Using SCAP tools for security checks and remediation

SCAP (Security Content Automation Protocol) is a set of standards to automate vulnerability management and security compliance checks on various systems. It is a NIST set of standards based on:

The SCAP standard is based on OVAL (Open Vulnerability and Assessment Language) formal definitions and on XCCDF (eXtensible Configuration Checklist Description Format) for security compliance checks.

Using SCAP, it is possible to:

Debian publishes its security information using the Open Vulnerability and Assessment Language (OVAL).

Packages

The openscap-scanner and openscap-utils packages provide command-line tools used to evaluate systems against SCAP standards. The base library supporting the SCAP set of standards is libopenscap25.

Policies

In addition to the latest OVAL definitions mentioned above, policies for specific operating systems (various DISA and ANSSI best practices, other OS and application baselines, PCI-DSS, NIST SP 800-53) from the SCAP Security Guide are available in the following packages:

Local scanning

This will scan for known vulnerabilities in installed packages on the machine running the scanner (the OVAL definitions are fetched for the running release, as reported by lsb_release):

wget https://www.debian.org/security/oval/oval-definitions-$(lsb_release -cs).xml.bz2
bunzip2 oval-definitions-$(lsb_release -cs).xml.bz2

oscap oval eval --results oval-results.xml --report report.html oval-definitions-$(lsb_release -cs).xml

The report will be made available in report.html.

Remote scanning

When this chapter was originally written, scap-security-guide packages were not available for Debian Stable, so the examples below use a policy server based on Debian Unstable. This workaround is no longer needed.

Preparing the target hosts

All hosts that need to be checked using SCAP tools need libopenscap25 to be installed. The SCAP guides can be installed in a policy server (when managing an infrastructure) or locally.

Install required packages:

apt install libopenscap25 openssh-server

Now create an account with sudo access for the oscap command. This account will be used by the policy server to execute the SCAP tool. Administrative access is required for some of the SCAP probes when interrogating system tasks or reading locations such as procfs or sysfs, to which unprivileged users have no complete read access.

adduser --gecos "SCAP user" scapadm --home /var/lib/scapadm

Now allow sudo access for this user, restricted to oscap only. Add the following line to the sudoers configuration (with visudo), using the policy server FQDN as the host field:

scapadm policyserver.mycompany.com = (root) NOPASSWD: /usr/bin/oscap

This user will be used by the policy server through SSH using RSA keys for authentication.

Preparing the policy server

The policy server hosts all the policies for the local infrastructure and is used to periodically check security compliance, apply remediation and retrieve the vulnerability list for each supported GNU/Linux host.

apt install ssg-debian openssh-client

If the target hosts are not all Debian-based, install the other policy packages as needed. Access to the target hosts is done using the oscap-ssh tool.

Now, create the policy server SCAP user. It does not require any local administrative access.

adduser --gecos "SCAP policy user" scapadm --home /var/lib/scapadm
su - scapadm
ssh-keygen -t rsa
ssh-copy-id scapadm@target

Check that the connection using the SSH key is working, then lock the scapadm password on the target, allowing only RSA-key based authentication:

passwd -l scapadm

Running

From the policy server

su - scapadm
STAMP=$(date "+%Y-%m-%d-%s")
/usr/local/bin/oscap-ssh --sudo scapadm@target 22 xccdf eval --results target-results-$STAMP.xml --report target-report-$STAMP.html --profile xccdf_org.ssgproject.content_profile_anssi_np_nt28_high /usr/share/ssg/ssg-debian8-ds.xml

The timestamp is computed once so that the results file and the report carry the same name suffix.

The console output will be something like:

Connecting to 'scapadm@target' on port '22'...
Connected!
Copying input file '/usr/share/ssg/ssg-debian8-ds.xml' to remote working directory '/tmp/tmp.UN4SMaKr3V'...
ssg-debian8-ds.xml                                                                                                                    100%  756KB  31.2MB/s   00:00    
Starting the evaluation...
I/O warning : failed to load external entity "/usr/share/openscap/cpe/openscap-cpe-dict.xml"
Title   Verify that local System.map file (if exists) is readable only by root
Rule    xccdf_org.ssgproject.content_rule_file_permissions_systemmap
Result  fail

Title   Verify Permissions and ownership on shadow File
Rule    xccdf_org.ssgproject.content_rule_file_permissions_etc_shadow
Result  pass

Title   Verify Permissions and ownership on gshadow File
Rule    xccdf_org.ssgproject.content_rule_file_permissions_etc_gshadow
Result  pass

Title   Verify Permissions and ownership on passwd File
Rule    xccdf_org.ssgproject.content_rule_file_permissions_etc_passwd
Result  pass

Title   Verify Permissions and ownership on group File
Rule    xccdf_org.ssgproject.content_rule_file_permissions_etc_group
Result  pass

Title   Disable Core Dumps for SUID programs
Rule    xccdf_org.ssgproject.content_rule_sysctl_fs_suid_dumpable
Result  fail
[...]

This should generate a report and a results file on the policy server. The report is human readable; the results file is generally used for post-processing by tools such as Foreman.
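Post-processing the results file is where most automation starts. The following Python script is an added example (it is not part of this page, of the Debian packages or of the OpenSCAP project): it parses an XCCDF results file with the standard library, counts outcomes, lists failed rules by severity and returns a non-zero status when a high-severity rule failed, so a cron job can alarm on it. The embedded results document is constructed for the example: the rule ids are the ones shown in the console output above, but the severities, the two EXAMPLE_ rules and the timestamps are made up.

```python
"""Summarise an XCCDF results file written by oscap/oscap-ssh --results.

Added example; not part of the wiki page or the OpenSCAP project.
"""
import sys
import xml.etree.ElementTree as ET
from collections import Counter

# ssg-*-ds.xml datastreams yield XCCDF 1.2 results; XCCDF 1.1 content uses
# the http://checklists.nist.gov/xccdf/1.1 namespace instead.
XCCDF_NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}

# Ranking used to decide whether a failure is serious enough to alarm on.
SEVERITY_RANK = {"unknown": 0, "info": 1, "low": 2, "medium": 3, "high": 4}

# Constructed sample (not real scanner output); severities are made up.
SAMPLE_RESULTS = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2"
           id="xccdf_org.ssgproject.content_benchmark_EXAMPLE">
  <TestResult id="xccdf_org.open-scap_testresult_EXAMPLE"
              start-time="2016-01-01T10:00:00" end-time="2016-01-01T10:02:00">
    <target>target</target>
    <profile idref="xccdf_org.ssgproject.content_profile_anssi_np_nt28_high"/>
    <rule-result idref="xccdf_org.ssgproject.content_rule_file_permissions_systemmap" severity="medium">
      <result>fail</result></rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_file_permissions_etc_shadow" severity="medium">
      <result>pass</result></rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_file_permissions_etc_gshadow" severity="medium">
      <result>pass</result></rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_file_permissions_etc_passwd" severity="medium">
      <result>pass</result></rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_file_permissions_etc_group" severity="medium">
      <result>pass</result></rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_sysctl_fs_suid_dumpable" severity="high">
      <result>fail</result></rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_EXAMPLE_notapplicable" severity="low">
      <result>notapplicable</result></rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_EXAMPLE_notselected" severity="low">
      <result>notselected</result></rule-result>
  </TestResult>
</Benchmark>
"""


def parse_rule_results(xml_text):
    """Return [(rule_id, result, severity)] for each rule-result of the first TestResult."""
    root = ET.fromstring(xml_text)
    # With datastream input the TestResult is nested in the Benchmark, so search recursively.
    test_result = root.find(".//x:TestResult", XCCDF_NS)
    if test_result is None:
        raise ValueError("no TestResult element found; is this an XCCDF results file?")
    rows = []
    for rr in test_result.findall("x:rule-result", XCCDF_NS):
        result = rr.findtext("x:result", default="unknown", namespaces=XCCDF_NS).strip()
        rows.append((rr.get("idref", "?"), result, rr.get("severity", "unknown")))
    return rows


def count_results(rows):
    """Counter of outcomes: pass, fail, error, notapplicable, notselected, notchecked, ..."""
    return Counter(result for _, result, _ in rows)


def failed_rules(rows, min_severity="low"):
    """Rules with result fail or error at or above min_severity, worst severity first."""
    threshold = SEVERITY_RANK.get(min_severity, 0)
    hits = [(rid, sev) for rid, result, sev in rows
            if result in ("fail", "error") and SEVERITY_RANK.get(sev, 0) >= threshold]
    return sorted(hits, key=lambda item: -SEVERITY_RANK.get(item[1], 0))


def pass_ratio(rows):
    """Share of evaluated rules that passed; notapplicable/notselected/notchecked are
    excluded. A plain ratio, not the weighted XCCDF score that oscap itself computes."""
    evaluated = [r for _, r, _ in rows if r in ("pass", "fail", "error")]
    if not evaluated:
        return None
    return evaluated.count("pass") / len(evaluated)


def main(argv):
    # With no file argument the constructed sample is summarised.
    xml_text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_RESULTS
    rows = parse_rule_results(xml_text)
    print("Results:", dict(count_results(rows)))
    for rid, sev in failed_rules(rows):
        print("FAIL [%s] %s" % (sev, rid))
    print("Pass ratio: %.0f%%" % (100 * pass_ratio(rows)))
    # Non-zero exit status lets cron or a CI step alarm on high-severity failures.
    return 1 if failed_rules(rows, min_severity="high") else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 summarize_xccdf.py target-results-2016-01-01-1451642400.xml` against a results file produced by the oscap-ssh command above; notapplicable and notselected rules are deliberately kept out of the ratio so that a profile with many unselected rules does not look artificially compliant.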

The policy profile name given in the command line is a construct made of the prefix "xccdf_org.ssgproject.content_profile_" and the real profile name (e.g. "anssi_np_nt28_high").

For Debian 8, the supported policy profiles can be listed on the policy server by executing:

oscap info /usr/share/ssg/ssg-debian8-xccdf.xml

Automation

The above command can be added as a cron job, with the reports made accessible through a web server. The OpenSCAP ecosystem is now large and supports various tools and targets (checking VM content, Docker content, VM template content as a cold check, etc.).

Upstream reference sources

