Exercise 1.7 - OpenSCAP Security Compliance Scanning


Overview

RHEL 8 makes it easy to maintain secure and compliant systems with OpenSCAP.

What is SCAP?

SCAP (Security Content Automation Protocol) is a NIST project that standardizes the language for describing assessment criteria and findings. It also provides a vulnerability rating system. The project’s home page is https://scap.nist.gov/

The essential components of SCAP are:

  • XCCDF: The Extensible Configuration Checklist Description Format

  • OVAL®: Open Vulnerability and Assessment Language

  • CCE™: Common Configuration Enumeration

  • CPE™: Common Platform Enumeration

  • CVE®: Common Vulnerabilities and Exposures

  • CVSS: Common Vulnerability Scoring System

OpenSCAP is a project that implements tools for performing SCAP scans and remediating findings.
You can read more about the project at http://www.open-scap.org/ and the repository for their tools and profiles is on GitHub at https://github.com/OpenSCAP/openscap/.

Exercise Description

In the following exercises we’ll use the CLI to show how you can validate system compliance. There are other tools as well, including a GUI utility and another for scanning container images.

Section 1: Ensure httpd and the OpenSCAP scanner are installed

Ensure Apache httpd plus the OpenSCAP scanner and definitions are installed with the command below; it’s safe to run even if the packages already exist:

sudo yum install -y httpd openscap-scanner scap-security-guide

The scap-security-guide package contains prepared system profiles for several RHEL releases and system types; they are installed under /usr/share/xml/scap/ssg/content.
You can get a summary of the profiles in a given definition file with the following command:

oscap info --fetch-remote-resources /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml

Output:

Document type: Source Data Stream
Imported: 2019-03-11T12:36:47

Stream: scap_org.open-scap_datastream_from_xccdf_ssg-rhel8-xccdf-1.2.xml
Generated: (null)
Version: 1.2
Checklists:
	Ref-Id: scap_org.open-scap_cref_ssg-rhel8-xccdf-1.2.xml
		Status: draft
		Generated: 2019-03-11
		Resolved: true
		Profiles:
			Title: PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 8
				Id: xccdf_org.ssgproject.content_profile_pci-dss
			Title: OSPP - Protection Profile for General Purpose Operating Systems
				Id: xccdf_org.ssgproject.content_profile_ospp
		Referenced check files:
			ssg-rhel8-oval.xml
				system: http://oval.mitre.org/XMLSchema/oval-definitions-5
			ssg-rhel8-ocil.xml
				system: http://scap.nist.gov/schema/ocil/2
Checks:
	Ref-Id: scap_org.open-scap_cref_ssg-rhel8-oval.xml
	Ref-Id: scap_org.open-scap_cref_ssg-rhel8-ocil.xml
	Ref-Id: scap_org.open-scap_cref_ssg-rhel8-cpe-oval.xml
Dictionaries:
	Ref-Id: scap_org.open-scap_cref_ssg-rhel8-cpe-dictionary.xml

Looking about half-way down, you can see that this file contains two profiles: one for PCI-DSS and another for OSPP. The OSPP profile is a general-purpose profile, so it’s a good choice for testing.

Section 2: Enable httpd for viewing compliance report

Run the following to enable the Apache web server and allow client access to it.

sudo firewall-cmd --permanent --zone=public --add-service=http
sudo systemctl reload firewalld
sudo systemctl enable --now httpd

Section 3: Perform an initial compliance scan

To perform a basic compliance scan using the OSPP profile for RHEL 8, run the following command; the profile is specified by supplying the Id field from the output above:

sudo oscap xccdf eval --fetch-remote-resources --profile xccdf_org.ssgproject.content_profile_ospp --results-arf /tmp/arf.xml --report /var/www/html/report.html /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml

Once the command completes, open this link in another tab to view the resulting report:

http://example.node.0.redhatgov.io/report.html

Here’s a snippet of what the report looks like:

[Figure 1: OpenSCAP report (screenshot of the HTML compliance report)]

Section 4: Automatically remediate findings

To correct compliance issues found in the scan, we can generate a Bash shell script or an Ansible playbook automatically from the scan’s findings. To generate an Ansible playbook, run the following:

sudo oscap xccdf generate fix --fetch-remote-resources --fix-type ansible --result-id "" /tmp/arf.xml > /tmp/ospp-playbook-fix.yml

Review the generated YAML file, /tmp/ospp-playbook-fix.yml. Note that the individual tasks are clearly named and delineated. Once you’re comfortable with it, run the playbook with:

ansible-playbook -i localhost, -u ec2-user -b /tmp/ospp-playbook-fix.yml

The playbook will take several minutes to run.

Section 5: Review changes

To see what differences applying the hardening profile has made, re-run OpenSCAP in eval mode, exactly as you did before:

sudo oscap xccdf eval --fetch-remote-resources --profile xccdf_org.ssgproject.content_profile_ospp --results-arf /tmp/arf.xml --report /var/www/html/report.html /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml

Once the command completes, open this link in another tab to view the resulting report:

http://example.node.0.redhatgov.io/report.html
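Reading two HTML reports side by side is tedious; the ARF file written by --results-arf contains one XCCDF rule-result per evaluated rule, so the before/after comparison can be done per rule id. The script below is an added example, not part of the workshop or the OpenSCAP project: it assumes you copied the first scan's /tmp/arf.xml to another path before running the playbook (the workshop overwrites it), and the embedded sample ARF documents and rule ids are constructed, not real scan output.

```python
"""Compare two OpenSCAP ARF result files rule by rule.

Assumption (not from the workshop page): each file is the ARF written by
`oscap xccdf eval --results-arf`, which embeds an XCCDF 1.2 <TestResult>
holding one <rule-result> per evaluated rule.
"""
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"


def rule_results(xml_text):
    """Map each rule id to its result string ('pass', 'fail', 'notapplicable', ...)."""
    root = ET.fromstring(xml_text)
    results = {}
    # iter() walks the whole tree, so the ARF wrapper around TestResult does not matter.
    for rr in root.iter(f"{{{XCCDF_NS}}}rule-result"):
        res = rr.find(f"{{{XCCDF_NS}}}result")
        if res is not None and res.text:
            results[rr.get("idref")] = res.text.strip()
    return results


def failing_rules(results):
    """Rule ids whose result is 'fail', sorted for stable output."""
    return sorted(r for r, v in results.items() if v == "fail")


def diff_results(before, after):
    """Return (fixed, regressed, still_failing) rule id lists between two scans."""
    fixed = sorted(r for r in before if before[r] == "fail" and after.get(r) == "pass")
    regressed = sorted(r for r in after if after[r] == "fail" and before.get(r) == "pass")
    still = sorted(r for r in after if after[r] == "fail" and before.get(r) == "fail")
    return fixed, regressed, still


# Constructed sample ARF documents (not real scan output): pre- and post-remediation.
ARF_BEFORE = """<arf:asset-report-collection xmlns:arf="http://scap.nist.gov/schema/asset-reporting-format/1.1">
<arf:reports><arf:report id="xccdf1"><arf:content>
<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.open-scap_testresult_ospp">
 <rule-result idref="xccdf_org.ssgproject.content_rule_example_sshd"><result>fail</result></rule-result>
 <rule-result idref="xccdf_org.ssgproject.content_rule_example_audit"><result>fail</result></rule-result>
 <rule-result idref="xccdf_org.ssgproject.content_rule_example_grub"><result>pass</result></rule-result>
</TestResult></arf:content></arf:report></arf:reports></arf:asset-report-collection>"""
ARF_AFTER = ARF_BEFORE.replace(
    'example_sshd"><result>fail', 'example_sshd"><result>pass').replace(
    'example_grub"><result>pass', 'example_grub"><result>fail')

if __name__ == "__main__":
    before, after = rule_results(ARF_BEFORE), rule_results(ARF_AFTER)
    fixed, regressed, still = diff_results(before, after)
    print("fixed:", fixed)
    print("regressed:", regressed)
    print("still failing:", still)
```

On a real system, replace the embedded strings with the contents of the saved pre-remediation ARF and the new /tmp/arf.xml; a non-empty regressed list is the signal to inspect the playbook tasks before trusting the new report.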
