
Scanning and Analyzing Compliance

Objectives

  • Evaluate a server's compliance with the requirements that are specified by a policy from the SCAP Security Guide by using OpenSCAP tools.

Overview of the OpenSCAP Command-line Tool

You can use the oscap command-line tool to scan a system for compliance with a SCAP policy, to generate remediation scripts, and to create reports and guides.

The oscap command needs SCAP security content (policies and their checks) to work. The scap-security-guide package provides the SCAP Security Guide, which contains standard security policies for Linux systems. The package installs its content files in the /usr/share/xml/scap/ssg/content/ directory.

The files with names that end with -ds.xml in that directory are XCCDF data stream files.

[user@host ~]$ ls /usr/share/xml/scap/ssg/content/
ssg-rhel9-ds.xml

A single data stream file can define multiple profiles, and you choose one of them when scanning a system for compliance. To list the available profiles, use the oscap info command.

[user@host ~]$ oscap info /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml
WARNING: Datastream component 'scap_org.open-scap_cref_security-data-oval-com.redhat.rhsa-RHEL9.xml.bz2' points out to the remote 'https://access.redhat.com/security/data/oval/com.redhat.rhsa-RHEL9.xml.bz2'. Use '--fetch-remote-resources' option to download it.
WARNING: Skipping 'https://access.redhat.com/security/data/oval/com.redhat.rhsa-RHEL9.xml.bz2' file which is referenced from datastream
Document type: Source Data Stream
Imported: 2023-02-14T07:34:39

Stream: scap_org.open-scap_datastream_from_xccdf_ssg-rhel9-xccdf.xml
Generated: (null)
Version: 1.3
Checklists:
	Ref-Id: scap_org.open-scap_cref_ssg-rhel9-xccdf.xml
		Status: draft
		Generated: 2023-02-14
		Resolved: true
		Profiles:
			Title: ANSSI-BP-028 (enhanced)
				Id: xccdf_org.ssgproject.content_profile_anssi_bp28_enhanced
			Title: ANSSI-BP-028 (high)
				Id: xccdf_org.ssgproject.content_profile_anssi_bp28_high
			Title: ANSSI-BP-028 (intermediary)
				Id: xccdf_org.ssgproject.content_profile_anssi_bp28_intermediary
			Title: ANSSI-BP-028 (minimal)
				Id: xccdf_org.ssgproject.content_profile_anssi_bp28_minimal
...output omitted...
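The profile list that oscap info prints comes from the Profile elements in the Benchmark embedded in the data stream. The following Python script is an added example, not part of this course page or of the OpenSCAP project: it extracts the same profile IDs and titles with only the standard library and resolves a requested profile to its full ID before you hand it to --profile. The embedded document is a constructed, heavily trimmed stand-in for ssg-rhel9-ds.xml, and accepting the short name after _profile_ (for example stig) is a convenience of this script.

```python
import sys
import xml.etree.ElementTree as ET

# Namespaces used in an SSG source data stream (SCAP 1.3 with XCCDF 1.2).
NS = {
    "ds": "http://scap.nist.gov/schema/scap/source/1.2",
    "xccdf": "http://checklists.nist.gov/xccdf/1.2",
}

# Constructed, heavily trimmed stand-in for ssg-rhel9-ds.xml: only the data
# stream skeleton and the Benchmark/Profile elements that `oscap info` lists
# are kept. This is not a real SSG file.
SAMPLE_DS = """<?xml version="1.0" encoding="UTF-8"?>
<ds:data-stream-collection
    xmlns:ds="http://scap.nist.gov/schema/scap/source/1.2"
    xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
    id="scap_org.open-scap_collection_from_xccdf_ssg-rhel9-xccdf.xml">
  <ds:data-stream id="scap_org.open-scap_datastream_from_xccdf_ssg-rhel9-xccdf.xml"
      scap-version="1.3" use-case="OTHER">
    <ds:checklists>
      <ds:component-ref id="scap_org.open-scap_cref_ssg-rhel9-xccdf.xml"/>
    </ds:checklists>
  </ds:data-stream>
  <ds:component id="scap_org.open-scap_comp_ssg-rhel9-xccdf.xml"
      timestamp="2023-02-14T07:34:39">
    <xccdf:Benchmark id="xccdf_org.ssgproject.content_benchmark_RHEL-9">
      <xccdf:status date="2023-02-14">draft</xccdf:status>
      <xccdf:Profile id="xccdf_org.ssgproject.content_profile_anssi_bp28_enhanced">
        <xccdf:title>ANSSI-BP-028 (enhanced)</xccdf:title>
      </xccdf:Profile>
      <xccdf:Profile id="xccdf_org.ssgproject.content_profile_anssi_bp28_high">
        <xccdf:title>ANSSI-BP-028 (high)</xccdf:title>
      </xccdf:Profile>
      <xccdf:Profile id="xccdf_org.ssgproject.content_profile_stig">
        <xccdf:title>DISA STIG for Red Hat Enterprise Linux 9</xccdf:title>
      </xccdf:Profile>
    </xccdf:Benchmark>
  </ds:component>
</ds:data-stream-collection>
"""


def list_profiles(ds_xml):
    """Return (profile id, title) pairs for every Profile in the data stream.

    Profiles are collected in document order from anywhere below the root, so
    the function does not depend on how deeply the Benchmark is nested.
    """
    root = ET.fromstring(ds_xml)
    profiles = []
    for prof in root.iter("{%s}Profile" % NS["xccdf"]):
        title = prof.findtext("xccdf:title", default="", namespaces=NS)
        profiles.append((prof.get("id"), title.strip()))
    return profiles


def resolve_profile(ds_xml, requested):
    """Map a requested profile to its full id, or raise ValueError.

    Accepts the full id or, as a convenience of this script, the part after
    '_profile_' (for example 'stig'). The error lists what is available.
    """
    available = [pid for pid, _ in list_profiles(ds_xml)]
    for pid in available:
        if pid == requested or pid.rsplit("_profile_", 1)[-1] == requested:
            return pid
    raise ValueError("profile %r not found; available: %s"
                     % (requested, ", ".join(available)))


if __name__ == "__main__":
    # Usage: python3 list_profiles.py [path/to/ssg-rhel9-ds.xml] [profile]
    ds_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DS
    for pid, title in list_profiles(ds_text):
        print("%-62s %s" % (pid, title))
    if len(sys.argv) > 2:
        print("Use --profile", resolve_profile(ds_text, sys.argv[2]))
```

Run it against the real file with python3 list_profiles.py /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml stig to confirm the profile ID before scripting a scan around it; an unknown name fails with the list of valid IDs instead of silently scanning with the wrong policy.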

Scanning a System for Compliance

To scan a system, install the openscap-scanner and scap-security-guide packages on that system, and select the XCCDF data stream file and the profile that you intend to use.

Run the oscap xccdf eval command to scan the system. Provide the data stream file as an argument, and the identifier of the profile to use with the --profile option. The command displays the result of each test on the standard output, and you can save these results in an XML file with the --results option. With that file, you can later generate reports and remediation scripts.

The following example uses the oscap xccdf eval command to scan the local system. The example uses the /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml data stream file for Red Hat Enterprise Linux 9. The security profile that is applied from the data stream is the DISA STIG for Red Hat Enterprise Linux 9 profile (xccdf_org.ssgproject.content_profile_stig). The command in the example saves the results to the /root/results.xml file.

[root@host ~]# oscap xccdf eval \
    --profile xccdf_org.ssgproject.content_profile_stig \
    --results /root/results.xml \
    /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml
WARNING: Datastream component 'scap_org.open-scap_cref_security-data-oval-com.redhat.rhsa-RHEL9.xml.bz2' points out to the remote 'https://access.redhat.com/security/data/oval/com.redhat.rhsa-RHEL9.xml.bz2'. Use '--fetch-remote-resources' option to download it.
WARNING: Skipping 'https://access.redhat.com/security/data/oval/com.redhat.rhsa-RHEL9.xml.bz2' file which is referenced from datastream
WARNING: Skipping ./security-data-oval-com.redhat.rhsa-RHEL9.xml.bz2 file which is referenced from XCCDF content
--- Starting Evaluation ---

Title   Install AIDE
Rule    xccdf_org.ssgproject.content_rule_package_aide_installed
Ident   CCE-90843-4
Result  fail

Title   Configure AIDE to Verify the Audit Tools
Rule    xccdf_org.ssgproject.content_rule_aide_check_audit_tools
Ident   CCE-87757-1
Result  fail

Title   Configure Periodic Execution of AIDE
Rule    xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking
Ident   CCE-83437-4
Result  fail

Title   Configure Notification of Post-AIDE Scan Details
Rule    xccdf_org.ssgproject.content_rule_aide_scan_notification
Ident   CCE-90844-2
Result  fail

Title   Configure AIDE to Verify Access Control Lists (ACLs)
Rule    xccdf_org.ssgproject.content_rule_aide_verify_acls
Ident   CCE-90837-6
Result  fail

Title   Configure AIDE to Verify Extended Attributes
Rule    xccdf_org.ssgproject.content_rule_aide_verify_ext_attributes
Ident   CCE-83439-0
Result  fail

Title   Audit Tools Must Be Group-owned by Root
Rule    xccdf_org.ssgproject.content_rule_file_audit_tools_group_ownership
Ident   CCE-86240-9
Result  pass

...output omitted...

You must run the command as the root user because the scan process might need to evaluate files that are only accessible to the root user.

Notice the warning messages in the command output. The scan skips the remote OVAL file that the warnings name, because checking for missing patches requires an up-to-date list of Red Hat security patches that is not shipped in the package. If the system can access the internet, then the oscap command can download that list from Red Hat. In that case, add the --fetch-remote-resources option.
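The file that --results writes is the input for the report and remediation steps, and you can also process it directly, for example to fail a build or ticket the failures. The following Python script is an added example, not part of this course page or of OpenSCAP: it reads the rule-result elements from a results file, totals them by result value, tallies failed rules by severity (the same totals the HTML report presents under Compliance and Scoring), and lists the failures at or above a chosen severity. The embedded results document is constructed here in the shape oscap writes (an assumption); its rule IDs and CCE identifiers are taken from the scan output above, but the severities assigned to them are made up for the example.

```python
import sys
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF = "http://checklists.nist.gov/xccdf/1.2"
NS = {"xccdf": XCCDF}

# XCCDF severity levels, lowest first; used to rank and filter failed rules.
SEVERITY_ORDER = ["unknown", "info", "low", "medium", "high"]

# Constructed sample in the shape oscap writes to the --results file
# (assumption): a Benchmark whose TestResult carries one rule-result per
# evaluated rule. Rule ids and CCE identifiers come from the scan output on
# this page; the severity values are made up for the example.
SAMPLE_RESULTS = """<?xml version="1.0" encoding="UTF-8"?>
<xccdf:Benchmark xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
    id="xccdf_org.ssgproject.content_benchmark_RHEL-9">
  <xccdf:TestResult id="xccdf_org.open-scap_testresult_xccdf_org.ssgproject.content_profile_stig"
      start-time="2023-03-01T10:00:00" end-time="2023-03-01T10:02:11">
    <xccdf:target>host.example.com</xccdf:target>
    <xccdf:profile idref="xccdf_org.ssgproject.content_profile_stig"/>
    <xccdf:rule-result idref="xccdf_org.ssgproject.content_rule_package_aide_installed" severity="medium">
      <xccdf:result>fail</xccdf:result>
      <xccdf:ident system="https://ncp.nist.gov/cce">CCE-90843-4</xccdf:ident>
    </xccdf:rule-result>
    <xccdf:rule-result idref="xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking" severity="medium">
      <xccdf:result>fail</xccdf:result>
      <xccdf:ident system="https://ncp.nist.gov/cce">CCE-83437-4</xccdf:ident>
    </xccdf:rule-result>
    <xccdf:rule-result idref="xccdf_org.ssgproject.content_rule_file_audit_tools_group_ownership" severity="medium">
      <xccdf:result>pass</xccdf:result>
      <xccdf:ident system="https://ncp.nist.gov/cce">CCE-86240-9</xccdf:ident>
    </xccdf:rule-result>
    <xccdf:rule-result idref="xccdf_org.ssgproject.content_rule_example_high" severity="high">
      <xccdf:result>fail</xccdf:result>
    </xccdf:rule-result>
    <xccdf:rule-result idref="xccdf_org.ssgproject.content_rule_example_na" severity="low">
      <xccdf:result>notapplicable</xccdf:result>
    </xccdf:rule-result>
  </xccdf:TestResult>
</xccdf:Benchmark>
"""


def _rank(severity):
    """Position of a severity in SEVERITY_ORDER; unrecognised values rank lowest."""
    return SEVERITY_ORDER.index(severity) if severity in SEVERITY_ORDER else 0


def parse_rule_results(results_xml):
    """Return one dict per rule-result: rule id, severity, result and CCE ident."""
    root = ET.fromstring(results_xml)
    rows = []
    for rr in root.iter("{%s}rule-result" % XCCDF):
        rows.append({
            "rule": rr.get("idref"),
            "severity": rr.get("severity", "unknown"),
            "result": rr.findtext("xccdf:result", default="unknown", namespaces=NS).strip(),
            "ident": rr.findtext("xccdf:ident", default="", namespaces=NS).strip(),
        })
    return rows


def summarize(rows):
    """Totals per result value, and the number of failed rules per severity."""
    by_result = Counter(r["result"] for r in rows)
    failed_by_severity = Counter(r["severity"] for r in rows if r["result"] == "fail")
    return by_result, failed_by_severity


def failed_rules(rows, min_severity="low"):
    """Failed rules at or above min_severity, highest severity first, then by id."""
    threshold = _rank(min_severity)
    hits = [r for r in rows if r["result"] == "fail" and _rank(r["severity"]) >= threshold]
    return sorted(hits, key=lambda r: (-_rank(r["severity"]), r["rule"]))


if __name__ == "__main__":
    # Usage: python3 summarize_results.py [/root/results.xml] [min_severity]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RESULTS
    rows = parse_rule_results(text)
    by_result, by_severity = summarize(rows)
    print("results:", dict(by_result))
    print("failed by severity:", dict(by_severity))
    for r in failed_rules(rows, sys.argv[2] if len(sys.argv) > 2 else "low"):
        print("%-8s %-12s %s" % (r["severity"], r["ident"] or "-", r["rule"]))
```

For a quick pass/fail gate you do not need to parse anything: oscap xccdf eval exits with status 0 when every rule passes, 2 when at least one rule fails, and 1 on an error, so a wrapper script can branch on the exit status and only run this summary when it is 2.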

Generating and Viewing the HTML Report

After the scan is complete, you can use the resulting XML file to generate a complete report in HTML format.

Run the oscap xccdf generate report command.

[root@host ~]# oscap xccdf generate report results.xml > results.html

After you generate the results.html file, use Mozilla Firefox or another web browser to view it.

[root@host ~]# firefox results.html

In Firefox, navigate to the Evaluation Characteristics section to view initial details related to the target system of the compliance scan. This section includes scan characteristics, such as the name of the system that is targeted for evaluation, start and finish times, network addresses, and other scan results.

Figure 9.3: Evaluation characteristics for the OpenSCAP scan

Navigate to the Compliance and Scoring section to view a chart of the total number of rules that either passed or failed compliance, and the totals of severity levels for failed rules.

Figure 9.4: Compliance and scoring totals of the OpenSCAP scan results

Navigate to the Rule Overview section to view rule groups. The selection for the Group rules by list is currently set to Default. You can choose the Severity or Result options to change the grouping view to meet specific needs.

The default view groups rules by title. Rules can have several types of results, but the most common are pass and fail, which indicate whether the scan found that particular security control to be satisfied.

Figure 9.5: Rule overview group views

Clicking a rule title, such as Ensure gpgcheck Enabled for All dnf Package Repositories, opens a dialog where you can examine why a particular OpenSCAP security rule failed or passed.

Figure 9.6: Individual rule details

References

oscap(8) man page

For more information, refer to the Assessing Configuration Compliance with a Specific Baseline section in the Scanning the System for Configuration Compliance and Vulnerabilities chapter in the Security Hardening guide at https://access.redhat.com/documentation/es-es/red_hat_enterprise_linux/9/html-single/security_hardening/index#assessing-configuration-compliance-with-a-specific-baseline_configuration-compliance-scanning

For more information from the OpenSCAP project about the policies that are available in the SCAP Security Guide and how to select them, refer to Choosing a Policy at https://www.open-scap.org/security-policies/choosing-policy/

Revision: rh415-9.2-a821299