In part 1 of this series we were introduced to OpenSCAP and the process of running scans via the SCAP workbench. In part 2, we explored concepts and components that define security/vulnerability scans. In this 3rd post we are going to dive into the command line operation.
Let’s get started with oscap.
In RHEL 7 oscap can be installed with the following command
# yum -y install scap-security-guide openscap-scanner
Content is installed under the following directory. Note that ssg is short for SCAP Security Guide.
Lets change directories to the one listed above and view the installed files.
Using oscap we can view more info on each file shown above. In this example we are going to inspect the ssg-rhel7-ds.xml file.
# oscap info ssg-rhel7-ds.xml
Let’s look at the profiles that are available.
Running oscap Scan
The format for running a scan is shown below
In the example below we are kicking off a scan using the oval (Open Vulnerability Assessment Language) file format. Output below
# oscap oval eval –results scan-oval-results.xml /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
Neat. Now consider a scenario were we only want to evaluate one oval definition.
For example let’s only check to see if named is disabled.
oscap oval eval –id oval:ssg-service_named_disabled:def:1 /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
Coo. Now let’s choose a profile and use that to perform a scan. We will need to first determine the appropriate profile name and ID. This can be accomplished a simple command.
# oscap info ssg-rhel7-ds.xml | grep Title -A1
Output shown below.
Note that the profile id that we are looking is below.
So let’s run the command. File format will be XCCDF.
#oscap xccdf eval –profile xccdf_org.ssgproject.content_profile_stig-rhel7-disa –results rhel7-stig-out ssg-rhel7-ds.xml
Excerpt from console output shown below.
We can also take a look at our output file. Again, just an excerpt from the XML.
The example command shown below will run the same scan as we ran in the previous step, however it will output the results to html
# oscap xccdf eval –profile xccdf_org.ssgproject.content_profile_stig-rhel7-disa –results rhel7-stig-out –report report.html ssg-rhel7-ds.xml
Remediation via the Cli
Via the CLI there are 3 ways to remediate vulnerabilities. Online, Offline, and via a script.
Online remediation executes fixes at the time of scanning. Output will either show as Fixed or as Error. Example command below.
#oscap xccdf eval –remediate –profile xccdf_org.ssgproject.content_profile_rht-ccp –results scan-xccdf-results.xml /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
The process of offline remediation used as results file as input. For example – here we run a scan and generate an output file
oscap xccdf eval –profile xccdf_org.ssgproject.content_profile_rht-ccp –results scan-xccdf-results.xml /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
Then we use the output to run remediation
# oscap xccdf remediate –results scan-xccdf-results.xml scan-xccdf-results.xml
In the example below we are going to generate an ansible remediation script. Other fix-types are available as well (puppet and bash).
oscap xccdf generate fix –fix-type ansible –profile xccdf_org.ssgproject.content_profile_stig-rhel7-disa –output stig-rhel7-role.yml /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
Using oscap-docker to Scan Containers
You can also use oscap to scan container images or running containers. Below I have a running RHEL7 container named rhel7-test-tainer.
# oscap-docker container rhel7-test-tainer oval eval \
> –results oval-results.xml –report report.html \
Below is an example of a scan run against a container image.
oscap-docker image registry.access.redhat.com/rhel7 oval eval –results oval-results.xml –report report.html /usr/share/xml/scap/ssg/content/ssg-rhel7-oval.xml
Honestly if you have come this far, it would be in your best interest to do a bit more research. Links provided below.