OpenSCAP Part 3: Running Scans from the Command Line in RHEL 7

openscap-base

Introduction

In part 1 of this series we were introduced to OpenSCAP and the process of running scans via the SCAP workbench. In part 2, we explored concepts and components that define security/vulnerability scans. In this 3rd post we are going to dive into the command line operation.

Let’s get started with oscap.

Installing oscap

In RHEL 7 oscap can be installed with the following command

# yum -y install scap-security-guide openscap-scanner

Content is installed under the following directory. Note that ssg is short for SCAP Security Guide.

/usr/share/xml/scap/ssg/content

Lets change directories to the one listed above and view the installed files.

Screenshot from 2019-07-24 15-58-04

Using oscap we can view more info on each file shown above. In this example we are going to inspect the ssg-rhel7-ds.xml file.

# oscap info ssg-rhel7-ds.xml

Continue reading

OpenSCAP Part 2: SCAP Content for RHEL 7

openscap-base

Introduction

In part one of the OpenSCAP series we were introduced to the basic usage of the OpenSCAP toolset. In that post we learned how to run a basic scan via the scap-workbench in a desktop environment.

This post will focus on the Content, Profiles, and Targets.

Content

All content will be installed in the directory shown below.  The content in this directory will vary based on the installed OS (the content on my Fedora differs from RHEL for example).

/usr/share/xml/scap/ssg/content

The screenshot below contains a list of content installed by default on RHEL 7.

Screenshot from 2019-07-24 15-58-04.png

Additional content can be obtained and added to the content directory shown above.  For example, NIST content can be downloaded directly from the NIST website. Link below.

National Checklist Program Repository

In the screenshot below we have performed a search for all content that targets RHEL 7.6

Screenshot from 2019-07-25 11-45-44.png

 

Continue reading

OpenSCAP Part 1: Introduction and Basic Usage for RHEL 7/CentOS 7/Fedora

openscap-base

Introduction

OpenSCAP is a standardized compliance solution for Linux. It is comprised of policies (NIST, STIG, etc) and tooling (oscap, scap-workbench) that allow you to scan and evaluate Linux hosts in order to validate their compliance with industry defined standards.

In addition to providing industry standard compliance rules, OpenSCAP also allows administrators to create custom compliance standards using the scap-workbench.

Administrators can then generate remediation files in bash, ansible or puppet.

Let’s get familiar with OpenSCAP below.

Getting Started

Below is an overview of the “Getting Started” workflow. In this workflow we are gonna run through a very simple use-case, scanning your local Fedora workstation.

  1. Install
  2. Choose Policy
  3. Modify/Adjust
  4. Scan
  5. Remediate

In the sections below we will walk through each of these steps in detail.

Continue reading