Chapter 6. Scanning the system for security compliance and vulnerabilities

A compliance audit is a process of figuring out whether a given object follows all the rules written out in a compliance policy. The compliance policy is defined by security professionals who specify required settings, often in the form of a checklist, that are to be used in the computing environment.

The compliance policy can vary substantially across organizations and even across different systems within the same organization. Differences among these policies are based on the purpose of these systems and their importance for the organization. Custom software settings and deployment characteristics also raise the need for custom policy checklists.

6.1. Security compliance tools in RHEL

Red Hat Enterprise Linux provides tools that allow for a fully automated compliance audit. These tools are based on the Security Content Automation Protocol (SCAP) standard and are designed for automated tailoring of compliance policies.

  • SCAP Workbench - The scap-workbench graphical utility is designed to perform configuration and vulnerability scans on a single local or remote system. It can also be used to generate security reports based on these scans and evaluations.
  • OpenSCAP - The oscap command-line utility is designed to perform configuration and vulnerability scans on a local system, to validate security compliance content, and to generate reports and guides based on these scans and evaluations.
  • SCAP Security Guide (SSG) - The scap-security-guide package provides the latest collection of security policies for Linux systems. The guidance consists of a catalog of practical hardening advice, linked to government requirements where applicable. The project bridges the gap between generalized policy requirements and specific implementation guidelines.
  • Script Check Engine (SCE) - SCE is an extension to the SCAP protocol that allows administrators to write their security content using a scripting language, such as Bash, Python, or Ruby. The SCE extension is provided in the openscap-engine-sce package.

If you need to perform automated compliance audits on multiple systems remotely, you can use the OpenSCAP solution for Red Hat Satellite.

Additional resources

  • oscap(8) - The manual page for the oscap command-line utility provides a complete list of available options and their usage explanation.
  • scap-workbench(8) - The manual page for the SCAP Workbench application provides basic information about the application as well as some links to potential sources of SCAP content.
  • scap-security-guide(8) - The manual page for the scap-security-guide project provides further documentation about the various available SCAP security profiles. It also provides examples of how to evaluate the provided benchmarks using the OpenSCAP utility.
  • For more details about using OpenSCAP with Red Hat Satellite, see Security Compliance Management in the Administering Red Hat Satellite Guide.

6.2. Red Hat Security Advisories OVAL feed

Red Hat Enterprise Linux security auditing capabilities are based on the Security Content Automation Protocol (SCAP) standard. SCAP is a multi-purpose framework of specifications that supports automated configuration, vulnerability and patch checking, technical control compliance activities, and security measurement.

SCAP specifications create an ecosystem where the format of security content is well known and standardized while the implementation of the scanner or policy editor is not mandated. This enables organizations to build their security policy (SCAP content) once, no matter how many security vendors they employ.

The Open Vulnerability Assessment Language (OVAL) is the essential and oldest component of SCAP. Unlike other tools or custom scripts, the OVAL language describes a required state of resources in a declarative manner. The OVAL language code is never executed directly but by means of an OVAL interpreter tool called a scanner. The declarative nature of OVAL ensures that the state of the assessed system is not accidentally modified.

Like all other SCAP components, OVAL is based on XML. The SCAP standard defines several document formats. Each of them includes a different kind of information and serves a different purpose.

Red Hat Product Security helps customers evaluate and manage risk by tracking and investigating all security issues affecting Red Hat customers. It provides timely and concise patches and security advisories on the Red Hat Customer Portal. Red Hat creates and supports OVAL patch definitions, providing machine-readable versions of our security advisories.

The RHSA OVAL definitions are available individually and as a complete package, and are updated within an hour of a new security advisory being made available on the Red Hat Customer Portal.

Each OVAL patch definition maps one-to-one to a Red Hat Security Advisory (RHSA). Since an RHSA can contain fixes for multiple vulnerabilities, each vulnerability is listed separately by its Common Vulnerabilities and Exposures (CVE) name and has a link to its entry in our public bug database.

The RHSA OVAL definitions are designed to check for vulnerable versions of RPM packages installed on a system. It is possible to extend these definitions to include further checks - for instance, to find out if the packages are being used in a vulnerable configuration. These definitions are designed to cover software and updates shipped by Red Hat. Additional definitions are required to detect the patch status of third-party software.

6.3. Scanning the system for vulnerabilities

The oscap command-line utility enables users to scan local systems, validate security compliance content, and generate reports and guides based on these scans and evaluations. This utility serves as a front end to the OpenSCAP library and groups its functionalities to modules (sub-commands) based on the type of SCAP content it processes.

Prerequisites

  • The AppStream repository is enabled.

Procedure

  1. Install the openscap-scanner package:

    # yum install openscap-scanner
  2. Download the latest RHSA OVAL definitions for your system:

    # wget https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml
  3. Scan the system for vulnerabilities and save results to the vulnerability.html file:

    # oscap oval eval --report vulnerability.html com.redhat.rhsa-RHEL8.xml

    You can check the results in a browser of your choice, for example:

    $ firefox vulnerability.html &
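oscap can also write the raw OVAL results next to the HTML report (add --results rhsa-results.xml to the command above), which is the form you want when the scan output feeds a ticketing or inventory workflow rather than a browser. The following script is an added example, not part of this documentation or of the OpenSCAP project: it parses such a results file and lists the definitions that evaluated to true, that is, the advisories whose fixed package versions are still missing, with their severity and CVE references. The results document embedded in the script is constructed, and its RHSA and CVE identifiers are placeholders rather than real advisories.

```python
"""Summarise the OVAL results that `oscap oval eval --results` writes.

Added example; not part of the RHEL documentation or of the OpenSCAP
project. It assumes the results document embeds the evaluated definitions
(oscap does this) and that patch definitions carry RHSA and CVE <reference>
elements, as the Red Hat RHSA OVAL feed does. The advisory and CVE
identifiers in SAMPLE_RESULTS are constructed placeholders.
"""
import sys
import xml.etree.ElementTree as ET

NS = {
    "res": "http://oval.mitre.org/XMLSchema/oval-results-5",
    "def": "http://oval.mitre.org/XMLSchema/oval-definitions-5",
}

# Constructed sample results: one definition evaluated to "true" (a
# vulnerable package version is installed), one to "false" (patched).
SAMPLE_RESULTS = """<oval_results xmlns="http://oval.mitre.org/XMLSchema/oval-results-5"
              xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5">
  <oval-def:oval_definitions>
    <oval-def:definitions>
      <oval-def:definition id="oval:com.redhat.rhsa:def:00000001" version="1" class="patch">
        <oval-def:metadata>
          <oval-def:title>RHSA-0000:0001: placeholder security update (Important)</oval-def:title>
          <oval-def:reference source="RHSA" ref_id="RHSA-0000:0001"/>
          <oval-def:reference source="CVE" ref_id="CVE-0000-00001"/>
          <oval-def:reference source="CVE" ref_id="CVE-0000-00002"/>
          <oval-def:advisory><oval-def:severity>Important</oval-def:severity></oval-def:advisory>
        </oval-def:metadata>
      </oval-def:definition>
      <oval-def:definition id="oval:com.redhat.rhsa:def:00000002" version="1" class="patch">
        <oval-def:metadata>
          <oval-def:title>RHSA-0000:0002: placeholder bug fix and security update (Moderate)</oval-def:title>
          <oval-def:reference source="RHSA" ref_id="RHSA-0000:0002"/>
          <oval-def:reference source="CVE" ref_id="CVE-0000-00003"/>
          <oval-def:advisory><oval-def:severity>Moderate</oval-def:severity></oval-def:advisory>
        </oval-def:metadata>
      </oval-def:definition>
    </oval-def:definitions>
  </oval-def:oval_definitions>
  <results>
    <system>
      <definitions>
        <definition definition_id="oval:com.redhat.rhsa:def:00000001" version="1" result="true"/>
        <definition definition_id="oval:com.redhat.rhsa:def:00000002" version="1" result="false"/>
      </definitions>
    </system>
  </results>
</oval_results>
"""


def definition_metadata(root):
    """Map each definition id to its title, RHSA id, CVE list and severity."""
    meta = {}
    for d in root.findall(".//def:definition", NS):
        refs = d.findall("def:metadata/def:reference", NS)
        sev = d.find("def:metadata/def:advisory/def:severity", NS)
        meta[d.get("id")] = {
            "title": d.findtext("def:metadata/def:title", default="", namespaces=NS),
            "rhsa": next((r.get("ref_id") for r in refs if r.get("source") == "RHSA"), None),
            "cves": [r.get("ref_id") for r in refs if r.get("source") == "CVE"],
            "severity": sev.text.strip() if sev is not None and sev.text else "unknown",
        }
    return meta


def summarize(xml_text):
    """Count evaluated definitions by OVAL result (true, false, error, ...)."""
    root = ET.fromstring(xml_text)
    counts = {}
    for d in root.findall(".//res:definition", NS):
        counts[d.get("result")] = counts.get(d.get("result"), 0) + 1
    return counts


def vulnerable_definitions(xml_text):
    """Definitions that evaluated to "true": the system still has a package
    version the advisory fixes. Sorted by RHSA id for stable output."""
    root = ET.fromstring(xml_text)
    meta = definition_metadata(root)
    found = []
    for d in root.findall(".//res:definition", NS):
        if d.get("result") == "true":
            entry = dict(meta.get(d.get("definition_id"), {}))
            entry["id"] = d.get("definition_id")
            found.append(entry)
    return sorted(found, key=lambda e: e.get("rhsa") or e["id"])


if __name__ == "__main__":
    # Usage: oscap oval eval --results rhsa-results.xml --report vulnerability.html \
    #            com.redhat.rhsa-RHEL8.xml && python3 this_script.py rhsa-results.xml
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_RESULTS
    print("results:", summarize(text))
    for v in vulnerable_definitions(text):
        print(f"{v['rhsa']} [{v['severity']}] {v['title']} -> {', '.join(v['cves'])}")
```

A result of "true" means the definition's package-version test matched, so the advisory is still outstanding on that host; "false" means the fixed version (or a newer one) is installed. Because the feed only covers software shipped by Red Hat, an empty vulnerable list says nothing about third-party packages, as the previous section notes.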

6.4. Scanning remote systems for vulnerabilities

You can also check remote systems for vulnerabilities with the OpenSCAP scanner. This functionality is provided by the oscap-ssh tool over the SSH protocol.

Prerequisites

  • The AppStream repository is enabled.
  • The openscap-scanner package is installed on the remote systems.
  • The SSH server is running on the remote systems.

Procedure

  1. Install the openscap-utils package:

    # yum install openscap-utils
  2. Download the latest RHSA OVAL definitions for your system:

    # wget https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml
  3. Scan a remote system with the machine1 host name, SSH running on port 22, and the joesec user name for vulnerabilities and save results to the remote-vulnerability.html file:

    # oscap-ssh joesec@machine1 22 oval eval --report remote-vulnerability.html com.redhat.rhsa-RHEL8.xml

6.5. Viewing profiles for security compliance

RHEL 8 provides several profiles for compliance with security policies. Before you decide to use them for scanning or remediation, you can list them and check their detailed descriptions using the oscap info sub-command.

Prerequisites

  • The openscap-scanner and scap-security-guide packages are installed.

Procedure

  1. List all available files with security compliance profiles provided by the SCAP Security Guide project:

    $ ls /usr/share/xml/scap/ssg/content/
    ssg-firefox-cpe-dictionary.xml  ssg-rhel6-ocil.xml
    ssg-firefox-cpe-oval.xml        ssg-rhel6-oval.xml
    ...
    ssg-rhel6-ds-1.2.xml          ssg-rhel8-oval.xml
    ssg-rhel8-ds.xml              ssg-rhel8-xccdf.xml
    ...
  2. Display detailed information about a selected data stream using the oscap info sub-command. XML files containing data streams are indicated by the -ds string in their names. In the Profiles section, you can find a list of available profiles and their IDs:

    $ oscap info /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml
    ...
    Profiles:
      Title: PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 8
        Id: xccdf_org.ssgproject.content_profile_pci-dss
      Title: OSPP - Protection Profile for General Purpose Operating Systems
        Id: xccdf_org.ssgproject.content_profile_ospp
    ...
  3. Select a profile from the data-stream file and display additional details about the selected profile. To do so, use oscap info with the --profile option followed by the last section of the ID displayed in the output of the previous command. For example, the ID of the PCI-DSS profile is: xccdf_org.ssgproject.content_profile_pci-dss, and the value for the --profile option is pci-dss:

    $ oscap info --profile pci-dss /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml
    ...
    Title: PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 8
    Id: xccdf_org.ssgproject.content_profile_pci-dss
    
    Description: Ensures PCI-DSS v3.2.1 security configuration settings are applied.
    ...

Additional resources

  • The scap-security-guide(8) man page.

6.6. Assessing security compliance with a specific baseline

The SCAP Security Guide suite provides profiles for several platforms in the form of XCCDF, OVAL, and data stream documents. A profile is a set of rules based on a security policy, such as the Operating System Protection Profile (OSPP) or the Payment Card Industry Data Security Standard (PCI-DSS). This enables you to audit the system in an automated way with respect to security standards.

Prerequisites

  • The openscap-scanner package is installed.

Procedure

  1. Install the scap-security-guide package:

    # yum install scap-security-guide
  2. Display detailed information about a selected data stream using the oscap info sub-command. In the Profiles section, you can find a list of available profiles and their IDs:

    $ oscap info /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml
    ...
    Profiles:
      Title: PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 8
        Id: xccdf_org.ssgproject.content_profile_pci-dss
      Title: OSPP - Protection Profile for General Purpose Operating Systems
        Id: xccdf_org.ssgproject.content_profile_ospp
    ...
    [trimmed for clarity]

    Select a profile from the data-stream file and display more details about the selected profile by providing the last part of an ID identified in the output of the previous command to the --profile option of oscap info. For example, the OSPP profile has Id: xccdf_org.ssgproject.content_profile_ospp, and the value for the --profile option is ospp:

    $ oscap info --profile ospp /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml

    The PCI-DSS v3 Control Baseline profile is identified by xccdf_org.ssgproject.content_profile_pci-dss:

    $ oscap info --profile pci-dss /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml
    ...
    Description: Ensures PCI-DSS v3 related security configuration settings are applied.
    [trimmed for clarity]

    Alternatively, when using a GUI, install the scap-security-guide-doc package and open the file:///usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-index.html file in a web browser. After you select a required profile in the top right field of the Guide to the Secure Configuration of Red Hat Enterprise Linux 8 document, you can see a relevant command for the following evaluation.

  3. Evaluate the compliance of the system with the selected profile and save scan results in the report.html HTML file, for example:

    $ oscap xccdf eval --report report.html --profile ospp /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml

    With the openscap-utils package installed on your system and the openscap-scanner package installed on a remote system, you can also evaluate the remote system with the machine1 host name, SSH running on port 22, and the joesec user name against the selected profile and save the results to the remote_report.html file:

    $ oscap-ssh joesec@machine1 22 xccdf eval --report remote_report.html --profile ospp /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml
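The oscap info output shown in this procedure and in the previous section comes from the XCCDF Profile elements embedded in the data stream. As an added example (not code from this documentation or from the OpenSCAP project), the following script reads those elements directly, derives the short --profile value from each profile ID, and assembles the oscap xccdf eval command line for a chosen profile, either local or through oscap-ssh in the form used above. It assumes that a short name selects the profile whose ID ends with _profile_<name>, which is how oscap resolves it; the data stream embedded in the script is a constructed, cut-down sample rather than the real ssg-rhel8-ds.xml.

```python
"""List the profiles in a SCAP data stream and build the oscap command that
evaluates one of them, locally or through oscap-ssh.

Added example; not part of the RHEL documentation or of the OpenSCAP project.
Assumes the data stream embeds an XCCDF 1.2 Benchmark (as ssg-rhel8-ds.xml
does) and that a short --profile value such as "ospp" selects the profile
whose id ends with "_profile_ospp". SAMPLE_DS is a constructed sample.
"""
import sys
import xml.etree.ElementTree as ET

NS = {
    "ds": "http://scap.nist.gov/schema/scap/source/1.2",
    "xccdf": "http://checklists.nist.gov/xccdf/1.2",
}

# Constructed, cut-down data stream with two profiles and two sample rules.
SAMPLE_DS = """<ds:data-stream-collection xmlns:ds="http://scap.nist.gov/schema/scap/source/1.2"
    xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2" id="scap_org.open-scap_collection_sample">
  <ds:component id="scap_org.open-scap_comp_sample-xccdf.xml">
    <xccdf:Benchmark id="xccdf_org.ssgproject.content_benchmark_RHEL-8">
      <xccdf:Profile id="xccdf_org.ssgproject.content_profile_pci-dss">
        <xccdf:title>PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 8</xccdf:title>
        <xccdf:description>Ensures PCI-DSS v3.2.1 security configuration settings are applied.</xccdf:description>
        <xccdf:select idref="xccdf_org.ssgproject.content_rule_sample_one" selected="true"/>
        <xccdf:select idref="xccdf_org.ssgproject.content_rule_sample_two" selected="true"/>
      </xccdf:Profile>
      <xccdf:Profile id="xccdf_org.ssgproject.content_profile_ospp">
        <xccdf:title>OSPP - Protection Profile for General Purpose Operating Systems</xccdf:title>
        <xccdf:description>Constructed sample description.</xccdf:description>
        <xccdf:select idref="xccdf_org.ssgproject.content_rule_sample_one" selected="true"/>
        <xccdf:select idref="xccdf_org.ssgproject.content_rule_sample_two" selected="false"/>
      </xccdf:Profile>
    </xccdf:Benchmark>
  </ds:component>
</ds:data-stream-collection>
"""


def list_profiles(ds_xml):
    """One dict per XCCDF Profile: full id, short --profile value, title,
    description and the number of rules the profile selects."""
    root = ET.fromstring(ds_xml)
    profiles = []
    for p in root.findall(".//xccdf:Profile", NS):
        pid = p.get("id")
        desc = p.find("xccdf:description", NS)
        profiles.append({
            "id": pid,
            "short": pid.partition("_profile_")[2],  # "ospp" for ..._profile_ospp
            "title": p.findtext("xccdf:title", default="", namespaces=NS).strip(),
            "description": "".join(desc.itertext()).strip() if desc is not None else "",
            "rules": sum(1 for s in p.findall("xccdf:select", NS) if s.get("selected") == "true"),
        })
    return profiles


def resolve_profile(ds_xml, wanted):
    """Map a full or short profile name to the full XCCDF profile id. Fails
    loudly on unknown or ambiguous names instead of scanning the wrong baseline."""
    matches = [p["id"] for p in list_profiles(ds_xml)
               if p["id"] == wanted or p["id"].endswith("_profile_" + wanted)]
    if len(matches) != 1:
        raise ValueError(f"profile {wanted!r} matches {len(matches)} profiles: {matches}")
    return matches[0]


def eval_command(ds_path, profile, report=None, results=None, remediate=False, remote=None):
    """argv for `oscap xccdf eval`, or `oscap-ssh user@host port xccdf eval` when
    remote=(user, host, port). Run it with subprocess.run(cmd, check=False):
    oscap exits 0 when every rule passes, 2 when at least one fails, 1 on error."""
    cmd = ["oscap-ssh", f"{remote[0]}@{remote[1]}", str(remote[2])] if remote else ["oscap"]
    cmd += ["xccdf", "eval", "--profile", profile]
    if report:
        cmd += ["--report", report]
    if results:
        cmd += ["--results", results]
    if remediate:
        cmd.append("--remediate")
    cmd.append(ds_path)
    return cmd


if __name__ == "__main__":
    # Usage: python3 this_script.py /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml [profile]
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_DS
    for p in list_profiles(text):
        print(f"{p['short']:12} {p['rules']:4} rules  {p['title']}")
    if len(sys.argv) > 2:
        full = resolve_profile(text, sys.argv[2])
        print(" ".join(eval_command(sys.argv[1], full, report="report.html")))
```

resolve_profile() deliberately refuses an ambiguous short name: a data stream that ships both a profile and a customized variant with a similar suffix would otherwise let an automation job silently evaluate the wrong baseline.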

6.7. Remediating the system to align with OSPP

Use this procedure to remediate the RHEL 8 system to align with the Protection Profile for General Purpose Operating Systems (OSPP).

Important

Red Hat does not provide any automated method to revert changes made by security-hardening remediations. Remediations are supported on RHEL systems in the default configuration. If your system has been altered after the installation, running remediation might not make it compliant with the required security profile.

Prerequisites

  • The scap-security-guide package is installed on your RHEL 8 system.

Procedure

  1. Use the oscap command with the --remediate option:

    # oscap xccdf eval --profile ospp --remediate /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml
  2. Restart your system.

Verification steps

  1. Evaluate how the system complies with the OSPP profile, and save the results to the ospp_report.html file:

    $ oscap xccdf eval --report ospp_report.html --profile ospp /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml

Additional resources

  • scap-security-guide(8) and oscap(8) man pages

6.8. Remediating the system to align with OSPP using the SSG Ansible playbook

Use this procedure for remediation of your system to align with the Protection Profile for General Purpose Operating Systems (OSPP) using the Ansible playbook file from the SCAP Security Guide project.

Important

Red Hat does not provide any automated method to revert changes made by security-hardening remediations. Remediations are supported on RHEL systems in the default configuration. If your system has been altered after the installation, running remediation might not make it compliant with the required security profile.

Prerequisites

  • The scap-security-guide package is installed on your RHEL 8 system.
  • Ansible is installed. See the Ansible Installation Guide for more information.

Procedure

  1. Remediate your system to align with OSPP using Ansible:

    # ansible-playbook -i localhost, -c local /usr/share/scap-security-guide/ansible/rhel8-playbook-ospp.yml
  2. Restart the system.

Verification steps

  1. Scan the remediated system for compliance with OSPP:

    # oscap xccdf eval --profile ospp --report ospp_report.html /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml

Additional resources

6.9. Creating a remediation Ansible playbook to align the system with OSPP

Use this procedure to create an Ansible playbook containing remediations that align your system with the Protection Profile for General Purpose Operating Systems (OSPP). The following steps do not modify your system; they only prepare a file for later application.

Prerequisites

  • The scap-security-guide package is installed on your RHEL 8 system.

Procedure

  1. Scan the system and save the results:

    # oscap xccdf eval --profile ospp --results ospp-results.xml /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml
  2. Generate an Ansible playbook based on the file generated in the previous step:

    # oscap xccdf generate fix --fix-type ansible --output ospp-remediations.yml ospp-results.xml
  3. The ospp-remediations.yml file contains Ansible remediations for rules that failed during the scan performed in step 1. After reviewing this generated file, you can apply it with the ansible-playbook ospp-remediations.yml command.

Verification steps

  1. In a text editor of your choice, review that the ospp-remediations.yml file contains rules that failed in the scan performed in step 1.
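The ospp-results.xml file from step 1 is an XCCDF results document, and the verification step amounts to comparing the rules that failed in it with the tasks in ospp-remediations.yml. The following script is an added example (not part of this documentation or of the OpenSCAP or SCAP Security Guide projects) that automates that comparison: it lists the failed rules by severity and reports any failed rule that has no task in the playbook, which is the set you still have to remediate by hand. It assumes that each generated task carries the rule's short name (the part of the rule ID after _rule_) in its tags, which is how SSG labels its Ansible remediations; the results document and playbook embedded in the script are constructed samples.

```python
"""Extract failed rules from XCCDF results (`oscap xccdf eval --results`) and
check which of them the generated Ansible remediation playbook covers.

Added example; not part of the RHEL documentation or of the OpenSCAP or SCAP
Security Guide projects. Assumption: each task in the generated playbook lists
the rule's short name (the part after "_rule_") among its tags. Rule names,
the results document and the playbook below are constructed samples.
"""
import re
import sys
import xml.etree.ElementTree as ET

XCCDF = {"x": "http://checklists.nist.gov/xccdf/1.2"}
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}

# Constructed XCCDF results: two failures, one pass, one not-applicable rule.
SAMPLE_RESULTS = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.ssgproject.content_benchmark_RHEL-8">
  <TestResult id="xccdf_org.open-scap_testresult_xccdf_org.ssgproject.content_profile_ospp">
    <profile idref="xccdf_org.ssgproject.content_profile_ospp"/>
    <rule-result idref="xccdf_org.ssgproject.content_rule_sample_one" severity="medium">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_sample_two" severity="high">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_sample_three" severity="low">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_sample_four" severity="medium">
      <result>notapplicable</result>
    </rule-result>
  </TestResult>
</Benchmark>
"""

# Constructed playbook in the shape of `oscap xccdf generate fix --fix-type ansible`
# output; only sample_one has a remediation task here.
SAMPLE_PLAYBOOK = """---
- hosts: all
  tasks:
    - name: Sample remediation for sample_one
      lineinfile:
        path: /etc/sample.conf
        line: sample_setting = 1
      tags:
        - sample_one
        - medium_severity
        - restrict_strategy
"""


def rule_results(xml_text):
    """Map every rule id in the TestResult to its result string."""
    root = ET.fromstring(xml_text)
    return {rr.get("idref"): rr.findtext("x:result", default="", namespaces=XCCDF).strip()
            for rr in root.findall(".//x:TestResult/x:rule-result", XCCDF)}


def failed_rules(xml_text):
    """(rule id, severity) for every rule with result "fail", highest severity first."""
    root = ET.fromstring(xml_text)
    failed = [(rr.get("idref"), rr.get("severity", "unknown"))
              for rr in root.findall(".//x:TestResult/x:rule-result", XCCDF)
              if rr.findtext("x:result", default="", namespaces=XCCDF).strip() == "fail"]
    return sorted(failed, key=lambda f: (SEVERITY_RANK.get(f[1], 3), f[0]))


def short_name(rule_id):
    """xccdf_org.ssgproject.content_rule_foo -> foo (split at the first "_rule_")."""
    return rule_id.partition("_rule_")[2]


def rule_short_names_in_playbook(playbook_text):
    """Bare '- word' YAML list items, which is where SSG puts the rule tags (assumption)."""
    return set(re.findall(r"^\s*-\s*([A-Za-z0-9_]+)\s*$", playbook_text, flags=re.M))


def uncovered_failures(xml_text, playbook_text):
    """Failed rules with no task in the playbook: remediate these manually."""
    tagged = rule_short_names_in_playbook(playbook_text)
    return [rule for rule, _ in failed_rules(xml_text) if short_name(rule) not in tagged]


if __name__ == "__main__":
    # Usage: python3 this_script.py ospp-results.xml ospp-remediations.yml
    res = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_RESULTS
    pb = open(sys.argv[2], encoding="utf-8").read() if len(sys.argv) > 2 else SAMPLE_PLAYBOOK
    counts = {}
    for r in rule_results(res).values():
        counts[r] = counts.get(r, 0) + 1
    print("results:", counts)
    for rule, sev in failed_rules(res):
        print(f"FAIL [{sev}] {rule}")
    for rule in uncovered_failures(res, pb):
        print(f"no remediation task in playbook: {short_name(rule)}")
```

A rule can fail and still have no task in the generated playbook when the SCAP Security Guide ships no Ansible fix for it, so an empty "uncovered" list, not merely a non-empty playbook, is what the verification step should establish.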

6.10. Scanning the system with a customized profile using SCAP Workbench

SCAP Workbench (scap-workbench) is a graphical utility that enables users to perform configuration and vulnerability scans on a single local or a remote system, perform remediation of the system, and generate reports based on scan evaluations. Note that compared with the oscap command-line utility, SCAP Workbench has only limited functionality. SCAP Workbench can also process only security content in the form of XCCDF and data-stream files.

Prerequisites

  • SCAP Workbench is installed on your system by the yum install scap-workbench command.

6.10.1. Using SCAP Workbench to scan and remediate the system

To evaluate your system against the selected security policy, use the following procedure.

Procedure

  1. To run SCAP Workbench from the GNOME Classic desktop environment, press the Super key to enter the Activities Overview, type scap-workbench, and then press Enter. Alternatively, use:

    $ scap-workbench &
  2. Select a security policy by using one of the following options:

    • Load Content button on the starting window
    • Open content from SCAP Security Guide
    • Open Other Content in the File menu, and search the respective XCCDF, SCAP RPM, or data stream file.

      Figure: SCAP Workbench start window
  3. You can allow automatic correction of the system configuration by selecting the Remediate check box. With this option enabled, SCAP Workbench attempts to change the system configuration in accordance with the security rules applied by the policy. This process should fix the related checks that fail during the system scan.

    Warning

    If not used carefully, running the system evaluation with the Remediate option enabled could render the system non-functional.

  4. Scan your system with the selected profile by clicking the Scan button.

    Figure: SCAP Workbench results window
  5. To store the scan results in the form of an XCCDF, ARF, or HTML file, click the Save Results combo box. Choose the HTML Report option to generate the scan report in human-readable format. The XCCDF and ARF (data stream) formats are suitable for further automatic processing. You can choose all three options, one after another.
  6. To export results-based remediations to a file, use the Generate remediation role pop-up menu.

6.10.2. Customizing a security profile with SCAP Workbench

The following procedure demonstrates how to use SCAP Workbench to customize a profile. You can also save the customized profile for use with the oscap command-line utility.

Procedure

  1. Run SCAP Workbench, and select the profile to customize by using either Open content from SCAP Security Guide or Open Other Content in the File menu.
  2. To further adjust the selected security profile to make it stricter or looser according to your organization's needs, click the Customize button.

    This opens the new Customization window that enables you to modify the currently selected XCCDF profile without changing the respective XCCDF file. Choose the new profile ID.

    Figure: Choosing the ID of your new profile
  3. Use either the tree structure with rules organized into logical groups or the Search field to find a rule to modify.
  4. Include or exclude rules using check boxes in the tree structure, or modify values in rules where applicable.

    Figure: Customizing a rule in the OSPP profile
  5. Confirm the changes by clicking the OK button.
  6. To store your changes permanently, use one of the following options:

    • Save a customization file separately by using Save Customization Only in the File menu.
    • Save all security content at once by using Save All in the File menu.

      By selecting the Into a directory option, SCAP Workbench saves both the XCCDF or data-stream file and the customization file to the specified location. This can be useful as a backup solution.

      By selecting the As RPM option, you can instruct SCAP Workbench to create an RPM package containing the XCCDF or data stream file and customization file. This is useful for distributing the security content to systems that cannot be scanned remotely, or just for delivering the content for further processing.

Note

Because SCAP Workbench does not support results-based remediations for tailored profiles, use the exported remediations with the oscap command-line utility.

6.11. Deploying systems that are compliant with a security profile right after an installation

Administrators can use the OpenSCAP suite to deploy RHEL systems that are compliant with a security profile, such as OSPP or PCI-DSS, right after the installation process. Administrators that use this deployment method can apply specific rules, for example, a rule for password strength, that cannot be applied later using remediation scripts.

6.11.1. Deploying OSPP-compliant RHEL systems using the graphical installation

Use this procedure to deploy a RHEL system that is aligned with the Protection Profile for General Purpose Operating Systems (OSPP).

Prerequisites

  • You have booted into the graphical installation program.
  • You have accessed the Installation Summary window.

Procedure

  1. From the Installation Summary window, click Software Selection. The Software Selection window opens.
  2. From the Base Environment pane, select the Server environment. You can select only one base environment.

    Warning

    Server with GUI is the default base environment. GNOME packages installed by the Server with GUI option require the nfs-utils package and this package is not OSPP-compliant. If you do not change the default base environment to Server, the installation process stops after you select OSPP.

  3. Click Done to apply the setting and return to the Installation Summary window.
  4. Click Security Policy. The Security Policy window opens.
  5. To enable security policies on the system, toggle the Apply security policy switch to ON.
  6. Select Protection Profile for General Purpose Operating Systems from the profile pane.
  7. Click Select Profile to confirm the selection.
  8. Confirm the changes in the Changes that were done or need to be done pane that is displayed at the bottom of the window. Complete any remaining manual changes.
  9. Because OSPP has strict partitioning requirements that must be met, create separate partitions for /boot, /home, /var, /var/log, /var/tmp, and /var/log/audit.
  10. Complete the graphical installation process.

    Note

    The graphical installation program automatically creates a corresponding Kickstart file after a successful installation. You can use the /root/anaconda-ks.cfg file to automatically install OSPP-compliant systems.

Verification steps

  1. The report of the hardening process is in the /root/openscap_data/eval_remediate_report.html file. Because oscap creates the report in a chroot environment, it can also contain false positives; for example, all service-related rules are shown as errors.
  2. To check the current status of the system properly, scan it after it restarts once the installation is complete:

    # oscap xccdf eval --profile ospp --report eval_postinstall_report.html /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml

6.11.2. Deploying OSPP-compliant RHEL systems using Kickstart

Use this procedure to deploy RHEL systems that are aligned with the Protection Profile for General Purpose Operating Systems (OSPP).

Prerequisites

  • The scap-security-guide package is installed on your RHEL 8 system.

Procedure

  1. Open the /usr/share/scap-security-guide/kickstarts/ssg-rhel8-ospp-ks.cfg Kickstart file in an editor of your choice.
  2. Update the partitioning scheme to fit your configuration requirements. For OSPP compliance, the separate partitions for /boot, /home, /var, /var/log, /var/tmp, and /var/log/audit must be preserved, and you can only change the size of the partitions.

    Warning

    Because the OSCAP Anaconda Addon plugin does not support text-only installation, do not use the text option in your Kickstart file. For more information, see RHBZ#1674001.

  3. Start a Kickstart installation as described in Performing an automated installation using Kickstart.

Important

Passwords in hashed form cannot be checked against OSPP requirements.
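Before starting the Kickstart installation, a quick check of the edited file catches the two mistakes this procedure warns about: dropping one of the required separate partitions, and requesting the unsupported text installation. The following script is an added example (not part of this documentation or of the SCAP Security Guide project) that checks a Kickstart file for both and also confirms that an OpenSCAP addon section selects a profile. The %addon org_fedoraproject_oscap section name and its content-type and profile keys are what the OSCAP Anaconda Addon uses; treat them as an assumption and compare with the ssg-rhel8-ospp-ks.cfg file shipped by scap-security-guide. The Kickstart fragment embedded in the script is a constructed sample, not that file.

```python
"""Check a Kickstart file against the OSPP installation constraints before
starting an automated installation.

Added example; not part of the RHEL documentation or of the SCAP Security
Guide project. The %addon section name org_fedoraproject_oscap and its
content-type/profile keys are assumed to match the OSCAP Anaconda Addon;
compare with the shipped ssg-rhel8-ospp-ks.cfg. SAMPLE_KS is constructed.
"""
import shlex
import sys

REQUIRED_MOUNTPOINTS = ("/boot", "/home", "/var", "/var/log", "/var/tmp", "/var/log/audit")
OSCAP_ADDON = "org_fedoraproject_oscap"

# Constructed Kickstart fragment with two problems: /var/log/audit has no
# separate partition, and the text-mode installation is requested.
SAMPLE_KS = """# constructed sample, not the shipped ssg-rhel8-ospp-ks.cfg
text
lang en_US.UTF-8
keyboard us
part /boot --fstype=xfs --size=512
part pv.01 --size=1 --grow
volgroup VolGroup pv.01
logvol / --fstype=xfs --name=root --vgname=VolGroup --size=4096
logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024
logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=3072
logvol /var/log --fstype=xfs --name=log --vgname=VolGroup --size=1024
logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024
logvol swap --fstype=swap --name=swap --vgname=VolGroup --size=2048

%addon org_fedoraproject_oscap
    content-type = scap-security-guide
    profile = xccdf_org.ssgproject.content_profile_ospp
%end
"""


def directives(ks_text):
    """Yield (keyword, args) for every command line outside %-sections."""
    in_section = False
    for raw in ks_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("%end"):
            in_section = False
        elif line.startswith("%"):
            in_section = True          # %addon, %packages, %post, ...
        elif not in_section:
            words = shlex.split(line)
            yield words[0], words[1:]


def mount_points(ks_text):
    """Mount points defined by part/partition/logvol directives."""
    return {args[0] for kw, args in directives(ks_text)
            if kw in ("part", "partition", "logvol") and args and args[0].startswith("/")}


def oscap_addon(ks_text):
    """key -> value settings of the %addon org_fedoraproject_oscap section, if present."""
    settings, inside = {}, False
    for raw in ks_text.splitlines():
        line = raw.strip()
        if line.startswith("%addon") and OSCAP_ADDON in line.split():
            inside = True
        elif line.startswith("%end"):
            inside = False
        elif inside and "=" in line:
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip()
    return settings


def kickstart_problems(ks_text):
    """Human-readable list of OSPP-related problems; an empty list means the checks pass."""
    problems = []
    missing = sorted(set(REQUIRED_MOUNTPOINTS) - mount_points(ks_text))
    if missing:
        problems.append("missing separate partitions: " + ", ".join(missing))
    if any(kw == "text" for kw, _ in directives(ks_text)):
        problems.append("'text' installation is not supported by the OSCAP Anaconda Addon")
    addon = oscap_addon(ks_text)
    if not addon:
        problems.append(f"no %addon {OSCAP_ADDON} section: no profile will be applied")
    elif "profile" not in addon:
        problems.append(f"%addon {OSCAP_ADDON} section selects no profile")
    return problems


if __name__ == "__main__":
    # Usage: python3 this_script.py /usr/share/scap-security-guide/kickstarts/ssg-rhel8-ospp-ks.cfg
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_KS
    found = kickstart_problems(text)
    for p in found:
        print("PROBLEM:", p)
    sys.exit(1 if found else 0)
```

The partition check only confirms that the six mount points are still defined; sizes are yours to choose, which matches the procedure's rule that size is the one thing you may change.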

Verification steps

  1. The report of the hardening process is in the /root/openscap_data/eval_remediate_report.html file. Because oscap creates the report in a chroot environment, it can also contain false positives; for example, all service-related rules are shown as errors.
  2. To check the current status of the system properly, scan it after it restarts once the installation is complete:

    # oscap xccdf eval --profile ospp --report eval_postinstall_report.html /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml
