How to quickly scan your machine (for free) to make a DISA Checklist CKL using OpenSCAP

Dale Bingham
6 min read · Feb 10, 2023

This is a quick step-by-step guide on how to scan your server, virtual machine, or workstation with the free OpenSCAP tool and DISA Benchmark for your operating system. That gives you an XCCDF XML file you can load into OpenRMF OSS or OpenRMF Professional to quickly get a checklist CKL file to give to your group asking for a DISA Checklist file for RMF, FedRAMP or cyber compliance.

Final result of running oscap with a RHEL 8 Benchmark to get a RHEL8 CKL file

Step 1: Download OpenSCAP on your machine

First things first, go to the OpenSCAP website and make sure you have a RHEL or Ubuntu operating system you can install it on. If you wish, you can also watch the Red Hat video on installing openscap-scanner and the SCAP Workbench GUI.

Whichever package manager you install it with (yum or apt-get), make sure that afterwards `which oscap` returns a valid path. That is the executable we will use.

You also can follow along at their GitHub Repo for more information as well.

Step 2: Get the Proper DISA Benchmark

Now you need to go to DISA’s website to get a benchmark to use for scanning. Go to the https://public.cyber.mil/stigs/ area, then click the Automation → Security Content Automation Protocol (SCAP) link to get to the page listing the benchmarks. You can also find the DISA SCC tool there (covered in another blog post), which can scan your machine as well.

When you run the scan in Step 4 below, you run OpenSCAP on the machine you want to scan and pass in a benchmark so it knows which security settings to check. It then produces the results file we use to make a checklist.

On the https://public.cyber.mil/stigs/scap/ page you will see a listing like the one below. Find the benchmark file for your operating system or application and download the ZIP. Then unzip the .xml file inside it. THAT is your benchmark file.

For this walkthrough we are going to use the Red Hat Enterprise Linux 8 STIG Benchmark — Ver 1, Rel 8 file that came out January 13th (Friday the 13th!).

Note that NOT ALL operating systems have a DISA Benchmark file to use. So make sure you can use this method before going too far. If not, there are other methods like CIS scans using .audit files from Tenable Nessus or Rapid7 Nexpose as well to eventually create CKL files. Those cost $$$$ though.

DISA public.cyber.mil website showing SCAP benchmarks to use

Step 3: Find the Proper Profile in the Benchmark

Now that you have OpenSCAP installed and you downloaded and unzipped the proper benchmark XML file, put the benchmark file on the machine where the oscap executable is. For this example, we put this all on our RHEL 8.7 machine in a ~/SCAPBenchmarks/ directory.

Now run `oscap info ./NAME-OF-BENCHMARK.xml` and it will give you a list of profiles to use. It will look like the image below. You need to choose a profile Id from the listing. In the example below, we will choose the `xccdf_mil.disa.stig_profile_MAC-3_Sensitive` profile.

If you do not know your profile, ask your cyber professionals on your project or government information security officer for the proper mission assurance category (MAC) level of your device. MAC 1 is the most critical and most stringent.

Running `oscap info U_RHEL_8_V1R8_STIG_SCAP_1-2_Benchmark.xml` to get a profile listing

Step 4: Scan and Export XCCDF XML Results

Now that you have OpenSCAP, your benchmark file, and your profile chosen, you can FINALLY execute the scanner command! The command below was run on a single line; we split it across lines for readability.

```sh
sudo oscap xccdf eval \
  --profile xccdf_mil.disa.stig_profile_MAC-3_Sensitive \
  --results myrel8machine-hostname-xccdf.xml \
  ./U_RHEL_8_V1R8_STIG_SCAP_1-2_Benchmark.xml
```
Results from running the oscap command above

When done you will see a screen like the one above and have a file (for us it is myrel8machine-hostname-xccdf.xml) that starts like the XML below.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="xccdf_mil.disa.stig_benchmark_RHEL_8_STIG" resolved="1" xml:lang="en" style="SCAP_1.2">
<status date="2022-12-06">accepted</status>
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en">Red Hat Enterprise Linux 8 STIG SCAP Benchmark</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en">This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.</description>
<notice xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en" id="terms-of-use"/>
<front-matter xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en"/>
<rear-matter xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en"/>
<reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="https://cyber.mil">
<dc:publisher>DISA</dc:publisher>
<dc:source>STIG.DOD.MIL</dc:source>
</reference>
<plain-text id="release-info">Release: 1.8 Benchmark Date: 26 Jan 2023</plain-text>
<plain-text id="generator">3.4.0.34222</plain-text>
<plain-text id="conventionsVersion">1.10.0</plain-text>
<platform idref="cpe:/o:redhat:enterprise_linux:8"/>
<version update="http://iase.disa.mil/stigs">001.008</version>
```

Step 5: Load into OpenRMF OSS or Professional

Now that you have that file, you can load THAT file into the OpenRMF OSS or OpenRMF Professional application to get a Checklist CKL file. You can even load it into the STIGViewer application (requires Java installed) on the DISA website as well if you need to.

OpenRMF OSS lets you view multiple checklists, run searches, export to the CKL format or even export to MS XLSX for easier viewing and sharing. And it is free.

RHEL 8 checklist from OpenSCAP and RHEL 8 benchmark loaded into OpenRMF

NOTE: if the file does not load into your OpenRMF OSS application, the cause may be the newer title that DISA has (yet again) changed in some benchmark XML files, which carries through into the scan results. The results XML file has a title element near the top like the line below. Remove the “ SCAP Benchmark” at the end of the title text, including the space before SCAP, and try again. A fix is coming in late February 2023 to address this.

```xml
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en">Red Hat Enterprise Linux 8 STIG SCAP Benchmark</title>
```
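Before handing the results file to OpenRMF, it helps to sanity-check it the same way the steps above do by hand: confirm which profiles the benchmark offers (Step 3), tally the pass/fail outcomes that `oscap xccdf eval` wrote into the TestResult (Step 4), and, if needed, apply the title workaround from the NOTE as a text edit that leaves the rest of the file byte-for-byte intact. The script below is an added example written for this walkthrough; it is not part of OpenSCAP, DISA's content or OpenRMF. It assumes the results file is XCCDF 1.2 as written by `oscap xccdf eval --results`, and the embedded sample document, its profile titles and its rule ids are constructed for illustration (only the MAC-3_Sensitive profile id and the benchmark title come from this post).

```python
"""Inspect an OpenSCAP XCCDF results file before loading it into OpenRMF.

Added example for this walkthrough (not OpenSCAP, DISA or OpenRMF code).
Assumes XCCDF 1.2 output from `oscap xccdf eval --results FILE.xml`.
"""
import re
import sys
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
NS = {"x": XCCDF_NS}
TITLE_SUFFIX = " SCAP Benchmark"  # trailing text the NOTE says to remove

# Constructed sample in the shape oscap writes: Benchmark header, the Profile
# list that `oscap info` shows, and a TestResult with a few rule-result
# entries. Profile titles and rule ids are placeholders, not real STIG ids.
SAMPLE_RESULTS = """<?xml version="1.0" encoding="UTF-8"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2"
           id="xccdf_mil.disa.stig_benchmark_RHEL_8_STIG">
  <title xml:lang="en">Red Hat Enterprise Linux 8 STIG SCAP Benchmark</title>
  <Profile id="xccdf_mil.disa.stig_profile_MAC-1_Classified">
    <title>I - Mission Critical Classified</title>
  </Profile>
  <Profile id="xccdf_mil.disa.stig_profile_MAC-3_Sensitive">
    <title>III - Administrative Sensitive</title>
  </Profile>
  <TestResult id="xccdf_org.open-scap_testresult_example">
    <rule-result idref="xccdf_mil.disa.stig_rule_SV-EXAMPLE-1"><result>pass</result></rule-result>
    <rule-result idref="xccdf_mil.disa.stig_rule_SV-EXAMPLE-2"><result>fail</result></rule-result>
    <rule-result idref="xccdf_mil.disa.stig_rule_SV-EXAMPLE-3"><result>fail</result></rule-result>
    <rule-result idref="xccdf_mil.disa.stig_rule_SV-EXAMPLE-4"><result>notapplicable</result></rule-result>
  </TestResult>
</Benchmark>
"""


def benchmark_title(xml_text):
    """Return the top-level <title> text, the field the NOTE above is about."""
    root = ET.fromstring(xml_text)
    return (root.findtext("x:title", namespaces=NS) or "").strip()


def list_profiles(xml_text):
    """Return (profile id, profile title) pairs, like `oscap info` lists."""
    root = ET.fromstring(xml_text)
    return [
        (p.get("id"), (p.findtext("x:title", namespaces=NS) or "").strip())
        for p in root.findall("x:Profile", NS)
    ]


def summarize_results(xml_text):
    """Count rule-result outcomes and collect the ids of the failed rules."""
    root = ET.fromstring(xml_text)
    counts = Counter()
    failed = []
    for rr in root.iterfind("x:TestResult/x:rule-result", NS):
        outcome = (rr.findtext("x:result", namespaces=NS) or "unknown").strip()
        counts[outcome] += 1
        if outcome == "fail":
            failed.append(rr.get("idref"))
    return dict(counts), failed


def strip_title_suffix(xml_text):
    """Workaround from the NOTE: drop ' SCAP Benchmark' from the Benchmark's
    own <title> (the first one in the file) as a plain text edit, so nothing
    else in the results file changes. Returns (new_text, changed)."""
    pattern = r"(<title\b[^>]*>)([^<]*)" + re.escape(TITLE_SUFFIX) + r"(</title>)"
    match = re.search(pattern, xml_text)
    if match is None or match.start() != xml_text.find("<title"):
        return xml_text, False  # first title has no suffix: nothing to do
    fixed = (xml_text[: match.start()] + match.group(1) + match.group(2)
             + match.group(3) + xml_text[match.end():])
    return fixed, True


def main(argv):
    if len(argv) < 2:
        print("usage: xccdf_check.py RESULTS.xml [--fix-title]")
        return 1
    path = argv[1]
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    print("title   :", benchmark_title(text))
    for pid, ptitle in list_profiles(text):
        print("profile :", pid, "-", ptitle)
    counts, failed = summarize_results(text)
    print("results :", counts)
    for rid in failed:
        print("  FAIL  ", rid)
    if "--fix-title" in argv:
        fixed, changed = strip_title_suffix(text)
        if not changed:
            print("title has no ' SCAP Benchmark' suffix; nothing written")
            return 0
        out_path = path + ".openrmf.xml"  # write a copy, keep the original
        with open(out_path, "w", encoding="utf-8") as fh:
            fh.write(fixed)
        print("fixed title:", benchmark_title(fixed), "->", out_path)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 xccdf_check.py myrel8machine-hostname-xccdf.xml --fix-title`; the fixed copy (with the `.openrmf.xml` suffix, a name chosen for this example) is the one to load into OpenRMF OSS, and the original results file from oscap stays untouched as your evidence. The title fix is deliberately a string edit rather than a parse-and-rewrite, because re-serialising through an XML library would rename namespace prefixes and reorder attributes across the whole file.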

Special Thanks to…

Matthew Amacker for asking on our Slack Channel how to quickly get a DISA CKL for his machine. It is a PITA when you are asked for this kind of report or CKL file without knowing what it is or being given good step-by-step guidance. So this was the kicker to get this written down.

Also to Dave Gould my co-founder, friend, colleague, and cyber guru for making me understand all this mess over the last 18 years!

For this kind of thing of scanning and making CKLs for RMF or FedRAMP, if you know how to do it you know it. Otherwise, it is “cyber magic” to get this all done by the great Oz behind the cyber curtain.

We need to roll that curtain back and get EVERYONE understanding cyber compliance and how to achieve this in a collaborative team environment to make everyone smarter. On their way to better cyber hygiene and better cyber security.

We also have on our OpenRMF OSS documentation site a link to What is a SCAP Scan explained as well.


Dale Bingham

CEO of Soteria Software. Developer on OpenRMF. Software Geek by trade. Father of three daughters. Husband. Love new tech where it fits. Follow at @soteriasoft