STIG Scanning a Remote Machine from Local

Using OpenSCAP’s oscap-ssh Utility

Brandi McCall
Defense Unicorns
9 min read, Oct 19, 2023


In this tutorial, we will launch an Ubuntu 20.04 Multipass VM with a CloudInit file that creates a scap_auditor user and installs OpenSCAP. We will then perform a STIG scan on the VM from our local machine using OpenSCAP’s oscap-ssh utility.

Prerequisites:

  • Multipass installed
  • Unzip installed

Objectives:

  • Discuss OpenSCAP’s oscap-ssh utility
  • Launch a Multipass VM and pass a CloudInit file
  • Discuss how to run an Ubuntu 20.04 STIG scan on a remote machine from your local machine

What is OpenSCAP’s oscap-ssh Tool?

OpenSCAP is an open-source implementation of the Security Content Automation Protocol (SCAP), a suite of security standards developed by the National Institute of Standards and Technology (NIST). One capability of OpenSCAP is to perform security compliance checks of IT systems by running a scan that compares the actual configuration of a system against a security baseline, such as the Security Technical Implementation Guide (STIG) for that system. In this tutorial, we will deploy Ubuntu 20.04 on a Multipass VM and run the Ubuntu 20.04 STIG profile from the SCAP Security Guide (SSG) content against it.

Typically you install OpenSCAP and the SCAP security guide on the machine you want to scan, then use the oscap xccdf eval command to evaluate the STIG against the machine. There may be an instance, however, where you can’t or don’t want to put the scanning content on the machine you want to scan, but you can SSH into it. OpenSCAP provides a way to scan a remote machine from your local machine via the oscap-ssh utility. You run this command on your local machine; it SSHes into the remote machine, copies the security guide over, scans the machine per the given security guide and profile, writes a report of the scan results, and secure copies the report back to your local machine.

Launch Multipass VM

In this section we will use Multipass to quickly spin up a VM with the Ubuntu 20.04 image. At the time of this writing, the STIGs for Ubuntu 22.04 and 23.04 have not yet been released, thus the reason for using 20.04. In addition to spinning up the VM, we will pass in a CloudInit file on initial boot. Let’s get started!

On your local machine, change to the directory you want to work in and create a cloud-init.yaml file with the following contents:

#cloud-config
users:
  - default
  - name: scap_auditor
    groups: sudo, admin
    shell: /bin/bash
    lock_passwd: true
    sudo: ALL=(ALL) NOPASSWD:ALL
    ssh_authorized_keys:
      - ssh-rsa <public_key>

package_update: true
package_upgrade: true
packages:
  - libopenscap8

When creating a CloudInit file, you must have #cloud-config on the first line to identify it as CloudInit user data. The above file creates the default user and a scap_auditor user (you can name this user whatever you want). For the scap_auditor user, replace <public_key> with the public key of an SSH key pair you hold, and keep the key type that your public key file starts with (ssh-ed25519 rather than ssh-rsa if that is what you generated). lock_passwd: true leaves the account without a usable password, so that key is the only way in, and the sudo line lets the user run commands as root without a password, which is what later allows a scan to run as root. If you do not have a key pair, or want to create a new one, follow GitHub’s instructions for generating a new SSH key and adding it to your ssh-agent (and the Apple Keychain if using a Mac). If you still have questions, check out the “Create SSH Key for User” section in my previous tutorial. Alternatively, you can follow the CloudInit documentation to create a user password instead of an SSH key.

The rest of the file updates the package index, upgrades installed packages, then installs libopenscap8, the Ubuntu 20.04 package that provides the oscap command (the OpenSCAP 1.2 series on this release). After saving the file in your local directory, open a new terminal window and run the command below to spin up the VM. You can name the VM whatever you want; I used STIG for simplicity. focal is the image name for Ubuntu 20.04.

#Launch Multipass VM with Ubuntu 20.04
multipass launch focal --name STIG --cloud-init cloud-init.yaml

After the Multipass VM finishes spinning up, launch a shell on it (the next few checks run inside this shell). CloudInit keeps working for a while after the first boot; cloud-init status --wait inside the VM blocks until the package installation has finished:

multipass shell <VM_name>

Scanning a Remote Machine with oscap-ssh

The oscap-ssh utility allows you to perform SCAP evaluations on a remote machine via SSH from your local machine. After performing the compliance check, oscap-ssh automatically creates a report.html of the findings and secure copies it to your local machine. The oscap-ssh tool is built into Ubuntu 23.04, but since we are using Ubuntu 20.04, we will have to fetch it in a later step. Instructions on how to use oscap-ssh can be found in the OpenSCAP user manual under section 5.1.

The instructions are brief and can be a bit misleading. Lucky for you, I’ve already gone through the pain of the documented command not working, and figured out what exactly they want you to do.

First, let’s confirm that OpenSCAP correctly installed on the VM from the CloudInit file:

which oscap

which searches your $PATH, so a result of /usr/bin/oscap confirms both that the binary is installed and that it is on the path. To see the path it searched, run:

echo $PATH

Perfect, we should be good to continue. The official documentation states “The tool uses SSH connection to copy the SCAP content to a remote machine, then it runs an evaluation of the target system and downloads the results back.” This means we need the SCAP content on our local machine, so that the tool can copy it to the remote machine and run the scan. The SCAP content the documentation is referring to is the SCAP Security Guide (SSG), the datastreams built by the ComplianceAsCode project. For Ubuntu 16.04 and later, download the release zip on your local machine (not the VM):

#No sudo needed: this only writes a zip into the current directory
wget https://github.com/ComplianceAsCode/content/releases/download/v0.1.69/scap-security-guide-0.1.69.zip

The SCAP security guide downloads as a zip file. Find it in your current directory and unzip it.

After unzipping, cd into scap-security-guide-0.1.69 and you will find the Ubuntu 20.04 datastream, ssg-ubuntu2004-ds-1.2.xml. (The directory also holds ssg-ubuntu2004-ds.xml, the SCAP 1.3 build of the same content; the -1.2 file is the one to use with the OpenSCAP 1.2 series that libopenscap8 installs on Ubuntu 20.04.)

When running a scan with OpenSCAP, you need to include in the command which security profile you want to run the scan as. Each datastream has a variety of profiles that contain different rules and values to adhere to different security baselines (STIG, CIS and so on), thus tailoring the security configurations to specific use cases. You can see the available profiles of the ssg-ubuntu2004-ds-1.2.xml datastream with the following command:

oscap info ssg-ubuntu2004-ds-1.2.xml

Well that’s no fun. The documentation told me I don’t need OpenSCAP (oscap) installed on my local machine but I can’t view the security guide profiles without it. Now what?

A few workarounds here:

  • You have oscap installed on the VM, so you could use the same wget command above to also install the security guides on the VM, then run oscap info ssg-ubuntu2004-ds-1.2.xml to see the profiles.
  • Or, you could go ahead and install OpenSCAP on your local machine so that you can actually read the contents of the security guide.
  • Or, best case scenario, you’ve done this before and you already know the name of the profile you want to use.

Fortunately for us, the latter is the case. I’ve done this a few times before, so trust me when I say the STIG profile for the Ubuntu 20.04 security guide is xccdf_org.ssgproject.content_profile_stig. In one of my previous tutorials, where oscap and the security guides were installed on the same machine, oscap info listed that profile among the others for this datastream, which is how I know it.
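If you would rather not install oscap locally, the profile IDs can be read straight out of the datastream, which is plain XML. The following is an added example, not code from the original post or from OpenSCAP: a small awk function that prints each profile’s ID and title, relying on the pretty-printed layout of the SSG files (each Profile element opens on its own line and its title element follows). It includes a constructed stand-in for the datastream so it can be run offline; the two profile IDs are real SSG IDs, the titles are illustrative.

```shell
# Added example (not from the original post or OpenSCAP): list profile IDs and
# titles in an SSG datastream with awk alone, for when oscap is not installed
# locally. Relies on SSG's pretty-printed layout: a <...:Profile id="..."> tag
# opens on its own line and the profile's <...:title> element follows it.
list_profiles() {
  # $1: path to a datastream such as ssg-ubuntu2004-ds-1.2.xml
  awk '
    /<[A-Za-z0-9._:-]*Profile[[:space:]]/ {
      if (match($0, /id="[^"]*"/)) {
        id = substr($0, RSTART + 4, RLENGTH - 5)   # text between id=" and "
        want_title = 1
      }
      next
    }
    want_title && /<[A-Za-z0-9._:-]*title[[:space:]>]/ {
      t = $0
      sub(/^[^>]*>/, "", t)   # strip the opening <title ...> tag
      sub(/<.*$/, "", t)      # strip the closing tag
      print id "\t" t
      want_title = 0
    }
  ' "$1"
}

# Constructed stand-in for the real datastream so the function can be tried
# offline. The profile IDs are real SSG IDs; the titles are illustrative.
SAMPLE_DS=$(mktemp)
trap 'rm -f "$SAMPLE_DS"' EXIT
cat >"$SAMPLE_DS" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<ds:data-stream-collection xmlns:ds="http://scap.nist.gov/schema/scap/source/1.2">
  <xccdf-1.2:Benchmark xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.ssgproject.content_benchmark_UBUNTU_20-04">
    <xccdf-1.2:title xml:lang="en-US">Guide to the Secure Configuration of Ubuntu 20.04</xccdf-1.2:title>
    <xccdf-1.2:Profile id="xccdf_org.ssgproject.content_profile_cis_level1_server">
      <xccdf-1.2:title xml:lang="en-US" override="true">CIS Ubuntu 20.04 Level 1 Server Benchmark</xccdf-1.2:title>
    </xccdf-1.2:Profile>
    <xccdf-1.2:Profile id="xccdf_org.ssgproject.content_profile_stig">
      <xccdf-1.2:title xml:lang="en-US" override="true">DISA STIG for Ubuntu 20.04 LTS</xccdf-1.2:title>
    </xccdf-1.2:Profile>
  </xccdf-1.2:Benchmark>
</ds:data-stream-collection>
EOF

list_profiles "$SAMPLE_DS"
# Against the real file, from the unzipped directory:
#   list_profiles scap-security-guide-0.1.69/ssg-ubuntu2004-ds-1.2.xml
```

The output is one tab-separated line per profile, with the exact string you hand to --profile in the first column.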

The oscap-ssh documentation continues, “The remote machine needs to have OpenSCAP installed.” We did that earlier via our CloudInit file when we spun up the VM, and confirmed it was installed and in our $PATH.

Ok, at this point, we have the Ubuntu 20.04 security guide downloaded on our local machine, OpenSCAP installed on the remote machine, and we know the name of the security guide and profile we want to use to run our scan. Let’s move on to installing the oscap-ssh utility.

Install oscap-ssh

The oscap-ssh tool is built into Ubuntu 23.04, but since we are using Ubuntu 20.04, we will have to fetch the script ourselves. On your local machine, back out of the scap-security-guide-0.1.69 directory we were in and create a new file called oscap-ssh with the contents of this file from the OpenSCAP repository. It is a bash script that drives ssh and scp on your behalf, so read it before you run it, and prefer the copy at the release tag matching the oscap version on the VM over the main branch, since the options the script understands have changed between releases:

https://github.com/OpenSCAP/openscap/blob/main/utils/oscap-ssh

Make the file executable:

chmod u+x oscap-ssh   #no sudo needed, you own the file

Scan the Remote VM

Let’s do a quick recap: the Ubuntu 20.04 datastream is unzipped on our local machine, OpenSCAP is installed on the VM, we know the profile ID, and the oscap-ssh script is executable in our working directory.

We are now ready to run the oscap-ssh command from the local machine! The structure of the command goes like this:

./oscap-ssh user@host <SSH_port> xccdf eval --profile <ssg_profile> \
--report report.html <path_to_security_guide>/ssg-ubuntu2004-ds-1.2.xml

Running ./ executes the oscap-ssh script in your current directory. The user will be the scap_auditor user that we created earlier because remember, we have the private and public SSH keys for that user locally and we added them to the ssh-agent. The host IP is the IP of our Multipass VM. We can find the IP by running multipass list or multipass info <VM_name> from your local machine.

The SSH_port will be 22. xccdf eval tells oscap (via oscap-ssh) to evaluate the XCCDF content in the datastream given as the last argument, using the profile named in --profile. The --report flag writes the scan results to an easy to read HTML file, report.html, which oscap-ssh copies back into the directory you ran it from. Replace <path_to_security_guide> with the path of the security guide on your local machine, so oscap-ssh knows where to copy it from. One caveat: run as the plain scap_auditor user, oscap cannot read root-only files such as /etc/shadow, so the STIG rules that depend on them cannot be evaluated properly and show up as errors rather than pass or fail. oscap-ssh accepts --sudo as its first argument (before user@host) to run oscap under sudo on the remote, which is exactly what the NOPASSWD sudo line in the CloudInit file allows. Putting all of this together, we get something like the command below. Make sure you are running the command from the local directory that has the oscap-ssh script!

./oscap-ssh scap_auditor@192.168.64.23 22 xccdf eval --profile \
xccdf_org.ssgproject.content_profile_stig --report \
report.html /Users/brandi/Development/Cyber/STIG/scap-security-guide-0.1.69/ssg-ubuntu2004-ds-1.2.xml

You will see a long list of rules evaluated and whether they passed, failed, or are not applicable. Once the scan finishes, oscap-ssh copies report.html back into the directory you ran it from and exits with oscap’s own status: 0 when every rule passed, 2 when at least one rule failed, and 1 on an error (bad arguments, unreadable content, or an SSH problem), which is what to branch on if you script this.

Run ls to see that your report.html file was created.

Open it in a browser: the report shows the overall compliance score at the top and, below it, each rule’s result with the rule’s description and rationale, so the failed rules are where to start with remediation.
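Pulling the steps above together, here is an added example wrapper script; it is not part of the original post or of the OpenSCAP project. It checks the VM before scanning (oscap present, passwordless sudo working), runs oscap-ssh with --sudo, keeps the machine-readable XCCDF results file alongside report.html, and turns oscap’s exit status and the results into a one-line summary suitable for a CI job. Assumed rather than taken from the page: the oscap-ssh script sits in the current directory, the scap_auditor key is loaded in ssh-agent, and the TARGET, SSH_PORT, DS and PROFILE variables (defaults match the command above) are overridable from the environment. The results fragment at the bottom is constructed so the summary function can be exercised without a VM.

```shell
#!/bin/sh
# Added example, not from the original post or the OpenSCAP project: a wrapper
# around oscap-ssh that checks the remote first, scans with sudo, keeps the
# XCCDF results next to the HTML report and summarises the outcome.
# Assumptions (not in the original): ./oscap-ssh exists in this directory, the
# scap_auditor key is loaded in ssh-agent, and the VM address below is yours.

TARGET="${TARGET:-scap_auditor@192.168.64.23}"   # user@host of the Multipass VM
SSH_PORT="${SSH_PORT:-22}"
DS="${DS:-scap-security-guide-0.1.69/ssg-ubuntu2004-ds-1.2.xml}"
PROFILE="${PROFILE:-xccdf_org.ssgproject.content_profile_stig}"

# Fail fast if the remote cannot run the scan: oscap-ssh only discovers a
# missing oscap (or a sudo prompt) after it has copied the datastream over.
preflight() {
  ssh -p "$SSH_PORT" -o BatchMode=yes "$TARGET" \
    'command -v oscap >/dev/null && oscap --version | head -n 1 && sudo -n true'
}

# oscap xccdf eval exits 0 when every rule passed, 2 when at least one rule
# failed and 1 on error; oscap-ssh passes that status through.
explain_exit() {
  case "$1" in
    0) echo "all evaluated rules passed" ;;
    1) echo "oscap error (bad arguments, unreadable content, ssh or sudo failure)" ;;
    2) echo "at least one rule failed" ;;
    *) echo "unexpected exit status $1" ;;
  esac
}

# Count <result>STATE</result> elements in an XCCDF results file (what
# --results writes). An optional namespace prefix on the tag is tolerated;
# a missing file yields all zeros rather than aborting the caller.
summarize_results() {
  out=""
  for state in pass fail error notapplicable notchecked; do
    n=$(grep -cE "<([A-Za-z0-9._-]+:)?result>$state<" "$1" 2>/dev/null || true)
    out="$out${out:+ }$state=${n:-0}"
  done
  echo "$out"
}

run_scan() {
  # --sudo makes oscap-ssh run oscap under sudo on the remote, so rules that
  # read root-only files (e.g. /etc/shadow) get a real pass/fail, not an error.
  ./oscap-ssh --sudo "$TARGET" "$SSH_PORT" xccdf eval \
    --profile "$PROFILE" \
    --results results.xml \
    --report report.html \
    "$DS"
}

main() {
  preflight || { echo "preflight failed: cannot run oscap via sudo on $TARGET" >&2; return 1; }
  run_scan; rc=$?
  echo "oscap-ssh exit $rc: $(explain_exit "$rc")"
  summarize_results results.xml
  return "$rc"
}

# Constructed results fragment so summarize_results can be exercised offline;
# the rule IDs are illustrative and the outcomes are made up.
SAMPLE_RESULTS=$(mktemp)
trap 'rm -f "$SAMPLE_RESULTS"' EXIT
cat >"$SAMPLE_RESULTS" <<'EOF'
<TestResult id="xccdf_org.open-scap_testresult_xccdf_org.ssgproject.content_profile_stig">
  <rule-result idref="xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen"><result>pass</result></rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_package_aide_installed"><result>fail</result></rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_use_approved_ciphers"><result>pass</result></rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_grub2_password"><result>notapplicable</result></rule-result>
</TestResult>
EOF
summarize_results "$SAMPLE_RESULTS"   # pass=2 fail=1 error=0 notapplicable=1 notchecked=0

# Only touch the VM when explicitly asked, so sourcing this file for its
# functions (or running it without arguments) is safe.
if [ "${1:-}" = "scan" ]; then
  main
fi
```

Save it as, say, scan.sh and run sh scan.sh scan for a real scan; with no argument it only exercises the summary on the constructed fragment. If your key is not in ssh-agent, oscap-ssh itself reads extra ssh options from the SSH_ADDITIONAL_OPTIONS environment variable (for example -i with the path to the key file); export it and add the same option to the ssh call in preflight.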

Conclusion and Clean Up

Hopefully this tutorial has helped you better understand how you can use OpenSCAP’s oscap-ssh tool to perform a STIG scan on a remote machine from your local one. Remediation of failed rules can be done using OpenSCAP as well, and this will likely be covered in a future tutorial.

If you no longer need them, you can delete the oscap-ssh script, the scap-security-guide-0.1.69 zip and directory, and the report.html file from your local computer.

To clean up the Multipass VM, run the following:

multipass delete <name_of_VM>
multipass purge
multipass list #Confirm VM has been fully removed

Thank you so much for following along! I hope that you learned something and will continue to watch for more DevOps content!
