Using SCAP tools for Security check and remediation
SCAP (Security Content Automation Protocol) is a set of standards for automating vulnerability management and security compliance checks on a variety of systems. It is a NIST set of standards built on:
CVE (Common Vulnerabilities and Exposures)
CPE (Common Platform Enumeration)
CCE (Common Configuration Enumeration)
CWE (Common Weakness Enumeration)
CVSS (Common Vulnerability Scoring System)
The SCAP standard is based on OVAL (Open Vulnerability and Assessment Language) formal definitions and on XCCDF (eXtensible Configuration Checklist Description Format) for security compliance checks.
Using SCAP, it is possible to:
- Scan a system for vulnerabilities, using OVAL files
- Check security policy compliance, against standard security policies such as NIST SP 800-53, ANSSI best practices, PCI-DSS, etc., or, for operating systems that support CCE (such as RHEL), conformity to CCE
Debian publishes its security information using the Open Vulnerability Assessment Language (OVAL).
Packages
The openscap-scanner and openscap-utils packages provide command-line tools used to evaluate systems against SCAP standards. The base library supporting the SCAP set of standards is libopenscap25.
Policies
In addition to the latest OVAL definitions mentioned above, policies for specific operating systems (various DISA, ANSSI Best-practices, other OS and applications, PCI-DSS, NIST SP-800-53) from the SCAP Security Guide are available in the following packages:
ssg-debian for policies and remediation targeting Debian operating system
ssg-debderived for policies targeting Ubuntu
ssg-nondebian for policies targeting other OSes (Red Hat, Fedora, SuSE, etc.)
ssg-applications for policies targeting applications (Firefox, JRE, Webmin, etc.)
Local scanning
This will scan for known vulnerabilities in installed packages on the machine running the scanner:
- Install the openscap-scanner package
- Download and uncompress the latest OVAL definitions (the two commands were run together on the original page; bunzip2 is the correct decompressor name):
wget https://www.debian.org/security/oval/oval-definitions-$(lsb_release -cs).xml.bz2
bunzip2 oval-definitions-$(lsb_release -cs).xml.bz2
- Run the scanner:
oscap oval eval --report report.html oval-definitions-$(lsb_release -cs).xml
The report will be made available in report.html.
Remote scanning
When this chapter was originally written, scap-security-guide packages were not available for Debian Stable, so the examples below use a policy server based on Debian Unstable. This workaround is no longer needed.
Preparing the target hosts
All hosts that need to be checked using SCAP tools need libopenscap25 to be installed. The SCAP guides can be installed in a policy server (when managing an infrastructure) or locally.
Install required packages:
apt install libopenscap25 openssh-server
Now create an account with sudo access for the oscap command. This account will be used by the policy server to execute the SCAP tool. Administrative access is required for some of the SCAP probes when interrogating system tasks or accessing specific content such as procfs or sysfs, to which unprivileged users do not have full read access.
adduser --gecos "SCAP user" scapadm --home /var/lib/scapadm
Now allow sudo access for this user, restricted to the oscap command, with a sudoers entry (edit it with visudo). In this example the host field is the policy server FQDN:
scapadm policyserver.mycompany.com = (root) NOPASSWD: /usr/bin/oscap
This user will be used by the policy server over SSH, with RSA keys for authentication.
Preparing the policy server
The policy server hosts all the policies for the local infrastructure and is used to periodically check security compliance, apply remediation, and retrieve the vulnerability list for each supported GNU/Linux host.
apt install ssg-debian openssh-client
If the targeted hosts are not all Debian-based, install the other ssg-* packages as needed. Access to the targeted hosts is done using the oscap-ssh tool.
Now create the policy server SCAP user. It does not require any local administrative access. Create the user, switch to it, generate an SSH key pair and copy the public key to each target:
adduser --gecos "SCAP policy user" scapadm --home /var/lib/scapadm
su - scapadm
ssh-keygen -t rsa
ssh-copy-id scapadm@target
Check that the connection using the SSH key is working, and lock the scapadm password on the target, allowing only RSA-key based authentication:
passwd -l scapadm
Running
From the policy server, as the scapadm user:
su - scapadm
/usr/local/bin/oscap-ssh --sudo scapadm@target 22 xccdf eval --results target-results-`date "+%Y-%m-%d-%s"`.xml --report target-report-`date "+%Y-%m-%d-%s"`.html --profile xccdf_org.ssgproject.content_profile_anssi_np_nt28_high /usr/share/ssg/ssg-debian8-ds.xml
The console output will be something like:
Connecting to 'scapadm@target' on port '22'...
Connected!
Copying input file '/usr/share/ssg/ssg-debian8-ds.xml' to remote working directory '/tmp/tmp.UN4SMaKr3V'...
ssg-debian8-ds.xml                            100%  756KB  31.2MB/s   00:00
Starting the evaluation...
I/O warning : failed to load external entity "/usr/share/openscap/cpe/openscap-cpe-dict.xml"
Title   Verify that local System.map file (if exists) is readable only by root
Rule    xccdf_org.ssgproject.content_rule_file_permissions_systemmap
Result  fail

Title   Verify Permissions and ownership on shadow File
Rule    xccdf_org.ssgproject.content_rule_file_permissions_etc_shadow
Result  pass

Title   Verify Permissions and ownership on gshadow File
Rule    xccdf_org.ssgproject.content_rule_file_permissions_etc_gshadow
Result  pass

Title   Verify Permissions and ownership on passwd File
Rule    xccdf_org.ssgproject.content_rule_file_permissions_etc_passwd
Result  pass

Title   Verify Permissions and ownership on group File
Rule    xccdf_org.ssgproject.content_rule_file_permissions_etc_group
Result  pass

Title   Disable Core Dumps for SUID programs
Rule    xccdf_org.ssgproject.content_rule_sysctl_fs_suid_dumpable
Result  fail
[...]
This should generate a report and a results file on the policy server. The report is human readable; the results file is generally used for post-processing by tools such as Foreman.
The policy profile name given in the command line is a construct made of the prefix "xccdf_org.ssgproject.content_profile_" and the real profile name (e.g. "anssi_np_nt28_high").
For Debian 8, the supported policy profiles can be listed on the policy server by executing:
oscap info /usr/share/ssg/ssg-debian8-xccdf.xml
Automation
The above command can be added as a cron job, with the reports made accessible through a web server. The OpenSCAP ecosystem is now large and supports a variety of tools (checking VM content, Docker content, VM template content (cold check), etc.).
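As an added example (not part of this wiki page or of the OpenSCAP project), the following Python script post-processes the XCCDF results file written by --results, as mentioned in the remote scanning section, in the way a cron job would: it counts outcomes per result type, lists the failing rules with their severity, and exits non-zero when any rule failed so that cron can mail or alert on it. The embedded results document is a constructed sample (rule ids taken from the console output above, severities invented); the XCCDF 1.2 namespace and element names are the ones oscap actually writes.

```python
import sys
import xml.etree.ElementTree as ET

XCCDF_NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}
# Constructed sample shaped like oscap's results output (Benchmark plus appended
# TestResult); rule ids come from the console output above, severities are invented.
SAMPLE_RESULTS = """<?xml version="1.0"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.ssgproject.content_benchmark_DEBIAN-8">
  <TestResult id="xccdf_org.open-scap_testresult_anssi_np_nt28_high">
    <target>target</target>
    <rule-result idref="xccdf_org.ssgproject.content_rule_file_permissions_systemmap" severity="medium">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_file_permissions_etc_shadow" severity="high">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_sysctl_fs_suid_dumpable" severity="medium">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_file_permissions_etc_passwd" severity="high">
      <result>notapplicable</result>
    </rule-result>
  </TestResult>
</Benchmark>
"""

def summarise(xml_text):
    """Return (target, counts by result, [(rule id, severity)] for fail/error);
    notchecked, notapplicable and informational are not counted as failures."""
    root = ET.fromstring(xml_text)
    # oscap appends one TestResult per evaluation; report on the latest one.
    test_result = root.findall("x:TestResult", XCCDF_NS)[-1]
    target = test_result.findtext("x:target", default="unknown", namespaces=XCCDF_NS)
    counts, failed = {}, []
    for rr in test_result.findall("x:rule-result", XCCDF_NS):
        result = rr.findtext("x:result", default="unknown", namespaces=XCCDF_NS)
        counts[result] = counts.get(result, 0) + 1
        if result in ("fail", "error"):
            failed.append((rr.get("idref"), rr.get("severity", "unknown")))
    return target, counts, failed

def main(argv):
    """Print summary and failing rules; exit non-zero on any failure (for cron)."""
    target, counts, failed = summarise(open(argv[1]).read() if len(argv) > 1 else SAMPLE_RESULTS)
    print(target + ": " + ", ".join(f"{k}={v}" for k, v in sorted(counts.items())))
    for rule_id, severity in failed:
        print(f"  FAIL [{severity}] {rule_id}")
    return 1 if failed else 0

if __name__ == "__main__": sys.exit(main(sys.argv))
```

Run it as `python3 summarise.py target-results-<date>.xml` after the oscap-ssh command; with no argument it summarises the embedded sample.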
Upstream reference sources
OpenSCAP: https://github.com/OpenSCAP/openscap
SCAP-Workbench: https://github.com/OpenSCAP/scap-workbench
SCAP-security-guide: https://github.com/OpenSCAP/scap-security-guide
OpenSCAP-daemon: https://github.com/OpenSCAP/openscap-daemon
Center for Internet Security's OVAL Repository: https://github.com/CISecurity/OVALRepo