STIG Scanning with OpenSCAP

Learn how to run a STIG for Ubuntu 20.04 using OpenSCAP

Brandi McCall
Defense Unicorns
9 min read · Oct 3, 2023


Prerequisites:

  • Server with Ubuntu 20.04 installed

Objectives:

  • Discuss STIG compliance and its purpose
  • Discuss SCAP tools and their justification
  • Install OpenSCAP on Ubuntu server
  • Install SCAP security guides
  • Use OpenSCAP to evaluate the Ubuntu 20.04 STIG
  • View the STIG scan report
  • Discuss what to do with the results

What is a STIG?

If you’ve ever worked with the U.S. Department of Defense (DoD) then you may be familiar with or have heard of the term “STIG.” As you can imagine, DoD computer systems contain confidential information that must be protected from vulnerabilities. One layer of protection is to require that any piece of hardware or software that connects to or is a part of the DoD IT network and systems be STIG compliant.

“STIG” stands for Security Technical Implementation Guide, and consists of hardware and software configuration standards whose goal is to make systems as secure as possible. STIGs were developed by the Defense Information Systems Agency (DISA), and compliance with STIGs is mandatory for all DoD agencies and any organizations or contractors using DoD information networks. This ensures that the network and anything utilizing it meets a minimum level of security, based on security best practices and compliance standards.

In short, a STIG is basically a list of cybersecurity requirements that must be met to ensure basic security measures. For example, a STIG may require secure SSH configuration, and may provide a list of SSH requirements like:

  • A specific SSH protocol version
  • Strong encryption algorithm
  • Key-based authentication (instead of password-based authentication)
  • Disabling of root login
  • Idle timeout period
  • Restrict SSH access to authorized users only

The list can go on and on but in the end, it supports the best practice configuration. Remember, the STIG is simply a guide. If your system were to be 100% compliant with the guide, it likely would not be a functional system. After running a STIG scan, you must take into account the pros and cons of correcting each “Fail,” and determine a balance of risk acceptance for functionality and security.

What is SCAP?

Imagine you have created a system that has an Ubuntu OS and eight applications running on it. You are creating this system for the DoD, so the entirety of it must be as STIG compliant as possible. It would take weeks to months to have engineers manually check configuration compliance of the OS and all of the applications. On top of the initial check, let’s say you are required to check compliance on a monthly basis, as new vulnerabilities may be identified frequently. How in the world can you keep up with and meet these requirements?

Enter Security Content Automation Protocol (SCAP) tools. SCAP is a method that helps organizations automate STIG compliance scans. Whereas STIGs are a set of guidelines that provide detailed instructions for securing computer systems and software, SCAP is a protocol that provides a standardized approach to security automation, enabling the automation of repetitive security-related tasks, including vulnerability scanning, configuration assessment, and compliance checks.

What is OpenSCAP?

OpenSCAP is one of many tools that leverage SCAP standards to automate the assessment and validation of STIG compliance. OpenSCAP is open-source and has a vibrant community committed to its maintenance. In this tutorial, we will install OpenSCAP on our Ubuntu server and use it to run the Ubuntu 20.04 STIG.

Install OpenSCAP on Ubuntu Server

For this tutorial, I am using a clean server that only has a minimal Ubuntu 20.04 OS installed (no GUI), thus everything will be run through the CLI. To get started, SSH into your server, then update and upgrade packages.

# SSH into Server
ssh ubuntu@server_IP

# Update and upgrade packages
sudo apt update && sudo apt upgrade

Next, we can install OpenSCAP with the following command:

# Install OpenSCAP
sudo apt install libopenscap8

(Optional) Confirm that OpenSCAP was installed:

# Confirm installation and location of OpenSCAP
which oscap

# Confirm OpenSCAP version
oscap -V

Install SCAP Security Guides

In addition to OpenSCAP, we need to install the SCAP Security Guide (SSG) for our Debian-based system. SSGs are security policies that transform STIGs (and other security guidelines) into a machine-readable format (XCCDF) that OpenSCAP can use to scan your system for vulnerabilities and compliance. We can download the latest SSG packages from the ComplianceAsCode project using the following commands:

# Download the latest SCAP Security Guide (the directory lives under /usr/share, so it needs sudo)
sudo mkdir -p /usr/share/xml/scap/ssg/content
cd /usr/share/xml/scap/ssg/content
sudo wget https://github.com/ComplianceAsCode/content/releases/download/v0.1.69/scap-security-guide-0.1.69.zip

The ComplianceAsCode project is an open-source project that creates security policy content and offers Ansible playbooks and Bash scripts to automate compliance solutions, aiming to simplify the process of maintaining compliance with security standards. To find the official DISA STIG, navigate to https://public.cyber.mil/stigs/downloads/ and search for “Canonical Ubuntu 20.04 LTS STIG — Ver 1, Rel 9.” I will use the official DISA STIG in a future post.

The latest SSG is contained in a zip file.

If you do not have unzip installed, use the following command:

# Install unzip on Ubuntu server
sudo apt install unzip

Unzip the SSG file, then change into the SSG directory and look around:

# Unzip SCAP Security Guide
sudo unzip scap-security-guide-0.1.69.zip
cd scap-security-guide-0.1.69/
ls

You should now see the SSG security policies for Ubuntu 20.04.

Display Profile Options

Each security policy has a variety of profiles that contain different rules and values to adhere to different security baselines, thus tailoring the security configurations to specific use cases. You can see the available profiles of the ssg-ubuntu2004-ds-1.2.xml package by using the following command:

# Display a list of available Profiles
oscap info ssg-ubuntu2004-ds-1.2.xml

Find the profile with profile_stig in it.

Use OpenSCAP to Evaluate the Security Policy and Profile

The purpose of OpenSCAP is to evaluate a local system for vulnerabilities and for a standard configuration based on a security policy and profile. The basic syntax for scanning with a SCAP source data stream (e.g. an XCCDF file) starts with the oscap xccdf eval command; the command and its flags are explained in section 4.1 of the OpenSCAP User Manual (linked in the Conclusion below).

For our purposes, we will scan our Ubuntu system using the xccdf_org.ssgproject.content_profile_stig profile and the ssg-ubuntu2004-ds-1.2.xml security policy, so our command will look like this:

# Evaluate a STIG Profile and write XCCDF results into a report.html file
sudo oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_stig \
--report report.html ssg-ubuntu2004-ds-1.2.xml

Here’s a breakdown of the above command:

sudo oscap xccdf eval: Indicates to evaluate the compliance of the system against the rules specified in the XCCDF file.

--profile xccdf_org.ssgproject.content_profile_stig: Specifies to use the xccdf_org.ssgproject.content_profile_stig profile, which represents the Ubuntu 20.04 STIG configuration.

--report report.html: Indicates to save the compliance evaluation results of the scan in HTML format in a new document called report.html.

ssg-ubuntu2004-ds-1.2.xml: Indicates the XCCDF content file against which the system's compliance is being evaluated.

After the evaluation has completed, you will see a long list of rules and whether your system passed or failed those rules. Your output should look something similar to this:

If you run ls you will see that the report.html file has been created. This file contains all of the output of the evaluation in HTML format.

View STIG Scan Results

To view the results, you can simply vim the report.html file, but it looks very messy. A better way is to secure copy the file from the remote server to your local machine, then view the HTML document in a web browser. To secure copy a file from a remote server to your local machine, the basic syntax looks like this:

scp <USER>@<HOST>:source destination

If you have multiple SSH keys, you can specify which key to use with the -i flag. For more details on how to do this, see this tutorial. If the SSH key is not specified, the default will be used. If you get a “permission denied/public key” error, see if this tutorial helps you resolve it (even though that tutorial is not exactly what we’re doing here, I found its troubleshooting steps helpful).

To copy the report file from the remote server, first open a new terminal window on your local machine. I am going to copy the report.html file from the remote server to my local ~/Development directory, so my scp command looks like this:

# Example secure copy from remote to local
scp ubuntu@10.1.29.82:/usr/share/xml/scap/ssg/content/scap-security-guide-0.1.69/report.html ~/Development

Notice I run this command from my local machine (not the window where I am SSH’d into the Ubuntu server). If I ls I can see that the report.html file now lives locally in my Development directory.

To view the report, simply double click it in your file browser (Finder on a Mac, File Explorer on Windows) and it will open the HTML in your default web browser.

The web browser version will look like this:

The report gives you a score of compliance (only 58% for this server) and if you scroll down, you will see each configuration that failed and the severity of the failure. More details can be seen by clicking on the specific test.
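As an added example (not code from the post), the following Python script reads the XML results file that oscap writes when the eval command above is also given --results results.xml, groups the failed rules by severity and computes the score the way XCCDF's default scoring model does, which is a quick way to triage findings without opening the HTML report. The embedded results document is a constructed sample and its rule ids are illustrative.

```python
"""Summarise an OpenSCAP XCCDF results file by severity (example code, not from the post)."""
import xml.etree.ElementTree as ET

XCCDF_NS = "{http://checklists.nist.gov/xccdf/1.2}"
# XCCDF default scoring model: these result values are not scored at all.
UNSCORED = {"notapplicable", "notchecked", "notselected", "informational"}

# Constructed sample in the shape oscap writes with --results; rule ids are illustrative.
SAMPLE_RESULTS = """<?xml version="1.0" encoding="UTF-8"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.ssgproject.content_benchmark_UBUNTU_20-04">
  <TestResult id="xccdf_org.open-scap_testresult_xccdf_org.ssgproject.content_profile_stig">
    <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_disable_root_login" severity="medium" weight="1.0">
      <result>pass</result></rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout" severity="medium" weight="1.0">
      <result>fail</result></rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_package_telnetd_removed" severity="high" weight="1.0">
      <result>fail</result></rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_grub2_password" severity="high" weight="1.0">
      <result>notapplicable</result></rule-result>
  </TestResult>
</Benchmark>
"""

def parse_rule_results(xml_text):
    """Return (rule_id, severity, weight, result) for every rule-result in the document."""
    root = ET.fromstring(xml_text)
    rows = []
    for rr in root.iter(XCCDF_NS + "rule-result"):
        result = rr.findtext(XCCDF_NS + "result", default="unknown")
        rows.append((rr.get("idref", "?"), rr.get("severity", "unknown"),
                     float(rr.get("weight", "1.0")), result))
    return rows

def failed_by_severity(rows):
    """Group failed rule ids by severity so high findings can be triaged first."""
    grouped = {}
    for rule_id, severity, _weight, result in rows:
        if result == "fail":
            grouped.setdefault(severity, []).append(rule_id)
    return grouped

def default_score(rows):
    """Weighted pass percentage over scored rules (XCCDF default model: only pass earns credit)."""
    total = sum(w for _, _, w, r in rows if r not in UNSCORED)
    passed = sum(w for _, _, w, r in rows if r == "pass")
    return 100.0 * passed / total if total else 0.0
```

To run it on a real scan, read results.xml into a string and pass it to parse_rule_results; the sample above scores 33.3% because the notapplicable rule is left out of the denominator.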

We Have Results, Now What?

When building an IT system for the DoD, part of the approval process involves obtaining an Authority to Operate, or ATO. This can be a difficult, time-consuming process, but it is required before your IT system can be used by the DoD. Basically, the DoD wants to ensure your system is secure enough before it is incorporated into their systems. As discussed previously, part of ensuring security is identifying vulnerabilities and deciding on risk acceptance through STIG scanning. Another part is mitigating as much risk as possible.

The Risk Management Framework (RMF) is a publication by the National Institute of Standards and Technology (NIST) that offers guidance on how to manage information security and privacy risks effectively, providing a systematic approach for organizations to identify, assess, respond to, and monitor risks associated with their information systems and assets. Basically, once you’ve identified the risks and vulnerabilities of your system via your STIG scans, the RMF offers guidance on how to mitigate those risks. By adhering to the RMF objectives, the overall IT attack surface of a system can be reduced.

Conclusion

Thank you so much for following along with me on this STIG journey! Remember, this is a learning process for both me and you, and as I learn I will continue to try and teach others. If you have more questions on STIG scanning, I found these two resources to be very helpful:

OpenSCAP User Manual

https://static.open-scap.org/openscap-1.3/oscap_user_manual.html#_introduction

Master's Degree Thesis: Security assessment and threat response through SCAP

https://webthesis.biblio.polito.it/22850/1/tesi.pdf
