CentOS Stream 9
Sponsored Link

OpenSCAP : Install
2022/07/01
 
Install OpenSCAP which is the security audit and vulnerability scanning tool based on SCAP (Security Content Automation Protocol).
For details about SCAP, refer to the site below.
⇒ https://csrc.nist.gov/projects/security-content-automation-protocol
OVAL  (Open Vulnerability and Assessment Language)

XCCDF (Extensible Configuration Checklist Description Format)

OCIL  (Open Checklist Interactive Language)

CPE   (Common Platform Enumeration)

CCE   (Common Configuration Enumeration)

CVE   (Common Vulnerabilities and Exposures)

CVSS  (Common Vulnerability Scoring System)

[1] Install OpenSCAP command line tool and SCAP Security Guide for Linux.
[root@dlp ~]#
dnf -y install openscap-scanner scap-security-guide
[2] SCAP Security Guide is installed under the [/usr/share/xml/scap/ssg/content] directory.
[root@dlp ~]#
ll /usr/share/xml/scap/ssg/content/

total 41804
-rw-r--r--. 1 root root 21300553 Jun  2 00:13 ssg-cs9-ds.xml
-rw-r--r--. 1 root root 21502789 Jun  2 00:13 ssg-rhel9-ds.xml

# display description for each content

[root@dlp ~]#
oscap info /usr/share/xml/scap/ssg/content/ssg-cs9-ds.xml

Document type: Source Data Stream
Imported: 2022-06-02T00:13:16

Stream: scap_org.open-scap_datastream_from_xccdf_ssg-rhel9-xccdf-1.2.xml
Generated: (null)
Version: 1.3
Checklists:
        Ref-Id: scap_org.open-scap_cref_ssg-rhel9-xccdf-1.2.xml
                Status: draft
                Generated: 2022-06-01
                Resolved: true
                Profiles:
                        Title: ANSSI-BP-028 (enhanced)
                                Id: xccdf_org.ssgproject.content_profile_anssi_bp28_enhanced
                        Title: ANSSI-BP-028 (high)
                                Id: xccdf_org.ssgproject.content_profile_anssi_bp28_high
                        Title: ANSSI-BP-028 (intermediary)
                                Id: xccdf_org.ssgproject.content_profile_anssi_bp28_intermediary
                        Title: ANSSI-BP-028 (minimal)
                                Id: xccdf_org.ssgproject.content_profile_anssi_bp28_minimal
                        Title: [DRAFT] CIS Red Hat Enterprise Linux 9 Benchmark for Level 2 - Server
                                Id: xccdf_org.ssgproject.content_profile_cis
                        Title: [DRAFT] CIS Red Hat Enterprise Linux 9 Benchmark for Level 1 - Server
                                Id: xccdf_org.ssgproject.content_profile_cis_server_l1
                        Title: [DRAFT] CIS Red Hat Enterprise Linux 9 Benchmark for Level 1 - Workstation
                                Id: xccdf_org.ssgproject.content_profile_cis_workstation_l1
                        Title: [DRAFT] CIS Red Hat Enterprise Linux 9 Benchmark for Level 2 - Workstation
                                Id: xccdf_org.ssgproject.content_profile_cis_workstation_l2
                        Title: [DRAFT] Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)
                                Id: xccdf_org.ssgproject.content_profile_cui
                        Title: Australian Cyber Security Centre (ACSC) Essential Eight
                                Id: xccdf_org.ssgproject.content_profile_e8
                        Title: Health Insurance Portability and Accountability Act (HIPAA)
                                Id: xccdf_org.ssgproject.content_profile_hipaa
                        Title: Australian Cyber Security Centre (ACSC) ISM Official
                                Id: xccdf_org.ssgproject.content_profile_ism_o
                        Title: [DRAFT] Protection Profile for General Purpose Operating Systems
                                Id: xccdf_org.ssgproject.content_profile_ospp
                        Title: PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 9
                                Id: xccdf_org.ssgproject.content_profile_pci-dss
                        Title: [DRAFT] DISA STIG for Red Hat Enterprise Linux 9
                                Id: xccdf_org.ssgproject.content_profile_stig
                        Title: [DRAFT] DISA STIG with GUI for Red Hat Enterprise Linux 9
                                Id: xccdf_org.ssgproject.content_profile_stig_gui
                Referenced check files:
                        ssg-rhel9-oval.xml
                                system: http://oval.mitre.org/XMLSchema/oval-definitions-5
                        ssg-rhel9-ocil.xml
                                system: http://scap.nist.gov/schema/ocil/2
                        security-data-oval-com.redhat.rhsa-RHEL9.xml.bz2
                                system: http://oval.mitre.org/XMLSchema/oval-definitions-5
Checks:
        Ref-Id: scap_org.open-scap_cref_ssg-rhel9-oval.xml
        Ref-Id: scap_org.open-scap_cref_ssg-rhel9-ocil.xml
        Ref-Id: scap_org.open-scap_cref_ssg-rhel9-cpe-oval.xml
        Ref-Id: scap_org.open-scap_cref_security-data-oval-com.redhat.rhsa-RHEL9.xml.bz2
Dictionaries:
        Ref-Id: scap_org.open-scap_cref_ssg-rhel9-cpe-dictionary.xml
[3] Scan CentOS System with [oscap] command.
Scan result is renerated as HTML report, you should verify it and try to apply recommended settings as much as possible.
# xccdf : specify [xccdf] module
# ⇒ available modules : info, xccdf, oval, ds, cpe, cvss, cve, cvrf
# [--profile] : specify profile
# ⇒ available profiles are on the result you run [oscap info] command above
# [--results] : output file
# [--report] : output HTML report
# [--fetch-remote-resources] : download the latest data
[root@dlp ~]#
oscap xccdf eval \
--profile xccdf_org.ssgproject.content_profile_ospp \
--results ssg-cs9-ds.xml \
--report ssg-cs9-ds.html \
--fetch-remote-resources \
/usr/share/xml/scap/ssg/content/ssg-cs9-ds.xml


Downloading: https://access.redhat.com/security/data/oval/com.redhat.rhsa-RHEL9.xml.bz2 ... ok
--- Starting Evaluation ---

Title   Install AIDE
Rule    xccdf_org.ssgproject.content_rule_package_aide_installed
Result  fail

Title   Enable Dracut FIPS Module
Rule    xccdf_org.ssgproject.content_rule_enable_dracut_fips_module
Result  fail

Title   Enable FIPS Mode
Rule    xccdf_org.ssgproject.content_rule_enable_fips_mode
Result  fail

Title   Install crypto-policies package
Rule    xccdf_org.ssgproject.content_rule_package_crypto-policies_installed
Result  pass

Title   Configure BIND to use System Crypto Policy
Rule    xccdf_org.ssgproject.content_rule_configure_bind_crypto_policy
Result  pass

Title   Configure System Cryptography Policy
Rule    xccdf_org.ssgproject.content_rule_configure_crypto_policy
Result  fail

Title   Configure Kerberos to use System Crypto Policy
Rule    xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy
Result  pass

.....
.....
[4]
It's possible to generate remediation script from scaned result.
Remediation script will change various system settings, so you must take care if you run it, especially for production systems.
# make sure the [Result ID] in the result output on [3]

[root@dlp ~]#
oscap info ssg-cs9-ds.xml | grep "Result ID"

        Result ID: xccdf_org.open-scap_testresult_xccdf_org.ssgproject.content_profile_ospp

# generate remediation script
# [--fix-type] : specify fix type : default is Bash
# ⇒ available type ⇒ bash, ansible, puppet, anaconda, ignition, kubernetes, blueprint
# [--output] : specify output script file
# [--result-id] : specify [Result ID]
[root@dlp ~]#
oscap xccdf generate fix \
--fix-type bash \
--output ssg-cs9-ds-remediation.sh \
--result-id xccdf_org.open-scap_testresult_xccdf_org.ssgproject.content_profile_ospp \
ssg-cs9-ds.xml
[root@dlp ~]#
total 16172
-rw-------. 1 root root     1100 Nov 26  2021 anaconda-ks.cfg
-rw-r--r--. 1 root root  2286030 Jul 29 09:37 ssg-cs9-ds.html
-rwx------. 1 root root   183754 Jul 29 09:55 ssg-cs9-ds-remediation.sh
-rw-r--r--. 1 root root 14081044 Jul 29 09:37 ssg-cs9-ds.xml

# run remediation script

[root@dlp ~]#
./ssg-cs9-ds-remediation.sh

.....
.....
Remediating rule 111/112: 'xccdf_org.ssgproject.content_rule_service_usbguard_enabled'
Created symlink /etc/systemd/system/basic.target.wants/usbguard.service  /usr/lib/systemd/system/usbguard.service.
Remediating rule 112/112: 'xccdf_org.ssgproject.content_rule_usbguard_allow_hid_and_hub'

# check again

[root@dlp ~]#
oscap xccdf eval \
--profile xccdf_org.ssgproject.content_profile_ospp \
--results ssg-cs9-ds_after-remediation.xml \
--report ssg-cs9-ds_after-remediation.html \
--fetch-remote-resources \
/usr/share/xml/scap/ssg/content/ssg-cs9-ds.xml

  After running remediation script, many [fail] items has been improved.
Matched Content