Perform a vulnerability scan with the OpenSCAP scanner

Introduction

RHEL 7 ships the OpenSCAP scanner, which makes it straightforward to check a system against a published security baseline and keep it compliant.

What is SCAP?

SCAP (Security Content Automation Protocol) is a NIST specification suite that standardizes the languages used to describe assessment criteria and findings. It also includes a vulnerability scoring system (CVSS).

The critical components of SCAP are:

  • XCCDF: The Extensible Configuration Checklist Description Format, to describe security checklists
  • OVAL®: Open Vulnerability and Assessment Language, a declarative language for making logical assertions about the state of a system
  • CCE™: Common Configuration Enumeration
  • CPE™: Common Platform Enumeration
  • CVE®: Common Vulnerabilities and Exposures
  • CVSS: Common Vulnerability Scoring System

OpenSCAP is the open-source implementation of SCAP: it provides the oscap scanner and supporting tools for performing SCAP scans and remediating findings.

Read more about the project at http://www.open-scap.org/; the scanner's source code is on GitHub at https://github.com/OpenSCAP/openscap/. Red Hat ships ready-made SCAP content in the scap-security-guide package, but that content is developed upstream in the ComplianceAsCode project, where the latest version can be found: http://www.github.com/ComplianceAsCode.

Install Httpd and OpenSCAP scanner

Ensure Apache httpd, the OpenSCAP scanner and the SCAP Security Guide content are installed with the command below; it is safe to rerun if the packages are already present:

# yum install -y httpd openscap-scanner scap-security-guide

The scap-security-guide package contains prepared profiles for several RHEL releases and system types, packaged as SCAP source datastreams under /usr/share/xml/scap/ssg/content.
You can list the profiles a datastream carries with the following command. The --fetch-remote-resources option also downloads the Red Hat OVAL vulnerability feed that the datastream references, so it needs outbound Internet access; omit it on an isolated host and the local checks are still listed:

# oscap info --fetch-remote-resources /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml

Output:

[root@master ~]# oscap info --fetch-remote-resources /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
Document type: Source Data Stream
Imported: 2021-04-28T13:42:03

Stream: scap_org.open-scap_datastream_from_xccdf_ssg-rhel7-xccdf-1.2.xml
Generated: (null)
Version: 1.3
Checklists:
        Ref-Id: scap_org.open-scap_cref_ssg-rhel7-xccdf-1.2.xml
Downloading: https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL7.xml ... ok
                Status: draft
                Generated: 2021-04-28
                Resolved: true
                Profiles:
                        Title: NIST National Checklist Program Security Guide
                                Id: xccdf_org.ssgproject.content_profile_ncp
                        Title: DRAFT - ANSSI-BP-028 (high)
                                Id: xccdf_org.ssgproject.content_profile_anssi_nt28_high
                        Title: OSPP - Protection Profile for General Purpose Operating Systems v4.2.1
                                Id: xccdf_org.ssgproject.content_profile_ospp
                        Title: ANSSI-BP-028 (intermediary)
                                Id: xccdf_org.ssgproject.content_profile_anssi_nt28_intermediary
                        Title: Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)
                                Id: xccdf_org.ssgproject.content_profile_rht-ccp
                        Title: ANSSI-BP-028 (enhanced)
                                Id: xccdf_org.ssgproject.content_profile_anssi_nt28_enhanced
                        Title: [DRAFT] DISA STIG for Red Hat Enterprise Linux Virtualization Host (RHELH)
                                Id: xccdf_org.ssgproject.content_profile_rhelh-stig
                        Title: CIS Red Hat Enterprise Linux 7 Benchmark
                                Id: xccdf_org.ssgproject.content_profile_cis
                        Title: Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)
                                Id: xccdf_org.ssgproject.content_profile_cui
                                Id: xccdf_org.ssgproject.content_profile_e8
                        Title: ANSSI-BP-028 (minimal)
                                Id: xccdf_org.ssgproject.content_profile_anssi_nt28_minimal
                        Title: Health Insurance Portability and Accountability Act (HIPAA)
                                Id: xccdf_org.ssgproject.content_profile_hipaa
                        Title: DISA STIG for Red Hat Enterprise Linux 7
                                Id: xccdf_org.ssgproject.content_profile_stig
                        Title: PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 7
                                Id: xccdf_org.ssgproject.content_profile_pci-dss
                Referenced check files:
                        ssg-rhel7-oval.xml
                                system: http://oval.mitre.org/XMLSchema/oval-definitions-5
                        ssg-rhel7-ocil.xml
                                system: http://scap.nist.gov/schema/ocil/2
                        security-data-oval-com.redhat.rhsa-RHEL7.xml
                                system: http://oval.mitre.org/XMLSchema/oval-definitions-5
        Ref-Id: scap_org.open-scap_cref_ssg-rhel7-pcidss-xccdf-1.2.xml
Downloading: https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL7.xml ... ok
                Status: draft
                Generated: 2021-04-28
                Resolved: true
                Profiles:
                        Title: PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 7
                                Id: xccdf_org.ssgproject.content_profile_pci-dss_centric
                Referenced check files:
                        ssg-rhel7-oval.xml
                                system: http://oval.mitre.org/XMLSchema/oval-definitions-5
                        ssg-rhel7-ocil.xml
                                system: http://scap.nist.gov/schema/ocil/2
                        security-data-oval-com.redhat.rhsa-RHEL7.xml
                                system: http://oval.mitre.org/XMLSchema/oval-definitions-5
Checks:
        Ref-Id: scap_org.open-scap_cref_ssg-rhel7-oval.xml
        Ref-Id: scap_org.open-scap_cref_ssg-rhel7-ocil.xml
        Ref-Id: scap_org.open-scap_cref_ssg-rhel7-cpe-oval.xml
        Ref-Id: scap_org.open-scap_cref_ssg-rhel7-oval.xml000
        Ref-Id: scap_org.open-scap_cref_ssg-rhel7-ocil.xml000
        Ref-Id: scap_org.open-scap_cref_security-data-oval-com.redhat.rhsa-RHEL7.xml
Dictionaries:
        Ref-Id: scap_org.open-scap_cref_ssg-rhel7-cpe-dictionary.xml
[root@master ~]#
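The listing above is meant for humans; a scan script needs the profile Id by itself. Added example, not code from the tutorial or from the OpenSCAP project: a POSIX sh/awk helper that turns the oscap info output into one "Id, Title" line per profile and picks an Id by a title substring. SAMPLE_INFO is a constructed excerpt modelled on the listing above (four profiles, not a real capture), and the function names profile_table and profile_id are my own.

```shell
#!/bin/sh
# Added example, not part of the original tutorial or of OpenSCAP itself.
# Parses the human-readable "oscap info" listing into machine-usable
# "Id<TAB>Title" lines. Assumes POSIX sh and awk only.

# Constructed excerpt of "oscap info" output (shape copied from the listing
# above, trimmed to four profiles); not captured from a real host.
SAMPLE_INFO='Document type: Source Data Stream
Checklists:
        Ref-Id: scap_org.open-scap_cref_ssg-rhel7-xccdf-1.2.xml
                Profiles:
                        Title: OSPP - Protection Profile for General Purpose Operating Systems v4.2.1
                                Id: xccdf_org.ssgproject.content_profile_ospp
                        Title: CIS Red Hat Enterprise Linux 7 Benchmark
                                Id: xccdf_org.ssgproject.content_profile_cis
                        Title: DISA STIG for Red Hat Enterprise Linux 7
                                Id: xccdf_org.ssgproject.content_profile_stig
                        Title: PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 7
                                Id: xccdf_org.ssgproject.content_profile_pci-dss
                Referenced check files:
                        ssg-rhel7-oval.xml'

# profile_table: stdin = "oscap info" output; stdout = "Id<TAB>Title", one line
# per profile. A Title line is remembered until the next Id line consumes it,
# so an Id that arrives without a Title (the full listing above has one) is
# still emitted, with an empty title column. "Ref-Id:" lines do not match.
profile_table() {
    awk '
        /^[[:space:]]*Title:/ { sub(/^[[:space:]]*Title:[[:space:]]*/, ""); title = $0; next }
        /^[[:space:]]*Id:/    { sub(/^[[:space:]]*Id:[[:space:]]*/, "");
                                printf "%s\t%s\n", $0, title; title = "" }
    '
}

# profile_id <substring>: stdin = "oscap info" output; prints the Id of the
# first profile whose title contains <substring> (case-sensitive), nothing if
# none matches. In the full listing "PCI-DSS" matches both the pci-dss and the
# pci-dss_centric profile; the first one listed wins.
profile_id() {
    profile_table | awk -F '\t' -v pat="$1" 'index($2, pat) { print $1; exit }'
}

# Demo on the constructed sample. On a real host replace the printf with:
#   oscap info --fetch-remote-resources /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
printf '%s\n' "$SAMPLE_INFO" | profile_table
printf 'STIG profile id: %s\n' "$(printf '%s\n' "$SAMPLE_INFO" | profile_id 'STIG')"
```

On a real host pipe the live oscap info output into profile_id and pass the result to the --profile option of oscap xccdf eval; an empty result means the title substring matched nothing, which is worth failing on rather than running the scan with an empty profile.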

Enable httpd for viewing the compliance report from the OpenSCAP scanner

Run the following to open HTTP in the firewall and to enable and start the Apache web server. Note that the report will then be served to anyone who can reach port 80, and it lists the host's configuration and every failed control, so restrict access to it (or remove it from the web root) once you have read it.

# firewall-cmd --permanent --zone=public --add-service=http
# systemctl reload firewalld
# systemctl enable --now httpd

Perform an initial compliance scan with the OpenSCAP scanner

To perform a basic compliance scan using the OSPP profile for RHEL 7, run the following command; the profile is selected by passing its Id field from the listing above to --profile:

[root@master ~]# sudo oscap xccdf eval --fetch-remote-resources --profile xccdf_org.ssgproject.content_profile_ospp --results-arf /tmp/arf.xml --report /var/www/html/report.html /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
Downloading: https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL7.xml ... ok
Title   Install the dracut-fips Package
Rule    xccdf_org.ssgproject.content_rule_package_dracut-fips_installed
Ident   CCE-80358-5
Result  notapplicable

Title   Enable FIPS Mode in GRUB2
Rule    xccdf_org.ssgproject.content_rule_grub2_enable_fips_mode
Ident   CCE-80359-3
Result  notapplicable
................

.....
Title   Use Only FIPS 140-2 Validated Ciphers
Rule    xccdf_org.ssgproject.content_rule_sshd_use_approved_ciphers
Ident   CCE-27295-5
Result  notapplicable

Title   Disable Host-Based Authentication
Rule    xccdf_org.ssgproject.content_rule_disable_host_auth
Ident   CCE-27413-4
Result  notapplicable

Title   Disable GSSAPI Authentication
Rule    xccdf_org.ssgproject.content_rule_sshd_disable_gssapi_auth
Ident   CCE-80220-7
Result  notapplicable

Title   Disable SSH Root Login
Rule    xccdf_org.ssgproject.content_rule_sshd_disable_root_login
Ident   CCE-27445-6
Result  notapplicable

[root@master ~]#

The command writes the full results to an Asset Reporting Format (ARF) file, /tmp/arf.xml, and renders an HTML report into the web root. A Result of notapplicable means the rule's platform (CPE) check did not match this host, not that the control is satisfied; if an entire scan comes back notapplicable, the content does not match the operating system (for example, RHEL 7 content evaluated on a CentOS 7 host) and nothing has actually been tested. Once the command completes, open this link in another tab to view the resulting report:

http://master.unixcop.com/report.html
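The console output of oscap xccdf eval runs to hundreds of Title / Rule / Ident / Result records, and the command's exit status is easy to ignore. Added example, not code from the tutorial or from the OpenSCAP project: a POSIX sh/awk helper that reduces that output to per-result counts and a list of rules with a chosen result, and a wrapper around the scan command above that interprets the exit status. SAMPLE_SCAN is a constructed excerpt (rule Ids and CCEs copied from the output above, results changed to cover pass, fail and notapplicable), and the function names and the /tmp/arf.xml path are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the original tutorial or of OpenSCAP itself.
# Reduces the per-rule records that "oscap xccdf eval" prints (Title / Rule /
# Ident / Result, as in the scan above) to counts and a list of rules with a
# given result, and wraps the page's scan command so its exit status is
# interpreted rather than ignored. Assumes POSIX sh and awk only.

# Constructed scan excerpt (rule ids copied from the output above, results
# changed to cover pass, fail and notapplicable); not captured from a real host.
SAMPLE_SCAN='Title   Disable SSH Root Login
Rule    xccdf_org.ssgproject.content_rule_sshd_disable_root_login
Ident   CCE-27445-6
Result  fail

Title   Disable GSSAPI Authentication
Rule    xccdf_org.ssgproject.content_rule_sshd_disable_gssapi_auth
Ident   CCE-80220-7
Result  pass

Title   Enable FIPS Mode in GRUB2
Rule    xccdf_org.ssgproject.content_rule_grub2_enable_fips_mode
Ident   CCE-80359-3
Result  notapplicable

Title   Install the dracut-fips Package
Rule    xccdf_org.ssgproject.content_rule_package_dracut-fips_installed
Ident   CCE-80358-5
Result  notapplicable'

# result_counts: stdin = eval output; stdout = "<result> <count>", one line per
# distinct result value, sorted in the C locale so the order is deterministic.
result_counts() {
    awk '$1 == "Result" { n[$2]++ } END { for (r in n) print r, n[r] }' | LC_ALL=C sort
}

# rules_with_result <result>: stdin = eval output; stdout = "Rule<TAB>Ident<TAB>Title"
# for every record whose Result equals <result> (e.g. fail, notapplicable).
rules_with_result() {
    awk -v want="$1" '
        $1 == "Title"  { sub(/^Title[[:space:]]+/, ""); title = $0 }
        $1 == "Rule"   { rule = $2 }
        $1 == "Ident"  { ident = $2 }
        $1 == "Result" { if ($2 == want) printf "%s\t%s\t%s\n", rule, ident, title
                         title = ""; rule = ""; ident = "" }
    '
}

# scan_verdict <exit-status>: "oscap xccdf eval" exits 0 when every evaluated
# rule passed, 2 when at least one rule failed, and 1 on a scanner error
# (for example an unknown profile id or an unreadable datastream).
scan_verdict() {
    case "$1" in
        0) echo passed ;;
        2) echo failed ;;
        *) echo error ;;
    esac
}

# run_scan <profile-id> <datastream> <report.html>: the tutorial's scan command
# plus a summary. Only meaningful on a host with oscap and SSG content installed;
# the demo below does not call it.
run_scan() {
    log=$(mktemp)
    if oscap xccdf eval --fetch-remote-resources --profile "$1" \
           --results-arf /tmp/arf.xml --report "$3" "$2" > "$log"; then rc=0; else rc=$?; fi
    echo "scan $(scan_verdict "$rc") (oscap exit status $rc)"
    result_counts < "$log"
    echo "--- failed rules ---"
    rules_with_result fail < "$log"
    rm -f "$log"
    return "$rc"
}

# Demo on the constructed sample (no oscap needed):
printf '%s\n' "$SAMPLE_SCAN" | result_counts
printf '%s\n' "$SAMPLE_SCAN" | rules_with_result fail
```

Checking the notapplicable count against the total is the quickest way to catch the content/OS mismatch described above: a scan whose counts contain nothing but notapplicable has evaluated no control at all, even though oscap exits 0.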