In part 1 of this series we were introduced to OpenSCAP and the process of running scans via the SCAP workbench. In part 2, we explored concepts and components that define security/vulnerability scans. In this 3rd post we are going to dive into the command line operation.
Let’s get started with oscap.
In RHEL 7 oscap can be installed with the following command
OpenSCAP is a standardized compliance solution for Linux. It is comprised of policies (NIST, STIG, etc) and tooling (oscap, scap-workbench) that allow you to scan and evaluate Linux hosts in order to validate their compliance with industry defined standards.
In addition to providing industry standard compliance rules, OpenSCAP also allows administrators to create custom compliance standards using the scap-workbench.
Administrators can then generate remediation files in bash, ansible or puppet.
Let’s get familiar with OpenSCAP below.
Below is an overview of the “Getting Started” workflow. In this workflow we are gonna run through a very simple use-case, scanning your local Fedora workstation.
In the sections below we will walk through each of these steps in detail.
First check to see if the errata is available to your local satellite server. To accomplish this log into your organizations satellite server and click on the “Errata” tab. Then on the left side of the page click on “Advanced Search”.
In the search box enter the RHSA number (Redhat Security Advisory Number) for the errata that you want to clone/update. In this example I am searching for RHSA-2014:1924, which is a Thunderbird security update.
If your search does not return any results, you will need to manually sync your local Satellite Server with Redhat.To accomplish this you need to ssh into your local satellite server and run the command shown below. Note that this does not update any packages/errata. This does update the list of availbile packages/errata.
/usr/bin/satellite-sync [root@myserver ~]# satellite-sync –email 10:08:09 Red Hat Satellite – live synchronization 10:08:09 url: https://satellite.rhn.redhat.com 10:08:09 debug/output level: 1 ….truncated….
Once you are able to locate the specific fix in via “Erratum Search” you may proceed to the next step. In this example, as I stated above, I am searching for RHSA-2014:1924.
Now that our local Satellite server is aware of our specific errata, click on “Clone Errata” on the left side of the page. Search the page “Errata Management” for the specific fix that you want to apply. Note that the “Errata Management”page does have built in search functionality — don’t ask me why — so you must search using your browser’s own page search function.
Once you have located the correct Security Advisory, put a check in the box and spend about 5 minutes scrolling down to the bottom of the page. Stop when your arm is tired, or once you locate the “Clone Errata” button. Obviously you want to click this.
Note that your newly added and updated errata/package may not become immediatley availible to install. You nay need to run the following commands to refresh/reload your repos.
Auditd is the userland piece of the RHEL audit tool suite. When its up and running, audit messages sent by the kenel will be send to log files that you have configured. By default, only a small and limited number of messages will be picked up by Auditd; these are mostly messages related to authentication and authorization.
Its possible to send audit messages to a syslog. By setting active=yes in /etc/audisp/plugins.d/syslog.conf you can send all your audit messages to syslog. If your system is setup to log to a remote syslog server, then your audit messages will go along for the ride as well. Note that you can also send audit messages to a remote logging server via native audit protocol over TCP. I am not going to go into this option, but I want to make sure that we are aware that it exists.
Looking for Audit Events in All the Wrong Places:
Auditd includes a handy-dandy tool for searching audit logs. Ausearch. You can check out all your current audit log messages using the command below.
[root@ip-172-31-21-28 ~]# ausearch -l
Viewing audit logs in their raw format can be accomplished with the command below
[root@ip-172-31-21-28 ~]# ausearch –raw
The -a option allows you to search by audit event ids
[root@ip-172-31-21-28 ~]# ausearch -a 282
Auditd also includes ausearch, which allows you to get a quick summary of audit events, rather than trying to view massive audit logs. Usage and output shown below.
root@ip-172-31-21-28 ~]# aureport
Summary Report ====================== Range of time in logs: 07/17/2014 10:21:36.438 – 07/17/2014 19:52:49.556 Selected time for report: 07/17/2014 10:21:36 – 07/17/2014 19:52:49.556 Number of changes in configuration: 4 Number of changes to accounts, groups, or roles: 24 Number of logins: 20 Number of failed logins: 4 Number of authentications: 75 Number of failed authentications: 3 Number of users: 3 Number of terminals: 18 Number of host names: 19 Number of executables: 14 Number of files: 0 Number of AVC's: 10 Number of MAC events: 20 Number of failed syscalls: 10 Number of anomaly events: 0 Number of responses to anomaly events: 0 Number of crypto events: 244 Number of keys: 0 Number of process IDs: 203 Number of events: 1132
You can also use aureport and ausearch together. Simliar to the powerfull partnership between Batman and Robin, these two tools complement each other in ways that you can only imagine. Check out my sexy bits below.
Summary Report ====================== Range of time in logs: 07/17/2014 10:21:36.438 – 07/17/2014 20:01:01.911 Selected time for report: 07/17/2014 10:21:36 – 07/17/2014 20:01:01.911 Number of changes in configuration: 4 Number of changes to accounts, groups, or roles: 24 Number of logins: 20 Number of failed logins: 4 Number of authentications: 75 Number of failed authentications: 3 Number of users: 3 Number of terminals: 18 Number of host names: 19 Number of executables: 14 Number of files: 0 Number of AVC's: 10 Number of MAC events: 20 Number of failed syscalls: 10 Number of anomaly events: 0 Number of responses to anomaly events: 0 Number of crypto events: 244 Number of keys: 0 Number of process IDs: 205 Number of events: 1144
Want to know another cool tool that is part of auditd? I know, its a lot to take in at one time, but I am sure that you can handle it. Using autrace you can trace and investigate system calls made by a process.
Want to see everything that nslookup is doing? Then run the command below.