7.3. Using SCAP Workbench
7.3.1. Installing SCAP Workbench
yum install scap-workbench
7.3.2. Running SCAP Workbench
scap-workbench, and then press Enter. The Super key appears in a variety of guises, depending on the keyboard and other hardware, but often as either the Windows or Command key, and typically to the left of the Spacebar key.
Figure 7.1. Open SCAP Security Guide Window
- This menu list offers several options to load or save SCAP-related content. To show the initial Open SCAP Security Guide window, click the menu item with the same name. Alternatively, load another customization file in the XCCDF format by clicking Open Other Content. To save your customization as an XCCDF XML file, use the Save Customization Only item. The Save All item allows you to save SCAP files either to the selected directory or as an RPM package.
- This combo box informs you about the customization used for the given security policy. You can select custom rules that are applied for the system evaluation by clicking this combo box. The default value is (no customization), which means that there are no changes to the used security policy. If you make any changes to the selected security profile, you can save those changes as an XML file by clicking the Save Customization Only item in the File menu.
- This combo box contains the name of the selected security profile. You can select the security profile from a given XCCDF or data-stream file by clicking this combo box. To create a new profile that inherits properties of the selected security profile, click the button.
- The two radio buttons enable you to select whether the system to be evaluated is a local or remote machine.
- This field displays a list of security rules that are subject to the security policy. Expanding a particular security rule provides detailed information about that rule.
- Status bar
- This is a graphical bar that indicates the status of an operation that is being performed.
- Generate remediation role
- This pop-up menu enables you to export profile-based remediations to a file. This file contains all available fixes for all rules in the currently selected profile. You can choose the output as a Bash script, an Ansible playbook, or a Puppet manifest. A remediation performed during a system evaluation is based on Bash remediations. This feature enables you to examine individual remediations and possibly edit or cherry-pick them. Therefore, it puts you in full control over the remediation process.
- Dry run
- Use this check box to get command line arguments to the diagnostics window instead of running the scan.
- Fetch remote resources
- This check box instructs the scanner to download remote OVAL content defined in an XML file.
- This check box enables the remediation feature during the system evaluation. If you check this box, SCAP Workbench attempts to correct system settings that failed to match the state defined by the policy.
- This button enables you to start the evaluation of the specified system.
Figure 7.2. SCAP Workbench Window
7.3.3. Scanning the System
- Select a security policy by using either the Open SCAP Security Guide window, or Open Other Content in the File menu and search the respective XCCDF, SCAP RPM or data stream file.
Warning: Selecting a security policy results in the loss of any previous customization changes that were not saved. To re-apply the lost options, you have to choose the available profile and customization content again. Note that your previous customizations may not be applicable with the new security policy.
- To use a pre-arranged file with customized security content specific to your use case, you can load this file by clicking on the Customization combo box. You can also create a custom tailoring file by altering an available security profile. For more information, see Section 7.3.4, “Customizing Security Profiles”.
- Select the (no customization) option if you do not want to use any customization for the current system evaluation. This is the default option if no previous customization was selected.
- Select the (open customization file...) option to search for the particular tailoring file to be used for the current system evaluation.
- If you have previously used some customization file, SCAP Workbench remembers this file and adds it to the list. This simplifies the repetitive application of the same scan.
- Select a suitable security profile by clicking the Profile combo box.
- To modify the selected profile, click the button. For more information about profile customization, see Section 7.3.4, “Customizing Security Profiles”.
- Select either of two radio buttons to scan either a local or a remote machine.
- If you have selected a remote system, specify it by entering the user name, host name, and the port information as shown in the following example. If you have previously used the remote scan, you can also select a remote system from a list of recently scanned machines.
Figure 7.3. Specifying a Remote System
- You can allow automatic correction of the system configuration by selecting the check box. With this option enabled, SCAP Workbench attempts to change the system configuration in accordance with the security rules applied by the policy, should the related checks fail during the system scan.
Warning: If not used carefully, running the system evaluation with the remediation option enabled could render the system non-functional.
- Click the button to initiate the system scan.
7.3.4. Customizing Security Profiles
Figure 7.4. Customizing the Selected Security Profile
Figure 7.5. Setting a value for the selected item in the Customization window
7.3.5. Saving SCAP Content
Save into a directory or Save as RPM options.
Save into a directory option, SCAP Workbench saves both the XCCDF or data-stream file and the customization file to the specified location. This can be useful as a backup solution.
Save as RPM option, you can instruct SCAP Workbench to create an RPM package containing the XCCDF or data stream file and customization file. This is useful for distributing the security content to systems that cannot be scanned remotely, or just for delivering the content for further processing.
Figure 7.6. Saving the Current SCAP Content as an RPM Package
7.3.6. Viewing Scan Results and Generating Scan Reports and Remediations
HTML Report option to generate the scan report in human-readable form. The XCCDF and ARF (data stream) formats are suitable for further automatic processing. You can repeatedly choose all three options.
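As an illustration of the automatic processing mentioned above, the following added example (not part of the original guide) reads a saved XCCDF result and lists the rule results that need attention, ordered by severity. The sample document, rule IDs and host name are constructed; the element and attribute names (TestResult, rule-result, idref, severity, result) follow the XCCDF schema, and the same search also finds a TestResult wrapped in an ARF file.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample of an XCCDF 1.2 result file; IDs and host are made up.
SAMPLE = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark_demo">
  <TestResult id="xccdf_example_testresult_demo">
    <target>host.example.com</target>
    <rule-result idref="xccdf_example_rule_sshd_root_login" severity="medium"><result>fail</result></rule-result>
    <rule-result idref="xccdf_example_rule_password_minlen" severity="medium"><result>pass</result></rule-result>
    <rule-result idref="xccdf_example_rule_partition_tmp" severity="low"><result>notselected</result></rule-result>
    <rule-result idref="xccdf_example_rule_audit_time" severity="high"><result>error</result></rule-result>
  </TestResult>
</Benchmark>"""

NEEDS_ATTENTION = {"fail", "error", "unknown"}  # results a reviewer must look at
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


def local(tag):
    """Drop the '{namespace}' prefix so XCCDF 1.1 and 1.2 files both match."""
    return tag.rsplit("}", 1)[-1]


def summarize(xml_text):
    """Return (target, Counter of result values, findings sorted by severity)."""
    # Parse only result files you produced yourself; use a hardened parser
    # such as defusedxml for files received from elsewhere.
    root = ET.fromstring(xml_text)
    # In an ARF file the TestResult is nested inside the report content,
    # so search the whole tree rather than a fixed path.
    test_result = next((e for e in root.iter() if local(e.tag) == "TestResult"), None)
    if test_result is None:
        raise ValueError("no XCCDF TestResult element found")
    target = next((e.text for e in test_result if local(e.tag) == "target"), None)
    counts, findings = Counter(), []
    for rr in test_result:
        if local(rr.tag) != "rule-result":
            continue
        result = next(((c.text or "").strip() for c in rr if local(c.tag) == "result"), "") or "unknown"
        counts[result] += 1
        if result in NEEDS_ATTENTION:
            findings.append((rr.get("severity", "unknown"), rr.get("idref"), result))
    findings.sort(key=lambda f: (SEVERITY_ORDER.get(f[0], 3), f[1]))
    return target, counts, findings


if __name__ == "__main__":
    target, counts, findings = summarize(SAMPLE)
    print(target, dict(counts))
    for severity, rule_id, result in findings:
        print(f"{result:6} {severity:8} {rule_id}")
```

Rules reported as error or unknown are listed alongside failures because the check did not produce a verdict, so the setting still has to be verified by hand.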