OpenSCAP ~ Let me check

“Anyone who stops learning is old, whether at twenty or eighty. Anyone who keeps learning stays young. The greatest thing in life is to keep your mind young.” – Henry Ford

Security is a major concern in today’s world, irrespective of industry. If our systems, tools, etc. are not compliant with security standards and regulations, we end up having a cup of tea with massive problems like loss of business, loss of reputation, costly penalties, and so on. Let me ask you a question: how would it feel to run a single command that not only audits your system but also helps you fix the bugs and vulnerabilities it finds?

Today we will be exploring an automated compliance auditing framework named SCAP. My main motive is to explain this tool in the simplest way possible, with proper practicals.

So, let’s start our conversation with a very obvious question: WHAT is SCAP??

So, SCAP is an automated compliance auditing framework. Let’s break that statement down into simpler terms. It is a framework used to validate our system against a compliance policy. Hmm…. that is still not the simplest explanation, right???

Let’s break it down further. Suppose we have the following checklist of rules:

  • SSH to root account should be disabled
  • Minimum password length for any user should be 10 characters, including at least 1 special character, etc.

Such a checklist of rules is known as a “Compliance Policy”. Thus, SCAP is an automation framework which validates our system, or a remote system, against such a compliance policy. I guess it feels better now. SCAP stands for "Security Content Automation Protocol”. It not only validates our system against a compliance policy; it also finds vulnerabilities in the system and helps us to fix them.

So, now it’s time to dive deep into the SCAP framework.

The very first thing we will do is install SCAP. We will be using OpenSCAP, a tool which provides the “oscap” command-line utility, in simple words the oscap command. I will be using RHEL 8 for all the practicals; if you want to go with another flavour of Linux, the installation process will change accordingly. In RHEL, OpenSCAP is available in the ISO image itself. We will also install the “scap-security-guide” package, which provides a collection of security policies that we will use in the later practicals.

Command : "yum install openscap-scanner scap-security-guide -y"

Before moving to our first practical, we need to understand a few of the SCAP languages, namely:

  • OVAL

It stands for "Open Vulnerability & Assessment Language". It is a language/format in which we describe the required “state of the system”. For example: the permissions of all configuration files should be 600. Here we only specify the requirement, nothing about how to achieve it; thus OVAL is a declarative language. With OVAL we can specify the secure state of an object in the system.

  • XCCDF

It stands for "Extensible Configuration Checklist Description Format". It is a list of security rules for the system, like:

  • SSH login for the root account disabled,
  • passwordless authentication enabled, etc.

NOTE : All the SCAP languages are based on XML.

Now, for our first practical we need to download an XML file. This file contains the secure system state of RHEL 8 in the OVAL format/language.

Command : "wget -O - https://www.redhat.com/security/data/oval/v2/RHEL8/rhel-8.oval.xml.bz2 | bzip2 --decompress > rhel-8.oval.xml"

This XML file contains the secure system state of RHEL 8. Now we can use the “oscap” command to validate our system against the state of the system described in this file.

Command : "oscap oval eval --report vulnerability.html rhel-8.oval.xml"

First, let’s understand this command:

  • “oval” specifies the SCAP language being used,
  • “eval” specifies the task to be performed, i.e. evaluate,
  • “--report” names the output file in which the result of the evaluation is to be stored, and
  • finally, the file in which the required state of the system is specified (rhel-8.oval.xml).

The result for each rule is one of:

  • Pass: the scan did not find any conflict with this rule.
  • Fail: the scan found a conflict with this rule.
  • Error: the scan encountered an error while checking this rule.

The command above generates the output report in HTML format (vulnerability.html).

Now let’s understand another interesting and important concept named “PROFILE”. There are many security standards and policies mandated by governments and other authorities; one such policy is HIPAA (Health Insurance Portability and Accountability Act). Thus, there are certain sets of rules based on these security policies which are required to be implemented. On our system, at /usr/share/xml/scap/ssg/content/, we can find many XML files. For OpenSCAP these well-known profiles are pre-configured in those XML files. We can list all the profiles in a given file with the “oscap info” command.

Command : “oscap info /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml”

Just listing profiles is not exciting, correct??? Now what if I say we can validate our system against a profile and, if our system is not compliant, automatically generate a bash script which, on execution, will make our system compliant with that profile!!!

Hmm.. sounds good :)

For validating our system against a profile (here I am taking “HIPAA”) we can use:

Command : "oscap xccdf eval --report report.html --profile hipaa /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml"

Note: a profile is a set of rules, thus it is written in the XCCDF format, and that is the reason we have used xccdf in our command. The rest of the command was explained before.

Now let’s look at the report.html file generated as output.

From the above results we can clearly see that my system is not compliant with the HIPAA profile. To solve this we have 2 options:

  1. Use --remediate
  2. Generate a bash script and execute it

If we use the --remediate option, oscap will automatically make the changes required to make the system compliant with the HIPAA profile.

Command : "oscap xccdf eval --profile hipaa --remediate /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml"

And then restart your system.

The other option is to evaluate our system against the HIPAA (Health Insurance Portability and Accountability Act) profile and save the results in XML format.

Command : "oscap xccdf eval --profile hipaa --results hipaa-results.xml /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml"

Then, from this XML file, we can generate a “bash shell script” which implements the required changes to make the system compliant with the HIPAA profile. And not only a bash script: we can also generate an Ansible playbook as the remediation script and run it with Ansible. Isn’t it exciting that we can generate the fix automatically, and in whichever form is most convenient for us to execute?

Command : "oscap xccdf generate fix --profile hipaa --fix-type bash --output hipaa-remediations.sh hipaa-results.xml"

Now let’s run the bash script, reboot our system and then re-evaluate it against the HIPAA profile. After applying the script, one of the most visible changes we observe is that SSH login to the root account is denied.

Now let’s check our system against the HIPAA profile again.

Command : "oscap xccdf eval --report report_after.html --profile hipaa /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml"

Let’s see the result (report_after.html).

Here, 2 of the rules failed because my system doesn’t have a Red Hat subscription. But that’s ok; at least 98% of our system is now compliant with the HIPAA profile.

Another very important use case of OpenSCAP is that we can validate not only local or remote systems but also “container images”. We need to install openscap-utils for this purpose (Command : “yum install openscap-utils -y”). For this demo I will also need podman installed on my system (Command : “yum install podman -y”) along with the centos image (Command : "podman pull centos"). Now we can finally validate that image against a “profile” or a “secure state”. Here, I am validating the centos image against the HIPAA profile.

Command : "oscap-podman 300e315adb2f xccdf eval --report container_report.html --profile hipaa /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml"

In the same way we can also validate Docker images, but for that we need to use the “oscap-docker” command.

Are you someone who doesn’t like commands and prefers a GUI? Don’t worry, OpenSCAP has a solution for this too. OpenSCAP has a GUI, or workbench, from which we can scan local/remote systems, etc. The “scap-workbench” package is required to access SCAP through the GUI.

Command : "yum install scap-workbench -y"

From the workbench we can load the profiles and customize them as per our requirements. For example, I want to create a profile in which I have only one rule, and that is to install System/Tooling & Utilities.
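
The workbench saves such a customization as an XCCDF "tailoring" file, and the same file can be written by hand, kept in version control and passed to oscap with --tailoring-file. The script below is an added example (it is not from the article and not scap-workbench's or OpenSCAP's own code): it writes a tailoring that extends the HIPAA profile and switches off the rule ids you give it, which is how you would waive, say, the two subscription-related rules that fail on an unregistered host. The rule ids in the demo call are constructed placeholders; the profile id xccdf_org.ssgproject.content_profile_hipaa and the rule id shape xccdf_org.ssgproject.content_rule_<name> follow scap-security-guide naming and are assumptions to confirm with oscap info.

```shell
#!/bin/sh
# Added example, not from the article or from scap-workbench/OpenSCAP itself.
# Writes an XCCDF tailoring file that extends an existing profile and turns
# off the given rule ids, then shows the eval command that uses it.
#
# Assumptions (confirm with `oscap info <datastream>`):
#   - the HIPAA profile id in scap-security-guide is
#     xccdf_org.ssgproject.content_profile_hipaa
#   - rule ids look like xccdf_org.ssgproject.content_rule_<name>
DS=/usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml
BASE_PROFILE=xccdf_org.ssgproject.content_profile_hipaa
CUSTOM_PROFILE=xccdf_org.ssgproject.content_profile_hipaa_custom

# write_tailoring FILE RULE_ID... : every RULE_ID is deselected in the
# customized profile; everything else is inherited from BASE_PROFILE.
write_tailoring() {
  out=$1; shift
  {
    printf '%s\n' '<?xml version="1.0" encoding="UTF-8"?>'
    printf '%s\n' '<xccdf:Tailoring xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2" id="xccdf_com.example_tailoring_hipaa">'
    printf '  <xccdf:benchmark href="%s"/>\n' "$DS"
    printf '  <xccdf:version time="%s">1</xccdf:version>\n' "$(date -u +%Y-%m-%dT%H:%M:%S)"
    printf '  <xccdf:Profile id="%s" extends="%s">\n' "$CUSTOM_PROFILE" "$BASE_PROFILE"
    printf '    <xccdf:title>HIPAA with locally waived rules</xccdf:title>\n'
    for rule in "$@"; do
      printf '    <xccdf:select idref="%s" selected="false"/>\n' "$rule"
    done
    printf '  </xccdf:Profile>\n'
    printf '</xccdf:Tailoring>\n'
  } > "$out"
}

# deselected_rules FILE : list the rule ids the tailoring turns off.
deselected_rules() {
  sed -n 's/.*<xccdf:select idref="\([^"]*\)" selected="false".*/\1/p' "$1"
}

# Demo with constructed placeholder ids: replace them with the idrefs of the
# rules you have decided to waive, taken from your report.
TAILORING=${TAILORING:-${TMPDIR:-/tmp}/hipaa-tailoring.xml}
write_tailoring "$TAILORING" \
  xccdf_org.ssgproject.content_rule_PLACEHOLDER_subscription_rule_1 \
  xccdf_org.ssgproject.content_rule_PLACEHOLDER_subscription_rule_2
echo "tailoring written to $TAILORING, deselecting:"
deselected_rules "$TAILORING" | sed 's/^/  /'

# Evaluate with the customized profile (needs oscap and the datastream):
#   oscap xccdf eval --tailoring-file "$TAILORING" --profile "$CUSTOM_PROFILE" \
#       --report report_custom.html "$DS"
```

Because the tailoring only records deltas against the base profile, a reviewer can see at a glance which rules were waived and why, which is harder to audit when the customization lives only in the workbench GUI.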

Finally, one real-life application of OpenSCAP is integrating it into a CI/CD environment, where container images for different microservices are built on the fly and we want those images to be compliant with certain profiles. There we can use the “oscap-podman” or “oscap-docker” command to generate a report before deploying the images to the production environment. We can also fail the pipeline if critical vulnerabilities are found.
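
The gate that fails the pipeline is the piece the article leaves to the reader, so here is one as an added example (not code from the article or from the OpenSCAP project). It ties together the result meanings explained with the first scan (pass/fail/error), the "98% compliant with two accepted failures" outcome of the remediation section, and the pre-deployment check described above: it reads the XML written by --results, lists the failed rules, computes a compliance percentage over the rules that actually passed or failed (notapplicable and similar results are not counted), lets you waive known-accepted failures by rule id, and exits non-zero when a high-severity rule failed or the percentage is below a threshold. The embedded results file is a constructed sample in the shape oscap writes, with illustrative rule ids and one PLACEHOLDER id; nothing in it comes from a real scan, and only POSIX sh and awk are needed, so the gate runs where oscap is not installed.

```shell
#!/bin/sh
# Added example, not from the article or from the OpenSCAP project: a CI gate
# that reads the XCCDF results file written by `oscap ... --results`, lists the
# failed rules, computes a compliance percentage over pass+fail rules and
# returns non-zero when the host or image should not be promoted.

# Rule ids whose failure is accepted on this host/image (the article's two
# subscription-related failures are the kind of thing that goes here).
# The id below is a constructed placeholder.
WAIVED_RULES="xccdf_org.ssgproject.content_rule_PLACEHOLDER_needs_subscription"

# Constructed sample shaped like the <rule-result> elements oscap writes;
# ids, severities and results are illustrative, not an actual scan.
SAMPLE_RESULTS='<?xml version="1.0" encoding="UTF-8"?>
<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.open-scap_testresult_hipaa">
  <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_disable_root_login" severity="medium" weight="1.000000">
    <result>pass</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_accounts_password_minlen_login_defs" severity="medium" weight="1.000000">
    <result>fail</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_rpm_verify_permissions" severity="high" weight="1.000000">
    <result>pass</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated" severity="high" weight="1.000000">
    <result>pass</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_audit_rules_login_events" severity="medium" weight="1.000000">
    <result>pass</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_PLACEHOLDER_needs_subscription" severity="medium" weight="1.000000">
    <result>fail</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_PLACEHOLDER_not_relevant_in_container" severity="low" weight="1.000000">
    <result>notapplicable</result>
  </rule-result>
</TestResult>'

# rule_results FILE : print "idref severity result" per rule-result element;
# a failure of a waived rule is reported as "waived".
rule_results() {
  awk -v waived="$WAIVED_RULES" '
    BEGIN { n = split(waived, w, " "); for (i = 1; i <= n; i++) skip[w[i]] = 1 }
    /<rule-result/ {
      id = ""; sev = "unknown"
      if (match($0, /idref="[^"]*"/))    id  = substr($0, RSTART + 7,  RLENGTH - 8)
      if (match($0, /severity="[^"]*"/)) sev = substr($0, RSTART + 10, RLENGTH - 11)
      inrule = 1
    }
    inrule && /<result>/ {
      r = "unknown"
      if (match($0, /<result>[^<]*<\/result>/)) r = substr($0, RSTART + 8, RLENGTH - 17)
      if (r == "fail" && (id in skip)) r = "waived"
      print id, sev, r; inrule = 0
    }' "$1"
}

# compliance_pct FILE : integer percentage of pass among pass+fail rules.
compliance_pct() {
  rule_results "$1" | awk '$3 == "pass" { p++ } $3 == "fail" { f++ }
    END { if (p + f == 0) print 0; else printf "%d\n", (100 * p) / (p + f) }'
}

# failed_rules FILE : "idref severity" of every unwaived failure.
failed_rules() { rule_results "$1" | awk '$3 == "fail" { print $1, $2 }'; }

# gate FILE [THRESHOLD] : succeed only if no unwaived high-severity rule
# failed and the compliance percentage is at least THRESHOLD (default 95).
gate() {
  results=$1; threshold=${2:-95}
  high=$(rule_results "$results" | awk '$3 == "fail" && $2 == "high" { n++ } END { print n + 0 }')
  pct=$(compliance_pct "$results")
  echo "compliance ${pct}% (threshold ${threshold}%), high-severity failures: ${high}"
  failed_rules "$results" | sed 's/^/  FAIL /'
  [ "$high" -eq 0 ] && [ "$pct" -ge "$threshold" ]
}

SAMPLE_FILE=$(mktemp)
trap 'rm -f "$SAMPLE_FILE"' EXIT
printf '%s\n' "$SAMPLE_RESULTS" > "$SAMPLE_FILE"
RESULTS_FILE=${1:-$SAMPLE_FILE}   # pass a real results.xml as the first argument

if gate "$RESULTS_FILE" 95; then echo "OK: image may be promoted"; else echo "BLOCKED: do not promote"; fi

# Real use: oscap exits 2 when at least one rule failed (1 means a scan error),
# so accept 2 and let the gate decide:
#   oscap-podman "$IMAGE" xccdf eval --profile hipaa --results results.xml \
#       /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml || [ $? -eq 2 ]
#   sh gate.sh results.xml
```

The waiver list is deliberately explicit: a waived rule is still reported, just not counted, so a reviewer of the pipeline definition can see which failures were accepted rather than discovering a silently lowered threshold.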

SO, HOPE YOU ENJOYED EXPLORING OpenSCAP WITH ME. Do share your feedback in the comments. Happy Learning :)

Rahul Rathod

SRE | Cloud | DevOps | RightEducation

2 years

Very helpful

Shrishti Kapoor

Accenture | 4 x RedHat Certified | Aviatrix Certified Engineer | AI-900 | Technical Trainer | IIEC-DOT Volunteer | Technical Research Writer Enthusiast..!! DevOps | Cloud-AWS, Azure | ML/AI/DL

2 years

Wow, nice
