As you already know from Lab Exercise 1, the ComplianceAsCode project provides security content that can be used for automated security scanning of your system.
Red Hat® Enterprise Linux® 8 (RHEL 8) contains OpenSCAP Scanner, which is a security scanner that works with ComplianceAsCode content.
The content that you build in ComplianceAsCode can be simply passed to OpenSCAP Scanner and the scan can be started right away.
OpenSCAP Scanner allows you to perform security compliance checks in a fully automated way.
It is possible to run the scan using either the oscap command line tool or the SCAP Workbench graphical application.
Several integrations for continuous scanning also exist, but in this lab exercise, you focus on one-off scanning.
-
Learn the basics of automated security scanning in Red Hat® Enterprise Linux® 8
-
Learn how to use
ComplianceAsCodefor automated security scanning -
Learn how to do lightweight customization of a predefined security policy using a GUI tool
-
Explore the possibilities for remediations of failing rules
-
The
ComplianceAsCoderepository was cloned to thelab2_openscapdirectory. -
The dependencies required for the
ComplianceAsCodecontent build were installed usingyum install:-
Generic build utilities:
cmakeandmake -
Utilities for generating SCAP content:
openscap-scanner -
Python dependencies for putting content together:
python3-pyyamlandpython3-jinja2
-
-
The following OpenSCAP ecosystem packages were installed using
yum install:-
The scanner:
openscap-scanner -
Utilities for scanning remote systems:
openscap-utils -
The GUI front end and datastream tool:
scap-workbench
-
|
Important
|
Content used in this lab has been altered to increase its educative potential, and is therefore different from the content in ComplianceAsCode upstream repository or the content in the scap-security-guide package shipped in Red Hat® products. |
OpenSCAP provides a command line tool called oscap that can be used for automated security scanning.
-
You can verify a successful installation of
oscapby running the following commands:[... lab1_introduction]$ cd /home/lab-user/labs/lab2_openscap [... lab2_openscap]$ oscap --version OpenSCAP command line tool (oscap) 1.3.1 Copyright 2009--2018 Red Hat Inc., Durham, North Carolina. ==== Supported specifications ==== XCCDF Version: 1.2 OVAL Version: 5.11.1 CPE Version: 2.3 CVSS Version: 2.0 CVE Version: 2.0 Asset Identification Version: 1.1 Asset Reporting Format Version: 1.1 CVRF Version: 1.1 ...
Note that this command outputs the OpenSCAP version and versions of supported standards.
In this section, you build the security content for Red Hat® Enterprise Linux® 8 from ComplianceAsCode source code and then you use the built content with the OpenSCAP command line tool to scan your machine.
-
The content has been built, so you can take a look at the generated files in the
builddirectory right away:[... lab2_openscap]$ cd build [... build]$ ls ... ssg-rhel8-ds.xml ssg-rhel8-ocil.xml ssg-rhel8-oval.xml ...
There are multiple files produced by the build. The file that is going to be used with the OpenSCAP scanner is
ssg-rhel8-ds.xml. This file is called a SCAP Datastream. -
Check which compliance profiles are available for RHEL 8.
[... build]$ oscap info ssg-rhel8-ds.xml ... Profiles: Title: Criminal Justice Information Services (CJIS) Security Policy Id: xccdf_org.ssgproject.content_profile_cjis Title: Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171) Id: xccdf_org.ssgproject.content_profile_cui Title: Red Hat Corporate Profile for Certified Cloud Providers (RH CCP) Id: xccdf_org.ssgproject.content_profile_rht-ccp ...In the "Profiles:" section, you can see a list of profiles contained in the datastream. The datastream contains multiple profiles that cover different security baselines for different purposes. Each profile is identified by a profile ID.
The built
ComplianceAsCodecontent is available as a RHELscap-security-guideRPM package. Unlike the upstream repository that you work with now, the package contains only content that is officially tested and supported by Red Hat®. Therefore, thescap-security-guidepackage in RHEL 8 contains only the OSPP and PCI-DSS profiles at the moment. -
Perform your first baseline testing scan with the vanilla OSPP profile.
Note in the command below that you can skip the profile ID prefix to make the command simpler. The real ID is
xccdf_org.ssgproject.content_profile_ospp.The scanning command has to be executed by a privileged user using
sudo, so the scanner can access parts of the system that are off-limits to common users. The simplest scanner invocation can look like this:sudo oscap xccdf eval --profile ospp ssg-rhel8-ds.xml
However, you also want to store the scan results so you can process them later. Therefore, you have to supply additional arguments:
-
Use
--results-arfto get a machine-readable results archive -
Use
--reportto get a human-readable report (this can also be generated from ARF after the scan, as you see in the next optional step) -
Use
--oval-resultsto get detailed results in the reportNow execute the following to run the scan and generate the HTML report as a side-effect:
[... build]$ sudo oscap xccdf eval --profile ospp --results-arf /tmp/arf.xml --report /home/lab-user/labs/lab2_openscap/lab2_report.html --oval-results ./ssg-rhel8-ds.xml ...
NoteYou can also generate the HTML report later by executing these commands:
[... build]$ sudo rm -f /home/lab-user/labs/lab2_openscap/lab2_report.html [... build]$ oscap xccdf generate report /tmp/arf.xml > /home/lab-user/labs/lab2_openscap/lab2_report.html
-
-
Open the file explorer by clicking
Activitiesand then the "file cabinet" icon. Once it opens, click theHomeicon in the top left portion of the browser’s window. Clicklabsthenlab2_openscapfolders. Expect to see thelab2_report.htmlfile there. Double-click it to open it in the browser.
You see the compliance scan results for every security control in the OSPP security baseline profile in HTML format.
Rules can have several types of results, but the most common ones are pass and fail, which indicate whether a particular security control has passed or failed the scan. Other results you frequently encounter are notapplicable for rules that have been skipped as not relevant to the scanned system, and notchecked for rules without an automated check.
-
Click the rule title in the HTML report.
This brings up a pop-up dialog that allows you to examine why a particular rule failed or passed. For example, if a rule is testing file permissions on a list of files, it specifies which files failed and what their permission bits are.
-
In the console view, click
Activitiesin the top left corner of the screen, then select the green circle icon for SCAP Workbench. -
After Workbench starts, select
Other SCAP contentin the drop-down list and clickLoad Content. A file browser window appears. -
Locate
ssg-rhel8-ds.xmlfrom the/home/lab-user/labs/lab2_openscap/builddirectory and clickOpento open the compliance content for Red Hat® Enterprise Linux® 8 that you built in the previous section.
-
Customize the PCI-DSS Control baseline.
-
Select this profile from the
Profiledrop-down list. -
Click
Customize.
-
In the
Customize Profilepop-up window, leave the name generated by default forNew Profile IDand clickOK.
-
Now you can select and deselect rules according to your organization’s needs, and change values such as minimum password length, to tailor the compliance profile.
-
-
After you are done customizing, click
OKto save the profile. You have now created a new custom profile.
-
Run a test scan with the new custom profile you just created.
-
Click
Scanand inspect the results. -
When prompted for the password for Lab User, type r3dh4t1!. This takes a few minutes, so feel free to move on with the lab exercise and not wait for the scan to complete.
-
Close the Diagnostics window.
TipYou can save the customization to a tailoring file by selecting
File→Save Customization Only.
-
Putting the machine into compliance (for example, by changing its configuration) is called remediation in the SCAP terminology. Remediation changes the configuration of the machine, and it is possible to lock yourself out or disable important workloads! As a result, it is a best practice to test the remediation changes before deploying.
You use Terminal on your laptop for the next part—there is no need to use the console.
-
Generate an Ansible® Playbook that puts your machine into compliance.
-
Generate a playbook from the scan results. Use the
--fix-type ansibleoption to request an Ansible Playbook with the fixes:[... build]$ oscap xccdf generate fix --fix-type ansible --result-id "" /tmp/arf.xml > playbook.yml
You specified the empty
result-idbecauseoscapsupports generation of fixes from a result file that has results from multiple scans. However, as there is only one result from a single scan, you do not have to specify the result ID explicitly.
-
-
Check the output using a text editor:
[... build]$ nano playbook.yml
-
When finished, exit
nanoby pressingCtrl+X. -
Generate a Bash remediation script from the scan results. ..Run the following command, using
--fix-type bashto request a bash script with the fixes:[... build]$ oscap xccdf generate fix --fix-type bash --result-id "" /tmp/arf.xml > bash-fix.sh
You specified the empty
result-idbecauseoscapsupports generation of fixes from a result file that has results from multiple scans. However, as there is only one result from a single scan, you do not have to specify the result ID explicitly. -
Check the output using a text editor:
[... build]$ nano bash-fix.sh
-
When finished, exit
nanoby pressingCtrl+X.
The Ansible Playbook can be used to configure a system to meet a compliant state. Using Ansible Playbooks is discussed in Lab Exercise 4. The Bash remediation script also can be used to change the configuration of the system. It is recommended that you review the contents of these scripts and test them in a testing environment first, as they have the potential to make unexpected or harmful changes.