Assessing Linux Security Configurations with SCAP Workbench

Recently I had a chance to work with OpenSCAP. It’s a set of free and open-source tools for Linux Configuration Assessment and  a collection security content in SCAP (Security Content Automation Protocol) format.

In this post I will write about SCAP Workbench. It is a GUI application that can check the configuration of your local Linux host (or the remote host via ssh; note that agent installation is required), and show the settings that are not comply with some security standard, for example PCI DSS or DISA STIG.

SCAP Workbench PCI DSS CentOS7 localhost

Moreover, you can generate the script for automated remediation. You can also create your own scan profiles based on existing  SCAP content.

Installation

Installation is quite trivial. For CentOS 7 run:

# yum install scap-workbench
...
Dependencies Resolved

================================================================================
Package Arch Version Repository Size
================================================================================
Installing:
scap-workbench x86_64 1.1.6-1.el7 base 1.8 M
Installing for dependencies:
dwz x86_64 0.11-3.el7 base 99 k
openscap x86_64 1.2.16-8.el7_5 updates 3.8 M
openscap-containers noarch 1.2.16-8.el7_5 updates 27 k
openscap-scanner x86_64 1.2.16-8.el7_5 updates 61 k
openscap-utils x86_64 1.2.16-8.el7_5 updates 27 k
perl-Thread-Queue noarch 3.02-2.el7 base 17 k
perl-srpm-macros noarch 1-8.el7 base 4.6 k
redhat-rpm-config noarch 9.1.0-80.el7.centos base 79 k
rpm-build x86_64 4.11.3-32.el7 base 147 k
rpmdevtools noarch 8.3-5.el7 base 97 k
scap-security-guide noarch 0.1.36-9.el7.centos updates 4.4 M

Transaction Summary
================================================================================
Install 1 Package (+11 Dependent packages)

Total download size: 11 M
Installed size: 167 M

For other Linux distributions check this official page.

Content

If you runscap-workbench command, the application will invite you to use some existing security content from SCAP Security Guide repository.

scap security guide

You can choose here content to load. Basically, security content is available for RHEL/CentOS and for Firefox and JRE installed on Linux:

SCAP Workbench load content

And select a profile that contains configuration requirements for some security standard:

SCAP Workbench CentOS7 standards

For CentOS Linux 7 the following profiles are available:

  • C2S (U.S. Government Commercial Cloud Services) for CentOS Linux 7
  • Criminal Justice Information Services (CJIS) Security Policy
  • Common Profile for General-Purpose Systems
  • Standard Docker Host Security Profile
  • Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)
  • United States Government Configuration Baseline (USGCB / STIG) – DRAFT
  • PCI-DSS v3 Control Baseline for CentOS Linux 7
  • Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)
  • Standard System Security Profile
  • DISA STIG for CentOS Linux 7
  • STIG for Red Hat Virtualization Hypervisor

All the content is stored in /usr/share/xml/scap/ssg/content/:

$ ls /usr/share/xml/scap/ssg/content/
ssg-centos6-ds.xml              ssg-jre-oval.xml
ssg-centos6-xccdf.xml           ssg-jre-xccdf.xml
ssg-centos7-ds.xml              ssg-rhel6-cpe-dictionary.xml
ssg-centos7-xccdf.xml           ssg-rhel6-cpe-oval.xml
ssg-firefox-cpe-dictionary.xml  ssg-rhel6-ds.xml
ssg-firefox-cpe-oval.xml        ssg-rhel6-ocil.xml
ssg-firefox-ds.xml              ssg-rhel6-oval.xml
ssg-firefox-ocil.xml            ssg-rhel6-xccdf.xml
ssg-firefox-oval.xml            ssg-rhel7-cpe-dictionary.xml
ssg-firefox-xccdf.xml           ssg-rhel7-cpe-oval.xml
ssg-jre-cpe-dictionary.xml      ssg-rhel7-ds.xml
ssg-jre-cpe-oval.xml            ssg-rhel7-ocil.xml
ssg-jre-ds.xml                  ssg-rhel7-oval.xml
ssg-jre-ocil.xml                ssg-rhel7-xccdf.xml

Scanning local machine

I chose existing PCI DSS v.3 profile to scan my localhost with CentOS 7:

SCAP Workbench PCI DSS CentOS7

And pressed the Scan button:

SCAP Workbench PCI DSS CentOS7 localhost

Scan results

When scan is finished you can get the results in HTML, ARF (Asset Reporting Format) or XCCDF Result format.

SCAP Workbench save results

HTML report looks very cute:

SCAP Workbench html scan results

SCAP Workbench scan results controls

But even more interesting  is that you can generate a remediation file: bash script, ansible or puppet. So, in theory, you can reconfigure the server automatically.

SCAP Workbench generate remediation

Scanning remote host

To launch the remote scan you specify username, host and SSH port:

SCAP Workbench scan remote target

Note, that openscap-daemon should be installed on remote host, or you will get an error:

SCAP Workbench error agent not installed

You can install it on remote server like this:

# yum install openscap-daemon

Then click Scan button, input the password:

SCAP Workbench input password

A few minutes after the scan will be completed:

SCAP Workbench PCI DSS CentOS7 diagnostics

Customizing the content

If you click on Profile -> Customize you can choose the checks:

SCAP Workbench choose checks

And set the values for global variables:

SCAP Workbench change bool values

You can save the changes as a new profile:

SCAP Workbench customize profile

And export data in DS and tailoring XCCDF:

$ ls
ssg-centos7-ds.xml  tailoring-xccdf.xml

In conclusion

  1. SCAP Workbench is a great choice if you need to make  a fast assessment of your local host or several remote hosts in the network and generate remediation scripts.
  2. If you want to make  an automated assessment process, you should use command line tools oscap and oscap-ssh, but this is for another topic. 😉
  3. You can use SCAP Workbench to make your own standard based on existing profiles, but if you need to add own checks, you will need something more advanced.
  4. Unfortunately, SCAP Workbench can’t work with raw OVAL data, for example with the CIS OVAL vulnerability data. This data can be probably converted to some format SCAP Workbench understands, but I haven’t seen existing tools for this.
    upd. On the official website there is a description how you can do it for RHEL. You need to download:
    XCCDF: http://www.redhat.com/security/data/metrics/com.redhat.rhsa-all.xccdf.xml
    OVAL: http://www.redhat.com/security/data/oval/com.redhat.rhsa-all.xml
    And open this content with Scap Workbench:
    SCAP Workbench RHEL vulnerabilities
    This is available only for Red Hat Enterprise Linux, but it’s a good example how this can be done.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.