Introduction
RHEL 7 makes it simple to keep systems secure and compliant with the OpenSCAP scanner. Also, try openssl.
What is SCAP?
SCAP (Security Content Automation Protocol) is a NIST project that standardizes the language for describing assessment criteria and findings. It also provides a vulnerability rating system.
The critical components of SCAP are:
- XCCDF: The Extensible Configuration Checklist Description Format, to describe security checklists
- OVAL®: Open Vulnerability and Assessment Language, a declarative language for making logical assertions about the state of a system
- CCE™: Common Configuration Enumeration
- CPE™: Common Platform Enumeration
- CVE®: Common Vulnerabilities and Exposures
- CVSS: Common Vulnerability Scoring System
OpenSCAP is a project that provides tools for performing SCAP scans and remediating findings.
Read more about the project at http://www.open-scap.org/ and find the repository for their tools on GitHub at https://github.com/OpenSCAP/openscap/. Red Hat ships SCAP content in the scap-security-guide package, but the content OpenSCAP uses is under active development, and the latest version can be found at http://www.github.com/ComplianceAsCode.
Install httpd and the OpenSCAP scanner
Ensure Apache HTTPd plus the OpenSCAP scanner and definitions are installed with the command below; it’s safe to run even if the packages already exist:
# sudo yum install -y httpd openscap-scanner scap-security-guide
The scap-security-guide package contains prepared system profiles for several RHEL releases and system types; they are installed under /usr/share/xml/scap/ssg/content.
You can get a summary of the profiles in a given definition file with the following command:
# oscap info --fetch-remote-resources /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
Output:
[root@master ~]# oscap info --fetch-remote-resources /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
Document type: Source Data Stream
Imported: 2021-04-28T13:42:03
Stream: scap_org.open-scap_datastream_from_xccdf_ssg-rhel7-xccdf-1.2.xml
Generated: (null)
Version: 1.3
Checklists:
Ref-Id: scap_org.open-scap_cref_ssg-rhel7-xccdf-1.2.xml
Downloading: https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL7.xml ... ok
Status: draft
Generated: 2021-04-28
Resolved: true
Profiles:
Title: NIST National Checklist Program Security Guide
Id: xccdf_org.ssgproject.content_profile_ncp
Title: DRAFT - ANSSI-BP-028 (high)
Id: xccdf_org.ssgproject.content_profile_anssi_nt28_high
Title: OSPP - Protection Profile for General Purpose Operating Systems v4.2.1
Id: xccdf_org.ssgproject.content_profile_ospp
Title: ANSSI-BP-028 (intermediary)
Id: xccdf_org.ssgproject.content_profile_anssi_nt28_intermediary
Title: Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)
Id: xccdf_org.ssgproject.content_profile_rht-ccp
Title: ANSSI-BP-028 (enhanced)
Id: xccdf_org.ssgproject.content_profile_anssi_nt28_enhanced
Title: [DRAFT] DISA STIG for Red Hat Enterprise Linux Virtualization Host (RHELH)
Id: xccdf_org.ssgproject.content_profile_rhelh-stig
Title: CIS Red Hat Enterprise Linux 7 Benchmark
Id: xccdf_org.ssgproject.content_profile_cis
Title: Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)
Id: xccdf_org.ssgproject.content_profile_cui
Id: xccdf_org.ssgproject.content_profile_e8
Title: ANSSI-BP-028 (minimal)
Id: xccdf_org.ssgproject.content_profile_anssi_nt28_minimal
Title: Health Insurance Portability and Accountability Act (HIPAA)
Id: xccdf_org.ssgproject.content_profile_hipaa
Title: DISA STIG for Red Hat Enterprise Linux 7
Id: xccdf_org.ssgproject.content_profile_stig
Title: PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 7
Id: xccdf_org.ssgproject.content_profile_pci-dss
Referenced check files:
ssg-rhel7-oval.xml
system: http://oval.mitre.org/XMLSchema/oval-definitions-5
ssg-rhel7-ocil.xml
system: http://scap.nist.gov/schema/ocil/2
security-data-oval-com.redhat.rhsa-RHEL7.xml
system: http://oval.mitre.org/XMLSchema/oval-definitions-5
Ref-Id: scap_org.open-scap_cref_ssg-rhel7-pcidss-xccdf-1.2.xml
Downloading: https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL7.xml ... ok
Status: draft
Generated: 2021-04-28
Resolved: true
Profiles:
Title: PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 7
Id: xccdf_org.ssgproject.content_profile_pci-dss_centric
Referenced check files:
ssg-rhel7-oval.xml
system: http://oval.mitre.org/XMLSchema/oval-definitions-5
ssg-rhel7-ocil.xml
system: http://scap.nist.gov/schema/ocil/2
security-data-oval-com.redhat.rhsa-RHEL7.xml
system: http://oval.mitre.org/XMLSchema/oval-definitions-5
Checks:
Ref-Id: scap_org.open-scap_cref_ssg-rhel7-oval.xml
Ref-Id: scap_org.open-scap_cref_ssg-rhel7-ocil.xml
Ref-Id: scap_org.open-scap_cref_ssg-rhel7-cpe-oval.xml
Ref-Id: scap_org.open-scap_cref_ssg-rhel7-oval.xml000
Ref-Id: scap_org.open-scap_cref_ssg-rhel7-ocil.xml000
Ref-Id: scap_org.open-scap_cref_security-data-oval-com.redhat.rhsa-RHEL7.xml
Dictionaries:
Ref-Id: scap_org.open-scap_cref_ssg-rhel7-cpe-dictionary.xml
[root@master ~]#
Enable httpd for viewing the compliance report from the OpenSCAP scanner
Run the following to open the HTTP service in the firewall and enable the Apache web server, so clients can reach the report:
# firewall-cmd --permanent --zone=public --add-service=http
# systemctl reload firewalld
# systemctl enable --now httpd
Perform an initial compliance scan with the OpenSCAP scanner
To perform a basic compliance scan using the OSPP profile, run the following command; the profile is selected by supplying its Id field to --profile:
[root@master ~]# sudo oscap xccdf eval --fetch-remote-resources --profile xccdf_org.ssgproject.content_profile_ospp --results-arf /tmp/arf.xml --report /var/www/html/report.html /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
Downloading: https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL7.xml ... ok
Title Install the dracut-fips Package
Rule xccdf_org.ssgproject.content_rule_package_dracut-fips_installed
Ident CCE-80358-5
Result notapplicable
Title Enable FIPS Mode in GRUB2
Rule xccdf_org.ssgproject.content_rule_grub2_enable_fips_mode
Ident CCE-80359-3
Result notapplicable
................
.....
Title Use Only FIPS 140-2 Validated Ciphers
Rule xccdf_org.ssgproject.content_rule_sshd_use_approved_ciphers
Ident CCE-27295-5
Result notapplicable
Title Disable Host-Based Authentication
Rule xccdf_org.ssgproject.content_rule_disable_host_auth
Ident CCE-27413-4
Result notapplicable
Title Disable GSSAPI Authentication
Rule xccdf_org.ssgproject.content_rule_sshd_disable_gssapi_auth
Ident CCE-80220-7
Result notapplicable
Title Disable SSH Root Login
Rule xccdf_org.ssgproject.content_rule_sshd_disable_root_login
Ident CCE-27445-6
Result notapplicable
[root@master ~]#
The command writes the result of the compliance scan to an Asset Reporting Format (ARF) file and generates an HTML report. Once the command completes, open the following link in another tab to view the report:
http://master.unixcop.com/report.html
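The HTML report is convenient for a human, but when the scan runs from cron or a pipeline you want the verdict on the command line. The script below is an added example, not part of the original article: it wraps the same oscap command as above (with an extra --results file, which oscap supports alongside --results-arf), then counts rule results per status straight from the XCCDF results XML. oscap's exit status is 0 when every rule passes, 1 on error and 2 when at least one rule fails, and the script preserves that. The results path /tmp/results.xml and the sample results file are assumptions of the example; the sample rule ids come from the scan output above, while their pass/fail statuses are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): wrap the scan from the post and
# summarize the XCCDF results so pass/fail counts are visible from the shell,
# without opening the HTML report. Assumes the install and firewall steps above
# are already done and that oscap is on PATH.
set -u

SSG_DS=/usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml   # data stream from the post
PROFILE=xccdf_org.ssgproject.content_profile_ospp          # profile Id from the post
RESULTS=/tmp/results.xml                                   # XCCDF results (assumed path)
ARF=/tmp/arf.xml
REPORT=/var/www/html/report.html

# Same scan as the post, plus --results so a machine-readable XCCDF result file is kept.
# oscap exit status: 0 = every rule passed, 1 = error, 2 = at least one rule failed.
run_scan() {
    oscap xccdf eval --fetch-remote-resources \
        --profile "$PROFILE" \
        --results "$RESULTS" \
        --results-arf "$ARF" \
        --report "$REPORT" \
        "$SSG_DS"
}

# Print one "status count" line per result status (pass, fail, notapplicable, ...)
# found in an XCCDF results file. Uses grep/sed/awk only, so no XML tooling is needed.
summarize_results() {
    grep -o '<result>[a-z]*</result>' "$1" \
        | sed 's#<result>\(.*\)</result>#\1#' \
        | sort | uniq -c \
        | awk '{ print $2, $1 }'
}

# Number of rules whose result is "fail" (prints 0 when there are none).
count_failed() {
    grep -c '<result>fail</result>' "$1" || true
}

# Constructed sample results file in XCCDF 1.2 shape, using rule ids that appear in
# the post's scan output; the statuses are made up for this example.
make_sample_results() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2">
  <TestResult id="xccdf_org.open-scap_testresult_xccdf_org.ssgproject.content_profile_ospp">
    <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_disable_root_login">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_disable_gssapi_auth">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_package_dracut-fips_installed">
      <result>notapplicable</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_disable_host_auth">
      <result>fail</result>
    </rule-result>
  </TestResult>
</Benchmark>
EOF
    echo "$f"
}

# Run the real scan and turn its exit status into a one-line verdict plus a summary.
main() {
    run_scan
    rc=$?
    case $rc in
        0) echo "scan complete: all rules passed" ;;
        2) echo "scan complete: $(count_failed "$RESULTS") rule(s) failed; see $REPORT" ;;
        *) echo "oscap exited with status $rc (error)" >&2; return 1 ;;
    esac
    summarize_results "$RESULTS"
    return $rc
}

# Only run the scan when invoked as "sh scan.sh scan", so sourcing the file is side-effect free.
case "${1:-}" in
    scan) main ;;
esac
```

Run it as root with `sh scan.sh scan`; the exit status is oscap's own, so a status of 2 can fail a job as soon as any rule fails, while the summary tells you how many rules were notapplicable versus actually failing, which the raw rule listing above makes hard to see at a glance.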
Hi Mel,
Thanks for the quick review. I liked the --fetch-remote-resources option and some other options on the basic compliance scan command line you used above. I also liked the use of profiles from the scap-security-guide package.
Thanks, Tim