Using SCAP tools for Security check and remediation

About SCAP

SCAP (Security Content Automation Protocol) is a set of standards, maintained by NIST, for automating vulnerability management and security compliance checks on various systems.

The SCAP standard builds on OVAL (Open Vulnerability and Assessment Language), a formal language for describing system checks, and on XCCDF (eXtensible Configuration Checklist Description Format), which describes security checklists (profiles and rules) for compliance checks.

Using SCAP, it is possible to:
- scan a system for vulnerabilities, using OVAL files
- check security policy compliance against standard policies such as NIST SP 800-53, ANSSI best practices or PCI-DSS, and, on operating systems whose content carries CCE (Common Configuration Enumeration) identifiers, such as RHEL, report findings by CCE identifier

Prerequisites on Debian

About packages

On Debian, the implementation of the SCAP set of standards is OpenSCAP, packaged as libopenscap8. It provides the oscap command-line tool, which supports several modules (xccdf, oval, ds, etc.).

There is a graphical interface to oscap allowing simplified usage of oscap: scap-workbench.

About policies

The libopenscap8 package hosts the official mainstream policies of the OpenSCAP team, targeting Red Hat and Fedora. Supported policies are PCI-DSS and NIST SP 800-53 conformity checks.

Other policies (various DISA policies, ANSSI best practices, policies for Debian 8, Ubuntu 14.04, 16.04, other OS and applications) come from the scap-security-guide source package, split into per-target binary packages; ssg-debian is the one used below.

Currently, not all policies are equally supported for each OS. ANSSI best practices are (partially) supported for Debian and Ubuntu, as is NIST SP 800-53. Most US and NATO policies and PCI-DSS are supported for RHEL and derivatives (Fedora, CentOS).

Preparing the targeted hosts

All hosts that need to be checked using SCAP tools need libopenscap8 to be installed. The SCAP guides (policies) can be installed on a policy server (when managing an infrastructure) or locally.

At present, a Debian host can't check its own policy compliance: the Debian CPE (Common Platform Enumeration) identifiers in the content are defined for stable and older releases, while the scap-security-guide packages only exist in unstable. Here, we use a policy server based on unstable.

apt install libopenscap8 openssh-server

Now create an account with sudo access for the oscap command. This account will be used by the policy server to execute the SCAP tool. Administrative access is required for some of the SCAP probes when interrogating system tasks or reading contents such as procfs or sysfs, to which unprivileged users have no complete read access.

su
adduser --gecos "SCAP user" scapadm --home /var/lib/scapadm

Now allow sudo access for this user, restricted to oscap. Add the rule with visudo (for example in a file under /etc/sudoers.d). Note that the host field of a sudoers rule names the machine on which the rule applies, i.e. the target host itself, so use the target's FQDN or simply ALL:

scapadm ALL = (root) NOPASSWD: /usr/bin/oscap

This lets scapadm run oscap as root with any arguments, including --remediate, which is exactly what remediation from the policy server needs; protect the corresponding SSH private key on the policy server accordingly.

The policy server connects as this user over SSH, authenticating with an SSH key pair (RSA in the example below).

Preparing the policy server

The policy server hosts all the policies for the local infrastructure. It is used to periodically check security compliance, apply remediation and retrieve the vulnerabilities list for each supported GNU/Linux host.

At present, the policy server has to run the unstable release (see above).

apt install ssg-debian openssh-client

If the targeted hosts are not only Debian-based, install the other ssg-* packages as needed. Access to the targeted hosts is done with the oscap-ssh tool.

oscap-ssh is part of the OpenSCAP project but is not included in libopenscap8. It is a standalone shell script that can be downloaded from the OpenSCAP repository.

wget https://raw.githubusercontent.com/OpenSCAP/openscap/maint-1.2/utils/oscap-ssh
chmod +x oscap-ssh
su
mv oscap-ssh /usr/local/bin/oscap-ssh

Now, create the policy server SCAP user. It does not require any local administrative access. ssh-copy-id will ask for the scapadm password on the target, which is why that password is locked only afterwards.

su
adduser --gecos "SCAP policy user" scapadm --home /var/lib/scapadm
su - scapadm
ssh-keygen -t rsa
ssh-copy-id scapadm@target

Once you have checked that the SSH connection using the key works, lock the scapadm password on the target, so that only key-based authentication remains possible. On the target:

su
usermod -L scapadm

Launching a policy compliance test

Testing the configuration

From the policy server

su - scapadm
/usr/local/bin/oscap-ssh scapadm@target 22 xccdf eval --results target-results-`date "+%Y-%m-%d-%s"`.xml --report target-report-`date "+%Y-%m-%d-%s"`.html --profile anssi_np_nt28_high /usr/share/ssg/ssg-debian8-ds.xml

This should generate a report and a results file on the policy server. The report is human readable; the results file is generally used for post-processing by tools such as Foreman. Note that the command above runs oscap on the target as scapadm; to run it through sudo (which the sudoers rule prepared earlier allows), newer versions of oscap-ssh accept a --sudo option before the user@host argument, so check the usage text of the script you downloaded. oscap xccdf eval exits with status 0 when all rules pass, 2 when at least one rule fails and 1 on error.

Automation

The above command can be added as a cron job, with the reports made accessible through a web server. The OpenSCAP ecosystem is now large and supports various tools (checking VM contents, Docker images, VM templates as a cold check, etc.).
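The checks and the cron driver for the procedure above, as an added example written for this page (it is not code from this wiki page or from the OpenSCAP project). It assumes the scapadm account, the oscap-ssh script in /usr/local/bin, the profile and data stream path used above, a REPORT_DIR location and a hosts file with one target per line; the results file it post-processes is a constructed sample shaped like the TestResult section of an oscap results file, not the output of a real scan.

```shell
#!/bin/sh
# Added example, not from the wiki page or the OpenSCAP project.
# Assumptions: scapadm user, /usr/local/bin/oscap-ssh, profile and data
# stream from the page, REPORT_DIR as the place where reports are kept.
set -u

SSG_DS=/usr/share/ssg/ssg-debian8-ds.xml            # data stream used on the page
PROFILE=anssi_np_nt28_high                          # profile used on the page
REPORT_DIR=${REPORT_DIR:-/var/lib/scapadm/reports}  # assumed report location

# Verify a prepared target from the policy server: key-only login must work
# (BatchMode forbids any password prompt) and scapadm must be allowed to run
# oscap through sudo without a password. Non-zero status means a check failed.
check_target() {
    host=$1
    ssh -o BatchMode=yes -o PasswordAuthentication=no "scapadm@$host" \
        'sudo -n /usr/bin/oscap --version >/dev/null'
}

# Scan one host. oscap-ssh forwards its remaining arguments to oscap on the
# target. oscap xccdf eval exits 0 when every rule passed, 2 when at least one
# rule failed and 1 on error, so a failing scan must not abort a cron loop.
scan_host() {
    host=$1
    stamp=$(date "+%Y-%m-%d-%H%M%S")
    /usr/local/bin/oscap-ssh "scapadm@$host" 22 xccdf eval \
        --results "$REPORT_DIR/$host-results-$stamp.xml" \
        --report  "$REPORT_DIR/$host-report-$stamp.html" \
        --profile "$PROFILE" "$SSG_DS"
}

# Scan every host listed (one per line) in the file given as argument,
# logging the oscap exit status of each host but continuing on failure.
scan_all() {
    while read -r host; do
        [ -n "$host" ] || continue
        scan_host "$host" || echo "$host: oscap exit status $?" >&2
    done < "$1"
}

# Print the idref of every <rule-result> in an XCCDF results file whose
# <result> element has the given status (pass, fail, notapplicable, ...).
# Works whether <result> is on the same line as <rule-result> or on its own.
rules_with_result() {
    awk -v want="$2" '
        /<rule-result / { match($0, /idref="[^"]*"/); id = substr($0, RSTART + 7, RLENGTH - 8) }
        /<result>/      { line = $0; sub(/.*<result>/, "", line); sub(/<\/result>.*/, "", line)
                          if (line == want) print id }
    ' "$1"
}

# Number of rules with the given status in a results file.
count_results() {
    rules_with_result "$1" "$2" | awk 'END { print NR }'
}

# Constructed sample (not real scan output), shaped like the TestResult
# section of an oscap results file, so the post-processing can be tried offline.
write_sample_results() {
    cat > "$1" <<'EOF'
<TestResult id="xccdf_org.open-scap_testresult_anssi_np_nt28_high">
  <rule-result idref="xccdf_org.ssgproject.content_rule_package_sudo_installed" time="2017-01-01T00:00:00" weight="1.000000">
    <result>pass</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_disable_root_login" time="2017-01-01T00:00:00" weight="1.000000">
    <result>fail</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_partition_for_tmp" time="2017-01-01T00:00:00" weight="1.000000"><result>fail</result></rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_grub2_password" time="2017-01-01T00:00:00" weight="1.000000">
    <result>notapplicable</result>
  </rule-result>
</TestResult>
EOF
}

# Stand-alone demo on the constructed sample (no SSH involved). A cron job
# would instead call: check_target host; scan_all /etc/scap/hosts (assumed path)
tmp=$(mktemp)
write_sample_results "$tmp"
echo "failed rules: $(count_results "$tmp" fail)"
rules_with_result "$tmp" fail
rm -f "$tmp"
```

The scan loop deliberately tolerates exit status 2 (rules failed) so that one non-compliant host does not stop the run; a non-zero status other than 2 from scan_host is the one to alert on, since it means the scan itself did not complete.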

TODO

See SCAPGuide page.


CategorySystemSecurity