In this tutorial, you will learn how to install the OpenSCAP tool on Rocky Linux 9 and run a vulnerability scan on your Linux operating system.
In today’s digital landscape, with new threats emerging daily, regular scanning of your Linux servers is essential. OpenSCAP is an open-source implementation of SCAP (the Security Content Automation Protocol), a framework designed for security compliance checking, vulnerability management, and policy enforcement. It provides a standardized approach for maintaining system security and compliance with various security policies, benchmarks, and guidelines.
Key components of the OpenSCAP tool include:
OpenSCAP scanner is widely used in enterprise environments, government agencies, and other organizations to ensure the security and compliance of their IT infrastructure, including servers, workstations, and cloud environments. It helps organizations automate security assessments, streamline compliance efforts, and improve overall security posture.
An OpenSCAP vulnerability scan is a process where the OpenSCAP tool is utilized to assess the security posture of a system or a network by scanning for vulnerabilities, misconfigurations, and adherence to security policies and standards. Here’s an overview of how an OpenSCAP vulnerability scan typically works:
Preparation: Before initiating the scan, the user typically selects or defines the security benchmarks, policies, or standards against which the system will be evaluated. These benchmarks may include industry standards like CIS (Center for Internet Security), DISA STIGs (Defense Information Systems Agency Security Technical Implementation Guides), or other custom policies.
Scanning: The OpenSCAP scanner then conducts the scan based on the selected benchmarks and policies. It checks various aspects of the system configuration, including but not limited to:
Evaluation: During the scan, the OpenSCAP tool evaluates the system’s configuration and settings against the predefined benchmarks and policies. It identifies vulnerabilities, weaknesses, and areas of non-compliance.
Reporting: Once the scan is completed, OpenSCAP generates a detailed report summarizing the findings. This report typically includes:
Remediation: Based on the findings of the vulnerability scan, system administrators and security professionals can take appropriate actions to address the identified issues. This may involve applying software patches, reconfiguring system settings, or implementing additional security controls to mitigate risks and improve security.
Overall, an OpenSCAP vulnerability scan provides organizations with valuable insights into the security status of their systems, helping them identify and prioritize security risks, comply with regulatory requirements, and enhance their overall security posture.
We are using a minimal Rocky Linux 9 virtual machine with the following specifications.
Log in to your Rocky Linux server as a privileged user using any SSH client.
Set the hostname of your Linux machine and configure local DNS resolution as follows.
# hostnamectl set-hostname openscap-01.centlinux.com
# echo 192.168.18.121 openscap-01 openscap-01.centlinux.com >> /etc/hosts
Update the Linux software packages by executing the following command.
# dnf update -y
The above command may also update packages related to the Linux kernel. In that case, reboot your Linux machine before moving forward.
# reboot
Check the Linux OS and kernel version.
# cat /etc/os-release
NAME="Rocky Linux"
VERSION="9.3 (Blue Onyx)"
ID="rocky"
ID_LIKE="rhel centos fedora"
VERSION_ID="9.3"
PLATFORM_ID="platform:el9"
PRETTY_NAME="Rocky Linux 9.3 (Blue Onyx)"
ANSI_COLOR="0;32"
LOGO="fedora-logo-icon"
CPE_NAME="cpe:/o:rocky:rocky:9::baseos"
HOME_URL="https://rockylinux.org/"
BUG_REPORT_URL="https://bugs.rockylinux.org/"
SUPPORT_END="2032-05-31"
ROCKY_SUPPORT_PRODUCT="Rocky-Linux-9"
ROCKY_SUPPORT_PRODUCT_VERSION="9.3"
REDHAT_SUPPORT_PRODUCT="Rocky Linux"
REDHAT_SUPPORT_PRODUCT_VERSION="9.3"
# uname -r
5.14.0-362.18.1.el9_3.0.1.x86_64
You will require the following two packages to install the OpenSCAP tool and run a vulnerability scan from the Linux command line. Both packages are available in the standard yum (dnf) repositories.
# dnf install -y openscap-scanner scap-security-guide
Here,
You can optionally install the scap-workbench package if you wish to use OpenSCAP from a graphical interface.
SSG (SCAP Security Guide) policy files are located in the /usr/share/xml/scap/ssg/content/ directory.
Execute the following command to list the SSG policy files.
# ls -1 /usr/share/xml/scap/ssg/content/ssg-*-ds.xml
/usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml
/usr/share/xml/scap/ssg/content/ssg-rl9-ds.xml
Each security policy can have multiple profiles which provide policies implemented according to specific security baselines. Every profile can select different rules and use different values. You can list these profiles using the following command:
# oscap info /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml
Document type: Source Data Stream
Imported: 2024-02-26T20:55:34

Stream: scap_org.open-scap_datastream_from_xccdf_ssg-rhel9-xccdf.xml
Generated: (null)
Version: 1.3
Checklists:
    Ref-Id: scap_org.open-scap_cref_ssg-rhel9-xccdf.xml
WARNING: Datastream component 'scap_org.open-scap_cref_security-data-oval-v2-RHEL9-rhel-9.oval.xml.bz2' points out to the remote 'https://access.redhat.com/security/data/oval/v2/RHEL9/rhel-9.oval.xml.bz2'. Use '--fetch-remote-resources' option to download it.
WARNING: Skipping 'https://access.redhat.com/security/data/oval/v2/RHEL9/rhel-9.oval.xml.bz2' file which is referenced from datastream
        Status: draft
        Generated: 2024-02-26
        Resolved: true
        Profiles:
            Title: ANSSI-BP-028 (enhanced)
                Id: xccdf_org.ssgproject.content_profile_anssi_bp28_enhanced
            Title: ANSSI-BP-028 (high)
                Id: xccdf_org.ssgproject.content_profile_anssi_bp28_high
            Title: ANSSI-BP-028 (intermediary)
                Id: xccdf_org.ssgproject.content_profile_anssi_bp28_intermediary
            Title: ANSSI-BP-028 (minimal)
                Id: xccdf_org.ssgproject.content_profile_anssi_bp28_minimal
            Title: CCN Red Hat Enterprise Linux 9 - Advanced
                Id: xccdf_org.ssgproject.content_profile_ccn_advanced
            Title: CCN Red Hat Enterprise Linux 9 - Basic
                Id: xccdf_org.ssgproject.content_profile_ccn_basic
            Title: CCN Red Hat Enterprise Linux 9 - Intermediate
                Id: xccdf_org.ssgproject.content_profile_ccn_intermediate
            Title: CIS Red Hat Enterprise Linux 9 Benchmark for Level 2 - Server
                Id: xccdf_org.ssgproject.content_profile_cis
            Title: CIS Red Hat Enterprise Linux 9 Benchmark for Level 1 - Server
                Id: xccdf_org.ssgproject.content_profile_cis_server_l1
            Title: CIS Red Hat Enterprise Linux 9 Benchmark for Level 1 - Workstation
                Id: xccdf_org.ssgproject.content_profile_cis_workstation_l1
            Title: CIS Red Hat Enterprise Linux 9 Benchmark for Level 2 - Workstation
                Id: xccdf_org.ssgproject.content_profile_cis_workstation_l2
            Title: DRAFT - Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)
                Id: xccdf_org.ssgproject.content_profile_cui
            Title: Australian Cyber Security Centre (ACSC) Essential Eight
                Id: xccdf_org.ssgproject.content_profile_e8
            Title: Health Insurance Portability and Accountability Act (HIPAA)
                Id: xccdf_org.ssgproject.content_profile_hipaa
            Title: Australian Cyber Security Centre (ACSC) ISM Official
                Id: xccdf_org.ssgproject.content_profile_ism_o
            Title: Protection Profile for General Purpose Operating Systems
                Id: xccdf_org.ssgproject.content_profile_ospp
            Title: PCI-DSS v4.0 Control Baseline for Red Hat Enterprise Linux 9
                Id: xccdf_org.ssgproject.content_profile_pci-dss
            Title: DISA STIG for Red Hat Enterprise Linux 9
                Id: xccdf_org.ssgproject.content_profile_stig
            Title: DISA STIG with GUI for Red Hat Enterprise Linux 9
                Id: xccdf_org.ssgproject.content_profile_stig_gui
        Referenced check files:
            ssg-rhel9-oval.xml
                system: http://oval.mitre.org/XMLSchema/oval-definitions-5
            ssg-rhel9-ocil.xml
                system: http://scap.nist.gov/schema/ocil/2
            security-data-oval-v2-RHEL9-rhel-9.oval.xml.bz2
                system: http://oval.mitre.org/XMLSchema/oval-definitions-5
Checks:
    Ref-Id: scap_org.open-scap_cref_ssg-rhel9-oval.xml
    Ref-Id: scap_org.open-scap_cref_ssg-rhel9-ocil.xml
    Ref-Id: scap_org.open-scap_cref_ssg-rhel9-cpe-oval.xml
    Ref-Id: scap_org.open-scap_cref_security-data-oval-v2-RHEL9-rhel-9.oval.xml.bz2
Dictionaries:
    Ref-Id: scap_org.open-scap_cref_ssg-rhel9-cpe-dictionary.xml
You can use any of the above security profiles for your Rocky Linux server.
We have selected xccdf_org.ssgproject.content_profile_cis for demonstration in this Linux tutorial.
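Before running the scan it is worth checking two things the page relies on: that the data stream matches the OS actually installed (ssg-rl9-ds.xml for Rocky Linux, ssg-rhel9-ds.xml for RHEL; the CPE platform check in the wrong stream marks every rule notapplicable) and that the chosen profile ID really exists in that stream. The following script is an added example, not code from the original tutorial or from the OpenSCAP project; it reads /etc/os-release, parses the "Id:" lines of oscap info output exactly as shown above, and builds the same oscap xccdf eval command line used below. Only the two data streams listed on this page are mapped.

```python
import re
import subprocess
from pathlib import Path

CONTENT_DIR = Path("/usr/share/xml/scap/ssg/content")
# /etc/os-release ID -> SSG file prefix; only the two data streams shown on
# this page are mapped (ssg-rhel9-ds.xml and ssg-rl9-ds.xml).
SSG_PREFIX = {"rhel": "rhel", "rocky": "rl"}
CIS_PROFILE = "xccdf_org.ssgproject.content_profile_cis"

def parse_os_release(text):
    """Turn KEY="value" lines of /etc/os-release into a dict."""
    info = {}
    for line in text.splitlines():
        if "=" in line and not line.startswith("#"):
            key, _, val = line.partition("=")
            info[key.strip()] = val.strip().strip('"')
    return info

def choose_datastream(os_release_text, content_dir=CONTENT_DIR):
    """Pick the data stream built for this OS, not merely a similar one."""
    info = parse_os_release(os_release_text)
    prefix = SSG_PREFIX.get(info.get("ID", ""))
    if prefix is None:
        raise ValueError("no SSG data stream mapping for ID=%r" % info.get("ID"))
    major = info.get("VERSION_ID", "").split(".")[0]
    return content_dir / f"ssg-{prefix}{major}-ds.xml"

def profile_ids(oscap_info_output):
    """Extract the 'Id:' lines from `oscap info <datastream>` output."""
    return re.findall(r"^\s*Id:\s*(xccdf_\S+)", oscap_info_output, re.M)

def scan_command(datastream, profile, fetch_remote=True):
    """Build the `oscap xccdf eval` argv used in this tutorial."""
    cmd = ["oscap", "xccdf", "eval"]
    if fetch_remote:  # pull the vendor OVAL feed the WARNING lines refer to
        cmd.append("--fetch-remote-resources")
    cmd += ["--profile", profile, "--results-arf", "arf.xml",
            "--report", "report.html", str(datastream)]
    return cmd

if __name__ == "__main__":
    ds = choose_datastream(Path("/etc/os-release").read_text())
    info = subprocess.run(["oscap", "info", str(ds)],
                          capture_output=True, text=True).stdout
    if CIS_PROFILE not in profile_ids(info):
        raise SystemExit(f"{CIS_PROFILE} not found in {ds}")
    # exit status 2 means some rules failed, so do not treat it as an error
    subprocess.run(scan_command(ds, CIS_PROFILE), check=False)
```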
Hopefully, you have selected a security policy and a security profile by now.
Now, you can run an OpenSCAP vulnerability scan on your Rocky Linux server using the oscap command.
# oscap xccdf eval \
    --profile xccdf_org.ssgproject.content_profile_cis \
    --results-arf arf.xml \
    --report report.html \
    /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml
WARNING: Datastream component 'scap_org.open-scap_cref_security-data-oval-v2-RHEL9-rhel-9.oval.xml.bz2' points out to the remote 'https://access.redhat.com/security/data/oval/v2/RHEL9/rhel-9.oval.xml.bz2'. Use '--fetch-remote-resources' option to download it.
WARNING: Skipping 'https://access.redhat.com/security/data/oval/v2/RHEL9/rhel-9.oval.xml.bz2' file which is referenced from datastream
WARNING: Skipping ./security-data-oval-v2-RHEL9-rhel-9.oval.xml.bz2 file which is referenced from XCCDF content
--- Starting Evaluation ---

Title   Install AIDE
Rule    xccdf_org.ssgproject.content_rule_package_aide_installed
Ident   CCE-90843-4
Result  notapplicable

Title   Build and Test AIDE Database
Rule    xccdf_org.ssgproject.content_rule_aide_build_database
Ident   CCE-83438-2
Result  notapplicable

Title   Configure AIDE to Verify the Audit Tools
Rule    xccdf_org.ssgproject.content_rule_aide_check_audit_tools
Ident   CCE-87757-1
Result  notapplicable

Title   Configure Periodic Execution of AIDE
Rule    xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking
Ident   CCE-83437-4
Result  notapplicable

Title   Configure System Cryptography Policy
Rule    xccdf_org.ssgproject.content_rule_configure_crypto_policy
Ident   CCE-83450-7
Result  notapplicable
The on-screen output of this command is quite long, therefore we only show a few lines here.
The results of the OpenSCAP vulnerability scan are also stored in the arf.xml and report.html files.
The report.html file is more readable; you can open it in a web browser.
In this tutorial, you have learned how to install the OpenSCAP tool on Rocky Linux 9 or another Red Hat based Linux OS. We have also performed an OpenSCAP vulnerability scan on our Linux server.
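The arf.xml file is the machine-readable counterpart of report.html and is what you would feed into automation. The script below is an added example, not part of the original tutorial or of the OpenSCAP project: it counts the rule results in an ARF document, lists the failed rule IDs, and flags the case where every rule came back notapplicable, which is what a data stream whose CPE platform does not match the installed OS produces (the output above shows this pattern). The embedded XML is a constructed sample in the shape of arf.xml, reusing rule IDs from the scan output; the results in it are made up.

```python
import sys
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF = "{http://checklists.nist.gov/xccdf/1.2}"

def summarise(arf_xml):
    """Count rule results in an ARF/XCCDF results document and list failures."""
    root = ET.fromstring(arf_xml)
    counts = Counter()
    failed = []
    for rr in root.iter(XCCDF + "rule-result"):
        result = rr.findtext(XCCDF + "result", default="unknown")
        counts[result] += 1
        if result == "fail":
            failed.append(rr.get("idref"))
    total = sum(counts.values())
    return {
        "total": total,
        "counts": dict(counts),
        "failed": failed,
        # Every rule 'notapplicable' means the data stream's CPE platform check
        # did not match this OS (e.g. RHEL 9 content evaluated on Rocky Linux 9).
        "platform_mismatch": total > 0 and counts["notapplicable"] == total,
    }

# Constructed sample in the shape of arf.xml; rule IDs are from the scan
# output above, the results are made up for the example.
SAMPLE_ARF = """
<arf:asset-report-collection
    xmlns:arf="http://scap.nist.gov/schema/asset-reporting-format/1.1">
 <arf:reports><arf:report id="xccdf1"><arf:content>
  <TestResult xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.open-scap_testresult">
   <rule-result idref="xccdf_org.ssgproject.content_rule_package_aide_installed"><result>fail</result></rule-result>
   <rule-result idref="xccdf_org.ssgproject.content_rule_configure_crypto_policy"><result>pass</result></rule-result>
   <rule-result idref="xccdf_org.ssgproject.content_rule_aide_build_database"><result>notapplicable</result></rule-result>
  </TestResult>
 </arf:content></arf:report></arf:reports>
</arf:asset-report-collection>
""".strip()

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "arf.xml"
    summary = summarise(open(path, encoding="utf-8").read())
    print(summary["counts"])
    for rule in summary["failed"]:
        print("FAIL", rule)
    if summary["platform_mismatch"]:
        print("all rules notapplicable: check that the data stream matches this OS")
    sys.exit(2 if summary["failed"] else 0)
```

Run it as `python3 summarise_arf.py arf.xml` after the scan; the exit status mirrors oscap's convention of 2 when any rule failed.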
Greetings,
Thank you for the explanation.
However, all the rules were skipped as not applicable.
When running oscap xccdf eval with --verbose INFO, it gives the same criteria failure for all rules:
"I: oscap: Evaluating definition 'oval:ssg-installed_OS_is_rhel9:def:1': Red Hat Enterprise Linux 9."
How do I disable this criteria check?
Best regards
Hi, you are using RHEL 9, therefore using the relevant security policy, i.e. /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml, may work for you.
I found out that choosing /usr/share/xml/scap/ssg/content/ssg-rl9-ds.xml and not /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml permits working with Rocky 9 as well.
Good to hear that you have resolved the issue.