Using SCAP tools for Security check and remediation

About SCAP

SCAP (Security Content Automation Protocol) is a set of NIST standards for automating vulnerability management and security compliance checks on various systems.

The SCAP standard is based on OVAL (Open Vulnerability and Assessment Language) formal definitions for vulnerability checks and on XCCDF (eXtensible Configuration Checklist Description Format) for security compliance checks.

Using SCAP, it is possible to:

- Scan a system for vulnerabilities, using OVAL files
- Check security policy compliance, using a standard security policy such as NIST SP-800-53, ANSSI best practices, PCI-DSS, etc., or, for operating systems supporting CCE (such as RHEL), conformity to CCE

Prerequisites on Debian

About packages

The tool supporting the SCAP set of standards is provided by the libopenscap8 package: the oscap command-line tool, which supports various modes (such as xccdf eval and info, used below).

There is also a graphical front-end to oscap, scap-workbench, which simplifies its usage.

About policies

The libopenscap8 package hosts the official mainstream policies of the OpenSCAP team, targeting Red Hat and Fedora. Supported policies are PCI-DSS and NIST SP-800-53 conformity checks.

Other policies (various DISA policies, ANSSI best practices, policies for Debian 8, Ubuntu 14.04 and 16.04, and other operating systems and applications) are provided by the scap-security-guide source package through its binary packages (such as ssg-debian, used below).

Currently, not all policies are equally supported for each OS. ANSSI best practices are (partially) supported for Debian and Ubuntu, as is NIST SP-800-53. Most US and NATO policies, as well as PCI-DSS, are supported for RHEL and related distributions (Fedora, CentOS).

Preparing the targeted hosts

All hosts that need to be checked using SCAP tools need libopenscap8 installed. The SCAP guides can be installed on a policy server (when managing an infrastructure) or locally.

Currently, a Debian host can't check its own policy compliance, because Debian CPEs are only defined for oldstable and older, and the scap-security-guide packages only exist in unstable and testing. Here, we use a policy server based on unstable. Support for the new stable release (9.0) is not yet merged upstream.

apt install libopenscap8 openssh-server

Now create an account with sudo access to the oscap command. This account will be used by the policy server to execute the SCAP tool. Administrative access is required for some of the SCAP probes when interrogating system tasks or accessing specific contents, such as procfs or sysfs, to which unprivileged users do not have complete read access.

su
adduser --gecos "SCAP user" scapadm --home /var/lib/scapadm

Now allow sudo access for this user, restricted to the oscap command, by adding the following entry to the sudoers file (with visudo). The host field holds the policy server FQDN here; note that sudoers matches this field against the hostname of the machine on which sudo runs, so on the target it may also be set to the target's own hostname or to ALL.

scapadm policyserver.mycompany.com = (root) NOPASSWD: /usr/bin/oscap

This user will be used by the policy server over SSH, with RSA keys for authentication.

Preparing the policy server

The policy server hosts all the policies for the local infrastructure and is used to periodically check security compliance, apply remediation and retrieve the vulnerability list for each supported GNU/Linux host.

Currently, the policy server has to be installed with the unstable or testing release.

apt install ssg-debian openssh-client

If the targeted hosts are not only Debian-based, install the other packages as needed. Access to the targeted hosts is done using the oscap-ssh tool.

oscap-ssh is part of the OpenSCAP project but is not included in libopenscap8. However, it is a standalone shell script that can be downloaded from the OpenSCAP repository.

wget https://raw.githubusercontent.com/OpenSCAP/openscap/maint-1.2/utils/oscap-ssh
chmod 0755 oscap-ssh
su
mv oscap-ssh /usr/local/bin/oscap-ssh
chown root:root /usr/local/bin/oscap-ssh

Now, create the SCAP user on the policy server. It does not require any local administrative access.

su
adduser --gecos "SCAP policy user" scapadm --home /var/lib/scapadm
su - scapadm
ssh-keygen -t rsa
ssh-copy-id scapadm@target

Once you have checked that the SSH connection using the key works, you can lock the scapadm password on the target, allowing only RSA key-based authentication.

su
passwd scapadm -l

Launching a policy compliance test

Testing the configuration

From the policy server, run the following (the timestamp is computed once, so the results and report files share the same name suffix):

su - scapadm
STAMP=$(date "+%Y-%m-%d-%s")
/usr/local/bin/oscap-ssh --sudo scapadm@target 22 xccdf eval --results target-results-$STAMP.xml --report target-report-$STAMP.html --profile xccdf_org.ssgproject.content_profile_anssi_np_nt28_high /usr/share/ssg/ssg-debian8-ds.xml

The console output will be something like:

Connecting to 'scapadm@target' on port '22'...
Connected!
Copying input file '/usr/share/ssg/ssg-debian8-ds.xml' to remote working directory '/tmp/tmp.UN4SMaKr3V'...
ssg-debian8-ds.xml                                                                                                                    100%  756KB  31.2MB/s   00:00    
Starting the evaluation...
I/O warning : failed to load external entity "/usr/share/openscap/cpe/openscap-cpe-dict.xml"
Title   Verify that local System.map file (if exists) is readable only by root
Rule    xccdf_org.ssgproject.content_rule_file_permissions_systemmap
Result  fail

Title   Verify Permissions and ownership on shadow File
Rule    xccdf_org.ssgproject.content_rule_file_permissions_etc_shadow
Result  pass

Title   Verify Permissions and ownership on gshadow File
Rule    xccdf_org.ssgproject.content_rule_file_permissions_etc_gshadow
Result  pass

Title   Verify Permissions and ownership on passwd File
Rule    xccdf_org.ssgproject.content_rule_file_permissions_etc_passwd
Result  pass

Title   Verify Permissions and ownership on group File
Rule    xccdf_org.ssgproject.content_rule_file_permissions_etc_group
Result  pass

Title   Disable Core Dumps for SUID programs
Rule    xccdf_org.ssgproject.content_rule_sysctl_fs_suid_dumpable
Result  fail
[...]

This generates a report and a results file on the policy server. The report is human-readable; the results file is generally used for post-processing by tools such as Foreman.

The policy profile name given on the command line is made of the prefix "xccdf_org.ssgproject.content_profile_" followed by the real profile name (e.g. "anssi_np_nt28_high").
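As an added example (not from this page or the OpenSCAP project), a small Python script that post-processes the results file written by the oscap-ssh command above: it reads the XCCDF 1.2 TestResult, recovers the profile id described above and lists the failed rules by severity. The embedded sample results document is constructed; on the policy server, pass a real target-results-*.xml as the argument.

```python
# Added example, not from the wiki page: summarise an XCCDF 1.2 results file such as target-results-*.xml.
import sys
import xml.etree.ElementTree as ET
from collections import Counter

NS = "{http://checklists.nist.gov/xccdf/1.2}"

# Constructed minimal results document mirroring the console output above; real files are larger.
SAMPLE_RESULTS = """<?xml version="1.0" encoding="UTF-8"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.ssgproject.content_benchmark_DEBIAN-8">
  <TestResult id="xccdf_org.open-scap_testresult" start-time="2017-06-20T10:00:00" end-time="2017-06-20T10:01:30">
    <profile idref="xccdf_org.ssgproject.content_profile_anssi_np_nt28_high"/>
    <target>target</target>
    <rule-result idref="xccdf_org.ssgproject.content_rule_file_permissions_systemmap" severity="medium"><result>fail</result></rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_file_permissions_etc_shadow" severity="medium"><result>pass</result></rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_sysctl_fs_suid_dumpable" severity="high"><result>fail</result></rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_package_telnetd_removed" severity="high"><result>notapplicable</result></rule-result>
  </TestResult>
</Benchmark>
"""

def parse_results(xml_text):
    """Return (profile_id, target, {rule_id: (result, severity)}) from XCCDF results XML."""
    root = ET.fromstring(xml_text)
    tr = root.find(f".//{NS}TestResult")
    if tr is None:
        raise ValueError("no TestResult element: not an XCCDF results file")
    profile = tr.find(f"{NS}profile")
    target = tr.findtext(f"{NS}target", default="")
    rules = {}
    for rr in tr.findall(f"{NS}rule-result"):
        result = rr.findtext(f"{NS}result", default="unknown")
        rules[rr.get("idref")] = (result, rr.get("severity", "unknown"))
    return (profile.get("idref") if profile is not None else None, target, rules)

def failed_rules(rules):
    """Ids of rules that failed or errored, highest severity first, then by id."""
    order = {"high": 0, "medium": 1, "low": 2}
    bad = [(rid, sev) for rid, (res, sev) in rules.items() if res in ("fail", "error")]
    return [rid for rid, _ in sorted(bad, key=lambda x: (order.get(x[1], 3), x[0]))]

def summary(rules):
    """Count of each result value (pass, fail, notapplicable, ...)."""
    return dict(Counter(res for res, _ in rules.values()))

if __name__ == "__main__":  # python3 xccdf_summary.py target-results-YYYY-MM-DD-EPOCH.xml
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RESULTS
    profile, target, rules = parse_results(text)
    print(target, profile, summary(rules), failed_rules(rules))
```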

For Debian 8, the supported policy profiles can be listed by executing the following on the policy server:

oscap info /usr/share/ssg/ssg-debian8-xccdf.xml

Automation

The above command can be added as a cron job and the reports made accessible through a web server. The OpenSCAP ecosystem is now large, with tools for checking VM content, Docker content, VM template content (cold checks), etc.

TODO

See SCAPGuide page.


CategorySystemSecurity