OpenSCAP Part 1: Introduction and Basic Usage for RHEL 7/CentOS 7/Fedora



OpenSCAP is a standardized compliance solution for Linux. It consists of policies (NIST, STIG, etc.) and tooling (oscap, scap-workbench) that allow you to scan and evaluate Linux hosts to validate their compliance with industry-defined standards.

In addition to providing industry standard compliance rules, OpenSCAP also allows administrators to create custom compliance standards using the scap-workbench.

Administrators can then generate remediation files in Bash, Ansible, or Puppet.

Let’s get familiar with OpenSCAP below.

Getting Started

Below is an overview of the “Getting Started” workflow. In this workflow we are going to run through a very simple use case: scanning your local Fedora workstation.

  1. Install
  2. Choose Policy
  3. Modify/Adjust
  4. Scan
  5. Remediate

In the sections below we will walk through each of these steps in detail.


Install

In this section we will walk through the install of the OpenSCAP scanner and scap-workbench on a Fedora node with a graphical environment installed.

The command below installs just the scanner.

# yum install openscap-scanner

Now we install the scap-workbench. This is the graphical tool that you will use to load and modify policy profiles.

# yum -y install scap-workbench.x86_64

Choose Policy

Now we launch the scap-workbench and choose our scanning profile.

$ sudo scap-workbench &

As stated previously, we are going to scan our local Fedora workstation, so we first must choose the proper content to load. Select “Load Content”.


The default rules will be loaded at this time.



Modify/Adjust

If you need or want to modify the policy, click “Customize” and enter a “New Profile ID”. You will be greeted with the profile editor, where you can select the rules you want to include in your custom profile. You can also modify default values, such as the minimum password length.


Scan

Once the profile is selected (custom or default), click “SCAN” to run a scan.


Once the scan is complete, items will be marked with pass, fail, or notchecked. You will be able to drill down into each Rule for additional detail.



Remediate

Select “Generate Remediation Role”. You can output your remediation file in either Puppet, Ansible, or Bash.


You can also generate a nice compliance report via the “Show Report” button.
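The same Scan and Remediate steps can be run without the GUI using the oscap command-line tool, which is useful on hosts with no graphical environment. The script below is an added example, not from the original article; the data stream path, the placeholder profile ID and the default TestResult ID naming are assumptions.

```sh
#!/bin/sh
# Added example, not from the article. Assumptions: DS is where the
# scap-security-guide package installs the Fedora data stream, and PROFILE is
# a full profile ID as printed by `oscap info "$DS"`.
DS="${DS:-/usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml}"

# scan_and_fix PROFILE OUTDIR [bash|ansible|puppet]
# Returns 0 when every rule passed, 2 when rules failed and a remediation
# file was written, 1 on any error.
scan_and_fix() {
    profile=$1 outdir=$2 fixtype=${3:-bash} scan_rc=0
    case $fixtype in
        bash|ansible|puppet) ;;
        *) echo "unsupported fix type: $fixtype" >&2; return 1 ;;
    esac
    mkdir -p "$outdir" || return 1

    # Scan: `oscap xccdf eval` exits 2 when at least one rule fails, so
    # capture the status instead of letting `set -e` abort the script.
    oscap xccdf eval --profile "$profile" \
        --results "$outdir/results.xml" \
        --report "$outdir/report.html" "$DS" || scan_rc=$?

    case $scan_rc in
        0) echo "all rules passed; report: $outdir/report.html"; return 0 ;;
        2) ;;   # failed rules: continue to remediation
        *) echo "oscap failed with exit status $scan_rc" >&2; return 1 ;;
    esac

    # Remediate: emit fixes only for the rules that failed in this scan.
    # Assumption: the TestResult ID follows oscap's default naming,
    # xccdf_org.open-scap_testresult_<profile ID>.
    oscap xccdf generate fix --fix-type "$fixtype" \
        --result-id "xccdf_org.open-scap_testresult_$profile" \
        --output "$outdir/remediation.$fixtype" \
        "$outdir/results.xml" || return 1
    echo "rules failed; review $outdir/remediation.$fixtype before applying"
    return 2
}

# Usage (profile ID is a placeholder):
#   scan_and_fix xccdf_org.ssgproject.content_profile_PLACEHOLDER ./scap-out ansible
```

The exit status of 2 means the scan itself succeeded but the host is not compliant, so automation should treat it differently from status 1.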

Running a Compliance Scan on Remote Nodes

The SCAP Workbench also allows you to run a compliance scan on a remote host via SSH. Select “Remote Machine (over SSH)” and enter a username and host/IP.


Remediation can then be run against the machine remotely or locally.

Next Steps

Read Part 2


