7.3. Configuration Compliance Scanning

7.3.1. Configuration Compliance in RHEL 7

You can use configuration compliance scanning to conform to a baseline defined by a specific organization. For example, if you work with the US government, you might have to comply with the Operating System Protection Profile (OSPP), and if you are a payment processor, you might have to be compliant with the Payment Card Industry Data Security Standard (PCI-DSS). You can also perform configuration compliance scanning to harden your system security.
Red Hat recommends that you follow the Security Content Automation Protocol (SCAP) content provided in the SCAP Security Guide package because it is in line with Red Hat best practices for the affected components.
The SCAP Security Guide package provides content which conforms to the SCAP 1.2 and SCAP 1.3 standards. The openscap scanner utility is compatible with both SCAP 1.2 and SCAP 1.3 content provided in the SCAP Security Guide package.

Important

Performing a configuration compliance scan does not guarantee that the system is compliant.
The SCAP Security Guide suite provides profiles for several platforms in the form of data stream documents. A data stream is a file that contains definitions, benchmarks, profiles, and individual rules. Each rule specifies the applicability and requirements for compliance. RHEL 7 provides several profiles for compliance with security policies. In addition to the industry standard, Red Hat data streams also contain information for remediation of failed rules.

Structure of Compliance Scanning Resources

Data stream
   ├── xccdf
   |      ├── benchmark
   |            ├── profile
   |                ├──rule
   |                    ├── xccdf
   |                         ├── oval reference
   ├── oval                  ├── ocil reference
   ├── ocil                  ├── cpe reference
   └── cpe                   └── remediation

A profile is a set of rules based on a security policy, such as Operating System Protection Profile (OSPP) or Payment Card Industry Data Security Standard (PCI-DSS). This enables you to audit the system in an automated way for compliance with security standards.
You can modify (tailor) a profile to customize certain rules, for example, password length. For more information on profile tailoring, see Section 7.7.2, “Customizing a Security Profile with SCAP Workbench”.

Note

To scan containers or container images for configuration compliance, see Section 7.9, “Scanning Containers and Container Images for Vulnerabilities”.

7.3.2. Possible results of an OpenSCAP scan

Depending on various properties of your system and the data stream and profile applied to an OpenSCAP scan, each rule may produce a specific result. This is a list of possible results with brief explanations of what they mean.

Table 7.1. Possible results of OpenSCAP scan

Result            Explanation
Pass              The scan did not find any conflicts with this rule.
Fail              The scan found a conflict with this rule.
Not checked       OpenSCAP does not perform an automatic evaluation of this rule. Check whether your system conforms to this rule manually.
Not applicable    This rule does not apply to the current configuration.
Not selected      This rule is not part of the profile. OpenSCAP does not evaluate this rule and does not display these rules in the results.
Error             The scan encountered an error. For additional information, you can enter the oscap-scanner command with the --verbose DEVEL option. Consider opening a bug report.
Unknown           The scan encountered an unexpected situation. For additional information, you can enter the oscap-scanner command with the --verbose DEVEL option. Consider opening a bug report.

7.3.3. Viewing Profiles for Configuration Compliance

Before you decide to use profiles for scanning or remediation, you can list them and check their detailed descriptions using the oscap info sub-command.

Prerequisites

  • The openscap-scanner and scap-security-guide packages are installed.

Procedure

  1. List all available files with configuration compliance profiles provided by the SCAP Security Guide project:
    ~]$ ls /usr/share/xml/scap/ssg/content/
    ssg-firefox-cpe-dictionary.xml  ssg-rhel6-ocil.xml
    ssg-firefox-cpe-oval.xml        ssg-rhel6-oval.xml
    ...
    ssg-rhel6-ds-1.2.xml            ssg-rhel8-xccdf.xml
    ssg-rhel6-ds.xml
    ...
  2. Display detailed information about a selected data stream using the oscap info sub-command. XML files containing data streams are indicated by the -ds string in their names. In the Profiles section, you can find a list of available profiles and their IDs:
    ~]$ oscap info /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
    ...
    Profiles:
    	Title: PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 7
    		Id: xccdf_org.ssgproject.content_profile_pci-dss
    	Title: OSPP - Protection Profile for General Purpose Operating Systems v. 4.2.1
    		Id: xccdf_org.ssgproject.content_profile_ospp
    ...
    
  3. Select a profile from the data stream file and display additional details about the selected profile. To do so, use oscap info with the --profile option followed by the suffix of the ID displayed in the output of the previous command. For example, the ID of the PCI-DSS profile is: xccdf_org.ssgproject.content_profile_pci-dss, and the value for the --profile option can be _pci-dss:
    ~]$ oscap info --profile _pci-dss /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
    ...
    Profile
    	Title: PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 7
    	Id: xccdf_org.ssgproject.content_profile_pci-dss
    
    	Description: Ensures PCI-DSS v3.2.1 related security configuration settings are applied.
    ...
  4. Alternatively, when using a GUI, install the scap-security-guide-doc package and open the file:///usr/share/doc/scap-security-guide-doc-0.1.46/ssg-rhel7-guide-index.html file in a web browser. Select the required profile in the upper right field of the Guide to the Secure Configuration of Red Hat Enterprise Linux 7 document; the profile ID is then shown already included in the relevant command for the subsequent evaluation.
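The profile listing and the suffix matching that step 3 relies on can also be reproduced without oscap, which is useful when you need to check a data stream on a machine that does not have the scanner installed. The script below is an added example written for this page; it is not part of the RHEL documentation and not OpenSCAP project code. It assumes only the Python standard library. SAMPLE_DS is a constructed, minimal stand-in for ssg-rhel7-ds.xml: the two profile IDs and titles mirror the oscap info output above, while the component, benchmark and rule IDs are placeholders rather than the SCAP Security Guide's own.

```python
# Added example (not part of the RHEL documentation and not OpenSCAP project code):
# list the profiles in a SCAP data stream and resolve a --profile suffix the way
# step 3 above describes, using only the Python standard library.
# Usage: python3 list_profiles.py /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
# Without an argument the constructed SAMPLE_DS below is used instead.
import sys
import xml.etree.ElementTree as ET

NS = {
    "ds": "http://scap.nist.gov/schema/scap/source/1.2",   # SCAP 1.2 source data stream
    "xccdf": "http://checklists.nist.gov/xccdf/1.2",       # XCCDF 1.2 benchmark/profile
}

# Constructed sample: one data stream, one XCCDF benchmark component, two profiles.
# Profile IDs/titles mirror the oscap info output on this page; the other IDs are placeholders.
SAMPLE_DS = """<?xml version="1.0" encoding="UTF-8"?>
<ds:data-stream-collection xmlns:ds="http://scap.nist.gov/schema/scap/source/1.2"
    xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
    xmlns:xlink="http://www.w3.org/1999/xlink"
    id="scap_example_collection">
  <ds:data-stream id="scap_example_datastream" scap-version="1.2" use-case="OTHER">
    <ds:checklists>
      <ds:component-ref id="scap_example_cref_xccdf" xlink:href="#scap_example_comp_xccdf"/>
    </ds:checklists>
  </ds:data-stream>
  <ds:component id="scap_example_comp_xccdf" timestamp="2020-01-01T00:00:00">
    <xccdf:Benchmark id="xccdf_example_benchmark_RHEL-7">
      <xccdf:Profile id="xccdf_org.ssgproject.content_profile_pci-dss">
        <xccdf:title>PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 7</xccdf:title>
        <xccdf:description>Ensures PCI-DSS v3.2.1 related security configuration settings are applied.</xccdf:description>
        <xccdf:select idref="xccdf_example_rule_password_minlen" selected="true"/>
        <xccdf:select idref="xccdf_example_rule_unused_check" selected="false"/>
      </xccdf:Profile>
      <xccdf:Profile id="xccdf_org.ssgproject.content_profile_ospp">
        <xccdf:title>OSPP - Protection Profile for General Purpose Operating Systems v. 4.2.1</xccdf:title>
        <xccdf:description>Constructed sample description for the OSPP profile.</xccdf:description>
        <xccdf:select idref="xccdf_example_rule_password_minlen" selected="true"/>
      </xccdf:Profile>
    </xccdf:Benchmark>
  </ds:component>
</ds:data-stream-collection>
"""


def list_profiles(ds_xml):
    """Return [{id, title, description, rules_selected}, ...] for every XCCDF
    Profile found in any benchmark component of the data stream."""
    root = ET.fromstring(ds_xml)
    profiles = []
    for prof in root.iterfind(".//xccdf:Profile", NS):
        selected = sum(
            1 for sel in prof.iterfind("xccdf:select", NS) if sel.get("selected") == "true"
        )
        profiles.append({
            "id": prof.get("id"),
            "title": prof.findtext("xccdf:title", default="", namespaces=NS).strip(),
            "description": prof.findtext("xccdf:description", default="", namespaces=NS).strip(),
            "rules_selected": selected,
        })
    return profiles


def resolve_profile(ds_xml, wanted):
    """Accept either the full profile ID or a suffix of it (e.g. "_pci-dss"),
    as step 3 describes. A suffix that matches no profile, or more than one,
    is rejected instead of silently picking one, so a typo cannot make a scan
    run against the wrong baseline."""
    matches = [p for p in list_profiles(ds_xml)
               if p["id"] == wanted or p["id"].endswith(wanted)]
    if len(matches) != 1:
        raise ValueError("profile %r matched %d profiles; use a longer suffix or the full ID"
                         % (wanted, len(matches)))
    return matches[0]


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DS
    for p in list_profiles(text):
        print("Title: %s\n\tId: %s\n\tSelected rules: %d" % (p["title"], p["id"], p["rules_selected"]))
```

The ambiguity check in resolve_profile is the part worth keeping in any wrapper you write around oscap: pass the full profile ID to automation rather than a short suffix, and let a script like this confirm the ID exists in the data stream before the scan runs.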

Additional Resources

  • The scap-security-guide(8) man page also contains the list of profiles.

7.3.4. Assessing Configuration Compliance with a Specific Baseline

To determine whether your system conforms to a specific baseline, follow these steps.

Prerequisites

Procedure

  1. Evaluate the compliance of the system with the selected profile and save the scan results in the report.html HTML file, for example:
    ~]$ sudo oscap xccdf eval --report report.html --profile ospp /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
  2. Optional: Scan a remote system with the machine1 host name, SSH running on port 22, and the joesec user name against the same profile, and save the results to the remote_report.html file:
    ~]$ oscap-ssh joesec@machine1 22 xccdf eval --report remote_report.html --profile ospp /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
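Once a scan has run, the practical question is which rules came back in each of the categories of Table 7.1 and what to do about them. The script below is an added example written for this page; it is not part of the RHEL documentation and not OpenSCAP project code. It assumes the scan in step 1 was run with the extra option --results results.xml, so that per-rule outcomes are written as XCCDF XML next to the HTML report (the HTML report on its own is not meant for machine parsing). SAMPLE_RESULTS is a constructed, minimal results document with placeholder rule IDs; the profile ID and target name match the commands above.

```python
# Added example (not part of the RHEL documentation and not OpenSCAP project code):
# summarise an XCCDF results file by the outcome categories of Table 7.1.
# Assumes the scan was run with:  oscap xccdf eval --results results.xml ...
# Usage: python3 summarize_results.py results.xml   (no argument: constructed sample)
import sys
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"xccdf": "http://checklists.nist.gov/xccdf/1.2"}

# XCCDF result tokens -> labels used in Table 7.1
TABLE_7_1 = {
    "pass": "Pass",
    "fail": "Fail",
    "notchecked": "Not checked",
    "notapplicable": "Not applicable",
    "notselected": "Not selected",
    "error": "Error",
    "unknown": "Unknown",
}

# Constructed sample results document; rule IDs are placeholders. A "notselected"
# entry is included because the XML results can list such rules even though the
# HTML report does not display them.
SAMPLE_RESULTS = """<?xml version="1.0" encoding="UTF-8"?>
<xccdf:Benchmark xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark_RHEL-7">
  <xccdf:TestResult id="xccdf_example_testresult_ospp" start-time="2020-01-01T10:00:00" end-time="2020-01-01T10:05:00">
    <xccdf:profile idref="xccdf_org.ssgproject.content_profile_ospp"/>
    <xccdf:target>machine1</xccdf:target>
    <xccdf:rule-result idref="xccdf_example_rule_1" severity="medium"><xccdf:result>pass</xccdf:result></xccdf:rule-result>
    <xccdf:rule-result idref="xccdf_example_rule_2" severity="high"><xccdf:result>fail</xccdf:result></xccdf:rule-result>
    <xccdf:rule-result idref="xccdf_example_rule_3" severity="low"><xccdf:result>notchecked</xccdf:result></xccdf:rule-result>
    <xccdf:rule-result idref="xccdf_example_rule_4" severity="medium"><xccdf:result>notapplicable</xccdf:result></xccdf:rule-result>
    <xccdf:rule-result idref="xccdf_example_rule_5" severity="medium"><xccdf:result>notselected</xccdf:result></xccdf:rule-result>
    <xccdf:rule-result idref="xccdf_example_rule_6" severity="medium"><xccdf:result>error</xccdf:result></xccdf:rule-result>
    <xccdf:rule-result idref="xccdf_example_rule_7" severity="high"><xccdf:result>pass</xccdf:result></xccdf:rule-result>
  </xccdf:TestResult>
</xccdf:Benchmark>
"""


def summarize_results(xml_text):
    """Tally rule outcomes by Table 7.1 category and collect the rule IDs
    that need follow-up: failures, manual checks, and scanner errors."""
    root = ET.fromstring(xml_text)
    test_result = root.find(".//xccdf:TestResult", NS)
    if test_result is None:
        raise ValueError("no TestResult element: was the scan run with --results?")
    counts = Counter()
    failed = []          # (rule id, severity) for every Fail
    manual_review = []   # Not checked: the scanner cannot evaluate these, verify by hand
    needs_rerun = []     # Error / Unknown: investigate with --verbose DEVEL
    for rr in test_result.iterfind("xccdf:rule-result", NS):
        rule_id = rr.get("idref")
        outcome = rr.findtext("xccdf:result", default="unknown", namespaces=NS).strip()
        counts[TABLE_7_1.get(outcome, outcome)] += 1
        if outcome == "fail":
            failed.append((rule_id, rr.get("severity", "unknown")))
        elif outcome == "notchecked":
            manual_review.append(rule_id)
        elif outcome in ("error", "unknown"):
            needs_rerun.append(rule_id)
    profile = test_result.find("xccdf:profile", NS)
    return {
        "profile": profile.get("idref") if profile is not None else None,
        "target": test_result.findtext("xccdf:target", default="", namespaces=NS),
        "counts": dict(counts),
        "failed": failed,
        "manual_review": manual_review,
        "needs_rerun": needs_rerun,
        # True only when nothing failed or errored. This is not a compliance verdict:
        # the Not checked rules still have to be verified manually.
        "automated_checks_clean": not failed and not needs_rerun,
    }


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RESULTS
    summary = summarize_results(text)
    print("Profile: %s  Target: %s" % (summary["profile"], summary["target"]))
    for label in TABLE_7_1.values():
        print("  %-15s %d" % (label, summary["counts"].get(label, 0)))
    for rule_id, severity in summary["failed"]:
        print("FAIL [%s] %s" % (severity, rule_id))
    for rule_id in summary["manual_review"]:
        print("MANUAL CHECK %s" % rule_id)
```

The automated_checks_clean flag deliberately stays False while any rule reports Error or Unknown, and it never takes Not checked rules into account, which is the point the Important note at the top of this section makes: a clean automated scan is evidence, not a compliance guarantee.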

Additional Resources