OpenSCAP Part 3: Running Scans from the Command Line in RHEL 7

/ Christopher Paquin

openscap-base

Introduction

In part 1 of this series we were introduced to OpenSCAP and the process of running scans via the SCAP workbench. In part 2, we explored concepts and components that define security/vulnerability scans. In this 3rd post we are going to dive into the command line operation.

Let’s get started with oscap.

Installing oscap

In RHEL 7 oscap can be installed with the following command

# yum -y install scap-security-guide openscap-scanner

Content is installed under the following directory. Note that ssg is short for SCAP Security Guide.

/usr/share/xml/scap/ssg/content

Lets change directories to the one listed above and view the installed files.

Screenshot from 2019-07-24 15-58-04

Using oscap we can view more info on each file shown above. In this example we are going to inspect the ssg-rhel7-ds.xml file.

# oscap info ssg-rhel7-ds.xml

Screenshot from 2019-07-25 16-16-27

Let’s look at the profiles that are available.

Running oscap Scan

The format for running a scan is shown below

In the example below we are kicking off a scan using the oval (Open Vulnerability Assessment Language) file format. Output below

# oscap oval eval –results scan-oval-results.xml /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml

Neat. Now consider a scenario were we only want to evaluate one oval definition.

For example let’s only check to see if named is disabled.

oscap oval eval –id oval:ssg-service_named_disabled:def:1 /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml

Coo. Now let’s choose a profile and use that to perform a scan. We will need to first determine the appropriate profile name and ID.  This can be accomplished a simple command.

# oscap info ssg-rhel7-ds.xml | grep Title -A1

Output shown below.

Screenshot from 2019-07-25 16-33-46

Note that the profile id that we are looking is below.

“xccdf_org.ssgproject.content_profile_stig-rhel7-disa”

So let’s run the command.  File format will be XCCDF.

#oscap xccdf eval –profile xccdf_org.ssgproject.content_profile_stig-rhel7-disa –results rhel7-stig-out ssg-rhel7-ds.xml

Excerpt from console output shown below.

Screenshot from 2019-07-25 16-43-09.png

We can also take a look at our output file. Again, just an excerpt from the XML.

Screenshot from 2019-07-25 16-46-39.png

The example command shown below will run the same scan as we ran in the previous step, however it will output the results to html

# oscap xccdf eval –profile xccdf_org.ssgproject.content_profile_stig-rhel7-disa –results rhel7-stig-out –report report.html ssg-rhel7-ds.xml

Remediation via the Cli

Via the CLI there are 3 ways to remediate vulnerabilities. Online, Offline, and via a script.

Online Remediation

Online remediation executes fixes at the time of scanning. Output will either show as Fixed or as Error. Example command below.

#oscap xccdf eval –remediate –profile xccdf_org.ssgproject.content_profile_rht-ccp –results scan-xccdf-results.xml /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml

Offline Remediation

The process of offline remediation used as results file as input. For example – here we run a scan and generate an output file

oscap xccdf eval –profile xccdf_org.ssgproject.content_profile_rht-ccp –results scan-xccdf-results.xml /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml

Then we use the output to run remediation

# oscap xccdf remediate –results scan-xccdf-results.xml scan-xccdf-results.xml

Script Generation

In the example below we are going to generate an ansible remediation script. Other fix-types are available as well (puppet and bash).

oscap xccdf generate fix –fix-type ansible –profile xccdf_org.ssgproject.content_profile_stig-rhel7-disa –output stig-rhel7-role.yml /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml

Using oscap-docker to Scan Containers

You can also use oscap to scan container images or running containers.  Below I have a running RHEL7 container named rhel7-test-tainer.

# oscap-docker container rhel7-test-tainer oval eval \
> –results oval-results.xml –report report.html \
> /usr/share/xml/scap/ssg/content/ssg-rhel7-oval.xml

Below is an example of a scan run against a container image.

oscap-docker image registry.access.redhat.com/rhel7 oval eval –results oval-results.xml –report report.html  /usr/share/xml/scap/ssg/content/ssg-rhel7-oval.xml

Additional Resources

Honestly if you have come this far, it would be in your best interest to do a bit more research. Links provided below.

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sect-using_openscap_with_ansible

https://www.open-scap.org/resources/documentation/security-compliance-of-rhel7-docker-containers/

https://static.open-scap.org/openscap-1.2/oscap_user_manual.html

https://www.open-scap.org/

Next Steps

Read Part 4

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.