Assessing Linux Security Configurations with SCAP Workbench. Recently I had a chance to work with OpenSCAP. It’s a set of free and open-source tools for Linux Configuration Assessment and  a collection security content in SCAP (Security Content Automation Protocol) format.

In this post I will write about SCAP Workbench. It is a GUI application that can check the configuration of your local Linux host (or the remote host via ssh; note that agent installation is required), and show the settings that are not comply with some security standard, for example PCI DSS or DISA STIG.

Moreover, you can generate the script for automated remediation. You can also create your own scan profiles based on existing  SCAP content.

Installation

Installation is quite trivial. For CentOS 7 run:

# yum install scap-workbench
...
Dependencies Resolved

================================================================================
Package Arch Version Repository Size
================================================================================
Installing:
scap-workbench x86_64 1.1.6-1.el7 base 1.8 M
Installing for dependencies:
dwz x86_64 0.11-3.el7 base 99 k
openscap x86_64 1.2.16-8.el7_5 updates 3.8 M
openscap-containers noarch 1.2.16-8.el7_5 updates 27 k
openscap-scanner x86_64 1.2.16-8.el7_5 updates 61 k
openscap-utils x86_64 1.2.16-8.el7_5 updates 27 k
perl-Thread-Queue noarch 3.02-2.el7 base 17 k
perl-srpm-macros noarch 1-8.el7 base 4.6 k
redhat-rpm-config noarch 9.1.0-80.el7.centos base 79 k
rpm-build x86_64 4.11.3-32.el7 base 147 k
rpmdevtools noarch 8.3-5.el7 base 97 k
scap-security-guide noarch 0.1.36-9.el7.centos updates 4.4 M

Transaction Summary
================================================================================
Install 1 Package (+11 Dependent packages)

Total download size: 11 M
Installed size: 167 M

For other Linux distributions check this official page.

Content

If you runscap-workbench command, the application will invite you to use some existing security content from SCAP Security Guide repository.

You can choose here content to load. Basically, security content is available for RHEL/CentOS and for Firefox and JRE installed on Linux:

And select a profile that contains configuration requirements for some security standard:

For CentOS Linux 7 the following profiles are available:

• C2S (U.S. Government Commercial Cloud Services) for CentOS Linux 7
• Criminal Justice Information Services (CJIS) Security Policy
• Common Profile for General-Purpose Systems
• Standard Docker Host Security Profile
• Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)
• United States Government Configuration Baseline (USGCB / STIG) – DRAFT
• PCI-DSS v3 Control Baseline for CentOS Linux 7
• Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)
• Standard System Security Profile
• DISA STIG for CentOS Linux 7
• STIG for Red Hat Virtualization Hypervisor

All the content is stored in /usr/share/xml/scap/ssg/content/:

$ ls /usr/share/xml/scap/ssg/content/
ssg-centos6-ds.xml              ssg-jre-oval.xml
ssg-centos6-xccdf.xml           ssg-jre-xccdf.xml
ssg-centos7-ds.xml              ssg-rhel6-cpe-dictionary.xml
ssg-centos7-xccdf.xml           ssg-rhel6-cpe-oval.xml
ssg-firefox-cpe-dictionary.xml  ssg-rhel6-ds.xml
ssg-firefox-cpe-oval.xml        ssg-rhel6-ocil.xml
ssg-firefox-ds.xml              ssg-rhel6-oval.xml
ssg-firefox-ocil.xml            ssg-rhel6-xccdf.xml
ssg-firefox-oval.xml            ssg-rhel7-cpe-dictionary.xml
ssg-firefox-xccdf.xml           ssg-rhel7-cpe-oval.xml
ssg-jre-cpe-dictionary.xml      ssg-rhel7-ds.xml
ssg-jre-cpe-oval.xml            ssg-rhel7-ocil.xml
ssg-jre-ds.xml                  ssg-rhel7-oval.xml
ssg-jre-ocil.xml                ssg-rhel7-xccdf.xml

Scanning local machine

I chose existing PCI DSS v.3 profile to scan my localhost with CentOS 7:

And pressed the Scan button:

Scan results

When scan is finished you can get the results in HTML, ARF (Asset Reporting Format) or XCCDF Result format.

HTML report looks very cute:

But even more interesting  is that you can generate a remediation file: bash script, ansible or puppet. So, in theory, you can reconfigure the server automatically.

Scanning remote host

To launch the remote scan you specify username, host and SSH port:

Note, that openscap-daemon should be installed on remote host, or you will get an error:

You can install it on remote server like this:

# yum install openscap-daemon

Then click Scan button, input the password:

A few minutes after the scan will be completed:

Customizing the content

If you click on Profile -> Customize you can choose the checks:

And set the values for global variables:

You can save the changes as a new profile:

And export data in DS and tailoring XCCDF:

$ ls
ssg-centos7-ds.xml  tailoring-xccdf.xml

In conclusion

1. SCAP Workbench is a great choice if you need to make  a fast assessment of your local host or several remote hosts in the network and generate remediation scripts.
2. If you want to make  an automated assessment process, you should use command line tools oscap and oscap-ssh, but this is for another topic. 😉
3. You can use SCAP Workbench to make your own standard based on existing profiles, but if you need to add own checks, you will need something more advanced.
4. Unfortunately, SCAP Workbench can’t work with raw OVAL data, for example with the CIS OVAL vulnerability data. This data can be probably converted to some format SCAP Workbench understands, but I haven’t seen existing tools for this.
   upd. On the official website there is a description how you can do it for RHEL. You need to download:
   XCCDF: http://www.redhat.com/security/data/metrics/com.redhat.rhsa-all.xccdf.xml
   OVAL: http://www.redhat.com/security/data/oval/com.redhat.rhsa-all.xml
   And open this content with Scap Workbench:
   
   This is available only for Red Hat Enterprise Linux, but it’s a good example how this can be done.