OpenSCAP is a standardized compliance solution for Linux. It consists of policies (NIST, STIG, etc.) and tooling (oscap, scap-workbench) that let you scan and evaluate Linux hosts to validate their compliance with industry-defined standards.
In addition to providing industry standard compliance rules, OpenSCAP also allows administrators to create custom compliance standards using the scap-workbench.
Administrators can then generate remediation files in bash, ansible or puppet.
Let’s get familiar with OpenSCAP below.
Below is an overview of the “Getting Started” workflow. In this workflow we will run through a very simple use case: scanning your local Fedora workstation.
- Choose Policy
In the sections below we will walk through each of these steps in detail.
In this section we will walk through the installation of the OpenSCAP scanner and scap-workbench on a Fedora node with a graphical environment installed.
The command below installs just the scanner.
# yum install openscap-scanner
Now we install scap-workbench. This is the graphical tool you will use to load and modify policy profiles.
# yum -y install scap-workbench.x86_64
Now we launch the scap-workbench and choose our scanning profile.
$ sudo scap-workbench &
As stated previously, we are going to scan our local Fedora workstation, so we first must choose the proper content to load. Select “Load Content”.
The default rules will be loaded at this time.
If you need or want to modify the policy, click “Customize” and enter a “New Profile ID”. You will be greeted with the profile editor, where you can select the rules you want to include in your custom profile. You can also modify default values, such as the minimum password length (as shown below).
Once the profile is selected (custom or default), click “SCAN” to run a scan.
Once the scan is complete, items will be marked with pass, fail, or notchecked. You will be able to drill down into each Rule for additional detail.
Select “Generate Remediation Role”. You can output your remediation file in either Puppet, Ansible, or Bash format.
You can also generate a nice compliance report via the “Show Report” button. See example below.
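The same local workflow (scan, read the pass/fail/notchecked results, generate a remediation role) driven from the command line with the oscap scanner installed above. This is an added example, not code from the original article; it assumes the Fedora data stream and profile id shipped by scap-security-guide at the paths below, and the results file it parses offline is a constructed sample.

```shell
#!/bin/sh
# Added example, not from the original article. Assumes the Fedora data stream
# shipped by scap-security-guide and one of its profile ids (override via env).
DS="${DS:-/usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml}"
PROFILE="${PROFILE:-xccdf_org.ssgproject.content_profile_standard}"

# Command that evaluates this host against the chosen profile, writing machine
# readable results (results.xml) and the same HTML report the Workbench shows.
scan_cmd() {
    printf 'oscap xccdf eval --profile %s --results results.xml --report report.html %s' \
        "$PROFILE" "$DS"
}

# Extract the TestResult id from a results file; generate fix needs it.
result_id() {
    sed -n 's/.*<TestResult[^>]* id="\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Count rule results of one kind (pass, fail, notchecked) in a results file.
# grep -c exits 1 when the count is 0, which is not an error here.
count_results() {
    grep -c "<result>$2</result>" "$1" || true
}

# Command that turns the failed rules from a scan into a remediation role
# ($1 = bash|ansible, $2 = results file); mirrors "Generate Remediation Role".
fix_cmd() {
    ext=sh; [ "$1" = ansible ] && ext=yml
    printf 'oscap xccdf generate fix --fix-type %s --result-id %s --output remediation.%s %s' \
        "$1" "$(result_id "$2")" "$ext" "$2"
}

# Constructed, minimal results file in the shape oscap writes, for offline use.
make_sample_results() {
    f="${TMPDIR:-/tmp}/sample-results.xml"
    cat >"$f" <<'EOF'
<TestResult id="xccdf_org.open-scap_testresult_xccdf_org.ssgproject.content_profile_standard">
  <rule-result idref="xccdf_org.ssgproject.content_rule_accounts_password_minlen_login_defs"><result>fail</result></rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_disable_root_login"><result>pass</result></rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_package_aide_installed"><result>notchecked</result></rule-result>
</TestResult>
EOF
    echo "$f"
}
```

Run the scan as root with `sh -c "$(scan_cmd)"`; oscap exits with status 2 when at least one rule failed, so treat that as "findings", not as a tool error, before calling `fix_cmd bash results.xml`.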
Running a Compliance Scan on Remote Nodes
The SCAP Workbench will also allow you to run a compliance scan on a remote host over SSH. Select “Remote Machine (over SSH)” and enter a username and host/IP.
Remediation can then be run against the machine remotely or locally.