Introduction
In part one of the OpenSCAP series we were introduced to the basic usage of the OpenSCAP toolset. In that post we learned how to run a basic scan via the scap-workbench in a desktop environment.
This post will focus on the Content, Profiles, and Targets.
Content
All content will be installed in the directory shown below. The content in this directory varies with the installed OS (the content on my Fedora system differs from that on RHEL, for example).
/usr/share/xml/scap/ssg/content
The screenshot below contains a list of content installed by default on RHEL 7.
Additional content can be obtained and added to the content directory shown above. For example, NIST content can be downloaded directly from the NIST website. Link below.
National Checklist Program Repository
In the screenshot below we have performed a search for all content that targets RHEL 7.6.
Content Types
SCAP security guides are security policies written in the form of SCAP documents. Each guide consists of rules and definitions, and a guide can be written in one of several formats. These formats are shown below.

FILE TYPE | DESCRIPTION
--- | ---
OVAL Definitions file [1] | Open Vulnerability and Assessment Language formatted file
OCIL Definitions file [2] | Open Checklist Interactive Language formatted file
XCCDF Checklist [3] | Extensible Configuration Checklist Description Format
Source Data Stream [4] | An SCAP data stream that holds input (source) content
CPE Dictionary [5] | Official Common Platform Enumeration Checklist
The innards of each file can be inspected with oscap, which we will dive into later.
More information on each file type is linked below.
[1] https://oval.mitre.org/about/faqs.html#b1
[2] https://support.symantec.com/us/en/article.howto84189.html
[3] https://csrc.nist.gov/projects/security-content-automation-protocol/specifications/xccdf/
[4] https://csrc.nist.gov/glossary/term/SCAP-source-data-stream
[5] https://nvd.nist.gov/products/cpe
Targets
Targets are the specific operating system or application that you want to evaluate for vulnerabilities or compliance. For example, RHEL, OSX, Windows, and BSD are all targets. Tomcat, Apache, Microsoft SQL, and Java are also targets. The list of available targets is quite extensive. You can browse the list here.
Profiles
The following default profiles are available for RHEL 7 via the ssg-rhel7-ds.xml content file.

TITLE
---
PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7
OSPP – Protection Profile for General Purpose Operating Systems v. 4.2
Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)
DISA STIG for Red Hat Enterprise Linux 7
Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)
Health Insurance Portability and Accountability Act (HIPAA)
United States Government Configuration Baseline
Standard System Security Profile for Red Hat Enterprise Linux 7
C2S for Red Hat Enterprise Linux 7
Criminal Justice Information Services (CJIS) Security Policy
Profiles are based on recommendations from authorities such as NIST, the PCI Security Standards Council, the Center for Internet Security (CIS), vendors such as Red Hat, HP, and Microsoft, and known standards such as NIST 800-171, NIST 800-53, HIPAA, and PCI-DSS.
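To show how the content types and the profiles listed above sit together inside one source data stream, here is an added example (not code from the original post or from the OpenSCAP project). It parses a small constructed data stream and reports each component's content type and each XCCDF profile with the number of rules it selects; the component ids, profile ids and titles in the sample are made up. On a real file, `oscap info` reports the same information.

```python
import xml.etree.ElementTree as ET

NS = {"ds": "http://scap.nist.gov/schema/scap/source/1.2",
      "xccdf": "http://checklists.nist.gov/xccdf/1.2"}
# Root element of a ds:component -> content type from the file-type table above.
CONTENT_TYPES = {
    "{http://checklists.nist.gov/xccdf/1.2}Benchmark": "XCCDF Checklist",
    "{http://oval.mitre.org/XMLSchema/oval-definitions-5}oval_definitions": "OVAL Definitions",
    "{http://cpe.mitre.org/dictionary/2.0}cpe-list": "CPE Dictionary",
}

# Constructed, heavily trimmed data stream; ids and titles are made up for this example.
SAMPLE_DS = """<ds:data-stream-collection
  xmlns:ds="http://scap.nist.gov/schema/scap/source/1.2"
  xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
  xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5"
  xmlns:cpe-dict="http://cpe.mitre.org/dictionary/2.0">
  <ds:component id="scap_example_comp_xccdf">
    <xccdf:Benchmark id="xccdf_example_benchmark_RHEL-7">
      <xccdf:Profile id="xccdf_example_profile_pci-dss">
        <xccdf:title>PCI-DSS v3 Control Baseline (sample)</xccdf:title>
        <xccdf:select idref="xccdf_example_rule_a" selected="true"/>
        <xccdf:select idref="xccdf_example_rule_b" selected="true"/>
        <xccdf:select idref="xccdf_example_rule_c" selected="false"/>
      </xccdf:Profile>
      <xccdf:Profile id="xccdf_example_profile_hipaa">
        <xccdf:title>HIPAA (sample)</xccdf:title>
        <xccdf:select idref="xccdf_example_rule_a" selected="true"/>
      </xccdf:Profile>
    </xccdf:Benchmark>
  </ds:component>
  <ds:component id="scap_example_comp_oval"><oval-def:oval_definitions/></ds:component>
  <ds:component id="scap_example_comp_cpe"><cpe-dict:cpe-list/></ds:component>
</ds:data-stream-collection>"""

def list_components(xml_text):
    """Return (component id, content type) for every ds:component in the stream."""
    root = ET.fromstring(xml_text)
    return [(c.get("id"), CONTENT_TYPES.get(c[0].tag, "unknown") if len(c) else "empty")
            for c in root.findall("ds:component", NS)]

def list_profiles(xml_text):
    """Return (profile id, title, number of selected rules) for every XCCDF Profile."""
    root = ET.fromstring(xml_text)
    out = []
    for prof in root.iter("{%s}Profile" % NS["xccdf"]):
        title = prof.findtext("xccdf:title", default="", namespaces=NS)
        selected = prof.findall("xccdf:select[@selected='true']", NS)
        out.append((prof.get("id"), title, len(selected)))
    return out
```

Calling `list_components(SAMPLE_DS)` and `list_profiles(SAMPLE_DS)` returns the component and profile lists; point the same functions at a file read from the content directory above to inventory a real data stream.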
Next Steps
The topic of SCAP content is rather complicated and possibly a bit convoluted, with overlapping terminology, but in the end a user selects a target, which is either an application (such as Java or Apache) or an operating system (such as RHEL, Windows, or Solaris).
Once the target is selected, a profile is selected (if multiple profiles exist, which is not always the case for applications). In this case the profile might be PCI-DSS, HIPAA, or STIG.
Once the target and a profile are selected, it's time to start scanning.