Using SCAP tools for security checks and remediation
About SCAP
SCAP (Security Content Automation Protocol) is a set of standards to automate vulnerability management and security compliance checks on various systems. It is a NIST set of standards based on:
CVE (Common Vulnerabilities and Exposures)
CPE (Common Platform Enumeration)
CCE (Common Configuration Enumeration)
CWE (Common Weakness Enumeration)
CVSS (Common Vulnerability Scoring System)
The SCAP standard is based on OVAL (Open Vulnerability and Assessment Language) formal definitions and on XCCDF (eXtensible Configuration Checklist Description Format) for security compliance checks.
Using SCAP, it is possible to:
- scan a system for vulnerabilities, using OVAL files
- check security policy compliance, using a standard security policy such as NIST SP-800-53, ANSSI best practices, PCI-DSS, etc., or, for operating systems supporting CCE (such as RHEL), conformity to CCE
Prerequisites on Debian
About packages
The tool supporting the SCAP set of standards is libopenscap8. It provides the oscap command-line tool, which supports various modes.
There is a graphical interface to oscap allowing simplified usage of oscap: scap-workbench.
About policies
The libopenscap8 package hosts the official mainstream policies of the OpenSCAP team, targeting Red Hat and Fedora. Supported policies are PCI-DSS and NIST SP-800-53 conformity checks.
Other policies (various DISA and ANSSI best practices, policies for Debian 8, Ubuntu 14.04 and 16.04, other OSes and applications) are hosted by the scap-security-guide source package through the following binary packages:
- ssg-debian for policies and remediation targeting the Debian operating system
- ssg-debderived for policies targeting Ubuntu (Trusty 14.04 and Xenial 16.04)
- ssg-nondebian for policies targeting other OSes (Red Hat, Fedora, SuSE, etc.)
- ssg-applications for policies targeting applications (Firefox, JRE, Webmin, etc.)
Currently, not all policies are equally supported for each OS. ANSSI best practices are (partially) supported for Debian and Ubuntu, as is NIST SP-800-53. Most US and NATO policies and PCI-DSS are supported for RHEL and its derivatives (Fedora, CentOS).
Preparing the targeted hosts
All hosts that need to be checked using SCAP tools need libopenscap8 to be installed. The SCAP guides can be installed on a policy server (when managing an infrastructure) or locally.
Currently, a Debian host can't check its own policy compliance, because Debian CPEs are defined for stable and older releases while the scap-security-guide packages only exist in unstable. Here, we use a policy server based on unstable.
apt install libopenscap8 openssh-server
Now create an account with sudo access for the oscap command. This account will be used by the policy server to execute the SCAP tool. Administrative access is required for some of the SCAP probes when interrogating system tasks or accessing specific contents such as procfs or sysfs, to which regular users have no complete read access.
su
adduser --gecos "SCAP user" scapadm --home /var/lib/scapadm
Now we have to allow sudo access for this user, restricted to oscap, with a sudoers entry (for example in /etc/sudoers.d/scapadm). Note that the host field of a sudoers entry is matched against the name of the host where sudo runs (the target itself), not against the connecting client, so it cannot restrict the rule to the policy server; that restriction comes from the SSH key authentication set up below.
scapadm ALL = (root) NOPASSWD: /usr/bin/oscap
This user will be used by the policy server through SSH, using RSA keys for authentication.
Preparing the policy server
The policy server hosts all the policies for the local infrastructure and is used to periodically check security compliance, apply remediation and retrieve the vulnerability list for each supported GNU/Linux host.
Currently, the policy server has to be installed with the unstable release:
apt install ssg-debian openssh-client
If the targeted hosts are not all Debian-based, install the other ssg-* packages as needed. Access to the targeted hosts is done using the oscap-ssh tool.
oscap-ssh is part of the OpenSCAP project but is not included in libopenscap8. It is a standalone shell script that can be downloaded from the OpenSCAP repository:
wget https://raw.githubusercontent.com/OpenSCAP/openscap/maint-1.2/utils/oscap-ssh
chmod +x oscap-ssh
su
mv oscap-ssh /usr/local/bin/oscap-ssh
Now, create the policy server SCAP user. It does not require any local administrative access.
su
adduser --gecos "SCAP policy user" scapadm --home /var/lib/scapadm
su - scapadm
ssh-keygen -t rsa
ssh-copy-id scapadm@target
Once you have checked that the SSH connection using the key works, you can lock the scapadm password on the target, allowing only RSA-key based authentication:
su
usermod -L scapadm
Launching a policy compliance test
Testing the configuration
From the policy server
su - scapadm
STAMP=$(date "+%Y-%m-%d-%s")
/usr/local/bin/oscap-ssh scapadm@target 22 xccdf eval --results target-results-$STAMP.xml --report target-report-$STAMP.html --profile anssi_np_nt28_high /usr/share/ssg/ssg-debian8-ds.xml
The date stamp is computed once so that the results and report files of one run share the same name. This should generate a report and a results file on the policy server. The report is human-readable; the results file is generally used for post-processing by tools such as Foreman.
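The results file written by --results is an XCCDF TestResult document. As an added example (not part of this page or of the OpenSCAP project), the following script shows the kind of post-processing a tool like Foreman does on it: it counts rule results per status, lists the failed rules with their severity, and returns a non-zero exit code when a high-severity rule failed, which makes it usable as a gate in the cron job. The embedded XCCDF document is a constructed, trimmed sample; the target name and rule ids in it are illustrative.

```python
import sys
import xml.etree.ElementTree as ET
from collections import Counter
NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}

# Constructed sample: a trimmed XCCDF 1.2 results document, not a real scan.
SAMPLE_RESULTS = """<?xml version="1.0" encoding="UTF-8"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.ssgproject.content_benchmark_DEBIAN-8">
  <TestResult id="xccdf_org.open-scap_testresult_xccdf_org.ssgproject.content_profile_anssi_np_nt28_high">
    <profile idref="xccdf_org.ssgproject.content_profile_anssi_np_nt28_high"/>
    <target>target.example.org</target>
    <rule-result idref="xccdf_org.ssgproject.content_rule_package_sudo_installed" severity="medium">
      <result>pass</result></rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_disable_root_login" severity="high">
      <result>fail</result></rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_partition_for_tmp" severity="low">
      <result>notapplicable</result></rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout" severity="medium">
      <result>fail</result></rule-result>
    <score system="urn:xccdf:scoring:default" maximum="100.000000">66.666664</score>
  </TestResult>
</Benchmark>
"""

def summarize_results(xml_text):
    """Return target, profile, per-status counts, score and the failed rules."""
    tr = ET.fromstring(xml_text).find("x:TestResult", NS)
    if tr is None:
        raise ValueError("no TestResult element: not an XCCDF results file")
    counts, failed = Counter(), []
    for rr in tr.findall("x:rule-result", NS):
        status = rr.findtext("x:result", default="unknown", namespaces=NS)
        counts[status] += 1
        if status in ("fail", "error"):  # a probe error is a finding too
            failed.append((rr.get("idref"), rr.get("severity", "unknown"), status))
    prof, score = tr.find("x:profile", NS), tr.find("x:score", NS)
    return {"target": tr.findtext("x:target", default="", namespaces=NS),
            "profile": prof.get("idref") if prof is not None else "",
            "counts": dict(counts),
            "score": float(score.text) if score is not None else None,
            "failed": failed}

def has_high_severity_failure(summary):
    """Gate for cron use: True when any failed rule is rated 'high'."""
    return any(sev == "high" for _, sev, _ in summary["failed"])

if __name__ == "__main__":  # usage: summarize.py target-results-<date>.xml
    s = summarize_results(open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RESULTS)
    print(s["target"], s["profile"], s["score"], s["counts"], *s["failed"], sep="\n")
    sys.exit(1 if has_high_severity_failure(s) else 0)
```

Run without arguments it processes the embedded sample; with a results file path it processes that file instead.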
Automation
The above command can be added as a cron job and the reports made accessible using a web server. The OpenSCAP ecosystem is now large, supporting various tools (checking VM content, Docker content, VM template content (cold check), etc.).
TODO
See the SCAPGuide page.