Preparing to Harden Linux with OpenSCAP
OpenSCAP is a free implementation of
SCAP, the Security Content Automation Protocol.
That's a set of standards used to automate vulnerability
assessment, vulnerability management, and policy compliance
of information systems.
OpenSCAP has been certified by NIST as correctly implementing the SCAP standards.
The primary tool for Linux system administrators and security auditors is the
It uses the SCAP Security Guide content, a collection of XML files.
The main tool is the
On Red Hat and Oracle Linux,
it is in the
The SCAP content, the SCAP Security Guide,
is a collection of XML files in the
On Red Hat and Oracle Linux,
they are in the
Here's what you get on RHEL 7.
$ cd /usr/share/xml/scap/ssg/content
$ ls -sh ssg-rhel7-*
8.0K ssg-rhel7-cpe-dictionary.xml
 92K ssg-rhel7-cpe-oval.xml
 32M ssg-rhel7-ds-1.2.xml
 32M ssg-rhel7-ds.xml
1.4M ssg-rhel7-ocil.xml
3.5M ssg-rhel7-oval.xml
 10M ssg-rhel7-xccdf.xml
Some components are also stored in subdirectories of
The SCAP components are:
- Asset Identification (AID)
- Asset Reporting Format (ARF)
- Common Configuration Enumeration (CCE)
- Common Configuration Scoring System (CCSS)
- Common Platform Enumeration (CPE)
- Common Vulnerabilities and Exposures (CVE)
- Common Vulnerability Scoring System (CVSS)
- Open Checklist Interactive Language (OCIL)
- Open Vulnerability and Assessment Language (OVAL)
- Trust Model for Security Automation Data (TMSAD)
- Software Identification (SWID) tags
- Extensible Configuration Checklist Description Format (XCCDF)
You can reference either the XCCDF or
file, or the Datastream or
which contains the other component files within it.
You would expect the two to lead to the same result, as the Datastream file supposedly contains the XCCDF and other files. However...
The SCAP Security Guide
The SCAP Security Guide or SSG, the source of the SCAP content, is a great idea and an active project. It is not, however, finished.
Working as a consultant as a sub-sub-contractor on an electronic warfare project for the U.S. Army, I was given a copy of SCC or the SCAP Compliance Checker, a package developed by the Navy. It checks for compliance against the U.S. Department of Defense STIG or Security Technical Implementation Guide. Or just DoD STIG for short.
After installing a customized but fairly general-purpose RHEL 7 system, SCC scores it around 35%.
oscap with what Red Hat describes as the test-and-mitigate profile for the DoD STIG for RHEL 7, and then scanning it with SCC, the result still scores no higher than about 65%.
The precise numbers vary from update to update. But as a general rule, a run using the Datastream file applies more checks than one using the XCCDF file.
So, in what follows, we will use the Datastream file.
An XCCDF or Datastream file can contain arbitrarily many profiles, each an individual set of tests, each possibly accompanied by a mitigation. My experience has been that:
- Not all components of a given requirement (e.g., DoD STIG) are tested.
- For the tests that exist, some (and perhaps all) have no mitigation defined.
- Some existing mitigations fail to run.
- You will likely discover false-positive errors in the results, and we must assume that false-negative errors also occur.
You use the
info operation of
to display a description of the included XCCDF data.
allows it to also download remote content referenced
within the file, e.g.
Editing down the results to just the titles of the profiles, on RHEL 7:
$ more /etc/system-release
Red Hat Enterprise Linux Server release 7.9 (Maipo)
$ oscap info --fetch-remote-resources ssg-rhel7-ds.xml | grep 'Title:' | sed 's/^^I*//'
Title: Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)
Title: Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)
Title: NIST National Checklist Program Security Guide
Title: CIS Red Hat Enterprise Linux 7 Benchmark
Title: DISA STIG for Red Hat Enterprise Linux 7
Title: Criminal Justice Information Services (CJIS) Security Policy
Title: Standard System Security Profile for Red Hat Enterprise Linux 7
Title: Australian Cyber Security Centre (ACSC) Essential Eight
Title: OSPP - Protection Profile for General Purpose Operating Systems v4.2.1
Title: Health Insurance Portability and Accountability Act (HIPAA)
Title: C2S for Red Hat Enterprise Linux 7
Title: VPP - Protection Profile for Virtualization v. 1.0 for Red Hat Enterprise Linux Hypervisor (RHELH)
Title: [DRAFT] DISA STIG for Red Hat Enterprise Linux Virtualization Host (RHELH)
Title: DRAFT - ANSSI DAT-NT28 (minimal)
Title: DRAFT - ANSSI DAT-NT28 (high)
Title: DRAFT - ANSSI DAT-NT28 (enhanced)
Title: DRAFT - ANSSI DAT-NT28 (intermediary)
Title: PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 7
Title: PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 7
Red Hat has scaled the project way back, from 19 profiles in RHEL 7.9 to just 2 in RHEL 8.
$ more /etc/system-release
Red Hat Enterprise Linux Server release 8.0 (Ootpa)
$ oscap info --fetch-remote-resources ssg-rhel8-ds.xml | grep 'Title:' | sed 's/^^I*//'
Title: PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 8
Title: OSPP - Protection Profile for General Purpose Operating Systems
Meanwhile, Oracle is remaining active in maintaining SSG content for Oracle Linux 8:
$ more /etc/system-release
Oracle Linux Server release 8.3
$ oscap info --fetch-remote-resources ssg-ol8-ds.xml | grep 'Title:' | sed 's/^^I*//'
Title: Criminal Justice Information Services (CJIS) Security Policy
Title: Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)
Title: [DRAFT] Australian Cyber Security Centre (ACSC) Essential Eight
Title: Health Insurance Portability and Accountability Act (HIPAA)
Title: [DRAFT] Protection Profile for General Purpose Operating Systems
Title: PCI-DSS v3.2.1 Control Baseline Draft for Oracle Linux 8
Title: Standard System Security Profile for Oracle Linux 8
Title: [DRAFT] DISA STIG for Oracle Linux 8
OpenSCAP Assessment of RHEL 7, PCI-DSS Profile
You need the profile ID, so get that first:
$ oscap info ssg-rhel7-ds.xml | grep -C 2 PCI-DSS
	Title: DRAFT - ANSSI DAT-NT28 (intermediary)
		Id: xccdf_org.ssgproject.content_profile_anssi_nt28_intermediary
	Title: PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 7
		Id: xccdf_org.ssgproject.content_profile_pci-dss
	Referenced check files:
Now run it with the
Run it within a script session to save all the output with colors preserved:
$ script /tmp/oscap-rhel7-pci-output
Script started, file is /tmp/oscap-rhel7-pci-output
$ oscap xccdf eval \
    --fetch-remote-resources \
    --profile xccdf_org.ssgproject.content_profile_pci-dss \
    --report /tmp/rhel7-pci-dss-report.html \
    ssg-rhel7-ds.xml
[... much output ...]
$ ^D
Script done, file is /tmp/oscap-rhel7-pci-output
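As an added example (not code from the article or from the OpenSCAP project), the POSIX shell functions below do the profile lookup that the grep -C 2 above does by eye, but refuse to proceed when a title is duplicated, as PCI-DSS is in the RHEL 7.9 listing, and then run the same oscap xccdf eval under script(1). The oscap info excerpt is constructed; the ANSSI and PCI-DSS Ids are the ones the article shows, the third Id is a placeholder.

```shell
# profile_ids PATTERN: read 'oscap info' output on stdin and print the Id of
# every profile whose Title matches the extended regex PATTERN.
profile_ids() {
    awk -v pat="$1" '
        /^[[:space:]]*Title:/ { t = $0; sub(/^[[:space:]]*Title:[[:space:]]*/, "", t); hit = (t ~ pat) }
        /^[[:space:]]*Id:/    { if (hit) print $2; hit = 0 }'
}

# select_profile PATTERN: succeed with the Id only when exactly one profile
# matches; a title that occurs twice is reported instead of silently taking
# the first hit, which is what a plain grep would do.
select_profile() {
    ids=$(profile_ids "$1")
    n=$(printf '%s\n' "$ids" | grep -c . || true)
    case "$n" in
        1) printf '%s\n' "$ids" ;;
        0) echo "no profile title matches '$1'" >&2; return 1 ;;
        *) echo "ambiguous: $n profiles match '$1':" >&2
           printf '%s\n' "$ids" >&2; return 2 ;;
    esac
}

# assess DATASTREAM PATTERN REPORT: the article's evaluation command with the
# profile looked up by title and the terminal output kept by script(1) -c.
# oscap exit status: 0 all rules pass, 1 error, 2 evaluated but some rule failed.
assess() {
    id=$(oscap info "$1" | select_profile "$2") || return $?
    script -qe -c "oscap xccdf eval --fetch-remote-resources --profile $id --report $3 $1" "${3%.html}.log"
}

# Constructed excerpt in the shape of 'oscap info ssg-rhel7-ds.xml' output.
# The first two Ids are real (shown in the article); the third is a placeholder
# standing in for the second profile that shares the PCI-DSS title.
SAMPLE_INFO='Profiles:
	Title: DRAFT - ANSSI DAT-NT28 (intermediary)
		Id: xccdf_org.ssgproject.content_profile_anssi_nt28_intermediary
	Title: PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 7
		Id: xccdf_org.ssgproject.content_profile_pci-dss
	Title: PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 7
		Id: xccdf_org.ssgproject.content_profile_pci-dss_PLACEHOLDER'

printf '%s\n' "$SAMPLE_INFO" | select_profile 'ANSSI.*intermediary'
printf '%s\n' "$SAMPLE_INFO" | select_profile 'PCI-DSS' || echo "lookup failed with status $?"
# On a real host: assess ssg-rhel7-ds.xml 'ANSSI.*intermediary' /tmp/rhel7-anssi-report.html
```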
You will see a lot of output, with white "notapplicable" and "notchecked", green "pass", and red "fail" for various tests.
Using the same starting point that SCC scores at about 35% against the DoD STIG, I got this:
61.89% score: 1297 rules, 1248 passed, 48 medium severity failed, 1 not checked.
Every test can have its own score, and with PCI-DSS they do have varying scores. 48 medium severity tests and one high severity test failed. Scrolling down, I see the start of the report.
I scrolled down and clicked on "Prevent Login to Accounts with Empty Password". That provides a list of references, a description and rationale for the rule, and remediation content as both Bash shell script and Ansible code.
OpenSCAP Remediation of RHEL 7, PCI-DSS Profile
OK, let's see if this SSG content can improve things.
We will add the
It will run an evaluation, apply whatever remediations it can, and then run a second evaluation and generate its report.
You're hoping for lots of yellow "fixed" items and no red "error" items. For the build I used for this test, there were 48 "fixed" and 1 "error" remediation items.
$ script /tmp/oscap-rhel7-pci-remediation-output
Script started, file is /tmp/oscap-rhel7-pci-remediation-output
$ oscap xccdf eval --remediate \
    --fetch-remote-resources \
    --profile xccdf_org.ssgproject.content_profile_pci-dss \
    --report /tmp/rhel7-pci-dss-remediation-report.html \
    ssg-rhel7-ds.xml
[... much output ...]
$ ^D
Script done, file is /tmp/oscap-rhel7-pci-remediation-output
Here's what it looked like after remediation:
98.21% score, 1295 passed and one failed to run. The one that could not successfully run was worth 1.79% of the score.
The remediation item that failed with an error was "Enable Auditing for Processes Which Start Prior to the Audit Daemon".
It intended to add audit=1 to the default GRUB command line for the Linux kernel in
Then it ran grub2-mkconfig to apply that change, rebuilding the GRUB configuration file in either
The fix actually worked: the string was correctly added to /etc/default/grub and the GRUB configuration
Re-running an assessment scan, it scores 98.21% with one medium severity failure for this item. So, this is a false positive. Tools are useful, but not perfect.
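To confirm a finding like this by hand, the added shell checks below (example code, not the article's or the SCAP Security Guide's) look at the three places the argument has to appear: the line the fix edits, every kernel entry of the regenerated grub.cfg, and the running kernel's command line, which only changes after a reboot. The sample /etc/default/grub, grub.cfg and cmdline contents are constructed, with the rescue entry deliberately missing audit=1 so the all-entries check has something to catch.

```shell
# has_arg STRING ARG: true if ARG is one whole whitespace-separated word of
# STRING, so audit=1 matches neither audit=10 nor noaudit=1.
has_arg() {
    printf '%s\n' "$1" | tr ' \t' '\n\n' | grep -qx -- "$2"
}
# default_grub_has FILE ARG: the GRUB_CMDLINE_LINUX="..." line the fix edits
# (last occurrence wins, as it does for GRUB itself).
default_grub_has() {
    line=$(sed -n 's/^GRUB_CMDLINE_LINUX="\(.*\)"$/\1/p' "$1" | tail -n 1)
    has_arg "$line" "$2"
}
# grub_cfg_has FILE ARG: true only if every kernel line grub2-mkconfig wrote
# (linux16 / linuxefi / linux) carries ARG.
grub_cfg_has() {
    entries=$(grep -E '^[[:space:]]*linux(16|efi)?[[:space:]]' "$1") || return 1
    printf '%s\n' "$entries" | while IFS= read -r e; do
        has_arg "$e" "$2" || exit 1
    done
}
# running_kernel_has ARG [CMDLINE_FILE]: /proc/cmdline by default; it reflects
# the booted kernel only, so it stays false until the host is rebooted.
running_kernel_has() {
    has_arg "$(cat "${2:-/proc/cmdline}")" "$1"
}

# Constructed sample files standing in for the real ones (not captures from
# the article's host). The rescue entry lacks audit=1 on purpose.
TMP=$(mktemp -d)
cat > "$TMP/grub.default" <<'EOF'
GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=rhel/root rhgb quiet audit=1"
EOF
cat > "$TMP/grub.cfg" <<'EOF'
menuentry 'Red Hat Enterprise Linux Server 7 (Maipo)' {
	linux16 /vmlinuz root=/dev/mapper/rhel-root ro crashkernel=auto rd.lvm.lv=rhel/root rhgb quiet audit=1
}
menuentry 'Red Hat Enterprise Linux Server 7 (Maipo) rescue' {
	linux16 /vmlinuz-rescue root=/dev/mapper/rhel-root ro crashkernel=auto rhgb quiet
}
EOF
printf 'BOOT_IMAGE=/vmlinuz root=/dev/mapper/rhel-root ro crashkernel=auto rhgb quiet\n' > "$TMP/cmdline"

default_grub_has "$TMP/grub.default" audit=1 && echo "default grub: ok" || echo "default grub: missing"
grub_cfg_has "$TMP/grub.cfg" audit=1 && echo "grub.cfg: ok" || echo "grub.cfg: an entry lacks audit=1"
running_kernel_has audit=1 "$TMP/cmdline" && echo "running kernel: ok" || echo "running kernel: not yet (reboot)"
```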