
Assessing and Hardening Linux with OpenSCAP

Preparing to Harden Linux with OpenSCAP

OpenSCAP is a free implementation of SCAP, the Security Content Automation Protocol. That's a set of standards used to automate vulnerability assessment, vulnerability management, and policy compliance of information systems.

OpenSCAP has been certified by NIST as correctly implementing the SCAP standards.

The primary tool for Linux system administrators and security auditors is the oscap tool.

It uses the SCAP Security Guide content, a collection of XML files.

OpenSCAP Components

The main tool is the oscap tool. On Red Hat and Oracle Linux, it is in the openscap-scanner package.

The SCAP content, the SCAP Security Guide, is a collection of XML files in the /usr/share/xml/scap/ssg/content directory. On Red Hat and Oracle Linux, they are in the scap-security-guide package. Here's what you get on RHEL 7.

$ cd /usr/share/xml/scap/ssg/content
$ ls -sh ssg-rhel7-*
8.0K ssg-rhel7-cpe-dictionary.xml
 92K ssg-rhel7-cpe-oval.xml
 32M ssg-rhel7-ds-1.2.xml
 32M ssg-rhel7-ds.xml
1.4M ssg-rhel7-ocil.xml
3.5M ssg-rhel7-oval.xml
 10M ssg-rhel7-xccdf.xml

Some components are also stored in subdirectories of /usr/share/openscap.

The SCAP components are:

Asset Identification (AID)
Asset Reporting Format (ARF)
Common Configuration Enumeration (CCE)
Common Configuration Scoring System (CCSS)
Common Platform Enumeration (CPE)
Common Vulnerabilities and Exposures (CVE)
Common Vulnerability Scoring System (CVSS)
Open Checklist Interactive Language (OCIL)
Open Vulnerability and Assessment Language (OVAL)
Trust Model for Security Automation Data (TMSAD)
Software Identification (SWID) tags
Extensible Configuration Checklist Description Format (XCCDF)

You can point oscap at either the XCCDF file (ssg-rhel7-xccdf.xml) or the Datastream file (ssg-rhel7-ds.xml). The Datastream bundles the XCCDF together with the OVAL, CPE, and OCIL component files it references, so it is self-contained.

You would expect the two to lead to the same result, as the Datastream file supposedly contains the XCCDF and other files. However...

The SCAP Security Guide

The SCAP Security Guide or SSG, the source of the SCAP content, is a great idea and an active project. It is not, however, finished.

Working as a consultant as a sub-sub-contractor on an electronic warfare project for the U.S. Army, I was given a copy of SCC or the SCAP Compliance Checker, a package developed by the Navy. It checks for compliance against the U.S. Department of Defense STIG or Security Technical Implementation Guide. Or just DoD STIG for short.

After installing a customized but fairly general-purpose RHEL 7 system, SCC scores it around 35%.

After using oscap to remediate with what Red Hat describes as the test-and-mitigate profile for the DoD STIG for RHEL 7, and then scanning again with SCC, the system still scores no higher than about 65%.

The precise numbers vary from update to update. But as a general rule, a run using the Datastream file applies more checks than one using the XCCDF file.

So, through the following, we will be using the Datastream file.

SSG Profiles

An XCCDF or Datastream file can contain arbitrarily many profiles, each an individual set of tests, each possibly accompanied by a remediation. My experience has been that:

You use the info operation of the oscap tool to display a description of the included XCCDF data. The --fetch-remote-resources option allows it to also download remote content referenced within the file, e.g.
https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL7.xml

Editing down the results to just the titles of the profiles, on RHEL 7 ssg-rhel7-ds.xml contains:

$ more /etc/system-release
Red Hat Enterprise Linux Server release 7.9 (Maipo)
$ oscap info --fetch-remote-resources ssg-rhel7-ds.xml | grep 'Title:' | sed 's/^[[:space:]]*//'
Title: Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)
Title: Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)
Title: NIST National Checklist Program Security Guide
Title: CIS Red Hat Enterprise Linux 7 Benchmark
Title: DISA STIG for Red Hat Enterprise Linux 7
Title: Criminal Justice Information Services (CJIS) Security Policy
Title: Standard System Security Profile for Red Hat Enterprise Linux 7
Title: Australian Cyber Security Centre (ACSC) Essential Eight
Title: OSPP - Protection Profile for General Purpose Operating Systems v4.2.1
Title: Health Insurance Portability and Accountability Act (HIPAA)
Title: C2S for Red Hat Enterprise Linux 7
Title: VPP - Protection Profile for Virtualization v. 1.0 for Red Hat Enterprise Linux Hypervisor (RHELH)
Title: [DRAFT] DISA STIG for Red Hat Enterprise Linux Virtualization Host (RHELH)
Title: DRAFT - ANSSI DAT-NT28 (minimal)
Title: DRAFT - ANSSI DAT-NT28 (high)
Title: DRAFT - ANSSI DAT-NT28 (enhanced)
Title: DRAFT - ANSSI DAT-NT28 (intermediary)
Title: PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 7
Title: PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 7

Red Hat scaled the shipped profiles way back, from 19 in RHEL 7.9 to just 2 in the RHEL 8.0 package shown here. Later RHEL 8 updates added profiles back, so check your own release with oscap info rather than assuming this list.

$ more /etc/system-release
Red Hat Enterprise Linux Server release 8.0 (Ootpa)
$ oscap info --fetch-remote-resources ssg-rhel8-ds.xml | grep 'Title:' | sed 's/^[[:space:]]*//'
Title: PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 8
Title: OSPP - Protection Profile for General Purpose Operating Systems

Meanwhile, Oracle is remaining active in maintaining SSG content for Oracle Linux 8:

$ more /etc/system-release
Oracle Linux Server release 8.3
$ oscap info --fetch-remote-resources ssg-ol8-ds.xml | grep 'Title:' | sed 's/^[[:space:]]*//'
Title: Criminal Justice Information Services (CJIS) Security Policy
Title: Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)
Title: [DRAFT] Australian Cyber Security Centre (ACSC) Essential Eight
Title: Health Insurance Portability and Accountability Act (HIPAA)
Title: [DRAFT] Protection Profile for General Purpose Operating Systems
Title: PCI-DSS v3.2.1 Control Baseline Draft for Oracle Linux 8
Title: Standard System Security Profile for Oracle Linux 8
Title: [DRAFT] DISA STIG for Oracle Linux 8

OpenSCAP Assessment of RHEL 7, PCI-DSS Profile

You need the profile ID, so get that first:

$ oscap info ssg-rhel7-ds.xml | grep -C 2 PCI-DSS
	Title: DRAFT - ANSSI DAT-NT28 (intermediary)
		Id: xccdf_org.ssgproject.content_profile_anssi_nt28_intermediary
	Title: PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 7
		Id: xccdf_org.ssgproject.content_profile_pci-dss
	Referenced check files:
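Grepping with -C 2 works, but it depends on the Id happening to sit two lines below the title. The following is an added example, not code from OpenSCAP or the SCAP Security Guide: it parses the XCCDF Profile elements out of a datastream with Python's standard library and maps each title to the Id you hand to --profile. The embedded datastream is a constructed sample shaped like the SSG files; its profile Ids are illustrative, so confirm the real ones with oscap info on your own content. It deliberately returns every match, because the RHEL 7 listing above shows two profiles with the identical PCI-DSS title.

```python
"""List XCCDF profile titles and Ids from an SSG datastream.

Added example for this page, not part of OpenSCAP or the SSG project.
Usage: python3 ssg_profiles.py [/usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml] [title substring]
With no arguments it runs on the constructed sample below.
"""
import sys
import xml.etree.ElementTree as ET

# XCCDF 1.2 namespace used by the Benchmark embedded in an SSG datastream.
XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"


def _tag(name):
    return "{%s}%s" % (XCCDF_NS, name)


def list_profiles(xml_text):
    """Return [(title, profile_id), ...] in document order.

    iter() walks the whole tree, so this works on a plain XCCDF file and on
    a datastream that wraps the Benchmark inside ds:component elements.
    """
    root = ET.fromstring(xml_text)
    profiles = []
    for prof in root.iter(_tag("Profile")):
        title = (prof.findtext(_tag("title")) or "").strip()
        profiles.append((title, prof.get("id")))
    return profiles


def find_profile_ids(xml_text, needle):
    """Case-insensitive substring match on titles; returns every matching Id.

    A list rather than a single Id is deliberate: identical titles exist in
    shipped content, and a caller must see the ambiguity, not the first hit.
    """
    needle = needle.lower()
    return [pid for title, pid in list_profiles(xml_text) if needle in title.lower()]


# Constructed sample shaped like an SSG datastream (not a real SSG file).
SAMPLE_DATASTREAM = """<?xml version="1.0" encoding="UTF-8"?>
<ds:data-stream-collection xmlns:ds="http://scap.nist.gov/schema/scap/source/1.2"
    xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2">
  <ds:component id="scap_org.open-scap_comp_ssg-rhel7-xccdf-1.2.xml">
    <xccdf-1.2:Benchmark id="xccdf_org.ssgproject.content_benchmark_RHEL-7">
      <xccdf-1.2:Profile id="xccdf_org.ssgproject.content_profile_anssi_nt28_intermediary">
        <xccdf-1.2:title xml:lang="en-US">DRAFT - ANSSI DAT-NT28 (intermediary)</xccdf-1.2:title>
      </xccdf-1.2:Profile>
      <xccdf-1.2:Profile id="xccdf_org.ssgproject.content_profile_pci-dss">
        <xccdf-1.2:title xml:lang="en-US">PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 7</xccdf-1.2:title>
      </xccdf-1.2:Profile>
      <xccdf-1.2:Profile id="xccdf_org.ssgproject.content_profile_pci-dss_centric">
        <xccdf-1.2:title xml:lang="en-US">PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 7</xccdf-1.2:title>
      </xccdf-1.2:Profile>
    </xccdf-1.2:Benchmark>
  </ds:component>
</ds:data-stream-collection>
"""


def main(argv):
    xml_text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_DATASTREAM
    needle = argv[2].lower() if len(argv) > 2 else ""
    for title, pid in list_profiles(xml_text):
        if needle in title.lower():
            print("%s\n    --profile %s" % (title, pid))


if __name__ == "__main__":
    main(sys.argv)
```

Run it against the real file with a title fragment, e.g. "PCI-DSS", and it prints one --profile line per match; two lines means you still have a choice to make.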

Now run it with the xccdf module and its eval operation. Many of the checks read root-only files, so run the scan as root (or under sudo) or you will get spurious failures and errors. Run it within a script session to save all the output with colors preserved:

$ script /tmp/oscap-rhel7-pci-output
Script started, file is /tmp/oscap-rhel7-pci-output
$ oscap xccdf eval					\
	--fetch-remote-resources				\
	--profile xccdf_org.ssgproject.content_profile_pci-dss	\
	--report /tmp/rhel7-pci-dss-report.html			\
	ssg-rhel7-ds.xml
[... much output ...]
$ ^D
Script done, file is /tmp/oscap-rhel7-pci-output

You will see a lot of output, with white "notapplicable" and "notchecked", green "pass", and red "fail" for various tests.

Using the same starting point that SCC scores at about 35% against the DoD STIG, I got this:

OpenSCAP results for evaluating RHEL 7 against PCI-DSS.

61.89% score: 1297 rules, 1248 passed, 48 medium severity failed, 1 not checked.

Every rule carries a weight, so the percentage is a weighted score rather than a simple count of passes, and with PCI-DSS the rules do have varying weights. 48 medium severity tests and one high severity test failed. Scrolling down, I see the start of the report.

OpenSCAP results for evaluating RHEL 7 against PCI-DSS, list of passed and failed rule tests.

I scrolled down and clicked on "Prevent Login to Accounts with Empty Password". That provides a list of references, a description and rationale for the rule, and remediation content as both a Bash shell script and Ansible code.

OpenSCAP results for evaluating RHEL 7 against PCI-DSS, explanation and remediation content.
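The HTML report is for reading; for scripting, the same eval command can also write machine-readable results if you add --results /tmp/rhel7-pci-dss-results.xml (that path is my choice). The following is an added example, not code from OpenSCAP or the SSG: it parses that XCCDF results file with Python's standard library, counts outcomes, lists every fail and error with its severity and title, and reads the score oscap recorded. The embedded results document is a constructed sample that mimics the shape of oscap's output; its rule Ids and score are illustrative. The same parser serves the remediation run later on this page, where "fixed" and "error" outcomes appear.

```python
"""Summarize an XCCDF results file written by `oscap xccdf eval --results`.

Added example for this page, not OpenSCAP's own code.
Usage: python3 oscap_results.py [/tmp/rhel7-pci-dss-results.xml]
"""
import sys
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"


def _tag(name):
    return "{%s}%s" % (XCCDF_NS, name)


def summarize_results(xml_text):
    root = ET.fromstring(xml_text)
    # Rule titles live in the Benchmark, which oscap writes into the same
    # file; fall back to the Id if a Rule definition is not present.
    titles = {}
    for rule in root.iter(_tag("Rule")):
        titles[rule.get("id")] = (rule.findtext(_tag("title")) or rule.get("id")).strip()
    counts = Counter()
    failures = []
    scores = {}
    for test_result in root.iter(_tag("TestResult")):
        for rr in test_result.iter(_tag("rule-result")):
            outcome = (rr.findtext(_tag("result")) or "unknown").strip()
            counts[outcome] += 1
            if outcome in ("fail", "error"):
                rule_id = rr.get("idref")
                failures.append({
                    "id": rule_id,
                    "title": titles.get(rule_id, rule_id),
                    "severity": rr.get("severity", "unknown"),
                    "result": outcome,
                })
        for score in test_result.iter(_tag("score")):
            scores[score.get("system")] = float(score.text)
    return {"counts": dict(counts), "failures": failures, "scores": scores}


def unweighted_pass_rate(summary):
    """(pass + fixed) / (pass + fixed + fail + error) as a percentage.

    This is NOT the number in the HTML report: oscap's default scoring
    model weights rules and groups, which is how 48 failures out of ~1300
    rules can cost almost 40 points. Use it only as a quick sanity check.
    """
    c = summary["counts"]
    good = c.get("pass", 0) + c.get("fixed", 0)
    considered = good + c.get("fail", 0) + c.get("error", 0)
    return 100.0 * good / considered if considered else 0.0


# Constructed sample in the shape of oscap's XCCDF results output.
# The Ids, severities and score are illustrative, not a real scan.
SAMPLE_RESULTS = """<?xml version="1.0" encoding="UTF-8"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.ssgproject.content_benchmark_RHEL-7">
  <Rule id="xccdf_org.ssgproject.content_rule_no_empty_passwords" severity="high">
    <title>Prevent Login to Accounts With Empty Password</title>
  </Rule>
  <Rule id="xccdf_org.ssgproject.content_rule_grub2_audit_argument" severity="medium">
    <title>Enable Auditing for Processes Which Start Prior to the Audit Daemon</title>
  </Rule>
  <TestResult id="xccdf_org.open-scap_testresult_xccdf_org.ssgproject.content_profile_pci-dss">
    <rule-result idref="xccdf_org.ssgproject.content_rule_no_empty_passwords" severity="high" weight="1.000000">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_grub2_audit_argument" severity="medium" weight="1.000000">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_sample_unchecked" severity="low" weight="1.000000">
      <result>notchecked</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_sample_broken" severity="medium" weight="1.000000">
      <result>error</result>
    </rule-result>
    <score system="urn:xccdf:scoring:default" maximum="100.000000">98.214286</score>
  </TestResult>
</Benchmark>
"""


def main(argv):
    xml_text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_RESULTS
    summary = summarize_results(xml_text)
    print("outcomes:", summary["counts"])
    print("scores:", summary["scores"])
    print("unweighted pass rate: %.2f%%" % unweighted_pass_rate(summary))
    for f in summary["failures"]:
        print("%-5s %-7s %s" % (f["result"], f["severity"], f["title"]))


if __name__ == "__main__":
    main(sys.argv)
```

Feeding it the results of two runs and diffing the failure lists is a quick way to see exactly which rules a remediation pass fixed, and which it broke.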

OpenSCAP Remediation of RHEL 7, PCI-DSS Profile

OK, let's see if this SSG content can improve things. We will add the --remediate option. It runs an evaluation, applies whatever remediations it can, and then runs a second evaluation and generates its report. Remediation changes the system in place, rewriting configuration files and changing package and service state, so it must run as root and belongs on a snapshot or test build before it goes anywhere near a production host. You're hoping for lots of yellow "fixed" items and no red "error" items. For the build I used for this test, there were 48 "fixed" and 1 "error" remediation items.

$ script /tmp/oscap-rhel7-pci-remediation-output
Script started, file is /tmp/oscap-rhel7-pci-remediation-output
$ oscap xccdf eval --remediate	\
	--fetch-remote-resources				\
	--profile xccdf_org.ssgproject.content_profile_pci-dss		\
	--report /tmp/rhel7-pci-dss-remediation-report.html		\
	ssg-rhel7-ds.xml
[... much output ...]
$ ^D
Script done, file is /tmp/oscap-rhel7-pci-remediation-output

Here's what it looked like after remediation:

OpenSCAP results for remediating then evaluating RHEL 7 against PCI-DSS.

98.21% score, 1295 passed and one failed to run. The one that could not successfully run was worth 1.79% of the score.

The remediation item that failed with an error was "Enable Auditing for Processes Which Start Prior to the Audit Daemon". It was meant to add audit=1 to the default GRUB command line for the Linux kernel in /etc/default/grub, and then run grub2-mkconfig to rebuild the GRUB configuration file from that, either /boot/grub2/grub.cfg on a BIOS system or /boot/efi/EFI/redhat/grub.cfg on a UEFI system.

The fix actually worked: the string was correctly added to both /etc/default/grub and the GRUB configuration file.

Re-running an assessment scan, it still scores 98.21% with one medium severity failure for this item. So, this is a false positive. Tools are useful, but not perfect. Before writing off a rule like this one, check every place the argument has to appear: GRUB_CMDLINE_LINUX in /etc/default/grub, the kernel lines in the rebuilt grub.cfg, and /proc/cmdline, since the running kernel does not pick up a changed GRUB command line until the machine is booted with it.