEL9.xml.bz2'. Use '--fetch-remote-resources' option to download it.
      WARNING: Skipping 'https://access.redhat.com/security/data/oval/com.redhat.rhsa-RHEL9.xml.bz2' file which is referenced from datastream
      Document type: Source Data Stream
      Imported: 2023-02-14T07:34:39
      
      Stream: scap_org.open-scap_datastream_from_xccdf_ssg-rhel9-xccdf.xml
      Generated: (null)
      Version: 1.3
      Checklists:
      	Ref-Id: scap_org.open-scap_cref_ssg-rhel9-xccdf.xml
      		Status: draft
      		Generated: 2023-02-14
      		Resolved: true
      		Profiles:
      			Title: ANSSI-BP-028 (enhanced)
      				Id: xccdf_org.ssgproject.content_profile_anssi_bp28_enhanced
      			Title: ANSSI-BP-028 (high)
      				Id: xccdf_org.ssgproject.content_profile_anssi_bp28_high
      			Title: ANSSI-BP-028 (intermediary)
      				Id: xccdf_org.ssgproject.content_profile_anssi_bp28_intermediary
      			Title: ANSSI-BP-028 (minimal)
      				Id: xccdf_org.ssgproject.content_profile_anssi_bp28_minimal
      			Title: CIS Red Hat Enterprise Linux 9 Benchmark for Level 2 - Server
      				Id: xccdf_org.ssgproject.content_profile_cis
      			Title: CIS Red Hat Enterprise Linux 9 Benchmark for Level 1 - Server
      				Id: xccdf_org.ssgproject.content_profile_cis_server_l1
      			Title: CIS Red Hat Enterprise Linux 9 Benchmark for Level 1 - Workstation
      				Id: xccdf_org.ssgproject.content_profile_cis_workstation_l1
      			Title: CIS Red Hat Enterprise Linux 9 Benchmark for Level 2 - Workstation
      				Id: xccdf_org.ssgproject.content_profile_cis_workstation_l2
      			Title: [DRAFT] Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)
      				Id: xccdf_org.ssgproject.content_profile_cui
      ...output omitted...

      The warnings indicate that the data stream references remote resources (here, the Red Hat OVAL vulnerability feed) that the oscap command downloads only when you pass the --fetch-remote-resources option; without it, oscap skips the checks that depend on them. For the purposes of this guided exercise, you can ignore the warnings.
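      The grep in step 2.2 and the oscap info output in step 2.3 both read the same XCCDF Profile elements from the data stream. The following script is an added example, not part of the course material or of the OpenSCAP project: it parses those elements with a real XML parser, pairs each profile id with its title, counts the rules a profile selects, and lists the remote components behind the --fetch-remote-resources warning. The embedded XML is a constructed, heavily trimmed stand-in for /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml (the rule ids in it are made up); pass the path of the real file as the first argument to inspect it instead.

```python
"""Inspect a SCAP source data stream without running a scan (added example)."""
import sys
import xml.etree.ElementTree as ET

# Namespace URIs of SCAP 1.3 source data streams, XCCDF 1.2 and XLink.
NS = {
    "ds": "http://scap.nist.gov/schema/scap/source/1.2",
    "xccdf": "http://checklists.nist.gov/xccdf/1.2",
    "xlink": "http://www.w3.org/1999/xlink",
}

# Constructed sample data stream. Profile ids, titles and the remote OVAL
# reference mirror the exercise output; the *_rule_sample_* ids are made up.
SAMPLE_DS = """<ds:data-stream-collection
    xmlns:ds="http://scap.nist.gov/schema/scap/source/1.2"
    xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2"
    xmlns:xlink="http://www.w3.org/1999/xlink">
  <ds:data-stream id="scap_org.open-scap_datastream_from_xccdf_ssg-rhel9-xccdf.xml">
    <ds:checklists>
      <ds:component-ref id="scap_org.open-scap_cref_ssg-rhel9-xccdf.xml"
          xlink:href="#scap_org.open-scap_comp_ssg-rhel9-xccdf.xml"/>
    </ds:checklists>
    <ds:checks>
      <ds:component-ref id="scap_org.open-scap_cref_security-data-oval-com.redhat.rhsa-RHEL9.xml.bz2"
          xlink:href="https://access.redhat.com/security/data/oval/com.redhat.rhsa-RHEL9.xml.bz2"/>
    </ds:checks>
  </ds:data-stream>
  <ds:component id="scap_org.open-scap_comp_ssg-rhel9-xccdf.xml">
    <xccdf-1.2:Benchmark id="xccdf_org.ssgproject.content_benchmark_RHEL-9">
      <xccdf-1.2:Profile id="xccdf_org.ssgproject.content_profile_cis_server_l1">
        <xccdf-1.2:title>CIS Red Hat Enterprise Linux 9 Benchmark for Level 1 - Server</xccdf-1.2:title>
        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sample_gpgcheck" selected="true"/>
        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sample_telnet_removed" selected="false"/>
      </xccdf-1.2:Profile>
      <xccdf-1.2:Profile id="xccdf_org.ssgproject.content_profile_stig">
        <xccdf-1.2:title>DISA STIG for Red Hat Enterprise Linux 9</xccdf-1.2:title>
        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sample_gpgcheck" selected="true"/>
        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sample_telnet_removed" selected="true"/>
      </xccdf-1.2:Profile>
    </xccdf-1.2:Benchmark>
  </ds:component>
</ds:data-stream-collection>
"""


def list_profiles(ds_xml):
    """Return (id, title) pairs for every XCCDF profile, in document order."""
    root = ET.fromstring(ds_xml)
    result = []
    for prof in root.iter("{%s}Profile" % NS["xccdf"]):
        title = prof.find("xccdf:title", NS)
        text = title.text.strip() if title is not None and title.text else ""
        result.append((prof.get("id"), text))
    return result


def selected_rules(ds_xml, profile_id):
    """Return the rule ids a profile enables (select elements with selected="true").

    An unknown profile id raises KeyError, so a typo in the id you would hand to
    oscap --profile fails loudly instead of silently yielding an empty rule list.
    """
    root = ET.fromstring(ds_xml)
    for prof in root.iter("{%s}Profile" % NS["xccdf"]):
        if prof.get("id") == profile_id:
            return [sel.get("idref") for sel in prof.findall("xccdf:select", NS)
                    if sel.get("selected") == "true"]
    raise KeyError(profile_id)


def remote_resources(ds_xml):
    """Return the URLs of components the data stream references over the network.

    These are the resources oscap fetches only with --fetch-remote-resources;
    local components use a fragment reference (#...) and are not listed.
    """
    root = ET.fromstring(ds_xml)
    href_attr = "{%s}href" % NS["xlink"]
    return [ref.get(href_attr)
            for ref in root.iter("{%s}component-ref" % NS["ds"])
            if ref.get(href_attr, "").startswith(("http://", "https://"))]


if __name__ == "__main__":
    # With a path argument, read the real data stream as bytes; otherwise use the sample.
    xml_text = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DS
    for pid, title in list_profiles(xml_text):
        count = len(selected_rules(xml_text, pid))
        print("%s\n    %s  (%d rules selected)" % (title, pid, count))
    for url in remote_resources(xml_text):
        print("remote resource:", url)
```

      Run it as "python3 list_profiles.py /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml" on serverc to see the full profile list from step 2.2 with titles attached, which is more reliable than the grep because profile ids and titles are matched by element rather than by line pattern.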

  3. Generate the HTML security guide for the DISA STIG for Red Hat Enterprise Linux 9 profile (xccdf_org.ssgproject.content_profile_stig) and review the security rules that are included in that profile.

    1. One way to retrieve the rules that are associated with a profile is to consult the /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml XCCDF XML file. However, the oscap command can generate a more readable HTML version of the security guide for a specific profile.

      Use the oscap xccdf generate guide command to generate the HTML security guide for the DISA STIG for Red Hat Enterprise Linux 9 profile.

      [root@serverc ~]# oscap xccdf generate guide \
          --profile xccdf_org.ssgproject.content_profile_stig \
          /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml > guide.html
      [root@serverc ~]#
    2. Use scp to copy the guide.html file to workstation so that you can use Firefox to display it. Use student as the password.

      [root@serverc ~]# scp guide.html student@workstation:
      The authenticity of host 'workstation (172.25.250.9)' can't be established.
      ED25519 key fingerprint is SHA256:Lavlr4HiIVFIWK+OEt/1swi7gAyFe5WO5vc7HP4VhGo.
      This key is not known by any other names
      Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
      Warning: Permanently added 'workstation' (ED25519) to the list of known hosts.
      student@workstation's password: student
      guide.html                                        100% 7493KB 171.6MB/s   00:00
    3. Log off from serverc.

      [root@serverc ~]# logout
      [student@serverc ~]$ logout
      [student@workstation ~]$
    4. Use Firefox to display the guide.html file. Browse through the page and review some rules. Close Firefox when you are done.

      [student@workstation ~]$ firefox guide.html

      Navigate to Table of Contents → System Settings. Click the Installing and Maintaining Software link to review the Updating Software group information and the Ensure gpgcheck Enabled In Main dnf Configuration rule details.

  4. On workstation, use the SCAP Workbench graphical utility to review the DISA STIG for Red Hat Enterprise Linux 9 profile from the SCAP Security Guide.

    1. Install the scap-workbench package.

      [student@workstation ~]$ sudo dnf install scap-workbench
      ...output omitted...
      Complete!
    2. Use the scap-workbench command to start SCAP Workbench.

      [student@workstation ~]$ scap-workbench

      SCAP Workbench detects that the SCAP Security Guide is already installed on the system and asks you to select the content to use.

      In the Select content to load field, select RHEL9 and click Load Content.

    3. Locate the Profile field and select DISA STIG for Red Hat Enterprise Linux 9. The lower part of the window displays the rules that are associated with that profile. Review the rules but do not initiate a scan at this time. Close SCAP Workbench when you are done exploring.

Finish

On the workstation machine, use the lab command to complete this exercise. This step is important to ensure that resources from previous exercises do not impact upcoming exercises.

[student@workstation ~]$ lab finish openscap-installing

Revision: rh415-9.2-a821299