Server Hardening with OpenSCAP

/var/log · Published in InfoSec Write-ups · 4 min read · Feb 18, 2022

“SCAP Security Guide is a security policy written in a form of SCAP documents. The security policy created in SCAP Security Guide covers many areas of computer security and provides the best-practice solutions. The guide consists of rules with very detailed description and also includes proven remediation scripts, optimized for target systems. SCAP Security Guide, together with OpenSCAP tools, can be used for auditing your system in an automated way.” http://www.open-scap.org/security-policies/scap-security-guide/

RHEL 7 will be used in this exercise.

To get started, install the oscap scanner and the SCAP Security Guide content:

yum install openscap-scanner scap-security-guide

After installing, the command oscap can be used to start the program

The scap-security-guide package provides the security policies; its content is installed under /usr/share/xml/scap/ssg/content/

content of /usr/share/xml/scap/ssg/content/ directory

A SCAP data stream is a file format introduced in SCAP 1.2 that bundles XCCDF, OVAL and other component files into one document. A data stream can be examined with the oscap info module:

oscap info /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml

Information about the SCAP data stream

Upon inspection we can see all the profiles available in the selected SCAP document. I will select the CIS Red Hat Enterprise Linux 7 Benchmark profile, id xccdf_org.ssgproject.content_profile_cis, to audit the system. Notice the warning about remote resources: the data stream references an external OVAL file that the SCAP Security Guide uses to check whether the system has all security updates installed and is free of known vulnerabilities.

Scanning

Next is to scan the system for compliance with CIS benchmark using OpenSCAP.

sudo oscap xccdf eval --fetch-remote-resources --profile xccdf_org.ssgproject.content_profile_cis --results initial_scan.xml --report initial_scan.html /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
Scanning process

This scans the system and stores the results in an XML file and an HTML report; the HTML report is the easiest way to get an overview of the system and see which rules passed and which failed. Remember the warning about external files when we examined the SCAP document? The --fetch-remote-resources option downloads those files, so an internet connection is required; without the option, the rules that depend on that content are reported as notchecked instead of being evaluated. If the system has no internet connectivity, see here.

After the scan is complete the html report can be viewed.

HTML report of the initial scan

The report gives a lot of information: the score, the numbers of passed and failed rules, the severity of the failed rules, and so on. With the default scoring model and the equal rule weights used by the SCAP Security Guide, the score is roughly the percentage of evaluated rules that passed. My report scored 62.77, so a substantial share of the rules failed and the system is neither CIS compliant nor as hardened as it could be.

Remediating

To bring the system closer to compliance we can let oscap remediate it. The following single command evaluates the system, applies the fix for every failed rule and evaluates those rules again; this is called online remediation. The fixes change packages, configuration files and services immediately and without confirmation, so try this on a test system, or take a snapshot or backup first, before running it on a production server.

sudo oscap xccdf eval --remediate --fetch-remote-resources --profile xccdf_org.ssgproject.content_profile_cis --results scan.xml --report scan.html /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml

Once the command runs, oscap first scans the system and then remediates it. During the remediation stage each previously failed rule is reported as either fixed or error.

“The fixed result indicates that the scan performed after the remediation passed. The error result indicates that even after applying the remediation, the evaluation still does not pass.”

http://static.open-scap.org/openscap-1.2/oscap_user_manual.html#_remediate_system

Scanning process
Remediation process

After the process is finished, the new HTML report can be viewed. The score is now 92.73, so the server passes far more of the CIS rules than it did before. The remaining failures are rules whose remediation ended in error or that have no automated fix; those have to be handled by hand or, where they do not apply to the server's role, excluded through a tailored profile. We have successfully hardened a server using OpenSCAP.

HTML report generated by oscap
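To see exactly what changed between the scan in the Scanning section and the one after remediation, the two results files can be compared directly instead of eyeballing two HTML reports. The script below is an added example and not part of the original post: it reads the rule-result elements that oscap writes into the --results file, assumes the XCCDF 1.2 layout shown in its comments, and runs on two constructed sample files with placeholder rule ids rather than on real output from the commands above.

```shell
#!/bin/sh
# Added example, not from the original article: compare two XCCDF result files
# written by `oscap xccdf eval --results` (the article's initial_scan.xml and
# scan.xml) to see which rules remediation fixed and which still fail.
# Assumed XCCDF 1.2 result layout, one element per rule:
#   <rule-result idref="RULE" ... severity="SEV" ...><result>fail</result>...
# The two files built below are constructed samples in that layout.
set -eu

# Print "rule-id severity result" for every evaluated rule in a results file.
rule_results() {
    awk '
    /<(xccdf:)?rule-result[ >]/ {
        id = ""; sev = "unknown"
        if (match($0, /idref="[^"]*"/))    id  = substr($0, RSTART + 7,  RLENGTH - 8)
        if (match($0, /severity="[^"]*"/)) sev = substr($0, RSTART + 10, RLENGTH - 11)
        in_rule = 1
    }
    in_rule && match($0, /<(xccdf:)?result>[a-z]+</) {
        r = substr($0, RSTART, RLENGTH)
        sub(/^<(xccdf:)?result>/, "", r); sub(/<$/, "", r)
        if (r != "notselected") print id, sev, r   # notselected: not in the profile
        in_rule = 0
    }' "$1"
}

# Overall XCCDF score (first <score> element, default scoring model, max 100).
score() {
    awk -F'[<>]' '/<(xccdf:)?score[ >]/ { print $3; exit }' "$1"
}

# Rules that failed in the first file and pass in the second: what remediation fixed.
fixed_rules() {
    { rule_results "$1" | awk '$3 == "fail" { print "old", $1 }'
      rule_results "$2" | awk '$3 == "pass" { print "new", $1 }'; } |
    awk '$1 == "old" { failed[$2] = 1 }
         $1 == "new" && ($2 in failed) { print $2 }'
}

# Failed rules per severity: the list to fix by hand or to exclude by tailoring.
fail_summary() {
    rule_results "$1" | awk '$3 == "fail" { n[$2]++ } END { for (s in n) print s, n[s] }' | sort
}

TMP=$(mktemp -d); trap 'rm -rf "$TMP"' EXIT
OLD="$TMP/initial_scan.xml"   # stands in for the pre-remediation results
NEW="$TMP/scan.xml"           # stands in for the post-remediation results

# Constructed sample writer: path score result_a result_b result_c result_d.
# A real results file is far larger; only the elements parsed above are shown.
write_sample() {
    cat > "$1" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.ssgproject.content_benchmark_RHEL-7">
  <TestResult id="xccdf_org.open-scap_testresult_xccdf_org.ssgproject.content_profile_cis">
    <rule-result idref="xccdf_org.ssgproject.content_rule_sample_a" severity="high" weight="1.000000">
      <result>$3</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_sample_b" severity="medium" weight="1.000000">
      <result>$4</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_sample_c" severity="medium" weight="1.000000">
      <result>$5</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_sample_d" severity="low" weight="1.000000">
      <result>$6</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_sample_e" severity="low" weight="1.000000">
      <result>notselected</result>
    </rule-result>
    <score system="urn:xccdf:scoring:default" maximum="100.000000">$2</score>
  </TestResult>
</Benchmark>
EOF
}
write_sample "$OLD" 25.000000 fail fail pass fail
write_sample "$NEW" 75.000000 pass pass pass fail

printf 'score before: %s  after: %s\n' "$(score "$OLD")" "$(score "$NEW")"
echo "fixed by remediation:";        fixed_rules "$OLD" "$NEW"
echo "still failing (by severity):"; fail_summary "$NEW"
```

On a real server the same functions can be pointed at the initial_scan.xml and scan.xml written by the commands above; the fail_summary of the second file is the list to work through by hand or to exclude with a tailoring file.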

Generating and editing remediation scripts

Since scripts are used to remediate a system, we can have OpenSCAP extract the remediation scripts for all rules in a profile and combine them into a single bash script, which we can then edit: remove the fixes for certain rules, or change the values they set. The same command can also be pointed at a results file with the --result-id option, in which case the script only contains fixes for the rules that failed in that scan.

oscap xccdf generate fix --fetch-remote-resources --profile xccdf_org.ssgproject.content_profile_cis /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml > fix.sh

After generating the bash script, open it in a text editor and make any changes you prefer; the edited script can then be executed as root to remediate the system.

Remediation bash script open in vim
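Deleting a rule from the generated script by hand means finding its block among a few hundred. The script below is an added example, not the article's or the OpenSCAP project's code: it strips chosen rules out of a generated fix script using the marker comments that oscap writes around each fix (their exact format is an assumption, documented in the comments) and checks that what remains is still valid shell. The fix.sh it works on is a constructed three-rule sample with placeholder rule ids, not real generated output.

```shell
#!/bin/sh
# Added example, not from the original article: drop the fixes for chosen rules
# from a script produced by `oscap xccdf generate fix`, instead of editing it
# by hand. Assumed marker lines around each rule's fix:
#   ###############################################################################
#   # BEGIN fix (1 / 3) for 'xccdf_org.ssgproject.content_rule_...'
#   ###############################################################################
#   ...fix...
#   # END fix for 'xccdf_org.ssgproject.content_rule_...'
# The "(1 / 3)" counters are left stale on purpose; they are only cosmetic.
set -eu

# exclude_rules IN OUT RULE[,RULE...]  -- copy IN to OUT without the fixes for RULE(s)
exclude_rules() {
    awk -v skip_list="$3" -v q="'" '
    BEGIN { n = split(skip_list, ids, ","); for (i = 1; i <= n; i++) skip[ids[i]] = 1 }
    # rule id quoted in a BEGIN/END marker line
    function rule_of(line) {
        return match(line, q "[^" q "]*" q) ? substr(line, RSTART + 1, RLENGTH - 2) : ""
    }
    # Lines are emitted one step late so the "####" banner that precedes an
    # excluded BEGIN marker is dropped together with the block.
    {
        if (skipping) { if ($0 ~ /^# END fix for /) skipping = 0; next }
        if ($0 ~ /^# BEGIN fix \(/) {
            r = rule_of($0)
            if (r in skip) { skipping = 1; if (pending ~ /^#+$/) have = 0; next }
        }
        if (have) print pending
        pending = $0; have = 1
    }
    END { if (have) print pending }
    ' "$1" > "$2"
}

# Number of rule fixes left in a generated script.
fix_count() {
    awk '/^# BEGIN fix \(/ { n++ } END { print n + 0 }' "$1"
}

TMP=$(mktemp -d); trap 'rm -rf "$TMP"' EXIT

# Constructed stand-in for the article's fix.sh (placeholder rule ids, echo bodies).
cat > "$TMP/fix.sh" <<'EOF'
#!/bin/bash
###############################################################################
# BEGIN fix (1 / 3) for 'xccdf_org.ssgproject.content_rule_sample_a'
###############################################################################
echo "fix for sample_a"
# END fix for 'xccdf_org.ssgproject.content_rule_sample_a'

###############################################################################
# BEGIN fix (2 / 3) for 'xccdf_org.ssgproject.content_rule_sample_b'
###############################################################################
echo "fix for sample_b"
# END fix for 'xccdf_org.ssgproject.content_rule_sample_b'

###############################################################################
# BEGIN fix (3 / 3) for 'xccdf_org.ssgproject.content_rule_sample_c'
###############################################################################
echo "fix for sample_c"
# END fix for 'xccdf_org.ssgproject.content_rule_sample_c'
EOF

exclude_rules "$TMP/fix.sh" "$TMP/fix-trimmed.sh" "xccdf_org.ssgproject.content_rule_sample_b"
sh -n "$TMP/fix-trimmed.sh"                       # the trimmed script must still parse
echo "fixes before: $(fix_count "$TMP/fix.sh"), after: $(fix_count "$TMP/fix-trimmed.sh")"
```

Editing the script only changes what is remediated, not what is scanned, so a later eval with the full CIS profile still reports the removed rules as failed. If a rule should be excluded from both, an XCCDF tailoring file passed to eval and generate fix with --tailoring-file keeps the two consistent.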

We have learnt how to harden a RHEL 7 system using OpenSCAP, along with some of the basics of the tool.

That’s all folks!
