OpenSCAP : Install2022/07/01 |
Install OpenSCAP which is the security audit and vulnerability scanning tool based on SCAP (Security Content Automation Protocol).
For details about SCAP, refer to the site below.
⇒ https://csrc.nist.gov/projects/security-content-automation-protocol OVAL (Open Vulnerability and Assessment Language) XCCDF (Extensible Configuration Checklist Description Format) OCIL (Open Checklist Interactive Language) CPE (Common Platform Enumeration) CCE (Common Configuration Enumeration) CVE (Common Vulnerabilities and Exposures) CVSS (Common Vulnerability Scoring System) |
|
[1] | Install OpenSCAP command line tool and SCAP Security Guide for Linux. |
[root@dlp ~]# dnf -y install openscap-scanner scap-security-guide
|
[2] | SCAP Security Guide is installed under the [/usr/share/xml/scap/ssg/content] directory. |
[root@dlp ~]# ll /usr/share/xml/scap/ssg/content/ total 41804 -rw-r--r--. 1 root root 21300553 Jun 2 00:13 ssg-cs9-ds.xml -rw-r--r--. 1 root root 21502789 Jun 2 00:13 ssg-rhel9-ds.xml # display description for each content [root@dlp ~]# oscap info /usr/share/xml/scap/ssg/content/ssg-cs9-ds.xml Document type: Source Data Stream Imported: 2022-06-02T00:13:16 Stream: scap_org.open-scap_datastream_from_xccdf_ssg-rhel9-xccdf-1.2.xml Generated: (null) Version: 1.3 Checklists: Ref-Id: scap_org.open-scap_cref_ssg-rhel9-xccdf-1.2.xml Status: draft Generated: 2022-06-01 Resolved: true Profiles: Title: ANSSI-BP-028 (enhanced) Id: xccdf_org.ssgproject.content_profile_anssi_bp28_enhanced Title: ANSSI-BP-028 (high) Id: xccdf_org.ssgproject.content_profile_anssi_bp28_high Title: ANSSI-BP-028 (intermediary) Id: xccdf_org.ssgproject.content_profile_anssi_bp28_intermediary Title: ANSSI-BP-028 (minimal) Id: xccdf_org.ssgproject.content_profile_anssi_bp28_minimal Title: [DRAFT] CIS Red Hat Enterprise Linux 9 Benchmark for Level 2 - Server Id: xccdf_org.ssgproject.content_profile_cis Title: [DRAFT] CIS Red Hat Enterprise Linux 9 Benchmark for Level 1 - Server Id: xccdf_org.ssgproject.content_profile_cis_server_l1 Title: [DRAFT] CIS Red Hat Enterprise Linux 9 Benchmark for Level 1 - Workstation Id: xccdf_org.ssgproject.content_profile_cis_workstation_l1 Title: [DRAFT] CIS Red Hat Enterprise Linux 9 Benchmark for Level 2 - Workstation Id: xccdf_org.ssgproject.content_profile_cis_workstation_l2 Title: [DRAFT] Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171) Id: xccdf_org.ssgproject.content_profile_cui Title: Australian Cyber Security Centre (ACSC) Essential Eight Id: xccdf_org.ssgproject.content_profile_e8 Title: Health Insurance Portability and Accountability Act (HIPAA) Id: xccdf_org.ssgproject.content_profile_hipaa Title: Australian Cyber Security Centre (ACSC) ISM Official Id: xccdf_org.ssgproject.content_profile_ism_o Title: [DRAFT] Protection Profile for General Purpose Operating Systems Id: xccdf_org.ssgproject.content_profile_ospp Title: PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 9 Id: xccdf_org.ssgproject.content_profile_pci-dss Title: [DRAFT] DISA STIG for Red Hat Enterprise Linux 9 Id: xccdf_org.ssgproject.content_profile_stig Title: [DRAFT] DISA STIG with GUI for Red Hat Enterprise Linux 9 Id: xccdf_org.ssgproject.content_profile_stig_gui Referenced check files: ssg-rhel9-oval.xml system: http://oval.mitre.org/XMLSchema/oval-definitions-5 ssg-rhel9-ocil.xml system: http://scap.nist.gov/schema/ocil/2 security-data-oval-com.redhat.rhsa-RHEL9.xml.bz2 system: http://oval.mitre.org/XMLSchema/oval-definitions-5 Checks: Ref-Id: scap_org.open-scap_cref_ssg-rhel9-oval.xml Ref-Id: scap_org.open-scap_cref_ssg-rhel9-ocil.xml Ref-Id: scap_org.open-scap_cref_ssg-rhel9-cpe-oval.xml Ref-Id: scap_org.open-scap_cref_security-data-oval-com.redhat.rhsa-RHEL9.xml.bz2 Dictionaries: Ref-Id: scap_org.open-scap_cref_ssg-rhel9-cpe-dictionary.xml |
[3] | Scan CentOS System with [oscap] command. Scan result is renerated as HTML report, you should verify it and try to apply recommended settings as much as possible. |
# xccdf : specify [xccdf] module
# ⇒ available modules : info, xccdf, oval, ds, cpe, cvss, cve, cvrf # [--profile] : specify profile # ⇒ available profiles are on the result you run [oscap info] command above # [--results] : output file # [--report] : output HTML report oscap xccdf eval \ --profile xccdf_org.ssgproject.content_profile_ospp \ --results ssg-cs9-ds.xml \ --report ssg-cs9-ds.html \ /usr/share/xml/scap/ssg/content/ssg-cs9-ds.xml Downloading: https://access.redhat.com/security/data/oval/com.redhat.rhsa-RHEL9.xml.bz2 ... ok --- Starting Evaluation --- Title Install AIDE Rule xccdf_org.ssgproject.content_rule_package_aide_installed Result fail Title Enable Dracut FIPS Module Rule xccdf_org.ssgproject.content_rule_enable_dracut_fips_module Result fail Title Enable FIPS Mode Rule xccdf_org.ssgproject.content_rule_enable_fips_mode Result fail Title Install crypto-policies package Rule xccdf_org.ssgproject.content_rule_package_crypto-policies_installed Result pass Title Configure BIND to use System Crypto Policy Rule xccdf_org.ssgproject.content_rule_configure_bind_crypto_policy Result pass Title Configure System Cryptography Policy Rule xccdf_org.ssgproject.content_rule_configure_crypto_policy Result fail Title Configure Kerberos to use System Crypto Policy Rule xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy Result pass ..... ..... |
[4] |
It's possible to generate remediation script from scaned result.
Remediation script will change various system settings, so you must take care if you run it, especially for production systems.
|
# make sure the [Result ID] in the result output on [3] [root@dlp ~]# oscap info ssg-cs9-ds.xml | grep "Result ID" Result ID: xccdf_org.open-scap_testresult_xccdf_org.ssgproject.content_profile_ospp # generate remediation script
# [--fix-type] : specify fix type : default is Bash # ⇒ available type ⇒ bash, ansible, puppet, anaconda, ignition, kubernetes, blueprint # [--output] : specify output script file # [--result-id] : specify [Result ID]
[root@dlp ~]#
[root@dlp ~]# oscap xccdf generate fix \
--fix-type bash \ --output ssg-cs9-ds-remediation.sh \ --result-id xccdf_org.open-scap_testresult_xccdf_org.ssgproject.content_profile_ospp \ ssg-cs9-ds.xml total 16172 -rw-------. 1 root root 1100 Nov 26 2021 anaconda-ks.cfg -rw-r--r--. 1 root root 2286030 Jul 29 09:37 ssg-cs9-ds.html -rwx------. 1 root root 183754 Jul 29 09:55 ssg-cs9-ds-remediation.sh -rw-r--r--. 1 root root 14081044 Jul 29 09:37 ssg-cs9-ds.xml # run remediation script [root@dlp ~]# ./ssg-cs9-ds-remediation.sh ..... ..... Remediating rule 111/112: 'xccdf_org.ssgproject.content_rule_service_usbguard_enabled' Created symlink /etc/systemd/system/basic.target.wants/usbguard.service /usr/lib/systemd/system/usbguard.service. Remediating rule 112/112: 'xccdf_org.ssgproject.content_rule_usbguard_allow_hid_and_hub' # check again [root@dlp ~]# oscap xccdf eval \ --profile xccdf_org.ssgproject.content_profile_ospp \ --results ssg-cs9-ds_after-remediation.xml \ --report ssg-cs9-ds_after-remediation.html \ /usr/share/xml/scap/ssg/content/ssg-cs9-ds.xml |
After running remediation script, many [fail] items has been improved. |
Sponsored Link |
|