Automate STIG Scanning with OpenSCAP and CloudInit
In this tutorial we create a CloudInit file to automate STIG scanning with OpenSCAP at server creation time
Prerequisites:
- Multipass installed (click link for installation guide)
Objectives:
- Create new SSH key for new user
- Launch Multipass VM with CloudInit file that creates a new user and automates Ubuntu 20.04 STIG scanning via OpenSCAP
- SSH into Multipass VM using new user and new SSH key
- Confirm Ubuntu STIG scan was completed and view report
Create SSH Key for User
This tutorial is an extension of my work done here where I discussed how to manually run a STIG scan using OpenSCAP. In this tutorial, we will use CloudInit to automate STIG scanning with OpenSCAP upon server creation.
The goal here is to have the Ubuntu 20.04 STIG run via OpenSCAP automatically upon server creation, with a dedicated user for retrieving the results. To do this, we can use a CloudInit YAML file. The CloudInit file located here is used to create a user named scap_auditor. The scap_auditor user has sudo permissions and is assigned an SSH key. You may already have a personal SSH key on your local machine, but we want to create a separate RSA-type SSH key specifically for the scap_auditor user (the CloudInit file below lists the key with an ssh-rsa prefix, so the key type you generate has to match it). To do this, run the following command on your local machine:
ssh-keygen -t rsa -C "scap_auditor@ATAR_IP"
The -t flag indicates what type of SSH key to generate (I chose RSA; current ssh-keygen versions default to a 3072-bit RSA key, and -b 4096 asks for a larger one). The -C flag stands for "Comment" and allows us to add a custom comment at the end of the public key that says "scap_auditor@ATAR_IP." This comment is not necessary, but since I have more than one SSH key, it helps me to remember that this is my scap_auditor user SSH key. You can put whatever you want in this comment section.
After running the above command, you will be asked to give a file name in which to save the new SSH key. If you just press Enter and don't indicate a file name, the key will be saved as the default "id_rsa" in your ~/.ssh folder. I wanted to remember that this key is specifically for my scap_auditor user, so I chose to save the key in a file called "scap-key."
When asked to enter a "passphrase" you can simply press Enter twice if you do not want to use a passphrase. If you do want to use a passphrase, type it out and press Enter, then type it out again to confirm it. Make sure you take note of the passphrase somewhere, as you will not be able to recover it later. After entering the passphrase, your key pair will be created and can be found in ~/.ssh.
Your SSH keys consist of a pair (one private key and one public key). The public key ends with the .pub extension, and the corresponding private key has the same name, without an extension.
Launch Multipass VM
For this section, copy the below CloudInit file into a file named cloud-init.yaml in your local directory (that is the name the launch command uses later). The file can also be found in my repo here. Indentation matters in YAML: the keys under - name: scap_auditor must stay indented as shown, or cloud-init will reject the file.
#cloud-config
users:
  - default
  - name: scap_auditor
    groups: sudo, admin
    shell: /bin/bash
    lock_passwd: true                # no password login for this account; SSH key only
    sudo: ALL=(ALL) NOPASSWD:ALL     # the key holder becomes root without a password
    ssh_authorized_keys:
      - ssh-rsa <SSH_public_key>     # paste the part of your .pub file after ssh-rsa; never the private key
package_update: true
package_upgrade: true
packages:
  - unzip
  - libopenscap8
  - ssg-debderived
# runcmd runs once at first boot, as root, as a single shell script, so each cd carries over
runcmd:
  - cd /usr/share/xml/scap/ssg/content
  - wget https://github.com/ComplianceAsCode/content/releases/download/v0.1.69/scap-security-guide-0.1.69.zip
  - unzip scap-security-guide-0.1.69.zip
  - cd scap-security-guide-0.1.69/
  # oscap exits 2 when any rule fails (expected on a fresh VM); report.html is still written
  - oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_stig --report report.html ssg-ubuntu2004-ds-1.2.xml
# Secure copy results file from remote to local (run from your local machine; not part of cloud-init)
# scp ubuntu@10.1.29.82:/usr/share/xml/scap/ssg/content/scap-security-guide-0.1.69/report.html ~/Development
You will need to replace <SSH_public_key> under ssh_authorized_keys with the public SSH key you created in the previous section. To get the actual key, vim or cat your <key.pub> file, copy the part after ssh-rsa, and paste it into the CloudInit file. Make sure you are pasting your public key (not private) into the CloudInit file: the private key never leaves your machine, and anything containing the words "PRIVATE KEY" does not belong in this file. This CloudInit file creates a default user, then a user called scap_auditor (you can name this user whatever you want) with sudo permissions. Because lock_passwd: true disables password login for the account, the NOPASSWD:ALL sudo rule is what lets the key holder become root without a password; that is fine for a throwaway test VM, but it is unrestricted root access for anyone holding the private key. Beyond the user creation, the rest of the file automates my previous STIG scanning work done here. Specifically, upon creation of the Ubuntu 20.04 server, the scap_auditor user will be created, the listed packages will be installed, and then cloud-init runs the commands under runcmd as root (not as scap_auditor) in one shell script, so each cd applies to the lines after it and the Ubuntu 20.04 STIG scan is run via OpenSCAP. The STIG scan results will then be output to a report.html file. Note that oscap xccdf eval exits with status 2 when at least one rule fails, which a freshly launched VM will certainly trigger, so cloud-init may record the runcmd script as failed even though the report was written.
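The two places where this CloudInit file trusts outside input are the public key you paste in and the archive that runcmd downloads and unzips. The following shell script is an added example, not part of the original tutorial or of the ComplianceAsCode project: render_cloud_config substitutes the first line of a .pub file for the ssh-rsa <SSH_public_key> placeholder, refusing anything that contains private-key material or does not begin with an OpenSSH key type (so it also accepts an ed25519 key, which goes beyond the RSA-only text above), and verify_archive compares a downloaded file against a SHA-512 digest you recorded beforehand, so unzip only runs on a match. The script name stig-prep.sh, the file names, and the digest argument are all assumptions; record the real digest of the release archive yourself, it is not given here.

```shell
#!/bin/sh
# Added example, not from the original tutorial or from ComplianceAsCode.
# Two checks for the places where the cloud-init file trusts outside input:
#   render_cloud_config  - fills the "ssh-rsa <SSH_public_key>" placeholder
#                          from a .pub file, refusing private-key material
#   verify_archive       - compares a downloaded archive with a SHA-512 digest
#                          recorded beforehand, so unzip only runs on a match
# All paths, file names and the digest are assumptions supplied by the caller.

# Print the key type from the first line of an OpenSSH public key file.
# Fails on anything carrying private-key material or an unknown type.
pubkey_type() {
    keyfile="$1"
    if grep -q 'PRIVATE KEY' "$keyfile"; then
        echo "refusing $keyfile: contains private key material" >&2
        return 1
    fi
    ktype=$(awk 'NR == 1 { print $1 }' "$keyfile")
    case "$ktype" in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521)
            printf '%s\n' "$ktype" ;;
        *)
            echo "refusing $keyfile: first field '$ktype' is not an OpenSSH key type" >&2
            return 1 ;;
    esac
}

# Write the cloud-init template to stdout with the placeholder replaced by
# the whole key line (type, base64 blob, comment), whatever the key type.
render_cloud_config() {
    template="$1"
    keyfile="$2"
    placeholder='ssh-rsa <SSH_public_key>'
    pubkey_type "$keyfile" >/dev/null || return 1
    if ! grep -q -F "$placeholder" "$template"; then
        echo "placeholder '$placeholder' not found in $template" >&2
        return 1
    fi
    keyline=$(awk 'NR == 1 { print }' "$keyfile")
    # index/substr instead of sub(): base64 contains '/' and '+', which
    # would need escaping in a regex replacement.
    awk -v key="$keyline" -v ph="$placeholder" '
        {
            i = index($0, ph)
            if (i) $0 = substr($0, 1, i - 1) key substr($0, i + length(ph))
            print
        }' "$template"
}

# SHA-512 hex digest of a file (sha512sum on Linux, shasum elsewhere).
sha512_of() {
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$1" | awk '{ print $1 }'
    else
        shasum -a 512 "$1" | awk '{ print $1 }'
    fi
}

# Succeed only when the archive's digest equals the expected one.
# Inside runcmd the same gate is one line between wget and unzip:
#   - echo "<sha512>  scap-security-guide-0.1.69.zip" | sha512sum -c - || exit 1
verify_archive() {
    archive="$1"
    expected="$2"
    actual=$(sha512_of "$archive") || return 1
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch for $archive" >&2
        echo "  expected: $expected" >&2
        echo "  actual:   $actual" >&2
        return 1
    fi
    return 0
}

# Command-line use (hypothetical script name stig-prep.sh); nothing runs
# when the file is sourced or called without arguments:
#   sh stig-prep.sh render cloud-init.yaml ~/.ssh/scap-key.pub > rendered.yaml
#   sh stig-prep.sh verify scap-security-guide-0.1.69.zip <sha512>
case "${1:-}" in
    render) render_cloud_config "$2" "$3" ;;
    verify) verify_archive "$2" "$3" ;;
esac
```

The render step refuses to proceed rather than silently writing a broken file, which matters because a private key pasted into ssh_authorized_keys is both a leak and a login failure. The digest check belongs on the VM side as well: without it, runcmd will unzip and hand to oscap whatever the download returned.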
Multipass is pretty simple to use and allows you to quickly spin up VMs for development and testing work. This came in particularly useful recently when my work’s remote servers were down. I was able to spin up a Multipass VM within minutes to continue testing the work I was doing. For this tutorial, I wanted to spin up a VM with the Ubuntu 20.04 OS. To do this, I first visited the Multipass documentation here to find the custom alias for Ubuntu 20.04 (see screenshot below).
After finding the alias of the OS you want to use, pass it into the below command to spin up the Multipass VM:
multipass launch focal --name STIG --cloud-init cloud-init.yaml
Use --name to give your VM a name, and --cloud-init to indicate the name of your CloudInit YAML file. By passing in the CloudInit file at VM creation, all of the commands in the file will be performed on creation of the server. If you're familiar with creating an AWS EC2 instance, this is similar to putting a script in the User Data section. multipass launch waits for cloud-init to finish initializing, and because this file upgrades every package and then runs a full STIG scan, that can take longer than the default wait; if launch reports a timeout, raise it with --timeout <seconds> on the next attempt.
Find IPv4 of VM
At this point, you could simply run multipass shell <name_of_VM> to shell into your newly created VM. However, we want to test that we can SSH into the server with the scap_auditor user we created on initial boot. First we need to find the IPv4 address of the VM we just created, and can do that with the following command:
multipass info <name_of_VM>
SSH into Multipass VM
Change directory to where your private SSH key is located (~/.ssh if you accepted the default location earlier).
Use the -i flag (-i = identity) to pass in the name of the private key file you want to use. Remember, your public key will have the .pub extension and your corresponding private key will be the same key name with no extension. In this tutorial, scap-key is my private key file and scap-key.pub is my public key file. Replace <VM_IPv4_address> in the below command with the IPv4 address you found in the last section.
ssh scap_auditor@<VM_IPv4_address> -i scap-key
If prompted “Are you sure you want to continue connecting” type “Yes” and press Enter to continue.
Notice I am now SSH’d in as scap_auditor.
Confirm Ubuntu STIG Completed
If you followed along with my previous tutorial, you may remember that when a STIG is run with OpenSCAP, the results are output to a report.html file located at /usr/share/xml/scap/ssg/content/scap-security-guide-0.1.69/. Let's see if our report was created upon server creation.
cd /usr/share/xml/scap/ssg/content/scap-security-guide-0.1.69/
List the directory and you should see that a report.html file does exist where we expect it to. If it is not there yet, cloud-init may still be running: cloud-init status --wait blocks until it finishes, and /var/log/cloud-init-output.log holds the output of the package installs and the oscap run, which is also where to look if the scan never produced a report. Let's secure copy it from the remote server to our local machine so we can open it up and see the report. Open a new terminal window on your local machine where you are not SSH'd into the remote server.
Note that in the below command I will copy the file to a Development folder located in my home directory. If you get a "Permission denied (publickey)" error and you have more than one SSH key (like myself), you need to use the -i flag to indicate which key should be used, exactly as with ssh. Replace <VM_IPv4_address> with the IP address of the Multipass VM you found earlier.
scp -i scap-key scap_auditor@<VM_IPv4_address>:/usr/share/xml/scap/ssg/content/scap-security-guide-0.1.69/report.html ~/Development
Find the file in your local directory and open it to view the results of your OpenSCAP STIG scan.
Conclusion and Clean Up
There you have it! STIG scanning with OpenSCAP has been automated by passing in a specific CloudInit file upon server creation. If you no longer need the report.html file, you can delete it from your local directory. To clean up the Multipass VM, run the following:
exit
multipass delete <name_of_VM>
multipass purge
# Confirm VM has been deleted
multipass list
Thank you so much for following along! Between this tutorial and my last one, hopefully STIG scanning is a little less scary. Keep watching for more tutorials, as I’ll continue to teach as I learn.