The Ultimate Guide for Security Compliance with OpenSCAP-Part 1

Raveen Gatla
7 min readJul 3, 2022


Introduction

Hi Everyone,

In this article, I will walk you through the basics of SCAP and the steps for performing security compliance management and vulnerability assessment with the open-source tool OpenSCAP.

OpenSCAP

What is SCAP?

SCAP stands for Security Content Automation Protocol. It is a suite of specifications, maintained by NIST (National Institute of Standards and Technology), that standardizes how security configuration checks and vulnerability information are expressed, so that compliance and vulnerability management for computer systems can be automated and kept consistent. Hardening checklists written against these specifications are published by NIST, and anyone can follow them to harden their systems.

What is OpenSCAP?

It is an open-source project with a collection of tools to perform security audits based on configuration and vulnerability scans of local, remote, virtual and Docker systems.

The project consists of five tools:

  1. OpenSCAP Base
  2. OpenSCAP Daemon
  3. SCAP Workbench
  4. Scaptimony
  5. OSCAP Anaconda Addon

OSCAP Installation

OpenSCAP Base

As the name suggests, it is the core tool: it reads SCAP security content, evaluates profiles, scans systems and generates reports. It is a NIST-certified SCAP scanner, and it is invoked through the oscap command.

Install:

For Ubuntu and Debian (on Ubuntu 20.04 the oscap binary ships in libopenscap8; on newer releases the scanner is packaged as openscap-scanner, as on Fedora):

sudo apt -y install libopenscap8

For CentOS 6, CentOS 7, RHEL 6 and RHEL 7 (use dnf on RHEL 8 and later):

sudo yum -y install openscap-scanner

For Fedora:

sudo dnf install openscap-scanner

For Windows:

Check the OpenSCAP GitHub releases page and download the .msi installer.

To check the version,

oscap -V
command output of oscap -V

Security Content Download

To demonstrate the use of the tool, we need

  1. An operating system.
  2. Definitions to scan for compliance.

Two kinds of SCAP content are relevant here. OVAL (Open Vulnerability and Assessment Language) definitions describe a testable system state; vendors such as Canonical (Ubuntu) and Red Hat publish regularly updated OVAL feeds that list the packages affected by each security advisory, so evaluating them tells you which known vulnerabilities are still unpatched on a host. These feeds are downloaded from the respective vendor's site. For configuration hardening, or if your distribution has no vendor feed, use the policies defined by the SCAP Security Guide (SSG).

SSG policies are security baselines written as SCAP documents (XCCDF checklists whose rules are backed by OVAL checks). They can be used to run compliance scans and include recommended remediations for the issues found. SSG policies are not limited to operating systems; there are also guides for applications such as Firefox, Chromium and the JRE.

For Step 1:

Download and Install any Linux Server(For this article I’m using Ubuntu 20.04).

For Step 2:

Use any one of the below steps to download the security content which we will use later for scanning the server.

RHEL (the RHSA feed provides vulnerability definitions, the scap-security-guide package provides the hardening content; Red Hat's current OVAL feeds are published under https://www.redhat.com/security/data/oval/v2/):

wget https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL9.xml.bz2

or

sudo yum install scap-security-guide

Ubuntu or Debian:

wget https://security-metadata.canonical.com/oval/com.ubuntu.$(lsb_release -cs).usn.oval.xml.bz2

or

sudo apt install ssg-debian       # Debian guides
sudo apt install ssg-debderived   # guides for Debian-based distributions (e.g. Ubuntu)
sudo apt install ssg-nondebian    # guides for other distributions (RHEL, Fedora, etc.)
sudo apt install ssg-applications # application-oriented guides (Firefox, JBoss, etc.)

Other than package managers you can also download the latest SSG content from its official GitHub releases page.

Usage

I have downloaded the latest release of the SSG content from the GitHub page mentioned above and extracted it.

Contents of the Extracted zip file

You can list the profiles present in a data stream file with the command below.

oscap info <PATH_TO_DS_XML_FILE>
oscap info command output

As my testing machine is Ubuntu 20.04, I picked the data stream file ssg-ubuntu2004-ds.xml and the profile xccdf_org.ssgproject.content_profile_standard.

To scan the machine, use the below command

sudo oscap xccdf eval \
--profile xccdf_org.ssgproject.content_profile_standard \
--results-arf ~/Documents/scap/reports/ubn2-arf.xml \
--report ~/Documents/scap/reports/ubn2-report.html \
~/Documents/scap-security-guide-0.1.62/ssg-ubuntu2004-ds.xml

--profile <PROFILE_ID> specifies the profile you want to audit your system against.

--results-arf <FILE_TO_STORE_ARF_REPORT> writes the results in Asset Reporting Format (ARF).

The Asset Reporting Format (ARF) stores the complete results as a reusable result data stream. This file is the input for generating fixes later (managing compliance).

--report <FILE_TO_STORE_HTML_REPORT> writes a human-readable HTML report.

~/Documents/scap-security-guide-0.1.62/ssg-ubuntu2004-ds.xml is the data stream file that contains the profile.

Two practical notes: oscap does not create the output directory, so ~/Documents/scap/reports must exist before the scan; and the exit status is script-friendly, 0 when every selected rule passed, 2 when at least one rule failed, and 1 on an error such as a bad path or unparsable content.

After running the command the scan starts and prints output like this.

xccdf scan for ubuntu2004 standard profile

It also writes the ARF and HTML reports to the specified paths. If you open the HTML report in a browser you will see a report similar to the one below.

Html Report part-1
Html Report part-2
Html Report part-3
Html Report part-4

Similarly, you can scan for other profiles which apply to your system.

As you can see from the HTML report (part 3), my system has 17 fails, so it is not compliant with this SSG profile. To move toward compliance you can apply fixes that oscap generates automatically from the scan results.

Note: these fixes will not necessarily provide complete remediation. Some rules have no automated fix, some need a reboot to take effect, and some require decisions only an administrator can make. Review the generated script before running it, especially on a production machine, because it changes system configuration.

OpenSCAP can generate fixes as bash scripts, Ansible playbooks, Puppet manifests and Anaconda kickstart snippets (--fix-type bash, ansible, puppet or anaconda).

sudo oscap xccdf generate fix \
--fix-type bash \
--result-id "" \
--output bash-remediation.sh \
~/Documents/scap/reports/ubn2-arf.xml

--result-id "" selects which test result in the file to generate fixes for; fixes are produced for the rules that failed in that result. The ARF file written by the scan contains a single TestResult, so an empty ID makes oscap use the result found in the file instead of requiring its identifier. Using --fix-type ansible with an output such as ansible-fix.yml produces a playbook the same way.

Review the generated script (and the Ansible playbook, if you generated one) before applying it:

sudo vim bash-remediation.sh
sudo vim ansible-fix.yml

Then give the bash script executable permission and run it with sudo privileges.

$ chmod +x bash-remediation.sh
$ sudo ./bash-remediation.sh

After applying the fix, scan the system again.

sudo oscap xccdf eval \
--profile xccdf_org.ssgproject.content_profile_standard \
--results-arf ~/Documents/scap/reports/ubn2-arf-afterfix.xml \
--report ~/Documents/scap/reports/ubn2-report-afterfix.html \
~/Documents/scap-security-guide-0.1.62/ssg-ubuntu2004-ds.xml

Check that the number of fails decreased (i.e. the compliance score increased). In my case fails decreased by only 2 😅.
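The scan, generate-fix, apply and rescan steps above are easy to chain, and the ARF results are easy to read mechanically, which is what you want for a cron job or a CI gate. The script below is an added example, not code from the original article or from the OpenSCAP project: it wraps each step in a shell function and adds helpers that count rule results and compare two scans. The data stream, profile and report directory are assumptions taken from the article's paths and can be overridden through the environment.

```shell
#!/bin/sh
# Added example (not from the article or the OpenSCAP project): the
# scan -> generate fix -> apply -> rescan loop as shell functions, plus
# helpers that read XCCDF results so a script can gate on them.
# Assumed defaults (override via the environment):
DS="${DS:-$HOME/Documents/scap-security-guide-0.1.62/ssg-ubuntu2004-ds.xml}"
PROFILE="${PROFILE:-xccdf_org.ssgproject.content_profile_standard}"
OUT="${OUT:-$HOME/Documents/scap/reports}"

# scan TAG: evaluate $PROFILE from $DS into $OUT/TAG-arf.xml and $OUT/TAG-report.html.
# oscap xccdf eval exits 0 when every selected rule passed, 2 when at least one
# rule failed and 1 on an error. A failed rule is a normal outcome of a first
# scan, so only exit 1 is fatal here. oscap does not create the output
# directory, hence the mkdir.
scan() {
    mkdir -p "$OUT"
    if sudo oscap xccdf eval --profile "$PROFILE" \
            --results-arf "$OUT/$1-arf.xml" --report "$OUT/$1-report.html" "$DS"; then
        return 0
    else
        rc=$?
        [ "$rc" -eq 2 ] && return 0
        echo "oscap failed with exit status $rc" >&2
        return "$rc"
    fi
}

# generate_fix TAG TYPE: remediation for the rules that failed in $OUT/TAG-arf.xml,
# written to $OUT/TAG-fix.<ext>. The empty --result-id selects the single
# TestResult embedded in the ARF. Always read the output before applying it.
generate_fix() {
    case "$2" in
        bash) ext=sh ;;
        ansible) ext=yml ;;
        puppet) ext=pp ;;
        *) echo "unsupported fix type: $2" >&2; return 1 ;;
    esac
    oscap xccdf generate fix --fix-type "$2" --result-id "" \
        --output "$OUT/$1-fix.$ext" "$OUT/$1-arf.xml"
}

# count_result FILE RESULT: how many rule results in an XCCDF/ARF results file
# have the given value (pass, fail, error, notapplicable, notchecked, ...).
# The only <result> elements in such a file belong to XCCDF rule-results; OVAL
# results embedded in an ARF use result="..." attributes and are not counted.
count_result() {
    grep -o "<result>$2</result>" "$1" | wc -l | tr -d ' '
}

# score FILE: percentage of passed rules among those that passed or failed
# (notapplicable, notchecked and notselected rules are left out).
score() {
    p=$(count_result "$1" pass)
    f=$(count_result "$1" fail)
    if [ $((p + f)) -eq 0 ]; then echo 0; else echo $((p * 100 / (p + f))); fi
}

# fails_decreased BEFORE AFTER: true when the second results file has fewer fails.
fails_decreased() {
    [ "$(count_result "$2" fail)" -lt "$(count_result "$1" fail)" ]
}

# sample_results RESULT...: constructed XCCDF TestResult fragment for offline
# testing, one rule-result per argument (rule ids are made up); prints the path.
sample_results() {
    f=$(mktemp)
    {
        echo '<TestResult id="sample">'
        n=0
        for r in "$@"; do
            n=$((n + 1))
            echo "  <rule-result idref=\"rule_sample_$n\"><result>$r</result></rule-result>"
        done
        echo '</TestResult>'
    } > "$f"
    echo "$f"
}

# Typical use on a real host (needs oscap and the data stream installed):
#   scan before
#   generate_fix before bash && sudo sh "$OUT/before-fix.sh"
#   scan after
#   echo "score: $(score "$OUT/before-arf.xml")% -> $(score "$OUT/after-arf.xml")%"
#   fails_decreased "$OUT/before-arf.xml" "$OUT/after-arf.xml" || echo "no improvement"
```

The fail count is the number to gate on, not the exit status alone: exit 2 only says that something failed, while count_result tells you whether the remediation actually moved the needle, and a rule that regressed from pass to fail after a fix is exactly what a before/after comparison catches.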

To remediate the remaining failures by hand, generate a human-readable guide for the profile. The guide lists every rule with its description, rationale and fix instructions, and is the document to follow for the rules the automated fix did not cover. (The Security Technical Implementation Guide, STIG, is a separate benchmark from DISA; SSG ships it as its own profile, which you can find with oscap info and scan against in the same way.)

sudo oscap xccdf generate guide \
--profile xccdf_org.ssgproject.content_profile_standard \
--output ~/Documents/scap/reports/standard-profile-guide.html \
~/Documents/scap-security-guide-0.1.62/ssg-ubuntu2004-ds.xml

OpenSCAP provides two ways of evaluating the data stream file.

  1. eXtensible Configuration Checklist Description Format (XCCDF), which I covered above.
  2. Open Vulnerability and Assessment Language (OVAL), which I cover below.

To evaluate the OVAL content of the data stream file directly, use the command below. Unlike an XCCDF scan, this evaluates every OVAL definition in the file, regardless of any profile.

sudo oscap oval eval \
--results ~/Documents/scap/reports/ubn2-oval-def.xml \
--report ~/Documents/scap/reports/ubn2-oval-report.html \
~/Documents/scap-security-guide-0.1.62/ssg-ubuntu2004-ds.xml

It generates:

ubn2-oval-def.xml, the OVAL results document, which contains a copy of the definitions evaluated from ssg-ubuntu2004-ds.xml together with the true/false result of each.

ubn2-oval-report.html, a human-readable view of the same results.

Read the true/false results with the content in mind: for SSG's compliance checks a definition that is true means the expected configuration is in place, whereas for a vendor vulnerability feed (such as the Ubuntu USN definitions downloaded earlier) a true definition means the affected package version is installed, i.e. the host is vulnerable.

oval evaluated html report
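The vendor OVAL feed downloaded earlier is the content that turns oscap oval eval into a vulnerability scan. The script below is an added example, not code from the article, from Canonical or from the OpenSCAP project: it fetches the Ubuntu USN feed using the URL pattern from the article, evaluates it, and lists the definitions that came back true together with their advisory titles. It assumes an Ubuntu host with lsb_release, wget and bunzip2 available, and a report directory taken from the article's paths; the sample results file used for offline testing is constructed with made-up definition ids and titles.

```shell
#!/bin/sh
# Added example (not from the article, Canonical or OpenSCAP): evaluate a vendor
# OVAL vulnerability feed and report the definitions that evaluated to true.
OUT="${OUT:-$HOME/Documents/scap/reports}"   # assumed report directory

# fetch_usn_oval: download and unpack Canonical's USN OVAL feed for this release;
# prints the path of the unpacked XML.
fetch_usn_oval() {
    mkdir -p "$OUT"
    rel=$(lsb_release -cs)
    wget -qO "$OUT/com.ubuntu.$rel.usn.oval.xml.bz2" \
        "https://security-metadata.canonical.com/oval/com.ubuntu.$rel.usn.oval.xml.bz2"
    bunzip2 -f "$OUT/com.ubuntu.$rel.usn.oval.xml.bz2"
    echo "$OUT/com.ubuntu.$rel.usn.oval.xml"
}

# oval_scan DEFS: evaluate every definition in DEFS and print the results path.
# The exit status is not a vulnerability verdict by itself; the per-definition
# results in the XML are what matter, so only a hard error (exit 1) is fatal.
oval_scan() {
    mkdir -p "$OUT"
    res="$OUT/oval-results.xml"
    if sudo oscap oval eval --results "$res" --report "$OUT/oval-report.html" "$1"; then
        rc=0
    else
        rc=$?
    fi
    if [ "$rc" -eq 1 ]; then echo "oscap error" >&2; return 1; fi
    echo "$res"
}

# definition_title RESULTS ID: the <title> of the definition declared with that
# id (an OVAL results file carries a copy of the evaluated definitions).
definition_title() {
    awk -v id="$2" '
        index($0, "<definition ") && index($0, " id=\"" id "\"") { in_def = 1 }
        in_def && /<title>/ { sub(/.*<title>/, ""); sub(/<\/title>.*/, ""); print; exit }
    ' "$1"
}

# true_definitions RESULTS: print "<definition_id> <title>" for every definition
# whose result is true. For a vendor vulnerability feed that is the list of
# unpatched advisories; for SSG compliance OVAL it would be the passed checks.
true_definitions() {
    grep -o '<definition [^>]*result="true"[^>]*>' "$1" \
      | sed -n 's/.*definition_id="\([^"]*\)".*/\1/p' \
      | while read -r id; do
            printf '%s %s\n' "$id" "$(definition_title "$1" "$id")"
        done
}

# sample_oval_results: constructed OVAL results document (made-up ids and
# titles) in the layout oscap writes: definitions first, then results.
sample_oval_results() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
<oval_results>
  <oval_definitions>
    <definitions>
      <definition class="patch" id="oval:com.example:def:1" version="1">
        <metadata>
          <title>Sample advisory 1: libfoo package vulnerability</title>
        </metadata>
      </definition>
      <definition class="patch" id="oval:com.example:def:2" version="1">
        <metadata>
          <title>Sample advisory 2: libbar package vulnerability</title>
        </metadata>
      </definition>
    </definitions>
  </oval_definitions>
  <results>
    <system>
      <definitions>
        <definition definition_id="oval:com.example:def:1" version="1" result="true"/>
        <definition definition_id="oval:com.example:def:2" version="1" result="false"/>
      </definitions>
    </system>
  </results>
</oval_results>
EOF
    echo "$f"
}

# On a real Ubuntu host:
#   true_definitions "$(oval_scan "$(fetch_usn_oval)")"
```

The vendor feed is rebuilt as advisories are published, so the download belongs in the scan job rather than being cached: a stale feed silently reports a host as clean for anything fixed after the feed was fetched.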


Conclusion

Security is a key component of any organization, and following security standards is best practice. In this article we covered the installation and use cases of the free and open-source tool OpenSCAP: auditing a system, maintaining security compliance, and applying the fixes recommended by SSG.

But wait, that's not the end. So far we have only worked with OVAL definitions already written by vendors or other contributors. In the next article I will explain OVAL in detail and write vulnerability definitions with it.

If you like the article please encourage me with a clap and leave your valuable feedback.
