-
Medium/Average (~10-20 mins)
-
Become familiar with the basics of automated security and compliance scanning and remediations with OpenSCAP and Red Hat® Ansible® Automation
Security Content Automation Protocol (SCAP) is a collection of standards to enable automated vulnerability and configuration compliance. OpenSCAP is a family of open source SCAP tools, and the SCAP Security Guide (SSG) is a collection of XML-based SCAP benchmarks and content in various formats to help with compliance configuration assessment of Red Hat Enterprise Linux® (RHEL) machines. Natively shipping in Red Hat Enterprise Linux, OpenSCAP provides practical security hardening advice and remediations for Red Hat technologies and helps with meeting security compliance requirements, making it easier to obtain security certifications and accreditations.
OpenSCAP and SSG allows you to perform both vulnerability and security compliance checks in a fully automated way.
OpenSCAP is integrated into Red Hat Satellite for automated security and compliance scanning across multiple Red Hat systems at scale. OpenSCAP, Red Hat Satellite, Red Hat Ansible Automation, and Red Hat CloudForms® can also all be integrated together for automated and continuous scanning and remediations for security and compliance across a hybrid environment at scale.
In this lab, you focus on single host scanning and remediations for security vulnerabilities and compliance to security baselines using the security tools built info Red Hat Enterprise Linux.
All of the steps in this setup section are already completed for you. This section is for reference only so that you know what is already configured in this lab environment.
-
Red Hat Enterprise Linux 8.0 is installed on the openscap.example.com host.
NoteRead the comments above each installation command for more details. If needed, the root password for the openscap.example.com host is r3dh4t1!. Also, remember to replace the GUID with your unique lab-provided GUID.
Versions of installed packages may not be up to date, but this does not affect the lab.
-
Additionally, openscap-scanner, scap-security-guide, and Ansible are installed on the openscap.example.com host. Take a look at the comments above each installation command for more details. If needed, the root password for the openscap.example.com host is r3dh4t1!. Also, don’t forget to replace the GUID with unique lab provided GUID! Note that the versions of packages installed may not be up to date. However, this will not affect this lab:
[localhost ~]$ ssh [email protected] [lab-user@workstation-GUID ~]$ ssh [email protected] # the tool that performs the scanning [root@openscap]# yum install openscap-scanner # project that brings in security policies we will load and test agains [root@openscap]# yum install scap-security-guide # we will need this later for Ansible based remediations [root@openscap]# yum install ansible python-firewall
-
To verify a successful installation, run:
[root@openscap ~]# oscap -V OpenSCAP command line tool (oscap) 1.3.0 Copyright 2009--2018 Red Hat Inc., Durham, North Carolina. ==== Supported specifications ==== XCCDF Version: 1.2 OVAL Version: 5.11.1 CPE Version: 2.3 CVSS Version: 2.0 CVE Version: 2.0 Asset Identification Version: 1.1 Asset Reporting Format Version: 1.1 CVRF Version: 1.1 ...
Note that this command outputs the OpenSCAP version and versions of supported standards. If during your own installation a message indicates that the
oscapcommand is not found, this means OpenSCAP is not successfully installed, and you must install the OpenSCAP tooling (as detailed earlier). -
SCAP Workbench is also installed on the openscap.example.com server host for you:
# GUI tool for scanning and benchmark customization, a front-end for OpenSCAP [root@openscap ~] yum install scap-workbench
-
If not already there, log in to the workstation bastion host as lab-user from your desktop system, replacing
GUIDwith your lab-provided GUID and, if needed, using the password r3dh4t1!:[localhost ~]$ ssh [email protected]
-
Log in to the openscap.example.com host as root:
[lab-user@workstation-GUID ~]$ ssh [email protected]
-
Examine the compliance content provided by
scap-security-guide:[root@openscap ~]# rpm -ql scap-security-guide ... /usr/share/xml/scap/ssg/content/ssg-rhel8-cpe-dictionary.xml /usr/share/xml/scap/ssg/content/ssg-rhel8-cpe-oval.xml /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml /usr/share/xml/scap/ssg/content/ssg-rhel8-ocil.xml /usr/share/xml/scap/ssg/content/ssg-rhel8-oval.xml /usr/share/xml/scap/ssg/content/ssg-rhel8-xccdf.xml ...
Note that content provided in
scap-security-guidecovers a wide range of security baselines. For Red Hat Enterprise Linux 8, Protection Profile for General Purpose Operating Systems (OSPP) and Payment Card Industry Data Security Standard (PCI-DSS) profiles are available. There are various formats in which this is provided—human-readable HTML guides, SCAP benchmarks, and Ansible remediation playbooks. -
Move to the
contentfolder so that you can avoid typing long paths in the subsequent exercises:[root@openscap ~]# cd /usr/share/xml/scap/ssg/content
-
Determine which content and compliance profiles (OSPP and PCI-DSS) are available for Red Hat Enterprise Linux 8:
[root@openscap content]# oscap info ssg-rhel8-ds.xml
-
Perform your first security compliance baseline scan with the OSPP profile:
The scanning command must be executed by a privileged user:
rootor usingsudo. Therefore the scanner can access system parts that are off-limits to common users. The simplest scanner invocation can look like this:oscap xccdf eval --profile ospp ./ssg-rhel8-ds.xml
You can omit the profile ID prefix to make the command simpler—the actual ID is
xccdf_org.ssgproject.content_profile_ospp.You also want to store the scan results, so you can process them later. Therefore, you need to supply additional arguments.
-
Store the results of the scan this time:
[root@openscap content]# oscap xccdf eval --oval-results --profile ospp --results-arf /tmp/arf.xml --report /tmp/report.html ./ssg-rhel8-ds.xml
-
--results-arfgets the machine-readable results archive. -
--reportgets a human-readable report, which can also be generated from ARF after the scan (as shown in the optional step that follows). -
--oval-resultsprovides additional details of failing rules.
-
-
(Optional) Generate the HTML report separately:
[root@openscap content]# rm -f /tmp/report.html [root@openscap content]# oscap xccdf generate report /tmp/arf.xml > /tmp/report.html
-
From the Lab Information page where you were assigned your lab GUID, click the link provided on the bullet to go to your power control and consoles view:
-
Click the console button for your workstation bastion host and log in as lab-user with r3dh4t1! as the password:
-
In an X-forwarded web browser, open Terminal and use it to open the report.html (which is in the
.tmpdirectory of your openscap.example.com host):[lab-user@workstation-GUID ~]$ ssh -X [email protected] firefox /tmp/report.html
-
Expect to see the security compliance scan results for every security control in the OSPP security baseline profile in HTML format:
NoteRules can have several types of results, but the most common are pass and fail, which indicate whether a particular security control has passed or failed the scan. Other results you can encounter frequently are notapplicable, for rules that were skipped as not relevant to the scanned system, and notchecked, for rules without an automated check.
-
Click any of the rule titles in the HTML report, such as the rules highlighted in red in this image:
-
Wait for the dialog to appear, then examine the details of the OpenSCAP security rule that failed or passed—in this case, it shows which file failed the regex check:
If the
--oval-resultsoption is specified on the command line when scanning, extended details are provided. For example, if an OpenSCAP security rule is testing file permissions on a list of files, it specifies which files failed and their permission bits. -
Browse through the report to see all of the different checks performed.
The machine is in a state equivalent to a default installation.
-
When you are finished, close the Firefox window.
-
Return to the workstation console page, click the console button for your workstation bastion host, and log in as lab-user with r3dh4t1! as the password:
-
After you log in, open Terminal.
-
Use SSH with X forwarding to run SCAP Workbench, which is installed on the openscap.example.com host:
[lab-user@workstation-GUID ~]$ ssh -X [email protected] scap-workbench
-
After SCAP Workbench starts, select RHEL8 and click Load Content to open the compliance content for Red Hat Enterprise Linux 8:
-
For Profile, select PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 8 (18), then click Customize:
-
In the Customize Profile window, leave the default New Profile ID name and click OK:
Now you can select and unselect rules according to your organization’s needs and change values such as minimum password length to tailor the compliance profile.
The toolbar at the top of the window provides options to help you create and customize the profile. Notice the Deselect All and Search buttons, which can be very useful when creating a new profile from scratch.
-
Customize the profile as you like, then click OK to save it:
-
Click Scan to run a test scan with the new custom profile you just created, typing r3dh4t1! when prompted for the lab-user password, then inspect the results:
This take a few minutes to complete.
NoteYou may proceed with the remainder of this lab before the scan completes. You can ignore and close the diagnostics window that appears at the end of the scan. -
(Optional) Select File→Save Customization Only to save the customization to a tailoring file:
Putting the machine into compliance—for example, by changing its configuration—is called remediation in SCAP terminology. Because remediation changes the configuration of the machine to restrict its capabilities, it is possible for you to lock yourself out or disable workloads important to you. As a result, it is a best practice to test the remediation and its effects before deploying.
-
If not already there, open Terminal and log in to the workstation bastion host as lab-user from your desktop system, replacing
GUIDwith your lab-provided GUID and using the password r3dh4t1!:[localhost ~]$ ssh [email protected]
-
Log in to the openscap.example.com host as root:
[lab-user@workstation-GUID ~]$ ssh [email protected]
All remediations are executed on the openscap.example.com host. You do not make modifications to any other hosts, including the workstation.example.com bastion host.
-
Automatically generate an Ansible Playbook using the
--fix-type ansibleoption to request a playbook with the scan result fixes:[root@openscap]# oscap xccdf generate fix --fix-type ansible --result-id "" /tmp/arf.xml > playbook.yml
This puts the openscap.example.com machine into compliance based on a given security compliance profile from the previous scan results of the OSPP security baseline profile.
-
(Optional) Generate the bash remediation script using
--fix-type bashto request a bash script with the fixes:[root@openscap]# oscap xccdf generate fix --fix-type bash --result-id "" /tmp/arf.xml > bash-fix.sh
By running either the automatically generated Ansible remediation playbook or the bash remediation script, the openscap.example.com machine is put into compliance to the OSPP security baseline profile.
TipNote that in both cases you use an empty --result-id. This is a trick to avoid specifying the full result ID.
In this section, you focus on the Ansible remediation options.
-
Open the generated playbook using a text editor (nano is used here, but vi can also be used):
[root@openscap]# nano playbook.yml --- ############################################################################### # # Ansible remediation role for the results of evaluation of profile xccdf_org.ssgproject.content_profile_ospp # XCCDF Version: 1.2 # ... # # How to apply this remediation role: # $ ansible-playbook -i "localhost," -c local playbook.yml # $ ansible-playbook -i "192.168.1.155," playbook.yml # $ ansible-playbook -i inventory.ini playbook.yml # ###############################################################################
-
Examine the generated playbook in detail and note the various Ansible tasks for configuring this machine to make it compliant with the OSPP security baseline profile:
- name: Ensure gpgcheck Enabled For All Yum Package Repositories with_items: "{{ yum_find.files }}" lineinfile: create: yes dest: "{{ item.path }}" regexp: '^gpgcheck' line: 'gpgcheck=1' tags: - ensure_gpgcheck_never_disabled - high_severity - unknown_strategy - low_complexity - medium_disruption - CCE-26876-3 - NIST-800-53-CM-5(3) - NIST-800-53-SI-7 - NIST-800-53-MA-1(b) - NIST-800-171-3.4.8 - PCI-DSS-Req-6.2 - CJIS-5.10.4.1 -
Customize the playbook by changing the variables listed at the top of the generated file—in this case, change the password minimum length by setting the
var_password_pam_minlento!!str 18:vars: var_accounts_password_minlen_login_defs: !!str 15 var_accounts_passwords_pam_faillock_deny: !!str 3 var_accounts_passwords_pam_faillock_unlock_time: !!str never var_accounts_passwords_pam_faillock_fail_interval: !!str 900 var_accounts_passwords_pam_faillock_deny: !!str 3 var_accounts_passwords_pam_faillock_unlock_time: !!str never var_accounts_passwords_pam_faillock_fail_interval: !!str 900 var_password_pam_minlen: !!str 18 var_password_pam_ocredit: !!str -1 var_password_pam_lcredit: !!str -1 var_password_pam_ucredit: !!str -1 var_password_pam_dcredit: !!str -1 var_accounts_tmout: !!str 600 var_system_crypto_policy: !!str FIPS rsyslog_remote_loghost_address: !!str logcollector ...TipAfter making this change, press Ctrl+X, then type y and press Enter in your nano text editor to save your changes.
-
Run the playbook locally on the openscap.example.com host in check mode to see how it would change the machine to put it into compliance with the OSPP security baseline profile:
[root@openscap]# ansible-playbook -i "localhost," -c local --check playbook.yml -e 'ansible_python_interpreter=/usr/bin/python3'
ImportantSetting
ansible_python_interpreteris a workaround for a known issue in the Ansible 2.7 binary installed on the lab machines.[WARNING]: While constructing a mapping from /root/playbook.yml, line 26, column 7, found a duplicate dict key (var_accounts_passwords_pam_faillock_deny). Using last defined value only. [WARNING]: While constructing a mapping from /root/playbook.yml, line 26, column 7, found a duplicate dict key (var_accounts_passwords_pam_faillock_unlock_time). Using last defined value only. [WARNING]: While constructing a mapping from /root/playbook.yml, line 26, column 7, found a duplicate dict key (var_accounts_passwords_pam_faillock_fail_interval). Using last defined value only. PLAY [all] ********************************************************************* TASK [Gathering Facts] ********************************************************* ok: [localhost] TASK [Disable GSSAPI Authentication] ******************************************* changed: [localhost] TASK [Disable SSH Root Login] ************************************************** changed: [localhost] ... TASK [Set rsyslog remote loghost] ********************************************** changed: [localhost] PLAY RECAP ********************************************************************* localhost : ok=458 changed=260 unreachable=0 failed=0
This command takes a while to finish.
ImportantIf you omit the --checkparameter from the previous command, the resulting machine is compliant with the provided rules in the OSPP security baseline profile. Note that you are able to log in again to the openscap.example.com machine after running the previous Ansible remediation command. This is because the machine is hardened with the Ansible remediation playbook for the OSPP security baseline profile and one of the requirements of the OSPP security baseline profile prohibits login as root.