7.3. Using SCAP Workbench

SCAP Workbench (scap-workbench) is a graphical utility that enables users to perform configuration and vulnerability scans on a single local or a remote system, perform remediation of the system, and generate reports based on scan evaluations. Note that compared with the oscap command-line utility, SCAP Workbench has only limited functionality. SCAP Workbench can also process only security content in the form of XCCDF and data-stream files.
The following sections explain how to install, start, and utilize SCAP Workbench to perform system scans, remediation, scan customization, and display relevant examples for these tasks.

7.3.1. Installing SCAP Workbench

To install SCAP Workbench on your system, enter the following command as root: 
~]# yum install scap-workbench
This command installs all packages required by SCAP Workbench to function properly, including the scap-workbench package that provides the utility itself. Note that required dependencies, such as the qt and openssh packages, are automatically updated to the newest available version if the packages are already installed on your system.
SCAP Workbench needs a security content to operate. Red Hat recommends to use the SCAP Security Guide (SSG). The scap-security-guide package is installed as a SCAP Workbench dependency and it is located in the /usr/share/xml/scap/ssg/content/ directory.
To find other possible sources of existing SCAP content that might suit your needs, see Section 7.10, “Additional Resources”.

7.3.2. Running SCAP Workbench

For running SCAP Workbench from the GNOME Classic desktop environment, press the Super key to enter the Activities Overview, type scap-workbench, and then press Enter. The Super key appears in a variety of guises, depending on the keyboard and other hardware, but often as either the Windows or Command key, and typically to the left of the Spacebar key.
Open SCAP Security Guide Window

Figure 7.1. Open SCAP Security Guide Window

As soon as you start the utility, the Open SCAP Security Guide window appears. After a selection one of the guides, the SCAP Workbench window appears. This window consists of several interactive components, which you should become familiar with before you start scanning your system:
File
This menu list offers several options to load or save a SCAP-related content. To show the initial Open SCAP Security Guide window, click the menu item with the same name. Alternatively, load another customization file in the XCCDF format by clicking Open Other Content. To save your customization as an XCCDF XML file, use the Save Customization Only item. The Save All allows you to save SCAP files either to the selected directory or as an RPM package.
Customization
This combo box informs you about the customization used for the given security policy. You can select custom rules that are applied for the system evaluation by clicking this combo box. The default value is (no customization), which means that there are no changes to the used security policy. If you make any changes to the selected security profile, you can save those changes as an XML file by clicking the Save Customization Only item in the File menu.
Profile
This combo box contains the name of the selected security profile. You can select the security profile from a given XCCDF or data-stream file by clicking this combo box. To create a new profile that inherits properties of the selected security profile, click the Customize button.
Target
The two radio buttons enable you to select whether the system to be evaluated is a local or remote machine.
Rules
This field displays a list of security rules that are subject of the security policy. Expanding a particular security rule provides detailed information about that rule.
Status bar
This is a graphical bar that indicates status of an operation that is being performed.
Generate remediation role
This pop-up menu enables you to export profile-based remediations to a file. This file contains all available fixes for all rules in the currently selected profile. You can choose the output as a Bash script, an Ansible playbook, or a Puppet manifest. A remediation performed during a system evaluation is based on bash remediations.
This feature enables you to examine individual remediations and possibly edit or cherry-pick them. Therefore, it puts you in full control over the remediation process.
Dry run
Use this check box to get command line arguments to the diagnostics window instead of running the scan.
Fetch remote resources
This check box allows to instruct the scanner to download a remote OVAL content defined in an XML file.
Remediate
This check box enables the remediation feature during the system evaluation. If you check this box, SCAP Workbench attempts to correct system settings that failed to match the state defined by the policy.
Scan
This button enables you to start the evaluation of the specified system.
SCAP Workbench Window

Figure 7.2. SCAP Workbench Window

7.3.3. Scanning the System

The main functionality of SCAP Workbench is to perform security scans on a selected system in accordance with the given XCCDF or data stream file. To evaluate your system against the selected security policy, follow these steps:
  1. Select a security policy by using either the Open SCAP Security Guide window, or Open Other Content in the File menu and search the respective XCCDF, SCAP RPM or data stream file.

    Warning

    Selecting a security policy results in the loss of any previous customization changes that were not saved. To re-apply the lost options, you have to choose the available profile and customization content again. Note that your previous customizations may not be applicable with the new security policy.
  2. To use a pre-arranged a file with customized security content specific to your use case, you can load this file by clicking on the Customization combo box. You can also create a custom tailoring file by altering an available security profile. For more information, see Section 7.3.4, “Customizing Security Profiles”.
    1. Select the (no customization) option if you do not want to use any customization for the current system evaluation. This is the default option if no previous customization was selected.
    2. Select the (open customization file...) option to search for the particular tailoring file to be used for the current system evaluation.
    3. If you have previously used some customization file, SCAP Workbench remembers this file and adds it to the list. This simplifies the repetitive application of the same scan.
  3. Select a suitable security profile by clicking the Profile combo box.
    1. To modify the selected profile, click the Customize button. For more information about profile customization, see Section 7.3.4, “Customizing Security Profiles”.
  4. Select either of two Target radio buttons to scan either a local or a remote machine.
    1. If you have selected a remote system, specify it by entering the user name, host name, and the port information as shown in the following example. If you have previously used the remote scan, you can also select a remote system from a list of recently scanned machines.
      Specifying a Remote System

      Figure 7.3. Specifying a Remote System

  5. You can allow automatic correction of the system configuration by selecting the Remediate check box. With this option enabled, SCAP Workbench attempts to change the system configuration in accordance with the security rules applied by the policy, should the related checks fail during the system scan.

    Warning

    If not used carefully, running the system evaluation with the remediation option enabled could render the system non-functional.
  6. Click the Scan button to initiate the system scan.

7.3.4. Customizing Security Profiles

After selecting the security profile that suits your security policy, you can further adjust it by clicking the Customize button. This opens the new Customization window that enables you to modify the currently selected XCCDF profile without actually changing the respective XCCDF file.
Customizing the Selected Security Profile

Figure 7.4. Customizing the Selected Security Profile

The Customization window contains a complete set of XCCDF elements relevant to the selected security profile with detailed information about each element and its functionality. You can enable or disable these elements by selecting or de-selecting the respective check boxes in the main field of this window. The Customization window also supports undo and redo functionality; you can undo or redo your selections by clicking the respective arrow icon in the top left corner of the window.
You can also change variables that will later be used for evaluation. Find the appropriate item in the Customization window, navigate to the right part and use the Modify value field.
Setting a value for the selected item in the Customization window

Figure 7.5. Setting a value for the selected item in the Customization window

After you have finished your profile customizations, confirm the changes by clicking the Confirm Customization button. Your changes are now in the memory and do not persist if SCAP Workbench is closed or certain changes, such as selecting a new SCAP content or choosing another customization option, are made. To store your changes, click the Save Customization button in the SCAP Workbench window. This action allows you to save your changes to the security profile as an XCCDF customization file in the chosen directory. Note that this customization file can be further selected with other profiles.

7.3.5. Saving SCAP Content

SCAP Workbench also allows you to save SCAP content that is used with your system evaluations. You can either save a customization file separately (see Section 7.3.4, “Customizing Security Profiles”) or you can save all security content at once by clicking the Save content combo box and selecting either the Save into a directory or Save as RPM options.
By selecting the Save into a directory option, SCAP Workbench saves both the XCCDF or data-stream file and the customization file to the specified location. This can be useful as a backup solution.
By selecting the Save as RPM option, you can instruct SCAP Workbench to create an RPM package containing the XCCDF or data stream file and customization file. This is useful for distributing the security content to systems that cannot be scanned remotely, or just for delivering the content for further processing.
Saving the Current SCAP Content as an RPM Package

Figure 7.6. Saving the Current SCAP Content as an RPM Package

7.3.6. Viewing Scan Results and Generating Scan Reports and Remediations

After the system scan is finished, three new buttons, Clear, Save Results, Generate remediation role, and Show Report will appear instead of the Scan button.

Warning

Clicking the Clear button permanently removes the scan results.
To store the scan results in the form of an XCCDF, ARF, or HTML file, click the Save Results combo box. Choose the HTML Report option to generate the scan report in human-readable form. The XCCDF and ARF (data stream) formats are suitable for further automatic processing. You can repeatedly choose all three options.
If you prefer to view the scan results immediately without saving them, click the Show Report button, which opens the scan results in the form of a temporary HTML file in your default web browser.
You can use the Generate remediation role pop-up menu to export results-based remediations to a file. This functionality is very similar to the profile-based remediation role export — the difference is that remediations for rules that pass the system evaluation are not exported, so the file may be smaller.

Warning

Results-based remediation is not supported for tailored profiles. If you need to export those, you can use the oscap command-line utility.