Perform a vulnerability scan with Openscap scanner

Everything Linux, A.I, IT News, DataOps, Open Source and more delivered right to you.
Subscribe
"The best Linux newsletter on the web"

Introduction

RHEL 7 makes it simple to support secure and compliant systems with the openscap scanner. Also, try openssl.

What is SCAP?

SCAP (Security Content Automation Protocol) is a NIST project that standardizes the language for describing assessment criteria and findings. It also provides a vulnerability rating system. 

The critical components of SCAP are:

  • XCCDF: The Extensible Configuration Checklist Description Format, to describe security checklists
  • OVAL®: Open Vulnerability and Assessment Language, a declarative language for making logical assertions about the state of a system
  • CCE™: Common Configuration Enumeration
  • CPE™: Common Platform Enumeration
  • CVE®: Common Vulnerabilities and Exposures
  • CVSS: Common Vulnerability Scoring System

OpenSCAP is a project that fulfills tools for performing SCAP scans and remediating findings.

Read more about the project at http://www.open-scap.org/ and the repository for their tools and profiles on GitHub at https://github.com/OpenSCAP/openscap/. Red Hat ships SCAP content in the SCAP guide, but the content the OpenSCAP uses is under active development, and the latest version can be found at: http://www.github.com/ComplianceAsCode.

Install Httpd and OpenSCAP scanner

Ensure Apache HTTPd plus the OpenSCAP scanner and definitions are installed with the command below; it’s safe to run even if the packages already exist:

# sudo yum install -y httpd openscap-scanner scap-security-guide

The scap-security-guide package contains prepared system profiles for several RHEL releases and system types; they are installed under /usr/share/xml/scap/ssg/content.
You can get a summary of the profiles in a given definition file with the following command:

# oscap info --fetch-remote-resources /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml

Output:

[root@master ~]# oscap info --fetch-remote-resources /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
Document type: Source Data Stream
Imported: 2021-04-28T13:42:03

Stream: scap_org.open-scap_datastream_from_xccdf_ssg-rhel7-xccdf-1.2.xml
Generated: (null)
Version: 1.3
Checklists:
        Ref-Id: scap_org.open-scap_cref_ssg-rhel7-xccdf-1.2.xml
Downloading: https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL7.xml ... ok
                Status: draft
                Generated: 2021-04-28
                Resolved: true
                Profiles:
                        Title: NIST National Checklist Program Security Guide
                                Id: xccdf_org.ssgproject.content_profile_ncp
                        Title: DRAFT - ANSSI-BP-028 (high)
                                Id: xccdf_org.ssgproject.content_profile_anssi_nt28_high
                        Title: OSPP - Protection Profile for General Purpose Operating Systems v4.2.1
                                Id: xccdf_org.ssgproject.content_profile_ospp
                        Title: ANSSI-BP-028 (intermediary)
                                Id: xccdf_org.ssgproject.content_profile_anssi_nt28_intermediary
                        Title: Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)
                                Id: xccdf_org.ssgproject.content_profile_rht-ccp
                        Title: ANSSI-BP-028 (enhanced)
                                Id: xccdf_org.ssgproject.content_profile_anssi_nt28_enhanced
                        Title: [DRAFT] DISA STIG for Red Hat Enterprise Linux Virtualization Host (RHELH)
                                Id: xccdf_org.ssgproject.content_profile_rhelh-stig
                        Title: CIS Red Hat Enterprise Linux 7 Benchmark
                                Id: xccdf_org.ssgproject.content_profile_cis
                        Title: Unclassified Information in Non-federal Information Systems and Organizations (NIS
T 800-171)
                                Id: xccdf_org.ssgproject.content_profile_cui
                                Id: xccdf_org.ssgproject.content_profile_e8
                        Title: ANSSI-BP-028 (minimal)
                                Id: xccdf_org.ssgproject.content_profile_anssi_nt28_minimal
                        Title: Health Insurance Portability and Accountability Act (HIPAA)
                                Id: xccdf_org.ssgproject.content_profile_hipaa
                        Title: DISA STIG for Red Hat Enterprise Linux 7
                                Id: xccdf_org.ssgproject.content_profile_stig
                        Title: PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 7
                                Id: xccdf_org.ssgproject.content_profile_pci-dss
                Referenced check files:
                        ssg-rhel7-oval.xml
                                system: http://oval.mitre.org/XMLSchema/oval-definitions-5
                        ssg-rhel7-ocil.xml
                                system: http://scap.nist.gov/schema/ocil/2
                        security-data-oval-com.redhat.rhsa-RHEL7.xml
                                system: http://oval.mitre.org/XMLSchema/oval-definitions-5
        Ref-Id: scap_org.open-scap_cref_ssg-rhel7-pcidss-xccdf-1.2.xml
Downloading: https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL7.xml ... ok
                Status: draft
                Generated: 2021-04-28
                Resolved: true
                Profiles:
                        Title: PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 7
                                Id: xccdf_org.ssgproject.content_profile_pci-dss_centric
                Referenced check files:
                        ssg-rhel7-oval.xml
                                system: http://oval.mitre.org/XMLSchema/oval-definitions-5
                        ssg-rhel7-ocil.xml
                                system: http://scap.nist.gov/schema/ocil/2
                        security-data-oval-com.redhat.rhsa-RHEL7.xml
                                system: http://oval.mitre.org/XMLSchema/oval-definitions-5
Checks:
        Ref-Id: scap_org.open-scap_cref_ssg-rhel7-oval.xml
        Ref-Id: scap_org.open-scap_cref_ssg-rhel7-ocil.xml
        Ref-Id: scap_org.open-scap_cref_ssg-rhel7-cpe-oval.xml
        Ref-Id: scap_org.open-scap_cref_ssg-rhel7-oval.xml000
        Ref-Id: scap_org.open-scap_cref_ssg-rhel7-ocil.xml000
        Ref-Id: scap_org.open-scap_cref_security-data-oval-com.redhat.rhsa-RHEL7.xml
Dictionaries:
        Ref-Id: scap_org.open-scap_cref_ssg-rhel7-cpe-dictionary.xml
[root@master ~]#

Enable httpd for viewing compliance report from OpenSCAP scanner

Run the following to enable the Apache web server and allow the client access to it.

# firewall-cmd --permanent --zone=public --add-service=http
# systemctl reload firewalld
# systemctl enable --now httpd

Perform an initial compliance from openscap scanner

Perform a basic compliance scan using the OSPP profile for RHEL 8, run the following command; the profile is specified by supplying the Id field

[root@master ~]# sudo oscap xccdf eval --fetch-remote-resources --profile xccdf_org.ssgproject.content_profile_ospp --results-arf /t
mp/arf.xml --report /var/www/html/report.html /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
Downloading: https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL7.xml ... ok
Title   Install the dracut-fips Package
Rule    xccdf_org.ssgproject.content_rule_package_dracut-fips_installed
Ident   CCE-80358-5
Result  notapplicable

Title   Enable FIPS Mode in GRUB2
Rule    xccdf_org.ssgproject.content_rule_grub2_enable_fips_mode
Ident   CCE-80359-3
Result  notapplicable
................

.....
Title   Use Only FIPS 140-2 Validated Ciphers
Rule    xccdf_org.ssgproject.content_rule_sshd_use_approved_ciphers
Ident   CCE-27295-5
Result  notapplicable

Title   Disable Host-Based Authentication
Rule    xccdf_org.ssgproject.content_rule_disable_host_auth
Ident   CCE-27413-4
Result  notapplicable

Title   Disable GSSAPI Authentication
Rule    xccdf_org.ssgproject.content_rule_sshd_disable_gssapi_auth
Ident   CCE-80220-7
Result  notapplicable

Title   Disable SSH Root Login
Rule    xccdf_org.ssgproject.content_rule_sshd_disable_root_login
Ident   CCE-27445-6
Result  notapplicable

[root@master ~]#

The commands output the result of the compliance scan into an Asset Reporting Format (ARF) file and generate an HTML-based report. Execute the command completes, open this link in another tab to view the resulting report:

http://master.unixcop.com/report.html
Everything Linux, A.I, IT News, DataOps, Open Source and more delivered right to you.
Subscribe
"The best Linux newsletter on the web"
Mel
Melhttps://unixcop.com
Unix/Linux Guru and FOSS supporter

1 COMMENT

  1. Hi Mel,
    Thanks for quick review. I liked the –fetch-remote-resources option and some other options on the basic compliance scan command line you used above. I also liked the use of profiles from scap-security-guide package.

    Thanks, Tim

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Latest articles

Join us on Facebook