Using SCAP tools for Security check and remediation
About SCAP
SCAP (Security Content Automation Protocol) is a set of standards to automate vulnerability management and security compliance checks on various systems. It is a NIST set of standards based on:
CVE (Common Vulnerabilities and Exposures)
CPE (Common Platform Enumeration)
CCE (Common Configuration Enumeration)
CWE (Common Weakness Enumeration)
CVSS (Common Vulnerability Scoring System)
The SCAP standard is based on OVAL (Open Vulnerability and Assessment Language) formal definitions and on XCCDF (eXtensible Configuration Checklist Description Format) for security compliance checks.
Using SCAP, it is possible to:
- scan a system for vulnerabilities, using OVAL files
- check security policy compliance, using a standard security policy such as NIST SP-800-53, ANSSI best practices, PCI-DSS, etc., or, for operating systems supporting CCE (such as RHEL), conformity to CCE
Prerequisites on Debian
About packages
The tool supporting the SCAP set of standards is oscap, provided by the libopenscap8 package. It is a command-line tool supporting various modes (OVAL evaluation, XCCDF evaluation, remediation, content inspection).
There is also a graphical front-end to oscap, scap-workbench, which simplifies its usage.
About policies
The libopenscap8 package hosts the official mainstream policies of the OpenSCAP team, targeting Red Hat and Fedora. Supported policies are PCI-DSS and NIST SP-800-53 conformity checks.
Other policies (various DISA and ANSSI best-practice policies, policies for Debian 8, Ubuntu 14.04 and 16.04, other OSes and applications) are hosted by the scap-security-guide source package through the following binary packages:
- ssg-debian for policies and remediation targeting Debian operating system
- ssg-debderived for policies targeting Ubuntu (Trusty 14.04 and Xenial 16.04)
- ssg-nondebian for policies targeting other OSes (Red Hat, Fedora, SuSE, etc.)
- ssg-applications for policies targeting applications (Firefox, JRE, Webmin, etc.)
At the moment, not all policies are equally supported on every OS. ANSSI best practices are (partially) supported for Debian and Ubuntu, as is NIST SP-800-53. Most US and NATO policies and PCI-DSS are supported for RHEL and derivatives (Fedora, CentOS, RHEL).
Preparing the targeted hosts
All hosts that need to be checked using SCAP tools need libopenscap8 installed. The SCAP guides can be installed on a policy server (when managing an infrastructure) or locally.
At the moment, a Debian host can't check its own policy compliance, because the Debian CPEs are defined for oldstable and older, while the scap-security-guide packages only exist in unstable and testing. Here, we use a policy server based on unstable. Support for the new stable (9.0) is not yet merged upstream.
apt install libopenscap8 openssh-server
Now create an account with sudo access to the oscap command. This account will be used by the policy server to execute the SCAP tool. Administrative access is required for some of the SCAP probes when interrogating system tasks or accessing specific content such as procfs or sysfs, to which unprivileged users do not have complete read access.
su
adduser --gecos "SCAP user" scapadm --home /var/lib/scapadm
Now we have to allow sudo access for this user, restricted to oscap only. In the sudoers rule below, the host field is the policy server FQDN:
scapadm policyserver.mycompany.com = (root) NOPASSWD: /usr/bin/oscap
This user will be used by the policy server through SSH using RSA keys for authentication.
Preparing the policy server
The policy server hosts all the policies for the local infrastructure and is used to periodically check security compliance, apply remediation and retrieve the vulnerability list for each supported GNU/Linux host.
At the moment, the policy server has to run the unstable or testing release:
apt install ssg-debian openssh-client
If the targeted hosts are not only Debian-based, install the other ssg-* packages as needed. Access to the targeted hosts is done using the oscap-ssh tool.
oscap-ssh is part of the OpenSCAP project but is not included in libopenscap8. However, it is a standalone shell script that can be downloaded from the OpenSCAP repository:
wget https://raw.githubusercontent.com/OpenSCAP/openscap/maint-1.2/utils/oscap-ssh
chmod 0755 oscap-ssh
su
mv oscap-ssh /usr/local/bin/oscap-ssh
chown root:root /usr/local/bin/oscap-ssh
Now, create the SCAP user on the policy server. It does not require any local administrative access.
su
adduser --gecos "SCAP policy user" scapadm --home /var/lib/scapadm
su - scapadm
ssh-keygen -t rsa
ssh-copy-id scapadm@target
Once you have checked that the SSH connection using the key works, you can lock the scapadm password on the target, allowing only RSA-key-based authentication:
su
passwd scapadm -l
Launching a policy compliance test
Testing the configuration
From the policy server:
su - scapadm
/usr/local/bin/oscap-ssh --sudo scapadm@target 22 xccdf eval \
    --results target-results-`date "+%Y-%m-%d-%s"`.xml \
    --report target-report-`date "+%Y-%m-%d-%s"`.html \
    --profile xccdf_org.ssgproject.content_profile_anssi_np_nt28_high \
    /usr/share/ssg/ssg-debian8-ds.xml
The console output will look something like:
Connecting to 'scapadm@target' on port '22'...
Connected!
Copying input file '/usr/share/ssg/ssg-debian8-ds.xml' to remote working directory '/tmp/tmp.UN4SMaKr3V'...
ssg-debian8-ds.xml                         100%  756KB  31.2MB/s   00:00
Starting the evaluation...
I/O warning : failed to load external entity "/usr/share/openscap/cpe/openscap-cpe-dict.xml"
Title   Verify that local System.map file (if exists) is readable only by root
Rule    xccdf_org.ssgproject.content_rule_file_permissions_systemmap
Result  fail

Title   Verify Permissions and ownership on shadow File
Rule    xccdf_org.ssgproject.content_rule_file_permissions_etc_shadow
Result  pass

Title   Verify Permissions and ownership on gshadow File
Rule    xccdf_org.ssgproject.content_rule_file_permissions_etc_gshadow
Result  pass

Title   Verify Permissions and ownership on passwd File
Rule    xccdf_org.ssgproject.content_rule_file_permissions_etc_passwd
Result  pass

Title   Verify Permissions and ownership on group File
Rule    xccdf_org.ssgproject.content_rule_file_permissions_etc_group
Result  pass

Title   Disable Core Dumps for SUID programs
Rule    xccdf_org.ssgproject.content_rule_sysctl_fs_suid_dumpable
Result  fail
[...]
This generates a report and a results file on the policy server. The report is human-readable; the results file is generally used for postprocessing by tools such as Foreman.
The policy profile name given on the command line is built from the prefix "xccdf_org.ssgproject.content_profile_" and the actual profile name (e.g. "anssi_np_nt28_high").
For Debian 8, the supported policy profiles can be listed by executing, on the policy server:
oscap info /usr/share/ssg/ssg-debian8-xccdf.xml
Automation
The above command can be added as a cron job, with the reports made accessible through a web server. The OpenSCAP ecosystem is now large, with tools for checking VM content, Docker content, VM template content (cold check), etc.
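The results-file postprocessing mentioned above and the cron-driven scan of several hosts, as an added Python example (not code from this page, from Debian or from the OpenSCAP project): it builds the same oscap-ssh command line per host, then reads the XCCDF results file and lists the failed rules by severity. Paths, user and profile come from the page; the host names, the cut-down sample results file and the assumption that oscap-ssh relays oscap's exit status are mine.

```python
"""Scan hosts with oscap-ssh and summarise their XCCDF results files.
Added example, not code from the Debian wiki or OpenSCAP; it assumes the page's
setup (oscap-ssh in /usr/local/bin, the scapadm user, Debian 8 datastream, ANSSI profile)."""
import subprocess
import xml.etree.ElementTree as ET

XCCDF_NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}
OSCAP_SSH = "/usr/local/bin/oscap-ssh"
DATASTREAM = "/usr/share/ssg/ssg-debian8-ds.xml"
PROFILE = "xccdf_org.ssgproject.content_profile_anssi_np_nt28_high"

SAMPLE_RESULTS = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2">
<TestResult id="xccdf_org.open-scap_testresult_sample">
<rule-result idref="xccdf_org.ssgproject.content_rule_file_permissions_systemmap" severity="medium"><result>fail</result></rule-result>
<rule-result idref="xccdf_org.ssgproject.content_rule_file_permissions_etc_shadow" severity="medium"><result>pass</result></rule-result>
<rule-result idref="xccdf_org.ssgproject.content_rule_sysctl_fs_suid_dumpable" severity="high"><result>fail</result></rule-result>
</TestResult></Benchmark>"""  # constructed, cut-down file in the shape that --results writes

def oscap_ssh_argv(host, stamp, port=22):
    """The page's oscap-ssh command line, parameterised by host and date stamp."""
    results = f"{host}-results-{stamp}.xml"
    argv = [OSCAP_SSH, "--sudo", f"scapadm@{host}", str(port), "xccdf", "eval",
            "--results", results, "--report", f"{host}-report-{stamp}.html",
            "--profile", PROFILE, DATASTREAM]
    return argv, results

def rule_results(xml_text):
    """Map rule id -> (result, severity) for every rule-result in the TestResult."""
    out = {}
    for rr in ET.fromstring(xml_text).iterfind(".//x:TestResult/x:rule-result", XCCDF_NS):
        res = rr.find("x:result", XCCDF_NS)
        out[rr.get("idref")] = (res.text.strip() if res is not None and res.text else "unknown", rr.get("severity", "unknown"))
    return out

def failed_rules(results):
    """Failed rules as (id, severity), highest severity first, then by id."""
    order = {"high": 0, "medium": 1, "low": 2}
    fails = [(rid, sev) for rid, (res, sev) in results.items() if res == "fail"]
    return sorted(fails, key=lambda f: (order.get(f[1], 3), f[0]))

def scan_hosts(hosts, stamp):
    """Cron entry point: {host: failed rules, or None when the scan itself errored}."""
    report = dict.fromkeys(hosts)  # stays None for hosts where oscap-ssh reports an error
    for host in hosts:
        argv, results = oscap_ssh_argv(host, stamp)
        # Assumption: oscap-ssh relays oscap's exit status (0 all pass, 1 error, 2 some rule failed).
        if subprocess.call(argv) != 1:
            with open(results, encoding="utf-8") as fh:
                report[host] = failed_rules(rule_results(fh.read()))
    return report
```

A cron entry would call scan_hosts with the host list and `date +%F` as the stamp, and write the returned dictionary next to the HTML reports served by the web server.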
TODO
See SCAPGuide page.