Show Table of Contents
8.7. Scanning the System with a Customized Profile Using SCAP Workbench
SCAP Workbench is a graphical utility that enables you to perform configuration scans on a single local or a remote system, perform remediation of the system, and generate reports based on scan evaluations. Note that SCAP Workbench has limited functionality compared with the oscap command-line utility. SCAP Workbench processes security content in the form of data stream files.
8.7.1. Using SCAP Workbench to Scan and Remediate the System
To evaluate your system against a selected security policy, use the following procedure.
- The scap-workbench package is installed on your system.
- To run SCAP Workbench from the GNOME Classic desktop environment, press the
Superkey to enter the
Activities Overview, type
scap-workbench, and then press Enter. Alternatively, use:
- Select a security policy by using any of the following options:
Load Contentbutton on the starting window
Open content from SCAP Security Guide
Open Other Contentin the
Filemenu, and search the respective XCCDF, SCAP RPM, or data stream file.
- You can enable automatic correction of the system configuration by selecting the SCAP Workbench attempts to change the system configuration in accordance with the security rules applied by the policy. This process attempts to fix the related checks that fail during the system scan.check box. With this option enabled,
WarningIf not used carefully, running the system evaluation with the
Remediateoption enabled might render the system non-functional. Red Hat does not provide any automated method to revert changes made by security-hardening remediations. Remediations are supported on RHEL systems in the default configuration. If your system has been altered after the installation, running remediation might not make it compliant with the required security profile.
- Scan your system with the selected profile by clicking thebutton.
- To store the scan results in form of an XCCDF, ARF, or HTML file, click thecombo box. Choose the
HTML Reportoption to generate the scan report in a human-readable format. The XCCDF and ARF (data stream) formats are suitable for further automatic processing. You can repeatedly choose all three options.
- To export results-based remediations to a file, use thepop-up menu.
8.7.2. Customizing a Security Profile with SCAP Workbench
You can customize a security profile by changing parameters in certain rules (for example, minimum password length), removing rules that you cover in a different way, and selecting additional rules, to implement internal policies. You cannot define new rules by customizing a profile.
The following procedure demonstrates the use of SCAP Workbench for customizing (tailoring) a profile. You can also save the tailored profile for use with the oscap command-line utility.
- Run SCAP Workbench, and select the profile you want to customize by using either
Open content from SCAP Security Guideor
Open Other Contentin the
- To adjust the selected security profile according to your needs, click thebutton.This opens the new Customization window that enables you to modify the currently selected XCCDF profile without changing the original XCCDF file. Choose a new profile ID.
- Find a rule to modify using either the tree structure with rules organized into logical groups or the
- Include or exclude rules using check boxes in the tree structure, or modify values in rules where applicable.
- Confirm the changes by clicking thebutton.
- To store your changes permanently, use one of the following options:
- Save a customization file separately by using
Save Customization Onlyin the
- Save all security content at once using
Save Allin the
Filemenu.If you select the
Into a directoryoption, SCAP Workbench saves both the XCCDF or data stream file and the customization file to the specified location. You can use this as a backup solution.By selecting the
As RPMoption, you can instruct SCAP Workbench to create an RPM package containing the data stream file and the customization file. This is useful for distributing the security content to systems that cannot be scanned remotely, and for delivering the content for further processing.
Because SCAP Workbench does not support results-based remediations for tailored profiles, use the exported remediations with the oscap command-line utility.