6.8. Practical Examples

This section demonstrates practical usage of certain security content provided for Red Hat products.

6.8.1. Auditing Security Vulnerabilities of Red Hat Products

Red Hat continuously provides OVAL definitions for their products. These definitions allow for fully automated audit of vulnerabilities in the installed software. To find out more information about this project, see http://www.redhat.com/security/data/metrics/. To download these definitions, enter the following command:
~]$ wget http://www.redhat.com/security/data/oval/com.redhat.rhsa-all.xml
The users of Red Hat Satellite 5 may find useful the XCCDF part of the patch definitions. To download these definitions, enter the following command:
~]$ wget http://www.redhat.com/security/data/metrics/com.redhat.rhsa-all.xccdf.xml
To audit security vulnerabilities for the software installed on the system, enter the following command:
~]$ oscap oval eval --results rhsa-results-oval.xml --report oval-report.html com.redhat.rhsa-all.xml
The oscap utility maps Red Hat Security Advisories to CVE identifiers that are linked to the National Vulnerability Database and reports which security advisories are not applied.

Note

Note that these OVAL definitions are designed to only cover software and updates released by Red Hat. You need to provide additional definitions in order to detect the patch status of third-party software.

6.8.2. Auditing System Settings with SCAP Security Guide

The SCAP Security Guide (SSG) project's package, scap-security-guide, contains the latest set of security polices for Linux systems. To install the SCAP Security Guide package on your system, enter the following command as root:
~]# yum install scap-security-guide
A part of scap-security-guide is also a guidance for Red Hat Enterprise Linux 7 settings. To inspect the security content available with scap-security-guide, use the oscap info module:
~]$ oscap info /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
The output of this command is an outline of the SSG document and it contains available configuration profiles. To audit your system settings, choose a suitable profile and run the appropriate evaluation command. For example, the following command is used to assess the given system against a draft SCAP profile for Red Hat Certified Cloud Providers:
~]$ oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_rht-ccp --results ssg-rhel7-xccdf-result.xml --report ssg-rhel7-report.html /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml