In this tutorial, you will learn how to install the OpenSCAP tool on Rocky Linux 9 and run a vulnerability scan on your Linux operating system.
What is OpenSCAP?
In today’s digital landscape, with new threats emerging daily, regular scanning of your Linux servers is essential. OpenSCAP is an open-source implementation of the Security Content Automation Protocol (SCAP), the NIST-maintained family of standards for expressing security checklists and vulnerability data in a machine-readable form. It is used for security compliance checking, vulnerability management, and policy enforcement, and gives you a standardized way to evaluate systems against security policies, benchmarks, and guidelines.
Key components of the OpenSCAP tooling include:
- SCAP Content: security policies, benchmarks, and guidelines expressed as SCAP content (XCCDF checklists backed by OVAL checks), built on standards such as Common Vulnerabilities and Exposures (CVE), Common Configuration Enumeration (CCE), Common Platform Enumeration (CPE), and the Common Vulnerability Scoring System (CVSS). On RHEL-family distributions this content is shipped by the scap-security-guide package, not by the scanner itself.
- Scanner: the oscap scanner evaluates a system against a selected profile of that content. It checks for missing security patches (when a CVE/OVAL feed is available to it), misconfigurations, and adherence to security best practices.
- Utilities: command-line utilities and APIs for inspecting SCAP content, running scans, generating reports and remediation scripts, and integrating OpenSCAP into other security management tools.
- Reporting: after a scan, OpenSCAP produces detailed reports (XCCDF results, ARF, and HTML) covering the findings, compliance status, and remediation guidance, so system administrators and security professionals can identify and address issues.
- Integration: OpenSCAP can feed configuration management systems, security information and event management (SIEM) solutions, and vulnerability management platforms to strengthen overall security management.
OpenSCAP scanner is widely used in enterprise environments, government agencies, and other organizations to ensure the security and compliance of their IT infrastructure, including servers, workstations, and cloud environments. It helps organizations automate security assessments, streamline compliance efforts, and improve overall security posture.
How to perform OpenSCAP Vulnerability Scan?
An OpenSCAP vulnerability scan is a process where the OpenSCAP tool is utilized to assess the security posture of a system or a network by scanning for vulnerabilities, misconfigurations, and adherence to security policies and standards. Here’s an overview of how an OpenSCAP vulnerability scan typically works:
Preparation: Before initiating the scan, the user typically selects or defines the security benchmarks, policies, or standards against which the system will be evaluated. These benchmarks may include industry standards like CIS (Center for Internet Security), DISA STIGs (Defense Information Systems Agency Security Technical Implementation Guides), or other custom policies.
Scanning: The OpenSCAP scanner then conducts the scan based on the selected benchmarks and policies. It checks various aspects of the system configuration, including but not limited to:
- Presence of known vulnerabilities (identified by CVE IDs), provided the distribution’s OVAL vulnerability feed is available to the scanner
- Configuration settings that deviate from best practices or security standards
- Compliance with specific security requirements outlined in the selected benchmarks
Evaluation: During the scan, OpenSCAP tool evaluates the system’s configuration and settings against the predefined benchmarks and policies. It identifies vulnerabilities, weaknesses, and areas of non-compliance.
Reporting: Once the scan is completed, OpenSCAP generates a detailed report summarizing the findings. This report typically includes:
- List of vulnerabilities detected, along with their severity ratings and CVE identifiers
- Configuration issues and deviations from security best practices
- Compliance status with respect to the selected benchmarks or standards
- Recommendations for remediation, including steps to mitigate identified vulnerabilities and improve overall security posture
Remediation: Based on the findings of the vulnerability scan, system administrators and security professionals can take appropriate actions to address the identified issues. This may involve applying software patches, reconfiguring system settings, or implementing additional security controls to mitigate risks and improve security.
Overall, an OpenSCAP vulnerability scan provides organizations with valuable insights into the security status of their systems, helping them identify and prioritize security risks, comply with regulatory requirements, and enhance their overall security posture.
Environment Specification:
We are using a minimal Rocky Linux 9 virtual machine with following specifications.
- CPU – 3.4 Ghz (2 cores)
- Memory – 4 GB
- Storage – 40 GB
- Operating System – Rocky Linux release 9.3 (Blue Onyx)
- Hostname – openscap-01.centlinux.com
- IP Address – 192.168.18.121/24
Pre-installation Configuration:
Log in to your Rocky Linux server as a privileged user using any SSH client.
Set the hostname of your Linux machine and configure local name resolution as follows.
# hostnamectl set-hostname openscap-01.centlinux.com
# echo 192.168.18.121 openscap-01 openscap-01.centlinux.com >> /etc/hosts
Update Linux software packages by executing following command.
# dnf update -y
The above command may also update packages related to the Linux kernel. In that case, reboot your Linux machine before moving forward.
# reboot
Check the Linux OS & Linux Kernel version.
# cat /etc/os-release
NAME="Rocky Linux"
VERSION="9.3 (Blue Onyx)"
ID="rocky"
ID_LIKE="rhel centos fedora"
VERSION_ID="9.3"
PLATFORM_ID="platform:el9"
PRETTY_NAME="Rocky Linux 9.3 (Blue Onyx)"
ANSI_COLOR="0;32"
LOGO="fedora-logo-icon"
CPE_NAME="cpe:/o:rocky:rocky:9::baseos"
HOME_URL="https://rockylinux.org/"
BUG_REPORT_URL="https://bugs.rockylinux.org/"
SUPPORT_END="2032-05-31"
ROCKY_SUPPORT_PRODUCT="Rocky-Linux-9"
ROCKY_SUPPORT_PRODUCT_VERSION="9.3"
REDHAT_SUPPORT_PRODUCT="Rocky Linux"
REDHAT_SUPPORT_PRODUCT_VERSION="9.3"

# uname -r
5.14.0-362.18.1.el9_3.0.1.x86_64
Install OpenSCAP Tool on Rocky Linux 9
You need the following two packages to install OpenSCAP and run a scan from the Linux command line. Both are available in the standard Rocky Linux repositories.
# dnf install -y openscap-scanner scap-security-guide
Here,
- openscap-scanner package provides the oscap command.
- scap-security-guide provides the Security Policies.
You can optionally install scap-workbench package, if you wish to use OpenSCAP from graphical interface.
Select a Security Policy
SSG (SCAP Security Guide) policy files are located in the /usr/share/xml/scap/ssg/content/ directory.
Run the following command to list the SSG data stream files.
# ls -1 /usr/share/xml/scap/ssg/content/ssg-*-ds.xml
/usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml
/usr/share/xml/scap/ssg/content/ssg-rl9-ds.xml
Select a Security Profile
Each data stream file carries several profiles, each implementing a specific security baseline by selecting its own set of rules and values. You can list the profiles of a data stream with the following command (oscap info --profiles <file> prints only the profile IDs and titles, one per line, if you want a shorter listing):
# oscap info /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml
Document type: Source Data Stream
Imported: 2024-02-26T20:55:34
Stream: scap_org.open-scap_datastream_from_xccdf_ssg-rhel9-xccdf.xml
Generated: (null)
Version: 1.3
Checklists:
    Ref-Id: scap_org.open-scap_cref_ssg-rhel9-xccdf.xml
WARNING: Datastream component 'scap_org.open-scap_cref_security-data-oval-v2-RHEL9-rhel-9.oval.xml.bz2' points out to the remote 'https://access.redhat.com/security/data/oval/v2/RHEL9/rhel-9.oval.xml.bz2'. Use '--fetch-remote-resources' option to download it.
WARNING: Skipping 'https://access.redhat.com/security/data/oval/v2/RHEL9/rhel-9.oval.xml.bz2' file which is referenced from datastream
        Status: draft
        Generated: 2024-02-26
        Resolved: true
        Profiles:
            Title: ANSSI-BP-028 (enhanced)
                Id: xccdf_org.ssgproject.content_profile_anssi_bp28_enhanced
            Title: ANSSI-BP-028 (high)
                Id: xccdf_org.ssgproject.content_profile_anssi_bp28_high
            Title: ANSSI-BP-028 (intermediary)
                Id: xccdf_org.ssgproject.content_profile_anssi_bp28_intermediary
            Title: ANSSI-BP-028 (minimal)
                Id: xccdf_org.ssgproject.content_profile_anssi_bp28_minimal
            Title: CCN Red Hat Enterprise Linux 9 - Advanced
                Id: xccdf_org.ssgproject.content_profile_ccn_advanced
            Title: CCN Red Hat Enterprise Linux 9 - Basic
                Id: xccdf_org.ssgproject.content_profile_ccn_basic
            Title: CCN Red Hat Enterprise Linux 9 - Intermediate
                Id: xccdf_org.ssgproject.content_profile_ccn_intermediate
            Title: CIS Red Hat Enterprise Linux 9 Benchmark for Level 2 - Server
                Id: xccdf_org.ssgproject.content_profile_cis
            Title: CIS Red Hat Enterprise Linux 9 Benchmark for Level 1 - Server
                Id: xccdf_org.ssgproject.content_profile_cis_server_l1
            Title: CIS Red Hat Enterprise Linux 9 Benchmark for Level 1 - Workstation
                Id: xccdf_org.ssgproject.content_profile_cis_workstation_l1
            Title: CIS Red Hat Enterprise Linux 9 Benchmark for Level 2 - Workstation
                Id: xccdf_org.ssgproject.content_profile_cis_workstation_l2
            Title: DRAFT - Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)
                Id: xccdf_org.ssgproject.content_profile_cui
            Title: Australian Cyber Security Centre (ACSC) Essential Eight
                Id: xccdf_org.ssgproject.content_profile_e8
            Title: Health Insurance Portability and Accountability Act (HIPAA)
                Id: xccdf_org.ssgproject.content_profile_hipaa
            Title: Australian Cyber Security Centre (ACSC) ISM Official
                Id: xccdf_org.ssgproject.content_profile_ism_o
            Title: Protection Profile for General Purpose Operating Systems
                Id: xccdf_org.ssgproject.content_profile_ospp
            Title: PCI-DSS v4.0 Control Baseline for Red Hat Enterprise Linux 9
                Id: xccdf_org.ssgproject.content_profile_pci-dss
            Title: DISA STIG for Red Hat Enterprise Linux 9
                Id: xccdf_org.ssgproject.content_profile_stig
            Title: DISA STIG with GUI for Red Hat Enterprise Linux 9
                Id: xccdf_org.ssgproject.content_profile_stig_gui
        Referenced check files:
            ssg-rhel9-oval.xml
                system: http://oval.mitre.org/XMLSchema/oval-definitions-5
            ssg-rhel9-ocil.xml
                system: http://scap.nist.gov/schema/ocil/2
            security-data-oval-v2-RHEL9-rhel-9.oval.xml.bz2
                system: http://oval.mitre.org/XMLSchema/oval-definitions-5
Checks:
    Ref-Id: scap_org.open-scap_cref_ssg-rhel9-oval.xml
    Ref-Id: scap_org.open-scap_cref_ssg-rhel9-ocil.xml
    Ref-Id: scap_org.open-scap_cref_ssg-rhel9-cpe-oval.xml
    Ref-Id: scap_org.open-scap_cref_security-data-oval-v2-RHEL9-rhel-9.oval.xml.bz2
Dictionaries:
    Ref-Id: scap_org.open-scap_cref_ssg-rhel9-cpe-dictionary.xml
You can use any of the above security profiles on your Rocky Linux server. We have selected xccdf_org.ssgproject.content_profile_cis (CIS Level 2 - Server) for the demonstration in this tutorial.
Note that a data stream also carries a platform check: ssg-rhel9-ds.xml applies only to hosts whose CPE identifies them as Red Hat Enterprise Linux 9, and on any other distribution every rule is reported as notapplicable. On Rocky Linux 9 you should therefore pass /usr/share/xml/scap/ssg/content/ssg-rl9-ds.xml (listed above) to oscap, and check with oscap info in the same way that the profile you want is present in that file.
Running OpenSCAP Vulnerability Scan
By now you should have selected a security policy (data stream) and a security profile.
You can now run an OpenSCAP scan on your Rocky Linux server with the oscap command.
# oscap xccdf eval \
    --profile xccdf_org.ssgproject.content_profile_cis \
    --results-arf arf.xml \
    --report report.html \
    /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml
WARNING: Datastream component 'scap_org.open-scap_cref_security-data-oval-v2-RHEL9-rhel-9.oval.xml.bz2' points out to the remote 'https://access.redhat.com/security/data/oval/v2/RHEL9/rhel-9.oval.xml.bz2'. Use '--fetch-remote-resources' option to download it.
WARNING: Skipping 'https://access.redhat.com/security/data/oval/v2/RHEL9/rhel-9.oval.xml.bz2' file which is referenced from datastream
WARNING: Skipping ./security-data-oval-v2-RHEL9-rhel-9.oval.xml.bz2 file which is referenced from XCCDF content
--- Starting Evaluation ---

Title   Install AIDE
Rule    xccdf_org.ssgproject.content_rule_package_aide_installed
Ident   CCE-90843-4
Result  notapplicable

Title   Build and Test AIDE Database
Rule    xccdf_org.ssgproject.content_rule_aide_build_database
Ident   CCE-83438-2
Result  notapplicable

Title   Configure AIDE to Verify the Audit Tools
Rule    xccdf_org.ssgproject.content_rule_aide_check_audit_tools
Ident   CCE-87757-1
Result  notapplicable

Title   Configure Periodic Execution of AIDE
Rule    xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking
Ident   CCE-83437-4
Result  notapplicable

Title   Configure System Cryptography Policy
Rule    xccdf_org.ssgproject.content_rule_configure_crypto_policy
Ident   CCE-83450-7
Result  notapplicable
The on-screen output of this command is quite long, so only the first few rules are shown here. Two things in it deserve attention. First, the warnings show that the remote Red Hat OVAL file (the CVE feed) was not downloaded, so the checks that depend on it were skipped: without --fetch-remote-resources (and network access to access.redhat.com) this run is a configuration-compliance assessment against the CIS profile, not a CVE vulnerability scan. Second, every rule came back notapplicable. The RHEL 9 data stream's platform check (a CPE for Red Hat Enterprise Linux 9) does not match a Rocky Linux host, so no rule was actually evaluated; re-run the command with /usr/share/xml/scap/ssg/content/ssg-rl9-ds.xml in place of ssg-rhel9-ds.xml to get real pass/fail results on Rocky Linux 9, and treat an all-notapplicable report as a wrong-data-stream error rather than a clean bill of health.
The results of the scan are also stored in the files arf.xml (machine-readable ARF, suitable for archiving and for tooling) and report.html.
report.html is the readable version; open it in a web browser. The exit status of oscap xccdf eval is also useful in scripts: 0 means every evaluated rule passed, 2 means at least one rule failed, and 1 means the scanner itself hit an error.
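The script below is an added example, not code from this tutorial or from the OpenSCAP project. It ties the procedure above together: it picks the SSG data stream whose platform check matches the running OS (using the ID value from /etc/os-release), runs the same oscap xccdf eval command with the same flags, and then counts the rule results so that a run in which every rule came back notapplicable is reported as a data-stream mismatch rather than mistaken for a clean system. The function names, the ID-to-data-stream mapping (only rocky and rhel are covered) and the sample results it falls back to when oscap is not installed are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original tutorial): choose the SSG datastream
# that matches the running OS, run the scan, and sanity-check the results so
# an all-"notapplicable" run is flagged instead of being read as a pass.
# Function names, the distro mapping and the sample results are assumptions
# of this example; the oscap command and flags are the ones used in the text.

SSG_DIR=/usr/share/xml/scap/ssg/content
PROFILE=xccdf_org.ssgproject.content_profile_cis

# Map ID= from /etc/os-release to the matching datastream. ssg-rhel9-ds.xml
# only applies to RHEL 9; on Rocky it marks every rule notapplicable.
pick_datastream() {
    case "$1" in
        rocky) echo "$SSG_DIR/ssg-rl9-ds.xml" ;;
        rhel)  echo "$SSG_DIR/ssg-rhel9-ds.xml" ;;
        *)     echo "no SSG datastream mapped for ID=$1" >&2; return 1 ;;
    esac
}

# Count the <result> element of every rule-result in an XCCDF/ARF results
# file (oscap writes one element per line). Prints "pass fail notapplicable total".
summarize_results() {
    sed -n 's|.*<\([A-Za-z0-9_]*:\)\{0,1\}result>\([a-z]*\)</.*|\2|p' "$1" |
    awk '{ n[$1]++; t++ }
         END { printf "%d %d %d %d\n", n["pass"], n["fail"], n["notapplicable"], t }'
}

# Return 2 when rules were listed but none passed or failed: that is the
# signature of a datastream whose platform CPE did not match this host.
check_scan() {
    set -- $(summarize_results "$1")
    echo "pass=$1 fail=$2 notapplicable=$3 total=$4"
    if [ "$4" -gt 0 ] && [ "$1" -eq 0 ] && [ "$2" -eq 0 ]; then
        echo "WARNING: no rule was evaluated; the datastream does not match this OS" >&2
        return 2
    fi
    return 0
}

# Constructed sample results (not real scan output) for offline use:
# "bad" mimics the all-notapplicable run above, "mixed" a scan that really ran.
sample_results() {
    echo '<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.open-scap_testresult_sample">'
    if [ "$1" = bad ]; then set -- notapplicable notapplicable notapplicable
    else set -- pass pass fail notapplicable; fi
    for r in "$@"; do
        echo "  <rule-result idref=\"xccdf_org.ssgproject.content_rule_sample\"><result>$r</result></rule-result>"
    done
    echo '</TestResult>'
}

main() {
    id=$(sed -n 's/^ID=//p' /etc/os-release 2>/dev/null | tr -d '"')
    if ds=$(pick_datastream "${id:-unknown}") && command -v oscap >/dev/null 2>&1; then
        # oscap exits 0 when all rules pass, 2 when some fail, 1 on a scanner error
        rc=0
        oscap xccdf eval --profile "$PROFILE" --results-arf arf.xml --report report.html "$ds" || rc=$?
        [ "$rc" -ne 1 ] || { echo "oscap reported an error" >&2; return 1; }
        results=arf.xml
    else
        echo "oscap or a matching datastream is unavailable; checking the constructed sample" >&2
        results=$(mktemp) && sample_results mixed > "$results"
    fi
    check_scan "$results"
}

main "$@"
```

Run it as root on the scanned host (sh scan.sh); an exit status of 2 from check_scan means the data stream did not apply to the host and the report should not be trusted, which is exactly the situation the notapplicable output above reflects.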
Conclusion:
In this tutorial, you have learned how to install the OpenSCAP tool on Rocky Linux 9 and other Red Hat based Linux distributions, and you have performed an OpenSCAP scan against a CIS profile on your Linux server.
Greeting
Thank you for the explanation.
However, all the rules are skipped as not applicable.
When running oscap xccdf eval with --verbose INFO, it gives the same criteria failure for all rules:
“I: oscap: Evaluating definition ‘oval:ssg-installed_OS_is_rhel9:def:1’: Red Hat Enterprise Linux 9.”
How do I disable this criteria check?
brgrds
Hi, you are using RHEL 9; therefore, using the relevant security policy, i.e. /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml, may work for you.
I found out that choosing /usr/share/xml/scap/ssg/content/ssg-rl9-ds.xml and not /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml permits working with Rocky 9 as well.
Good to hear that you have resolved the issue.